sync: auto-sync from HOWARD-HOME at 2026-04-21 18:50:48

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-21 18:50:48
2026-04-21 18:50:50 -07:00
parent 63089c45c9
commit 347b2d30a9
2 changed files with 71 additions and 0 deletions

@@ -29,6 +29,7 @@ Tag yourself to claim. Check off when done. Add new items at the bottom of the r
- [ ] Cloudflare SXG — disable via dashboard (API tokens lack scope), auto-removes June 23 — @unassigned | added 2026-04-17
- [ ] GrepAI index — run `grepai watch` to build semantic search index — @unassigned | added 2026-04-16
- [ ] Change LAN subnet for ACG-DC16/NEPTUNE on Dataforth network — current 172.16.x.x collides with ACG network (172.16.x.x/22) — @unassigned | added 2026-04-18
- [ ] Remediation-tool vault gap — 5 tiered Entra apps (investigator, exchange-operator, user-manager, tenant-admin, defender-addon) are referenced by the `remediation-tool` skill but none of the SOPS files exist at `D:/vault/msp-tools/computerguru-*.sops.yaml`. Currently falling back to legacy `claude-msp-access-graph-api` app (broad Graph RW scope). Need Mike to: (1) confirm whether the 5 apps are already registered in Entra — if yes, hand over client IDs + secrets for the vault; (2) if not registered, decide: create the tiered apps or stay on legacy app. Impact: least-privilege model not enforced, bigger blast radius on the one shared secret, and Defender-tier checks unavailable until the MDE add-on app exists. Today's Cascades license audit succeeded on the fallback path — no action required from Howard yet. — @mike | added 2026-04-21
## Completed
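Review bot: the new item documents a silent fallback to the broad-scope legacy `claude-msp-access-graph-api` app but adds no interim guard or deadline, so the bigger-blast-radius condition it describes stays in place for as long as Mike's decision is pending. Suggest two concrete follow-ups in the same item: have the `remediation-tool` skill log clearly (or fail closed for the tenant-admin and defender-addon tiers) whenever it cannot find the SOPS files at `D:/vault/msp-tools/computerguru-*.sops.yaml` and falls back to the legacy app, and record the rotation/expiry date of that app's one shared secret so the exposure window is tracked. Style point: the entry runs the request to Mike, the impact analysis and today's status together in one line, which is much longer than the rest of the checklist; keeping the checklist line to the ask and owner and moving the impact analysis into the audit note it already references would match the other entries.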

@@ -0,0 +1,70 @@
# Cascades of Tucson — Defender Licensing Audit
**Date:** 2026-04-21 (UTC)
**Tenant:** cascadestucson.com (`207fa277-e9d8-4eb7-ada1-1064d2221498`)
**Requested by:** Howard Enos
**Question:** Is Cascades paying for Defender via their existing license SKUs?
---
## TL;DR
**Yes — but it's not reaching any end users.** Cascades has purchased **34 seats of Microsoft 365 Business Premium (SPB)** which bundles Defender for Business (MDE_SMB) + Defender for Office 365 Plan 1 (ATP_ENTERPRISE). **Only 1 of those 34 seats is assigned**, and it's on a service account (`MDMS@`). The other 32 real users are still pinned to the older **Business Standard** subscription, which is now in **warning/grace state** (expiring) and includes **no Defender at all**.
This looks like a stalled/forgotten license migration. The purchase order covered the whole org; the assignment step never happened.
---
## Subscribed SKUs (what Cascades is paying for)
| Part Number | Friendly Name | Seats (enabled) | Consumed | State | Notes |
|---|---|---|---|---|---|
| **SPB** | Microsoft 365 Business Premium | **34** | **1** | Enabled | Includes **MDE_SMB** (Defender for Business) + **ATP_ENTERPRISE** (Defender for O365 P1) |
| **O365_BUSINESS_PREMIUM** | Microsoft 365 Business Standard (legacy name) | 0 (warning: 34) | 32 | **Warning / grace** | **No Defender.** Past-due subscription, ~30-day grace window |
| **EXCHANGE_S_ESSENTIALS** | Exchange Essentials | 0 (suspended: 24) | 6 | **Suspended** | Old — 6 stale assignments |
| **AAD_PREMIUM_P2** | Entra ID P2 | 1 | 0 | Enabled | Paid for, nobody assigned |
| **FLOW_FREE** | Power Automate Free | 10000 | 3 | Enabled | Free — not billed |
| **STREAM** | Stream | 1000000 | 0 | Enabled | Free — not billed |
## Defender service plans inside SPB
Verified via Graph `/subscribedSkus` service plan list:
- `MDE_SMB` — Defender for Business (endpoint AV/EDR) — provisioning: Success
- `ATP_ENTERPRISE` — Defender for Office 365 Plan 1 (Safe Links / Safe Attachments / anti-phish) — provisioning: Success
Business Standard (`O365_BUSINESS_PREMIUM`) contains **zero** Defender service plans.
## License assignments
**SPB (Business Premium — includes Defender):** 1 assignee
- `MDMS@cascadestucson.com` (MDMS Service Account — created 2026-04-19 by Howard for MDM)
**Business Standard (NO Defender, expiring):** 32 active users
- All 32 real end-users (Meredith Kuhn, John Trozzi, Accounting, Front Desk, HR, etc.)
**Entra ID P2:** 0 assignees (paid seat sitting unused)
## What this means
1. **Cascades already owns enough Business Premium seats (34) for their whole user base.** No new purchase needed to give every user Defender.
2. **The Business Standard subscription is in `warning` state — it's past due and will suspend, then deprovision.** When it does, those 32 users lose mail, Office, Teams, everything — not just the missing Defender.
3. **Action is urgent regardless of the Defender question**: the right move is to migrate the 32 users off the expiring Business Standard onto the Business Premium seats that are already paid for and sitting idle. That simultaneously:
- Prevents loss of service when Business Standard drops
- Activates Defender for Business + MDO P1 across the org
- Gets Intune/Conditional Access coverage (also in SPB)
4. **Entra ID P2 seat (1)** — recommend assigning to an admin account (sysadmin@ or similar) so Identity Protection / PIM features are usable.
## Recommended next steps (not executed — read-only audit)
- [ ] Migrate 32 active users from Business Standard → Business Premium via CIPP or admin center
- [ ] Verify Business Standard subscription renewal state with Meredith — is the grace state intentional (cutover) or missed renewal?
- [ ] Assign the idle Entra P2 seat to an admin account
- [ ] Clean up 6 Exchange Essentials stale assignments (suspended subscription)
- [ ] Once SPB is broadly assigned, enable Defender for Business onboarding (MDE_SMB) + confirm MDO P1 anti-phish policies are pointed at all users
## Data source
- Graph API `/subscribedSkus` and `/users?$select=assignedLicenses` via the legacy `claude-msp-access-graph-api` app (client `fabb3421-...`).
- Raw JSON artifacts: `/tmp/cascades-licenses/skus.json`, `/tmp/cascades-licenses/users.json`.
- Note: the newer tiered `investigator` app is not yet wired into the SOPS vault (see separate note to Mike).
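Review bot: the seat arithmetic in the TL;DR does not add up: 34 SPB seats with 1 consumed leaves 33 unassigned, not 32, and the 32 Business Standard users plus the `MDMS@` service account total 33, so one SPB seat remains spare after the migration. Stating that explicitly (and reconciling it with the "warning: 34" figure on the O365_BUSINESS_PREMIUM row) avoids a reader assuming the seat count is an exact match. Two documentation points: the only evidence cited is `/tmp/cascades-licenses/skus.json` and `users.json`, which will not survive a reboot, so either commit the artifacts with user identifiers stripped or record the Graph query timestamp and the raw seat/consumed counts inline so the audit can be reproduced; and the file names client end users and the customer tenant ID while the commit message says it is an auto-sync from a home machine, so confirm the repository's access is scoped to the MSP team before further per-customer audits are added here.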