From 2a285d9898c7e58fb02b6a3374780bcd8c66eed9 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Thu, 7 May 2026 09:10:02 -0400 Subject: [PATCH] Cascades: MSP app suite onboarding complete All 5 ComputerGuru apps successfully onboarded: - Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on - API permissions granted (0 errors) - Exchange Administrator role assigned to Security Investigator SP Exchange REST API access pending propagation (15-30 min typical). Next: Re-test Exchange REST after 09:30 AM MST to verify litigation hold check. Co-Authored-By: Claude Sonnet 4.5 --- .../2026-05-07-app-onboarding-complete.md | 129 ++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 clients/cascades-tucson/reports/2026-05-07-app-onboarding-complete.md diff --git a/clients/cascades-tucson/reports/2026-05-07-app-onboarding-complete.md b/clients/cascades-tucson/reports/2026-05-07-app-onboarding-complete.md new file mode 100644 index 0000000..074d70d --- /dev/null +++ b/clients/cascades-tucson/reports/2026-05-07-app-onboarding-complete.md 
@@ -0,0 +1,129 @@ +# ComputerGuru MSP App Suite Onboarding - Cascades Tucson + +**Date:** 2026-05-07 +**Tenant:** Cascades of Tucson (207fa277-e9d8-4eb7-ada1-1064d2221498) +**Completed by:** Mike Swanson (via Claude) + +--- + +## Summary + +Successfully onboarded the ComputerGuru MSP app suite to the Cascades Tucson tenant. All five apps are now consented with appropriate API permissions granted. Exchange Administrator directory role assigned to Security Investigator service principal. + +--- + +## Apps Onboarded + +| App | App ID | Status | Permissions | +|-----|--------|--------|-------------| +| **Security Investigator** | bfbc12a4-f0dd-4e12-b06d-997e7271e10c | Consented | Graph (10), Exchange Online (1) | +| **Exchange Operator** | b43e7342-5b4b-492f-890f-bb5a4f7f40e9 | Consented | Graph (5), Exchange Online (2) | +| **User Manager** | 64fac46b-8b44-41ad-93ee-7da03927576c | Consented | Graph (6) | +| **Tenant Admin** | 709e6eed-0711-4875-9c44-2d3518c47063 | Consented | Graph (admin-level) | +| **Defender Add-on** | dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b | Consented | Graph (1), Defender ATP (5) | + +--- + +## Directory Role Assignments + +**Security Investigator SP (c64ee5c1-a607-46cb-81b8-42de3de98d48):** +- Exchange Administrator role (29232cdf-9323-42fd-ade2-1d097af3e4de) +- Verified via Graph API: memberOf confirms role assignment + +--- + +## Exchange REST API Access - PENDING PROPAGATION + +**Current Status:** HTTP 401 Unauthorized + +**Reason:** Exchange Online role assignment propagation typically takes 15-30 minutes. The Graph API confirms the role is assigned, but Exchange REST API has not yet recognized the permission. + +**Next Steps:** + +1. **Wait 15-30 minutes** for propagation +2. 
**Re-test Exchange REST access:** + ```bash + TOKEN=$(REMEDIATION_AUTH=secret bash scripts/get-token.sh 207fa277-e9d8-4eb7-ada1-1064d2221498 investigator-exo 2>/dev/null) + + curl -s -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + "https://outlook.office365.com/adminapi/beta/207fa277-e9d8-4eb7-ada1-1064d2221498/InvokeCommand" \ + -d '{"CmdletInput":{"CmdletName":"Get-Mailbox","Parameters":{"Identity":"test@cascadestucson.com"}}}' + ``` + +3. **If still 401 after 30 minutes:** + - Verify role assignment in Entra portal: https://entra.microsoft.com → Roles and administrators → Exchange Administrator + - Check for Conditional Access policies blocking service principal sign-ins + - Verify Exchange Online license assigned to tenant + +4. **Once access works:** Re-run Britney Thompson litigation hold check + +--- + +## Validation Tests Passed + +- [x] Tenant Admin token acquisition +- [x] All 5 apps consented successfully +- [x] API permissions granted (0 errors) +- [x] Exchange Administrator role assigned +- [x] Role assignment verified via Graph API +- [ ] Exchange REST API access (pending propagation) + +--- + +## Onboarding Command Used + +```bash +cd /Users/azcomputerguru/ClaudeTools/.claude/skills/remediation-tool +REMEDIATION_AUTH=secret bash scripts/onboard-tenant.sh cascadestucson.com +``` + +**Authentication method:** client_secret (PyJWT not available on macOS) + +--- + +## Service Principal IDs (Cascades Tenant) + +| App | Object ID | +|-----|-----------| +| Tenant Admin | a5fa89a9-b735-4e10-b664-f042e265d137 | +| Security Investigator | c64ee5c1-a607-46cb-81b8-42de3de98d48 | +| Exchange Operator | 1c3bcfe9-6b4b-4273-852c-09d90f9ad146 | +| User Manager | 531becbb-af9b-489c-b8d4-11b1d04d0b42 | +| Defender Add-on | 6e08c11e-e096-4455-8991-46a4d3ccea0e | + +--- + +## What This Enables + +**Remediation Tool Capabilities:** +- `/remediation-tool` slash command now works for Cascades +- User breach checks (sign-in logs, 
risky users, OAuth consents) +- Tenant sweeps (all users, MFA status, admin roles) +- Exchange investigations (after propagation): + - Inbox rules (including hidden) + - Mailbox permissions and delegates + - Forwarding rules + - Litigation hold status + - SendAs / FullAccess permissions + +**M365 Security Operations:** +- Automated breach investigation workflows +- Compliance auditing (litigation hold, retention policies) +- Identity Protection queries +- Conditional Access policy review +- Defender for Endpoint integration (if licensed) + +--- + +## Related Work + +This onboarding was triggered by the need to verify Britney Thompson's litigation hold status for HIPAA compliance (§164.308(a)(3)(ii)(C) + §164.316(b)(2)). + +See: `clients/cascades-tucson/reports/2026-05-07-britney-thompson-litigation-hold-check.md` + +--- + +**Status:** Onboarding complete. Exchange REST access pending propagation (15-30 min). +**Next action:** Re-test Exchange REST API after 09:30 AM MST (15 minutes from now).
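Review bot: Under "Directory Role Assignments", the Security Investigator service principal receives the full Exchange Administrator role, yet every Exchange use listed under "What This Enables" (inbox rules, mailbox permissions and delegates, forwarding rules, litigation hold status, SendAs / FullAccess permissions) is a read. Either state in the report why an investigation app needs a write-capable directory role, or assign it a read-only Exchange role and record that choice here. The same file has three smaller gaps worth closing before merge. The Tenant Admin row lists its permissions only as "Graph (admin-level)" while the other rows give counts, so the scopes actually consented should be enumerated for later audit. The line "Authentication method: client_secret (PyJWT not available on macOS)" should say whether the client secret is the intended long-term credential for this tenant or a workaround to revisit. And "Next action: Re-test Exchange REST API after 09:30 AM MST (15 minutes from now)" uses a relative time that is stale once committed; keep only the absolute time, and consider whether the named individual in "Related Work" needs to appear in this report when the linked litigation hold report already carries it.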