sync: auto-sync from HOWARD-HOME at 2026-06-12 17:02:02

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-12 17:02:02
This commit is contained in:
2026-06-12 17:02:13 -07:00
parent e34d4268bc
commit 4648acbc4c

@@ -0,0 +1,75 @@
# Cascades of Tucson — Shared Mailboxes (Grievances + Surveys) + Delegation
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Created two new shared mailboxes in the Cascades of Tucson M365 tenant (cascadestucson.com): `grievances@cascadestucson.com` and `Surveys@cascadestucson.com`. Both were delegated to Meredith Kuhn (`meredith.kuhn@cascadestucson.com`) and Ashley Jensen (`ashley.jensen@cascadestucson.com`) with Full Access (auto-mapping enabled) and Send As, so each delegate can read the mailboxes from within Outlook and send mail that originates from the shared address.
Work was done via Exchange Online PowerShell using app-only authentication (ComputerGuru Exchange Operator MSP app, cert-based). The `ExchangeOnlineManagement` PowerShell module was not present on this machine — it was installed from PSGallery (v3.10.0) after trusting the repository. An EXO-scoped access token was acquired with the remediation-tool `get-token.sh` script (tier `exchange-op`, cert assertion) and passed to `Connect-ExchangeOnline -AccessToken`, bypassing the missing-cert-in-store and interactive-MFA constraints noted in the client wiki.
Preconditions were verified before any write: both delegate UserMailboxes exist, and both target addresses (`grievances@`, `Surveys@`) were free. After creation, all eight permission grants (2 mailboxes x 2 users x [FullAccess + SendAs]) were applied and then re-verified with `Get-MailboxPermission` / `Get-RecipientPermission`. The `Surveys` mailbox emitted the standard new-mailbox replication notice ("available for logon in approximately 15 minutes") — this did not affect permission application.
Billing for 0.5h Remote was requested. A Syncro ticket-create + bill preview was produced (new ticket, since no existing ticket fit the shared-mailbox work) and is **awaiting user confirmation** — no Syncro write has been performed. The `/save` was invoked before that confirmation, so billing remains pending.
## Key Decisions
- **Send As (not Send on Behalf):** User chose Send As so outbound mail appears strictly from the shared address with no trace of the individual sender — standard for role mailboxes.
- **Full Access with auto-mapping:** delegates' Outlook auto-surfaces the mailboxes; no manual account-add needed.
- **Shared mailboxes, cloud-only:** no license consumed (shared mailboxes are free under 50GB); they do not require an on-prem AD object and are unaffected by Entra Connect sync.
- **App-only EXO via access token:** used the cert-based `get-token.sh` flow rather than interactive sign-in, consistent with the client's documented EXO MSP-app auth note.
- **New Syncro ticket for billing:** none of Cascades' open tickets map to shared-mailbox creation, so a dedicated ticket is the right home for the 0.5h.
## Problems Encountered
- **`ExchangeOnlineManagement` module missing:** `Install-Module` first failed in NonInteractive mode (untrusted PSGallery prompt). Resolved by setting TLS 1.2, bootstrapping the NuGet provider, and `Set-PSRepository -Name PSGallery -InstallationPolicy Trusted`, then re-running the install — succeeded at v3.10.0.
- **`get-token.sh` could not find vault_path:** the skill resolves identity from the user-global `~/.claude/identity.json` (which lacks `vault_path`), not the repo `.claude/identity.json`. Resolved by passing `VAULT_ROOT_ENV=D:/vault` (read from the repo identity file).
- **Vault field name:** `client_secret` lives under `credentials.client_secret` (dot notation), not a top-level field; the initial flat lookup returned `null`. Cert auth was used in the end regardless.
## Configuration Changes
- **M365 tenant cascadestucson.com (live):**
- Created shared mailbox `grievances@cascadestucson.com` (alias `Grievances`, DisplayName "Grievances").
- Created shared mailbox `Surveys@cascadestucson.com` (alias `Surveys`, DisplayName "Surveys").
- Granted FullAccess (InheritanceType All, AutoMapping $true) on both to `meredith.kuhn@` and `ashley.jensen@`.
- Granted SendAs on both to `meredith.kuhn@` and `ashley.jensen@`.
- **This machine (Howard-Home):** installed PowerShell module `ExchangeOnlineManagement` 3.10.0 (CurrentUser scope); set PSGallery InstallationPolicy = Trusted.
- No repo files modified beyond this session log.
## Credentials & Secrets
- No new credentials created. EXO auth used the existing **ComputerGuru Exchange Operator** MSP app (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`), cert-based, vault `msp-tools/computerguru-exchange-operator.sops.yaml` (cert thumbprint `A615823DE1CAF15229027DEC075AFE32B900D82C`, cert expires 2028-04-30).
- Transient EXO access token cached at `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/exchange-op.jwt` (55-min TTL) and staged to `%TEMP%\exo.jwt` for the PowerShell session — ephemeral, not a secret to retain.
## Infrastructure & Servers
- **Tenant:** cascadestucson.com — Tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **Exchange Operator app:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` (home tenant ce61461e-81a0-4c84-bb4a-7b354a9a356d)
- **New shared mailboxes:** `grievances@cascadestucson.com`, `Surveys@cascadestucson.com` (both SharedMailbox)
- **Delegates:** `meredith.kuhn@cascadestucson.com` (Meredith Kuhn), `ashley.jensen@cascadestucson.com` (Ashley Jensen)
- **Syncro customer:** Cascades of Tucson, ID 20149445; prepay block 56.25h (live pull 2026-06-12)
## Commands & Outputs
- Token: `VAULT_ROOT_ENV="D:/vault" bash .../remediation-tool/scripts/get-token.sh 207fa277-e9d8-4eb7-ada1-1064d2221498 exchange-op` -> `auth=cert`, 2219-byte JWT.
- Connect: `Connect-ExchangeOnline -AccessToken $token -Organization 'cascadestucson.com' -ShowBanner:$false` -> CONNECTED.
- Create: `New-Mailbox -Shared -Name <Name> -DisplayName <Display> -PrimarySmtpAddress <smtp>` — both created (Surveys threw the benign "available for logon in ~15 minutes" replication notice).
- Permissions: `Add-MailboxPermission -AccessRights FullAccess -InheritanceType All -AutoMapping $true` and `Add-RecipientPermission -AccessRights SendAs` — all 8 succeeded.
- Verify: `Get-MailboxPermission` / `Get-RecipientPermission` confirmed both delegates hold FullAccess + SendAs on both mailboxes.
- Module install (after fix): `Set-PSRepository -Name PSGallery -InstallationPolicy Trusted` then `Install-Module ExchangeOnlineManagement -Scope CurrentUser` -> INSTALLED 3.10.0.
## Pending / Incomplete Tasks
- **Billing NOT yet executed (awaiting confirmation):** create Syncro ticket for Cascades (20149445), subject "M365 - Create shared mailboxes Grievances + Surveys, delegate to Meredith & Ashley (Remote)", Issue Type Email, tech Howard (1750), no contact (Cascades rule). Bill 0.5h Remote (product 1190473, $150/hr) — prepaid, invoice nets $0.00, block 56.25 -> 55.75. Then invoice, mark Invoiced, post #bot-alerts.
- Outlook auto-mapping for delegates may take up to ~1h to surface; immediately usable via OWA.
## Reference Information
- Client wiki: `wiki/clients/cascades-tucson.md`
- EXO MSP-app auth note (cert-not-in-store -> access-token flow): see client wiki "Email & Identity" / "EXO / Message Trace" sections.
- Remediation skill scripts: `C:\Users\Howard\.claude\skills\remediation-tool\scripts\` (`get-token.sh` tier `exchange-op`).
- Vault root on this machine: `D:/vault` (from `.claude/identity.json` `vault_path`).
- Syncro remote labor product: 1190473 ("Labor - Remote Business", $150.00).
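Review bot: under "Configuration Changes" and "Problems Encountered", `Set-PSRepository -Name PSGallery -InstallationPolicy Trusted` is left in place on Howard-Home after the one install it was meant to unblock; that setting suppresses the untrusted-repository prompt for every future `Install-Module` on the machine, so either revert it once `ExchangeOnlineManagement` 3.10.0 is installed (`Set-PSRepository -Name PSGallery -InstallationPolicy Untrusted`) or scope the override to the single call (`Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force`) and record which was done. Related, "Credentials & Secrets" describes the EXO access token as ephemeral and not a secret to retain, yet the log records it cached as `exchange-op.jwt` under `/tmp/remediation-tool/` and staged to `%TEMP%\exo.jwt` with a 55-minute TTL and no deletion step; an app-only Exchange token is a bearer credential for the tenant for as long as it is valid, so add the removal of both copies to the session record or to "Pending / Incomplete Tasks". Lastly, the "Send As (not Send on Behalf)" decision states that outbound mail carries no trace of the individual sender; the mailbox audit log is the only place a delegate's SendAs is attributed to the actual user, so it is worth confirming `Get-Mailbox` reports `AuditEnabled` as true for both new shared mailboxes before handing them to Meredith and Ashley.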