diff --git a/WORKITEMS.md b/WORKITEMS.md index 0a4534c..b6fcb91 100644 --- a/WORKITEMS.md +++ b/WORKITEMS.md @@ -29,6 +29,7 @@ Tag yourself to claim. Check off when done. Add new items at the bottom of the r - [ ] Cloudflare SXG — disable via dashboard (API tokens lack scope), auto-removes June 23 — @unassigned | added 2026-04-17 - [ ] GrepAI index — run `grepai watch` to build semantic search index — @unassigned | added 2026-04-16 - [ ] Change LAN subnet for ACG-DC16/NEPTUNE on Dataforth network — current 172.16.x.x collides with ACG network (172.16.x.x/22) — @unassigned | added 2026-04-18 +- [ ] Remediation-tool vault gap — 5 tiered Entra apps (investigator, exchange-operator, user-manager, tenant-admin, defender-addon) are referenced by the `remediation-tool` skill but none of the SOPS files exist at `D:/vault/msp-tools/computerguru-*.sops.yaml`. Currently falling back to legacy `claude-msp-access-graph-api` app (broad Graph RW scope). Need Mike to: (1) confirm whether the 5 apps are already registered in Entra — if yes, hand over client IDs + secrets for the vault; (2) if not registered, decide: create the tiered apps or stay on legacy app. Impact: least-privilege model not enforced, bigger blast radius on the one shared secret, and Defender-tier checks unavailable until the MDE add-on app exists. Today's Cascades license audit succeeded on the fallback path — no action required from Howard yet. — @mike | added 2026-04-21 ## Completed diff --git a/clients/cascades-tucson/reports/2026-04-21-defender-license-audit.md b/clients/cascades-tucson/reports/2026-04-21-defender-license-audit.md new file mode 100644 index 0000000..60e9f2f --- /dev/null +++ b/clients/cascades-tucson/reports/2026-04-21-defender-license-audit.md 
@@ -0,0 +1,70 @@ +# Cascades of Tucson — Defender Licensing Audit + +**Date:** 2026-04-21 (UTC) +**Tenant:** cascadestucson.com (`207fa277-e9d8-4eb7-ada1-1064d2221498`) +**Requested by:** Howard Enos +**Question:** Is Cascades paying for Defender via their existing license SKUs? + +--- + +## TL;DR + +**Yes — but it's not reaching any end users.** Cascades has purchased **34 seats of Microsoft 365 Business Premium (SPB)** which bundles Defender for Business (MDE_SMB) + Defender for Office 365 Plan 1 (ATP_ENTERPRISE). **Only 1 of those 34 seats is assigned**, and it's on a service account (`MDMS@`). The other 32 real users are still pinned to the older **Business Standard** subscription, which is now in **warning/grace state** (expiring) and includes **no Defender at all**. + +This looks like a stalled/forgotten license migration. The purchase order covered the whole org; the assignment step never happened. + +--- + +## Subscribed SKUs (what Cascades is paying for) + +| Part Number | Friendly Name | Seats (enabled) | Consumed | State | Notes | +|---|---|---|---|---|---| +| **SPB** | Microsoft 365 Business Premium | **34** | **1** | Enabled | Includes **MDE_SMB** (Defender for Business) + **ATP_ENTERPRISE** (Defender for O365 P1) | +| **O365_BUSINESS_PREMIUM** | Microsoft 365 Business Standard (legacy name) | 0 (warning: 34) | 32 | **Warning / grace** | **No Defender.** Past-due subscription, ~30-day grace window | +| **EXCHANGE_S_ESSENTIALS** | Exchange Essentials | 0 (suspended: 24) | 6 | **Suspended** | Old — 6 stale assignments | +| **AAD_PREMIUM_P2** | Entra ID P2 | 1 | 0 | Enabled | Paid for, nobody assigned | +| **FLOW_FREE** | Power Automate Free | 10000 | 3 | Enabled | Free — not billed | +| **STREAM** | Stream | 1000000 | 0 | Enabled | Free — not billed | + +## Defender service plans inside SPB + +Verified via Graph `/subscribedSkus` service plan list: + +- `MDE_SMB` — Defender for Business (endpoint AV/EDR) — provisioning: Success +- `ATP_ENTERPRISE` — 
Defender for Office 365 Plan 1 (Safe Links / Safe Attachments / anti-phish) — provisioning: Success + +Business Standard (`O365_BUSINESS_PREMIUM`) contains **zero** Defender service plans. + +## License assignments + +**SPB (Business Premium — includes Defender):** 1 assignee +- `MDMS@cascadestucson.com` (MDMS Service Account — created 2026-04-19 by Howard for MDM) + +**Business Standard (NO Defender, expiring):** 32 active users +- All 32 real end-users (Meredith Kuhn, John Trozzi, Accounting, Front Desk, HR, etc.) + +**Entra ID P2:** 0 assignees (paid seat sitting unused) + +## What this means + +1. **Cascades already owns enough Business Premium seats (34) for their whole user base.** No new purchase needed to give every user Defender. +2. **The Business Standard subscription is in `warning` state — it's past due and will suspend, then deprovision.** When it does, those 32 users lose mail, Office, Teams, everything — not just the missing Defender. +3. **Action is urgent regardless of the Defender question**: the right move is to migrate the 32 users off the expiring Business Standard onto the Business Premium seats that are already paid for and sitting idle. That simultaneously: + - Prevents loss of service when Business Standard drops + - Activates Defender for Business + MDO P1 across the org + - Gets Intune/Conditional Access coverage (also in SPB) +4. **Entra ID P2 seat (1)** — recommend assigning to an admin account (sysadmin@ or similar) so Identity Protection / PIM features are usable. + +## Recommended next steps (not executed — read-only audit) + +- [ ] Migrate 32 active users from Business Standard → Business Premium via CIPP or admin center +- [ ] Verify Business Standard subscription renewal state with Meredith — is the grace state intentional (cutover) or missed renewal? 
+- [ ] Assign the idle Entra P2 seat to an admin account +- [ ] Clean up 6 Exchange Essentials stale assignments (suspended subscription) +- [ ] Once SPB is broadly assigned, enable Defender for Business onboarding (MDE_SMB) + confirm MDO P1 anti-phish policies are pointed at all users + +## Data source + +- Graph API `/subscribedSkus` and `/users?$select=assignedLicenses` via the legacy `claude-msp-access-graph-api` app (client `fabb3421-...`). +- Raw JSON artifacts: `/tmp/cascades-licenses/skus.json`, `/tmp/cascades-licenses/users.json`. +- Note: the newer tiered `investigator` app is not yet wired into the SOPS vault (see separate note to Mike).
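Review bot: in the WORKITEMS.md hunk, the new item describes the `remediation-tool` skill silently falling back to the legacy `claude-msp-access-graph-api` app (broad Graph RW scope) when none of the SOPS files at `D:/vault/msp-tools/computerguru-*.sops.yaml` exist, but the work item only asks Mike for a decision on the five Entra app registrations; the fallback behaviour itself is left untracked. Suggest splitting the item into (a) the registration/handover decision for @mike and (b) a change to the skill so that a missing SOPS file for the requested tier fails closed (or requires an explicit override) and logs that it fell back, since a read-only task like today's Cascades license audit should not need RW scope. The entry names the impact ("bigger blast radius on the one shared secret") but gives no interim mitigation or owner for that risk while the legacy secret stays in use; a one-line note on who owns it and until when would make the item actionable.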
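Review bot: in the new report file, the seat arithmetic in the TL;DR and "What this means" does not line up as written: 34 SPB seats with 1 assigned leaves 33 free, yet the TL;DR says "The other 32 real users", and "License assignments" lists 32 Business Standard users plus the `MDMS@` service account, so after migration there is either one spare SPB seat or one account unaccounted for. Suggest stating the totals explicitly (33 licensed accounts, 34 seats, 1 spare) so whoever runs the CIPP migration knows the expected end state. Two smaller points: "Data source" says this read-only audit was run through the legacy `claude-msp-access-graph-api` app (broad Graph RW scope), which sits uneasily beside the "not executed" framing and should be called out as the concrete reason the tiered `investigator` app needs to be wired into the vault; and the raw artifacts under `/tmp/cascades-licenses/` hold the full user list with assigned licenses, so the report should say whether they are retained, moved under `clients/cascades-tucson/reports/`, or deleted once the report is filed.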