From 48f1b4b6121e02ac0026ebde3fb9d755c1043a4b Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 21 Apr 2026 17:56:24 -0700 Subject: [PATCH] =?UTF-8?q?Session=20log:=20GlazTech=20=E2=80=94=20clearcu?= =?UTF-8?q?tglass.com=20transport=20rule=20removal=20+=20M365=20security?= =?UTF-8?q?=20review?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removed DMARC bypass transport rule for clearcutglass.com from GlazTech Exchange Online - Reviewed clearcutglass.com DNS post Team Logic IT changes; flagged SPF softfail (~all) - Communicated findings to client and IT vendor (Jordan Fox / Team Logic IT) - M365 tenant review: removed external Global Admin (tomakkglass.com guest) - Identified no MFA enforcement (Security Defaults disabled, no CA, no P1) - Created Syncro ticket #32186 for MFA implementation project - Documented MFA rollout plan and service account audit requirements Co-Authored-By: Claude Sonnet 4.6 --- .../session-logs/2026-04-21-session.md | 169 ++++++++++++++++++ 1 file changed, 169 insertions(+) create mode 100644 clients/glaztech/session-logs/2026-04-21-session.md diff --git a/clients/glaztech/session-logs/2026-04-21-session.md b/clients/glaztech/session-logs/2026-04-21-session.md new file mode 100644 index 0000000..043e8f5 --- /dev/null +++ b/clients/glaztech/session-logs/2026-04-21-session.md 
@@ -0,0 +1,169 @@ +# Session Log: 2026-04-21 + +## User +- **User:** Mike Swanson (mike) +- **Machine:** DESKTOP-0O8A1RL +- **Role:** admin + +## Session Summary + +Two distinct work items for GlazTech this session: + +1. **clearcutglass.com DMARC** — Team Logic IT (Jordan Fox) made DNS changes to clearcutglass.com to fix a DMARC rejection issue affecting email to GlazTech. Verified DNS, removed the temporary Exchange transport rule bypass we had set, communicated findings and recommendations to client and IT vendor. + +2. **M365 Security Review** — Routine check of GlazTech's 365 tenant surfaced no MFA enforcement, an external Global Admin from tomakkglass.com (Team Logic IT), and several service accounts that need to be audited before MFA rollout. External GA removed. New ticket created for MFA implementation project. Client-facing and internal comments posted. + +--- + +## Client: GlazTech +- **Syncro Customer ID:** 143932 +- **M365 Tenant ID:** 82931e3c-de7a-4f74-87f7-fe714be1f160 +- **M365 Tenant Domain:** glaztech.com / glaztechindustries.onmicrosoft.com +- **Steve Eastman:** seastman@glaztech.com — GlazTech internal IT, ~200 users, 9 locations. Desktop-level tech, guides technical direction. We implement. + +--- + +## Work Item 1: clearcutglass.com DMARC Transport Rule + +### Background +Corena Spottsville (clearcutglass.com) emails to seastman@glaztech.com and zulema@glaztech.com were being rejected with DMARC p=reject. We had set a temporary transport rule in GlazTech's Exchange Online to bypass DMARC filtering for clearcutglass.com. Team Logic IT (Jordan Fox, jfox@tlit60302.com) made DNS changes to fix clearcutglass.com's DMARC alignment. + +### DNS Review (clearcutglass.com) +``` +SPF: v=spf1 include:mailgun.org include:spf.protection.outlook.com ~all +DMARC: v=DMARC1;p=reject;rua=mailto:teamlogicit@clearcutglass.com;... 
+MX: clearcutglass.com.1.0001.arsmtp.com (pri 10) — AppRiver inbound filter +``` + +**Finding:** SPF uses `~all` (softfail) instead of `-all` (hardfail). With DMARC p=reject, if DKIM doesn't align DMARC will still reject. Recommended Team Logic IT change to `-all` and confirm DKIM signing is enabled in M365 for clearcutglass.com. + +### Transport Rule Removal +Rule name: `TEMP - Allow DMARC fail from clearcutglass.com` +- Matched sender domain: clearcutglass.com +- Set SCL: -1 (bypass all spam/DMARC filtering) + +Removed via EXO cmdlet invocation: +```bash +curl -X POST "https://outlook.office365.com/adminapi/beta/${TENANT}/InvokeCommand" \ + -H "Authorization: Bearer ${EXO_TOKEN}" \ + -H "Content-Type: application/json" \ + -d '{"CmdletInput": {"CmdletName": "Remove-TransportRule", "Parameters": {"Identity": "TEMP - Allow DMARC fail from clearcutglass.com", "Confirm": false}}}' +``` + +Verified via Get-TransportRule — no rules remain in tenant. + +### Syncro +- **Ticket #32176** (ID: 109216691) — "Exchange Online - DMARC override for clearcutglass.com" — Status: Invoiced +- Comment posted: "Update - Rule Removed + DNS Review" (ID: 406843369) + +### Communication +Email sent to seastman@glaztech.com, zulema@glaztech.com, CC: jfox@tlit60302.com advising: +- Transport rule removed on our end +- SPF ~all finding and recommendation to harden to -all +- Request test email to confirm clean delivery + +--- + +## Work Item 2: M365 Security Review + +### Remediation Tool Access +- **App used:** ComputerGuru Security Investigator (investigator tier) + ComputerGuru Exchange Operator (exchange-op) + ComputerGuru Tenant Admin (tenant-admin) +- **Token location:** `/tmp/remediation-tool/82931e3c-de7a-4f74-87f7-fe714be1f160/{tier}.jwt` + +### Findings + +**[DONE] External Global Admin removed** +- `glaztechadmin_tomakkglass.com#EXT#@glaztechindustries.onmicrosoft.com` (Glaztech Admin, object ID: 517a22b0-cf46-4b60-8d8d-893fb9bc4698) had Global Administrator rights +- 
tomakkglass.com = Team Logic IT's domain +- Removed via DELETE `/directoryRoles/{roleId}/members/{userId}/$ref` using tenant-admin token +- GA Role ID: 67ea6bf1-dc3c-418f-b151-817936d65a52 +- Verified: only `admin@glaztechindustries.onmicrosoft.com` (ACG admin) remains as GA + +**[CRITICAL] Security Defaults: DISABLED** +- No Entra ID P1 license — no Conditional Access policies +- No MFA enforcement of any kind on the tenant +- ~160 users signing in with password only + +**[INFO] No Conditional Access policies** — tenant is on basic M365 licensing + +**[INFO] No Identity Protection** — requires P1, not licensed + +**[INFO] Mailbox forwarding — internal only, low risk** +- `Payroll@glaztech.com` → `carmen@glaztech.com` (DeliverToMailboxAndForward: true) +- `TUCCSR@glaztech.com` → `bryce@glaztech.com` (DeliverToMailboxAndForward: true) + +**[PENDING] Unlicensed enabled accounts — awaiting Steve confirmation** +- `Chauntelle@glaztech.com` +- `Denouser1@glaztech.com` (Den OUser1) +- `Gti-FaxFinder@glaztech.com` + +**[PENDING] Service accounts to audit before MFA rollout** +- Shoretel@glaztech.com — phone system +- mitel@glaztech.com — phone system +- Gti-FaxFinder@glaztech.com — fax-to-email relay +- GTIMail@glaztech.com +- GTIQUOTE@glaztech.com +- CAS1944@glaztechindustries.onmicrosoft.com +- clerk@glaztech.com +- Need to confirm: are any still using SMTP basic auth / password-only flows? 
+ +**[INFO] 38 OAuth consent grants** — not audited this session + +### MFA Rollout Plan (Internal) + +**Phase 1 — Communication (Week 1)** +- All-user notice: MFA is being enabled, install Microsoft Authenticator +- Set enforcement date ~2 weeks out + +**Phase 2 — Enable Security Defaults (Week 2)** +- Free tier, no P1 required +- 14-day grace period for users to register before enforcement +- Cannot exclude specific accounts — service accounts must be migrated or excluded via alternative + +**Phase 3 — Follow-up (Week 3+)** +- Identify non-registered users, assist stragglers + +**Phase 4 — Conditional Access (Future, requires Entra P1)** +- Location-based policies (trusted office IPs bypass MFA) +- Service account exclusions +- Per-group policies for executives vs. general staff +- Requires Entra ID P1 — included in M365 Business Premium (~$22/user/mo) +- Recommendation: upgrade ~20-25 key accounts (execs, finance, HR, IT, admins) to Business Premium rather than full org + +**Licensing options presented to Steve:** +1. Security Defaults — free, no exclusions possible +2. Per-user MFA — free, legacy, can exclude service accounts +3. Conditional Access (P1/Business Premium) — recommended long-term + +### Syncro +- **Ticket #32186** (ID: 109276671) — "M365 Security Review - MFA Implementation & Account Audit" — Status: In Progress, assigned Mike (1735) +- Comment 1 (client): "M365 Account Review - Questions for Steve" — unlicensed accounts, forwarding confirmation, MFA heads-up, CA location question (ID: 406845279) +- Comment 2 (client): "Service Account Review + MFA Licensing Options" — service account audit request, 3 licensing options explained (ID: 406846347) +- Comment 3 (internal/hidden): Full findings + MFA rollout plan (ID: 406845343) + +--- + +## Tone Correction (feedback saved to memory) + +Comments to Steve were written too much like first-visit intake ("can you tell us about your setup"). ACG has managed GlazTech for ~15 years. 
Steve is their internal IT guy who guides direction, we implement. Future comments should lead with what we know, state findings and actions, and ask only one targeted specific question when genuinely needed. Not open-ended discovery. + +Also: ALL Syncro comments require a preview and explicit confirmation before posting. No exceptions. + +--- + +## Pending / Next Steps + +1. **Steve reply needed** — service account auth methods, unlicensed account disposition, licensing preference (Security Defaults vs. per-user MFA vs. CA/P1) +2. **MFA rollout** — pending Steve's input. Do not enable Security Defaults until service accounts are confirmed safe. +3. **clearcutglass.com** — await test email from Jordan Fox / Corena confirming clean delivery after transport rule removal +4. **OAuth consent grants** — 38 grants not audited; worth reviewing in a future session +5. **GlazTech ticket #32186** — no billing yet, waiting on Steve response to scope the MFA work + +--- + +## Files Modified + +- `D:\claudetools\clients\glaztech\session-logs\2026-04-21-session.md` — this file +- `C:\Users\guru\.claude\projects\D--claudetools\memory\feedback_client_tone.md` — new memory: expert partner tone with clients +- `C:\Users\guru\.claude\projects\D--claudetools\memory\feedback_syncro_billing.md` — updated: always preview ALL comments before posting +- `C:\Users\guru\.claude\projects\D--claudetools\memory\MEMORY.md` — updated index
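Review bot: the SPF finding under "DNS Review (clearcutglass.com)" misattributes the DMARC outcome to the `~all` qualifier. DMARC credits SPF only when the result is `pass` on an aligned domain; `softfail` and `fail` are both non-pass, so changing `~all` to `-all` does not alter a `p=reject` disposition in either direction. The sentence "if DKIM doesn't align DMARC will still reject" is correct, but the operative fix is aligned DKIM signing for whichever path delivered the rejected messages (or adding that path to SPF so it passes), and the log should state that rather than presenting `-all` as the DMARC remedy; `-all` remains worth recommending as spoofing hardening for receivers that do not evaluate DMARC. Two smaller points: the log gives ~200 users under "Client: GlazTech" and ~160 password-only users under the Security Defaults finding; say which figure is licensed vs. total so the MFA rollout scope is unambiguous. And since Security Defaults also block legacy authentication protocols, the "Do not enable Security Defaults until service accounts are confirmed safe" step should name basic-auth SMTP explicitly as the thing being checked, tying it to the question already asked in the service-account list.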