From 4bb5dd937b20a8755b48a36142d27c1faaca8197 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 21 Apr 2026 19:28:57 -0700 Subject: [PATCH] chore: clear addressed messages from for-mike.md --- .claude/messages/for-mike.md | 67 +----------------------------------- 1 file changed, 1 insertion(+), 66 deletions(-) diff --git a/.claude/messages/for-mike.md b/.claude/messages/for-mike.md index 7023cb5..9e5855a 100644 --- a/.claude/messages/for-mike.md +++ b/.claude/messages/for-mike.md 
@@ -1,68 +1,3 @@ # Note for Mike -## From Howard, 2026-04-19 - FOLLOW-UP (update after your approval) - -You approved it (thank you), and you/I clicked the admin-consent URL on Cascades. Microsoft redirected to `login.microsoftonline.com/common/wrongplace` (their standard "consent succeeded but no app redirect configured" landing page). - -**But it didn't actually grant the scope.** I re-ran the risky-user check and still got `Forbidden`. I decoded the JWT and confirmed the `IdentityRiskyUser.Read.All` role is not in the token's `roles` array. - -**Why:** the scope isn't in the app manifest yet. Tenant-side consent can only grant permissions the app has declared it wants. The fix has to happen on OUR side, at the app registration in our home Azure tenant: - -1. Azure Portal > Entra ID > App Registrations > **ComputerGuru - AI Remediation** (App ID `fabb3421-8b34-484b-bc17-e46de9703418`) -2. API Permissions > Add a permission > Microsoft Graph > Application permissions -3. Add `IdentityRiskyUser.Read.All` -4. Grant admin consent in our home tenant (or skip — customer tenants will each re-consent) -5. For each customer tenant we want it on, re-run the admin consent URL: - `https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418` - -For Cascades that URL is: -``` -https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418 -``` - -(Same URL — just needs to be clicked AGAIN after the manifest is updated, because now it'll include the new permission in the consent prompt.) - -Let me know when the manifest is updated and I'll re-test. 
- ---- - -## From Howard, 2026-04-19 (original ask) - -### Cascades of Tucson - M365 Remediation App - Identity Protection scope - -During today's phishing investigation on Cascades of Tucson (crystal.rodriguez, et al.), the 10-point breach check returned `Forbidden` on `/identityProtection/riskyUsers` and `/identityProtection/riskDetections` because **Claude-MSP-Access (ComputerGuru - AI Remediation, App ID `fabb3421-8b34-484b-bc17-e46de9703418`) lacks admin consent for `IdentityRiskyUser.Read.All` on the Cascades tenant.** - -**Asking before I grant:** should I go ahead and give this consent, or do you want to hold off? - -#### What the scope does - -- **Read-only.** Reads Entra ID Identity Protection signals: risky-user state (low/medium/high), and the underlying risk detections (impossible travel, anonymous IP, leaked credentials, malware-linked IP, etc.). -- **No write capability** - not `ReadWrite.All`, just `Read.All`. The app cannot reset risk state, dismiss detections, or modify anything in Identity Protection. -- **Tenant-scoped.** Consent applies only to the Cascades tenant; doesn't affect other clients. - -#### Why I want it - -- Closes a visibility gap in our standard breach-check workflow. Today I had to tell the report "this check skipped" for risky-user signals. -- Saves us from logging into the Defender / Entra portal manually during IR to cross-check. -- Cascades has Defender P1+ (based on targeted-user protection already configured), so risk data exists to read. - -#### Why you might say no - -- Every additional scope on the app = larger blast radius if the app's client secret/cert leaks. -- Scope is persistent until revoked via the portal. -- Identity Protection data can include sensitive info (IPs, geo, device hints). If our audit logging is weak, reading it leaves tracks we should be aware of. 
- -#### My lean - -**Allow it.** The scope is read-only, the app is narrowly controlled (only us), and we already have Mail.Read, User.Read.All, Exchange Admin, etc. — which are materially more sensitive than this. The inconsistency of "we can read full mailbox contents but not risky-user flags" doesn't match a risk-based model. - -If you say yes, consent URL is: -``` -https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418 -``` - -Takes ~30 seconds. Sign in as a GA on Cascades' tenant (sysadmin@ works), review the permission, click Accept. - -Full investigation report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md` - -- Howard +Check this file at sync. Delete items after you've addressed them.
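Review bot: the deleted FOLLOW-UP block (the `-## From Howard, 2026-04-19 - FOLLOW-UP` section in this hunk) records an open action item, not an addressed one: it states that after the consent click the re-run still returned `Forbidden`, that `IdentityRiskyUser.Read.All` was absent from the token's `roles` array, and that Howard would re-test once the app manifest was updated and the consent URL was clicked again. Clearing it under a "clear addressed messages" commit loses the only record of that pending state; suggest the commit message (or the one remaining line in the file) state whether the manifest was updated, the Cascades consent was re-granted, and the re-test passed, so the tenant's consent status is not left ambiguous. Separately, the removed text carried the app client ID, the Cascades tenant ID, a full admin-consent URL, customer and user names, and an internal report path; deleting those from `for-mike.md` does not remove them from repository history, so if this repository is shared beyond the two of you, treat that data as already present in history rather than as cleaned up by this change.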