fix(onboard): auto-assign Exchange Admin to Exchange Operator SP; mark Sandteko fully onboarded

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.claude/skills/remediation-tool/references/tenants.md

@@ -41,7 +41,7 @@ After full onboarding, update the Onboarded column below.
 | Rincon Vista Veterinary Center | rinconvistavet.onmicrosoft.com | b8cdcd89-d0f4-4747-bcf3-8bd8a25fd7e1 | NO | |
 | Russo Law Firm | rrs-law.com | bef1b190-f78f-4b1c-aa4b-fab186a30702 | NO | |
 | Safe Site Utility Services LLC | safesitellc.com | 71b4e637-c802-4137-a812-ae50dbc839e3 | NO | |
-| SANDTEKO MACHINERY LLC | SANDTEKOMACHINERY.com | 739bb777-cf76-478f-866b-f61c830c8246 | PARTIAL | Sec Inv + Exch Op + User Mgr + Tenant Admin consented 2026-04-24; Sec Inv Exchange Admin + User Mgr User Admin + Auth Admin roles assigned; Exch Op Exchange Admin role needs manual Entra assignment; no MDE |
+| SANDTEKO MACHINERY LLC | SANDTEKOMACHINERY.com | 739bb777-cf76-478f-866b-f61c830c8246 | YES | All apps consented 2026-04-24; Sec Inv + Exch Op Exchange Admin + User Mgr User Admin + Auth Admin roles assigned; no MDE |
 | Shave, Kevin | az2son.com | 984c05a9-708b-4ec1-9f43-558865cb3c9d | NO | |
 | Sonorangreenllc.com | sonorangreenllc.com | ededa4fb-f6eb-4398-851d-5eb3e11fab27 | NO | |
 | Starr Pass Realty | starrpass.com | 222450dd-141f-435f-87b8-cec719aac99e | NO | |

.claude/skills/remediation-tool/scripts/onboard-tenant.sh

@@ -473,6 +473,7 @@ echo ""
 echo "[INFO] Checking and assigning directory roles..."
 
 SEC_INV_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$APP_SEC_INV")
+EXCH_OP_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$APP_EXCH_OP")
 USER_MGR_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$APP_USER_MGR")
 
 PARTIAL_FAILURE=false
@@ -499,6 +500,28 @@ else
   fi
 fi
 
+# Exchange Operator -> Exchange Administrator
+if [[ -z "$EXCH_OP_OID" ]]; then
+  echo "[WARNING] Exchange Operator SP still not found after consent attempt"
+  STATUS_MAP["Exchange Operator:Exchange Administrator"]="MISSING SP"
+else
+  echo ""
+  echo "[CHECK] Exchange Operator SP: $EXCH_OP_OID"
+  IS_PRESENT=$(role_assigned "$TENANT_ADMIN_TOKEN" "$EXCH_OP_OID" "$ROLE_EXCHANGE_ADMIN")
+  if [[ "$IS_PRESENT" == "true" ]]; then
+    echo "  Exchange Administrator: PRESENT"
+    STATUS_MAP["Exchange Operator:Exchange Administrator"]="OK"
+  else
+    echo "  Exchange Administrator: MISSING -> ASSIGNING..."
+    if assign_role "$TENANT_ADMIN_TOKEN" "$EXCH_OP_OID" "$ROLE_EXCHANGE_ADMIN" "Exchange Administrator"; then
+      STATUS_MAP["Exchange Operator:Exchange Administrator"]=$( [[ "$DRY_RUN" == "true" ]] && echo "DRY-RUN" || echo "ASSIGNED" )
+    else
+      STATUS_MAP["Exchange Operator:Exchange Administrator"]="ERROR"
+      PARTIAL_FAILURE=true
+    fi
+  fi
+fi
+
 # User Manager -> User Administrator + Authentication Administrator
 if [[ -z "$USER_MGR_OID" ]]; then
   echo "[WARNING] User Manager SP still not found after consent attempt"
@@ -554,6 +577,10 @@ SEC_EXCH="${STATUS_MAP["Security Investigator:Exchange Administrator"]:-SKIPPED}
 echo "  Security Investigator:"
 printf "    Exchange Administrator:       %s\n" "[$SEC_EXCH]"
 
+EO_EXCH="${STATUS_MAP["Exchange Operator:Exchange Administrator"]:-SKIPPED}"
+echo "  Exchange Operator:"
+printf "    Exchange Administrator:       %s\n" "[$EO_EXCH]"
+
 UA="${STATUS_MAP["User Manager:User Administrator"]:-SKIPPED}"
 AA="${STATUS_MAP["User Manager:Authentication Administrator"]:-SKIPPED}"
 echo "  User Manager:"