sync: auto-sync from GURU-5070 at 2026-07-01 09:32:17
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-07-01 09:32:17
@@ -200,3 +200,4 @@
|
||||
- [GuruScan verification IN TEST / paused](project_guruscan_in_test_paused.md) — multi-engine scanner verify on DESKTOP-MS42HNC paused 2026-06-22 (VM rebooted mid-Emsisoft run); HitmanPro done (36 removed), Emsisoft full-scan unverified; resume `guruscan-agent-test.sh DESKTOP-MS42HNC scan-one Emsisoft`; Defender RTP/Tamper still off on VM
|
||||
- [GuruRMM fleet dispatch-hang fix](project_gururmm_dispatch_hang_fix.md) — blocking send_to on a full bounded channel to one black-holed agent wedged ALL command dispatch; fixed with try_send (9dae20c, deployed); proper black-hole eviction still missing (was reverted in 80df458) — finish it if it recurs
|
||||
- [Windows won't-boot / offline DISM repair playbook](windows-offline-dism-repair-gotchas.md) — Automatic Repair loop = boot-critical fault (disk/registry/wedged update), NOT shell/appx store corruption (that's a symptom); `FaultyPackageInProgress` + 100s of Install/Uninstall-Pending packages = wedged CU -> RevertPendingActions or clean install. Offline DISM rejects `wim:` source (0x800f082e) -> MOUNT the wim, source `\Windows`. Ventoy breaks WIM mount (0xc1420134) -> use Rufus. 25H2(26200)=24H2(26100)+enablement, so match 26100 media. First hit: Four Paws AvImark #32447.
|
||||
- [Remediation-tool has full M365 access (incl. SharePoint)](reference_remediation_tool_365_access.md) — the app suite covers Graph/EXO/Defender/SharePoint; don't declare "no access" on an accessDenied. SharePoint app-only needs a CERT (secret = "Unsupported app only token"); use get-token.sh `sharepoint`/`sharepoint-admin` tiers + CSOM admin API (Graph /admin/sharepoint/settings scope not held). Full map: skill references/app-permissions-and-sharepoint.md.
|
||||
|
||||
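Review bot: In the added index entry for reference_remediation_tool_365_access.md, the pointer "Full map: skill references/app-permissions-and-sharepoint.md" is not a path that resolves from the repository root, while the memory file added in this same commit gives it as `.claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md`. Use that full path here so the index line can be followed without opening the memory file first. The headline "has full M365 access" would also read more safely with the qualifier the memory file itself carries, namely that access is confirmed by decoding the token `roles` claim rather than assumed.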
32
.claude/memory/reference_remediation_tool_365_access.md
Normal file
@@ -0,0 +1,32 @@
|
||||
---
|
||||
name: reference_remediation_tool_365_access
|
||||
description: The remediation-tool app suite has full M365 access (incl. SharePoint via cert); don't declare "no access" on an accessDenied
|
||||
metadata:
|
||||
type: reference
|
||||
---
|
||||
|
||||
The ComputerGuru remediation-tool apps collectively have **broad, working access across ALL of
|
||||
M365** — Graph, Exchange Online, Defender, AND SharePoint Online. When a call fails it's almost
|
||||
always wrong-tier / wrong-endpoint / not-consented / the SharePoint cert gotcha — **not** a real
|
||||
lack of access. Do NOT tell the user "the tool can't do X" without checking the live permission
|
||||
map first (decode the token `roles` claim).
|
||||
|
||||
Key facts:
|
||||
- **SharePoint app-only requires a CERTIFICATE.** A `client_secret` token is rejected on every
|
||||
SharePoint endpoint (REST `/_api` and CSOM `/_vti_bin/client.svc/ProcessQuery`) with
|
||||
`"Unsupported app only token"`. The Tenant Admin app has a cert in the vault and holds
|
||||
SharePoint-resource `Sites.FullControl.All`.
|
||||
- `get-token.sh` now has **`sharepoint`** (content) and **`sharepoint-admin`** (tenant admin)
|
||||
tiers — cert-forced, tenant resource auto-resolved from Graph `/sites/root`
|
||||
(override `SP_RESOURCE_ENV`). Added 2026-07-01.
|
||||
- Graph `GET /admin/sharepoint/settings` needs `SharePointTenantSettings.Read.All`, which NO app
|
||||
holds → that route 403s. Read/write SharePoint tenant settings via the **CSOM admin API**
|
||||
(`sharepoint-admin` tier) instead. Tenant settings live on the Tenant object
|
||||
(TypeId `{268004ae-ef6b-4e9b-8425-127220d84719}`) — e.g. `SelfServiceSiteCreationDisabled`.
|
||||
- Restricting employee SharePoint site creation = `SelfServiceSiteCreationDisabled=true` (CSOM)
|
||||
AND restrict M365 Group creation (Entra `Group.Unified` directory setting via `user-manager`);
|
||||
neither affects edit rights on existing sites.
|
||||
|
||||
Full detail (live per-tier permission map + CSOM examples):
|
||||
`.claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md`. Surfaced by
|
||||
Syncro #32492 (Birth Biologic). See also [[feedback_syncro_billing]].
|
||||
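Review bot: The opening paragraph tells the reader not to report "no access" on a failure, but the "Key facts" bullets never say which tier to try first, and the only SharePoint credential described is the Tenant Admin cert holding `Sites.FullControl.All`. Add a line stating that the `sharepoint` (content) tier is the default and that `sharepoint-admin` is reserved for tenant-level settings such as `SelfServiceSiteCreationDisabled`, and that an accessDenied which persists after the `roles` claim shows the needed permission should be reported as a real denial instead of retried on a higher tier. In the `get-token.sh` bullet, "(override `SP_RESOURCE_ENV`)" does not say what value is expected (a resource URL, a hostname, or the name of another variable); document the format with one example. The closing `[[feedback_syncro_billing]]` reference uses a wiki-link form while the index in the first hunk uses markdown links with a `.md` target, so pick one form so the link resolves the same way in both places.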