sync: auto-sync from GURU-BEAST-ROG at 2026-06-02 10:44:23

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-02 10:44:23

clients/glaztech/session-logs/2026-06-02-session.md

@@ -0,0 +1,117 @@
+# Session Log — 2026-06-02 — Glaz-Tech Industries
+
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** GURU-BEAST-ROG
+- **Role:** admin
+
+---
+
+## Session Summary
+
+Mike requested a transport rule in the Glaztech Exchange Online tenant to allow messages from MailProtector as `noreply@azcomputerguru.com` through spam filtering. These are MailProtector quarantine digest notifications sent to Glaztech users on behalf of ACG's no-reply address.
+
+Before creating the rule, a message trace was pulled (via `Get-MessageTraceV2`) for `noreply@azcomputerguru.com` over the past 10 days to verify that messages were in fact being filtered by Microsoft. The trace confirmed the issue: the vast majority of digest messages delivered successfully, but some recipients were hitting `FilteredAsSpam` status (e.g., `tshaw@glaztech.com` on 2026-06-02 at 3:07 PM). The `gtimail@glaztech.com` address showed `Failed` status on every daily send — this is caused by the existing "GTIMail No-Reply - Reject Inbound" transport rule (Priority 1, `SentToPredicate` → `RejectMessageAction`) and is a separate, pre-existing issue noted for follow-up.
+
+Authentication to Exchange Online used the ComputerGuru Exchange Operator multi-tenant app (`b43e7342`) with certificate-based credentials from the vault. The token was acquired via `get-token.sh` for the `exchange-op` tier against the Glaztech tenant (`82931e3c-de7a-4f74-87f7-fe714be1f160`) and passed to `Connect-ExchangeOnline -AccessToken` with EXO PowerShell V3 (3.9.2).
+
+A new transport rule was created: **"SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)"** at Priority 4, condition `From: noreply@azcomputerguru.com`, action `SetSCL -1`. This bypasses all spam and junk folder filtering for these digests. The rule was verified active immediately after creation.
+
+---
+
+## Key Decisions
+
+- **SCL = -1 rather than domain-level bypass:** The sender address `noreply@azcomputerguru.com` is specific enough that setting SCL=-1 on it carries minimal risk. A domain-level bypass (`azcomputerguru.com`) was considered but rejected — too broad, would cover all ACG-origin mail.
+- **Priority 4:** Placed below the existing SCL bypass rules (Priority 2–3) since no conflict exists; priority ordering doesn't matter for non-overlapping senders. Placed above any catch-all rules that might exist in the future.
+- **Did not restrict by connector:** The "Inbound Spam Filter" connector has no SenderIPAddresses restriction (per prior decision — avoids blocking calendar invites from external M365 tenants). Adding a connector-based condition to the rule was avoided for the same reason.
+- **gtimail@glaztech.com not addressed:** The daily `Failed` delivery to `gtimail@glaztech.com` is caused by the pre-existing "GTIMail No-Reply - Reject Inbound" rule. Mike did not request any change to that rule; flagged for separate review.
+
+---
+
+## Problems Encountered
+
+- **`Get-MessageTrace` deprecated:** Initial call to `Get-MessageTrace` returned a deprecation warning and failed. Switched to `Get-MessageTraceV2`. Note: `Get-MessageTraceV2` does not accept `-PageSize` — that parameter does not exist on the V2 cmdlet.
+- **`New-TransportRule -SenderAddresses` not valid:** First attempt used `-SenderAddresses` which is not a valid parameter. Correct parameter is `-From` for explicit sender address matching.
+- **Cert not in Windows cert store:** Exchange Operator cert (`A615823DE1CAF15229027DEC075AFE32B900D82C`) is not installed in LocalMachine\My or CurrentUser\My on BEAST. Used `get-token.sh` cert-based JWT flow instead, passing the resulting bearer token to `Connect-ExchangeOnline -AccessToken`.
