sync: auto-sync from GURU-5070 at 2026-06-10 15:18:03

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-10 15:18:03
2026-06-10 15:18:16 -07:00
parent eb7cec8432
commit 6eea89c6bc
4 changed files with 176 additions and 10 deletions


@@ -0,0 +1,73 @@
# Kittle — MFA SMS Conversions + Hayden Password Reset
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Continued post-incident M365 hardening on the Kittle tenant (kittlearizona.com). Reset the Hayden Schagel account password to a temporary value (force change at next sign-in) and added an SMS phone method, since the account had no phone methods registered at all. Then converted five users to phone-only MFA: removed the Microsoft Authenticator registration and set SMS text codes as the default second factor.
The five users were Alexis Schagel, Brandon Blazer, Jason Stubblefield, Neal Crusius, and Scott Zehner. Alexis and Scott already had a phone registered; Brandon was already phone-only; Jason and Neal had no phone, so their numbers (from the client phone roster image, KittlePhones.jpg) were added before stripping Authenticator. Alexis additionally had two duplicate "iPhone 12 Pro Max" Authenticator entries, both removed (this closes the long-standing open item on her account).
Finally, posted a public, customer-emailed note to Syncro ticket #32394 (MFA Cleanup) summarizing the SMS changes for Ken's awareness, with Hayden's temp password deliberately left out.
All M365 writes went through the ComputerGuru User Manager app (Graph). The work mirrors the established phone-only pattern previously applied to admin@/accounting@/josh@/brandon@.
## Key Decisions
- For Jason and Neal (no phone on file), added the SMS method and flipped the default to SMS BEFORE removing Authenticator — never leaving an account with zero MFA methods.
- Used the client-supplied phone roster (KittlePhones.jpg) as the authoritative source for Jason (702-234-4426) and Neal (217-502-9736); did not fabricate numbers.
- Left "SMS as default second factor" only — did NOT enable SMS-as-passwordless-sign-in (smsSignInState stays notConfigured), which is a separate tenant feature not requested.
- Omitted Hayden's temp password from the customer-emailed ticket note (deliver separately/securely).
## Problems Encountered
- **Vault path resolution failure:** the remediation-tool scripts compute CLAUDETOOLS_ROOT relative to the skill install dir (C:\Users\guru\.claude\skills\...), so they read the HOME identity.json (no vault_path) and fail with "vault_path not set ... and VAULT_ROOT_ENV env var not set". Worked around with `export VAULT_ROOT_ENV="D:/vault"`. Permanent fix: add vault_path to the home identity.json or fix root resolution.
- **signInPreferences is beta-only:** setting the default/preferred second factor returned HTTP 400 "Resource not found for the segment 'signInPreferences'" on Graph v1.0. Fixed by using the beta endpoint: PATCH https://graph.microsoft.com/beta/users/{id}/authentication/signInPreferences with {"userPreferredMethodForSecondaryAuthentication":"sms"}.
- **Cannot delete the default Authenticator:** for Jason/Neal, Graph returned "Cannot delete default method with other methods configured. Please change default method before deletion." Resolved by adding SMS and flipping the default to SMS first, then deleting Authenticator.
- **Password typo:** initially set Hayden's password to KCDTemp123! per the first instruction; corrected to KDCTemp123! (KDC) when Mike flagged the typo. Re-ran reset-password.sh with the corrected value.
## Configuration Changes
- M365 (kittlearizona.com) auth-method changes for 6 users (see Commands).
- `wiki/clients/kittle.md` — added two rows to the Remediation Actions Completed table (Hayden; bulk SMS conversion), a `[NOTE] remediation-tool skill gotchas` subsection under Patterns & Known Issues, and checked off the `alexis@ duplicate Authenticator cleanup` Active Work item.
## Credentials & Secrets
- **hayden@kittlearizona.com** temp password: `KDCTemp123!` (force change at next sign-in). Superseded earlier mistaken value `KCDTemp123!`.
- Phone numbers added to M365 auth methods (from client roster KittlePhones.jpg): Hayden 520-628-0929; Jason 702-234-4426; Neal 217-502-9736. (Alexis 520-628-0921, Brandon 520-304-8247, Scott 520-288-4444 already registered.)
- Tokens via vault `msp-tools/computerguru-user-manager.sops.yaml` (cert auth). No new secrets created.
## Infrastructure & Servers
- Tenant: kittlearizona.com / `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- App used: ComputerGuru User Manager (appId `64fac46b-8b44-41ad-93ee-7da03927576c`); in-tenant SP `ea0277ab-497c-45f7-b88a-e2d53f54a4c7` (User Administrator + Authentication Administrator).
- Hayden object id: `aa995f8e-cd2c-49ba-8096-296c8bc6713a`.
## Commands & Outputs
```bash
export VAULT_ROOT_ENV="D:/vault" # required workaround on GURU-5070
# password reset (force-change)
./reset-password.sh kittlearizona.com hayden@kittlearizona.com 'KDCTemp123!' --force-change
# add SMS phone method
POST /v1.0/users/{upn}/authentication/phoneMethods {"phoneNumber":"+1 ...","phoneType":"mobile"}
# set SMS default (BETA endpoint)
PATCH /beta/users/{upn}/authentication/signInPreferences {"userPreferredMethodForSecondaryAuthentication":"sms"}
# remove Authenticator (only after SMS default set)
DELETE /v1.0/users/{upn}/authentication/microsoftAuthenticatorMethods/{id}
```
Final verification (all 5): phone present, authenticator=0, default=sms for alexis/Brandon/jason/Neal/scott.
## Pending / Incomplete Tasks
- None outstanding for this scope. Bulk SMS-availability for the rest of the tenant remains scoped OUT (only the named users needed it).
- Broader Kittle residual incident items unchanged (see kittle.md Active Work).
## Reference Information
- Syncro ticket: #32394 (id 112389608) — public comment id `418411503` posted (email on). Bot alert message_id `1514367312155775168`.
- Wiki: `wiki/clients/kittle.md`
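Review bot: the Credentials & Secrets section records a live temporary password in plaintext (`- **hayden@kittlearizona.com** temp password: \`KDCTemp123!\``), which contradicts the Key Decision to keep it out of the customer-emailed ticket note and leaves it in git history for as long as the repo exists, regardless of the force-change-at-next-sign-in flag. The same value is passed on the command line in `./reset-password.sh kittlearizona.com hayden@kittlearizona.com 'KDCTemp123!' --force-change`, where it is also captured in shell history on GURU-5070. Suggest replacing the literal with a pointer to a vault item (the note already uses the sops vault for the app's own tokens) and having `reset-password.sh` read the value from an environment variable or an interactive prompt instead of argv. The user phone numbers and the tenant, appId, service-principal and object ids in the same section are PII and tenant identifiers; if they must be in a synced session log rather than the wiki client page, a line stating who can read this repo would help the next reader judge the exposure.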