sync: auto-sync from GURU-5070 at 2026-06-10 15:18:03

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-10 15:18:03
This commit is contained in:
2026-06-10 15:18:16 -07:00
parent eb7cec8432
commit 6eea89c6bc
4 changed files with 176 additions and 10 deletions

View File

@@ -378,6 +378,8 @@ Kittle confirmed it has no relationship with Foam Factory Incorporated.
| FIDO2/passkeys ENABLED tenant-wide (Authentication Methods policy `fido2` state -> enabled) | 2026-06-10 | [OK] — phishing-resistant method now available to all users (targets `all_users`, self-service reg on, no attestation/key restrictions, deviceBound+synced). Triggered by Darline hitting "passkey not enabled for the organization" during re-enrollment. Tenant still `policyMigrationState: migrationInProgress` — SMS/voice/Authenticator remain governed by legacy MFA settings. |
| Auth Methods policy migration — Step 1 of 3: enabled `microsoftAuthenticator`, `sms`, `voice`, `softwareOath` in the converged policy (all `all_users`, additive) | 2026-06-10 | [OK] — replicates legacy MFA method set into the new policy ahead of migration; `policyMigrationState` deliberately LEFT at `migrationInProgress` (legacy still backing). NEXT: verification window (watch sign-in MFA failures), then Step 3 = PATCH `policyMigrationState: migrationComplete` only on explicit go. Tenant overdue (Microsoft retired legacy MFA mgmt Sept 2025; auto-complete risk). |
| joshua@ (Josh Sutherland) + Brandon@ (Brandon Blazer) MFA reset to phone-only: added SMS (Josh +1 520-664-4785, Brandon +1 520-304-8247) as default, removed Authenticator (Josh iPad Pro, Brandon SM-F741U) | 2026-06-10 | [OK] — same pattern as admin@/accounting@. Cell numbers from client-supplied roster (KittlePhones.jpg). Bulk SMS-availability for the rest of the tenant was scoped OUT at Mike's direction (only Josh/Brandon needed now); accounting@ left as-is (work # +1 520-763-3091, re-registered Authenticator SM-S731U left in place). |
| hayden@ (Hayden Schagel) password reset (force-change) + SMS phone added | 2026-06-10 | [OK] — via User Manager app. Account had NO phone methods prior; added SMS +1 520-628-0929 (from client roster). Password set/corrected to a temp value with forceChangePasswordNextSignIn=true. |
| Bulk phone-only MFA conversion: alexis@, Brandon@, jason@, Neal@, scott@ — SMS set as default 2nd-factor, Microsoft Authenticator removed | 2026-06-10 | [OK] — via User Manager app. Phones from client roster (KittlePhones): Alexis 520-628-0921 (existing), Brandon 520-304-8247 (existing), Jason 702-234-4426 (ADDED), Neal 217-502-9736 (ADDED), Scott 520-288-4444 (existing). Alexis: BOTH duplicate "iPhone 12 Pro Max" Authenticator entries (7365a870, c927402a) removed. Jason (SM-X218U) + Neal (iPhone 16 Pro) had no phone — added SMS first, flipped default to SMS, THEN removed Authenticator (cannot delete the default method otherwise). Brandon/Scott already phone-only. SMS-as-passwordless-signin (smsSignInState) still notConfigured/not enabled tenant-wide — this changes the default 2nd-factor only. |
### Incident Evidence (preserved by ACG)
@@ -444,6 +446,14 @@ Lori Schagel had 10 admin roles including Global Administrator as a pre-existing
**Rule:** Small-business tenants should have exactly one active GA account (or two, with the second being a break-glass with a very strong password and no MFA registration, NOT a named-user account). Review GA assignments at every breach check. Strip and downscope unnecessary GA on sight.
### [NOTE] remediation-tool skill gotchas (observed 2026-06-10 during the MFA conversions)
Tooling quirks hit while running the User Manager (remediation-tool) scripts against this tenant — apply fleet-wide, not Kittle-specific:
1. **Vault path resolution reads the wrong identity.json.** The scripts compute `CLAUDETOOLS_ROOT` relative to the skill install dir (`C:\Users\guru\.claude\skills\remediation-tool\...`), so on GURU-5070 they read the *home* `~/.claude/identity.json` (which has no `vault_path`) and fail: `ERROR: vault_path not set ... and VAULT_ROOT_ENV env var not set`. Workaround: `export VAULT_ROOT_ENV="D:/vault"` before calling `get-token.sh`/`reset-password.sh`. Permanent fix: add `vault_path` to the home identity.json or fix root resolution.
2. **`signInPreferences` is beta-only.** Setting a user's default/preferred second factor must go to `PATCH https://graph.microsoft.com/beta/users/{id}/authentication/signInPreferences` with `{"userPreferredMethodForSecondaryAuthentication":"sms"}`. The v1.0 path returns HTTP 400 `Resource not found for the segment 'signInPreferences'`.
3. **Can't delete the default Authenticator while it IS the default.** Graph returns `Cannot delete default method with other methods configured. Please change default method before deletion.` Correct order for a phone-only conversion: (a) add the SMS phone method, (b) PATCH signInPreferences to `sms` (beta), (c) THEN DELETE the Authenticator method. Never strip the only/last MFA method before the replacement is in place.
### [WARNING] IMAP/POP/EAS still enabled tenant-wide
Legacy protocols remain enabled as of 2026-06-09. The CA `Block legacy authentication` policy now blocks sign-in via legacy auth, but the protocols themselves are still enabled and could represent residual risk (e.g., if the CA policy is ever accidentally disabled). Disable IMAP/POP/EAS at the mailbox level tenant-wide as defense in depth.
@@ -474,7 +484,7 @@ Do not migrate or decommission SERVER without a proper QuickBooks migration plan
- [ ] **Disable IMAP/POP/EAS tenant-wide** — CA now blocks legacy auth, but protocols remain enabled. Defense-in-depth: disable at mailbox level.
- [ ] **Confirm bank freeze calls completed** (Truist 844-487-8478 / Enterprise Fraud Mgmt 866-802-4955; First State Bank fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com).
- [ ] **Re-add appropriate admin role to Ken** — all 10 stripped during containment; Ken is owner/GA by function. Re-add Global Administrator + Exchange Administrator once incident is formally closed.
- [ ] **alexis@ duplicate Authenticator cleanup**entry `c927402a-75c6-4a55-840a-86d1eea43a9b` ("iPhone 12 Pro Max", app ver 6.8.40). Confirm with Alexis how many Kittle accounts are on her phone; remove if only one. Also review OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused.
- [x] **alexis@ duplicate Authenticator cleanup**DONE 2026-06-10: both "iPhone 12 Pro Max" Authenticator entries (`7365a870-4809-4fdc-9e9b-dcd76eddb8ef` and `c927402a-75c6-4a55-840a-86d1eea43a9b`) removed during the bulk phone-only MFA conversion; Alexis now SMS-only (+1 520-628-0921, default). OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` not touched — review/remove if confirmed unused.
- [ ] **Wrex license removal** — mailbox converted to shared, user disabled; free the Business Standard license.
- [ ] **Christina Micek inbox rule on Ken** — confirmed benign during 6/8 sweep (copy rule, no suppression). Still worth Ken confirming explicitly for documentation closure.
- [ ] **Warn Ken's phished external contacts** — 740+ recipients received the "Ken Schagel shared a file with you" phishing email; link was `flowinnactuators.com/work.html` (credential harvesting). Formal notification recommended.