+
+---
+
+## Configuration Changes
+
+- **Exchange Online transport rule created** in `glaztechindustries.onmicrosoft.com`:
+  - Name: `SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)`
+  - Condition: `From = noreply@azcomputerguru.com`
+  - Action: `SetSCL -1`
+  - Priority: 4
+  - State: Enabled
+  - Comments: "Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG."
+
+---
+
+## Credentials & Secrets
+
+- **Vault path used:** `msp-tools/computerguru-exchange-operator.sops.yaml`
+  - App: ComputerGuru - Exchange Operator
+  - Client ID: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`
+  - Cert thumbprint: `A615823DE1CAF15229027DEC075AFE32B900D82C`
+  - Token acquired via: `bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> exchange-op`
+
+---
+
+## Infrastructure & Servers
+
+- **Glaztech tenant:** `glaztechindustries.onmicrosoft.com`
+- **Tenant ID:** `82931e3c-de7a-4f74-87f7-fe714be1f160`
+- **Inbound mail filter:** MailProtector — `glaztech-com.inbound.emailservice.io`
+- **Inbound connector:** "Inbound Spam Filter" — Partner type, RequireTls=True, no IP restriction (intentional — preserves calendar invite delivery)
+- **EXO PowerShell module:** ExchangeOnlineManagement 3.9.2
+
+---
+
+## Commands & Outputs
+
+```powershell
+# Connect to Glaztech EXO with app-only token
+$token = bash .claude/skills/remediation-tool/scripts/get-token.sh 82931e3c-de7a-4f74-87f7-fe714be1f160 exchange-op
+Connect-ExchangeOnline -AccessToken $token -Organization 'glaztechindustries.onmicrosoft.com' -ShowBanner:$false
+
+# Message trace (last 10 days) — confirmed FilteredAsSpam occurrences
+Get-MessageTraceV2 -SenderAddress 'noreply@azcomputerguru.com' -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
+# Key finding: tshaw@glaztech.com → FilteredAsSpam (2026-06-02 3:07 PM)
+# Key finding: gtimail@glaztech.com → Failed daily (pre-existing rule, separate issue)
+
+# Create rule
+New-TransportRule `
+    -Name 'SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)' `
+    -From 'noreply@azcomputerguru.com' `
+    -SetSCL -1 `
+    -Priority 4 `
+    -Comments 'Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG.' `
+    -Enabled $true
+```
+
+**Final transport rule list (Glaztech):**
+```
+Priority 0  Pensky Allow                                                    Enabled
+Priority 1  GTIMail No-Reply - Reject Inbound                               Enabled
+Priority 2  SCL Bypass - hartsglass + olemons (SHVSALES)                    Enabled
+Priority 3  SCL Bypass - aaaglassinc.com (SHVSALES)                         Enabled
+Priority 4  SCL Bypass - noreply@azcomputerguru.com (MailProtector digests) Enabled
+```
+
+---
+
+## Pending / Incomplete Tasks
+
+- **gtimail@glaztech.com failing daily:** The "GTIMail No-Reply - Reject Inbound" rule (Priority 1) rejects all inbound mail to `gtimail@glaztech.com`. This causes the daily MailProtector digest to fail for that address. Confirm with Steve Eastman whether `gtimail@glaztech.com` should receive digests (i.e., whether the reject rule should have an exception or be modified).
+- **Exchange Operator cert not in BEAST cert store:** If cert-based PowerShell connections are needed without `get-token.sh` (e.g., for interactive EXO sessions), the cert will need to be imported to the machine store. Not urgent — token flow works fine for bot-driven operations.
+
+---
+
+## Reference Information
+
+- **Syncro customer ID:** 143932
+- **EXO rule created:** `SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)` — Priority 4
+- **EXO PowerShell V2 deprecation note:** `Get-MessageTrace` deprecated Sept 1 2025; use `Get-MessageTraceV2` (no `-PageSize` parameter)
+- **Vault:** `msp-tools/computerguru-exchange-operator.sops.yaml`
+- **Token cache:** `/tmp/remediation-tool/82931e3c-de7a-4f74-87f7-fe714be1f160/exchange-op.jwt`