azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: clear addressed messages from for-mike.md

Browse Source
This commit is contained in:
Mike Swanson
2026-04-21 19:28:57 -07:00
parent cae7b63481
commit 4bb5dd937b
1 changed files with 1 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
.claude/messages/for-mike.md
View File

@@ -1,68 +1,3 @@
# Note for Mike
## From Howard, 2026-04-19 - FOLLOW-UP (update after your approval)
You approved it (thank you), and you/I clicked the admin-consent URL on Cascades. Microsoft redirected to `login.microsoftonline.com/common/wrongplace` (their standard "consent succeeded but no app redirect configured" landing page).
**But it didn't actually grant the scope.** I re-ran the risky-user check and still got `Forbidden`. I decoded the JWT and confirmed the `IdentityRiskyUser.Read.All` role is not in the token's `roles` array.
**Why:** the scope isn't in the app manifest yet. Tenant-side consent can only grant permissions the app has declared it wants. The fix has to happen on OUR side, at the app registration in our home Azure tenant:
1. Azure Portal > Entra ID > App Registrations > **ComputerGuru - AI Remediation** (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
2. API Permissions > Add a permission > Microsoft Graph > Application permissions
3. Add `IdentityRiskyUser.Read.All`
4. Grant admin consent in our home tenant (or skip — customer tenants will each re-consent)
5. For each customer tenant we want it on, re-run the admin consent URL:
`https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418`
For Cascades that URL is:
```
https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418
```
(Same URL — just needs to be clicked AGAIN after the manifest is updated, because now it'll include the new permission in the consent prompt.)
Let me know when the manifest is updated and I'll re-test.
---
## From Howard, 2026-04-19 (original ask)
### Cascades of Tucson - M365 Remediation App - Identity Protection scope
During today's phishing investigation on Cascades of Tucson (crystal.rodriguez, et al.), the 10-point breach check returned `Forbidden` on `/identityProtection/riskyUsers` and `/identityProtection/riskDetections` because **Claude-MSP-Access (ComputerGuru - AI Remediation, App ID `fabb3421-8b34-484b-bc17-e46de9703418`) lacks admin consent for `IdentityRiskyUser.Read.All` on the Cascades tenant.**
**Asking before I grant:** should I go ahead and give this consent, or do you want to hold off?
#### What the scope does
- **Read-only.** Reads Entra ID Identity Protection signals: risky-user state (low/medium/high), and the underlying risk detections (impossible travel, anonymous IP, leaked credentials, malware-linked IP, etc.).
- **No write capability** - not `ReadWrite.All`, just `Read.All`. The app cannot reset risk state, dismiss detections, or modify anything in Identity Protection.
- **Tenant-scoped.** Consent applies only to the Cascades tenant; doesn't affect other clients.
#### Why I want it
- Closes a visibility gap in our standard breach-check workflow. Today I had to tell the report "this check skipped" for risky-user signals.
- Saves us from logging into the Defender / Entra portal manually during IR to cross-check.
- Cascades has Defender P1+ (based on targeted-user protection already configured), so risk data exists to read.
#### Why you might say no
- Every additional scope on the app = larger blast radius if the app's client secret/cert leaks.
- Scope is persistent until revoked via the portal.
- Identity Protection data can include sensitive info (IPs, geo, device hints). If our audit logging is weak, reading it leaves tracks we should be aware of.
#### My lean
**Allow it.** The scope is read-only, the app is narrowly controlled (only us), and we already have Mail.Read, User.Read.All, Exchange Admin, etc. — which are materially more sensitive than this. The inconsistency of "we can read full mailbox contents but not risky-user flags" doesn't match a risk-based model.
If you say yes, consent URL is:
```
https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418
```
Takes ~30 seconds. Sign in as a GA on Cascades' tenant (sysadmin@ works), review the permission, click Accept.
Full investigation report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md`
- Howard
Check this file at sync. Delete items after you've addressed them.