azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: Dataforth M365 follow-up investigation - jantar@dataforth.com

Browse Source 
Follow-up on three pending items from breach check:
- IdentityRiskyUser scope: consented but requires P2 license
- Dime Client app: internal app requiring verification with Dan Center
- Microsoft Authenticator: drafted upgrade plan and recommendations

Created comprehensive follow-up report with action items.

Machine: Mikes-MacBook-Air
User: Mike Swanson (mike)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-03 15:00:30 -04:00
parent 2e98f95c9f
commit 72dab09d3a
2 changed files with 360 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md Normal file
View File

@@ -0,0 +1,160 @@
# Follow-Up: Dataforth M365 Security Investigation
**Date:** 2026-05-03 (UTC)
**Analyst:** Mike Swanson (Mikes-MacBook-Air)
**Client:** Dataforth Corp
**User:** Jacque Antar (jantar@dataforth.com)
**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
---
## Summary
This follow-up addresses three items flagged in the breach investigation report for jantar@dataforth.com dated 2026-05-03.
---
## 01 - IdentityRiskyUser.Read.All Scope Status
**Original Issue:** Breach check reported 403 error when querying risky users endpoint due to missing `IdentityRiskyUser.Read.All` consent.
**Investigation Result:** [OK] Scope IS Consented, BUT Licensing Issue Exists
The `IdentityRiskyUser.Read.All` permission IS currently consented for the ComputerGuru Security Investigator app in the Dataforth tenant. Verification:
- Token acquired successfully includes this role in the JWT claims
- App consent was completed (likely after the breach check)
- Service principal exists and is active in tenant
**However:** API call to Identity Protection endpoint returns:
```
403 Forbidden: "Your tenant is not licensed for this feature"
```
**Root Cause:** Dataforth tenant does NOT have **Microsoft Entra ID P2** licensing required for Identity Protection features.
**Impact:** The risky user checks cannot function regardless of app consent until Entra ID P2 licenses are assigned.
**Recommendation:**
| Priority | Action |
|---|---|
| [INFO] | If Dataforth wants Identity Protection monitoring (risky sign-ins, leaked credentials, anomaly detection), purchase and assign Entra ID P2 licenses |
| [INFO] | If NOT purchasing P2: Document that risky user checks are unavailable; rely on sign-in log analysis and conditional access instead |
---
## 02 - "Dime Client" Application Verification
**Original Issue:** Sign-in logs showed "Dime Client" as primary application (7 out of 8 successful sign-ins for jantar@dataforth.com over 30 days).
**Investigation Result:** [INFO] Internal Application - Verification Needed
Details from breach check:
- **App Name:** "Dime Client"
- **Sign-in Frequency:** 7/8 logins (primary app)
- **IP Address:** 67.206.163.122 (Salt Lake City, UT)
- **Platform:** Windows 10
- **Pattern:** Consistent single IP, no foreign logins, no impossible travel
**Assessment:**
- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.)
- NOT found in tenant's service principal directory with "Dime" in display name
- Likely a **custom line-of-business (LOB) application** or **internal Dataforth tool**
- No indicators of compromise - usage is consistent with legitimate work patterns
**Recommendation:**
| Priority | Action | Owner |
|---|---|---|
| [ACTION REQUIRED] | Verify "Dime Client" with Dataforth IT/development team | Dan Center (IT Admin) |
| [ACTION REQUIRED] | Confirm this is an authorized internal application | Dan Center |
| [INFO] | If legitimate: Document in Dataforth's authorized apps inventory | Dataforth IT |
| [WARNING] | If UNKNOWN: Investigate immediately as potential unauthorized access | Dataforth IT + ACG |
**Next Steps:**
1. Contact Dan Center (dcenter@dataforth.com) to confirm "Dime Client" identity
2. If unknown, escalate for full application investigation
3. Document outcome in Dataforth's IT asset inventory
---
## 03 - Microsoft Authenticator MFA Upgrade
**Current State:** Jacque Antar uses **SMS-based MFA** (phone: +1 520-245-6929)
**Issue:** SMS MFA is vulnerable to:
- SIM swapping attacks
- SMS intercep tion
- Social engineering (attacker convinces carrier to port number)
- Less phishing-resistant than modern MFA methods
**Recommendation:** Upgrade to **Microsoft Authenticator** (push notifications or TOTP)
**Benefits:**
| Feature | SMS MFA | Microsoft Authenticator |
|---|---|---|
| Phishing Resistance | Low | High |
| SIM Swap Protection | No | Yes |
| Number Matching | No | Yes (context-aware) |
| Offline TOTP | No | Yes |
| Compliance | Basic | Strong (meets NIST AAL2) |
**Implementation Steps:**
1. **Pilot User:** Jacque Antar (jantar@dataforth.com)
- Current: Password + SMS
- Target: Password + Microsoft Authenticator (push/TOTP)
2. **Enrollment Process:**
- User downloads Microsoft Authenticator app (iOS/Android)
- Admin initiates MFA re-registration OR user self-enrolls via https://aka.ms/mfasetup
- User scans QR code to add Dataforth account
- Test push notification and TOTP code generation
- **CRITICAL:** Keep SMS as backup method during initial rollout (remove after 30 days if Authenticator stable)
3. **Rollout Plan (if expanding beyond Jacque):**
- Phase 1: IT admins (Dan Center, others)
- Phase 2: Executive team
- Phase 3: General users
- Timeline: 2-4 weeks per phase
**Priority:** [INFO] - Security hardening, not urgent breach response
**Who Should Approve:** Dan Center (IT Admin) + Dataforth management
---
## Summary of Actions
| Item | Status | Next Step | Owner |
|---|---|---|---|
| **IdentityRiskyUser Scope** | [OK] Consented, but needs P2 license | Decide: Purchase P2 or document limitation | Dataforth IT |
| **Dime Client App** | [PENDING] Needs verification | Confirm with Dan Center if authorized app | Dan Center |
| **Authenticator Upgrade** | [RECOMMENDED] Optional hardening | Pilot with Jacque Antar, expand if successful | Dataforth IT |
---
## Files Referenced
- Breach Check Report: `clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md`
- Session Log (initial investigation): `clients/dataforth/session-logs/2026-05-03-session.md`
---
## Contact for Questions
**Arizona Computer Guru**
- Analyst: Mike Swanson
- Email: mike@azcomputerguru.com
- Ticket: #109790034 (Syncro)
**Dataforth IT Contact:**
- Dan Center: dcenter@dataforth.com
---
**Report Generated:** 2026-05-03 by Mike Swanson (Mikes-MacBook-Air)

200
clients/dataforth/session-logs/2026-05-03-session.md
View File

@@ -117,3 +117,203 @@ Breach check JSON artifacts at (local, not committed):
Consent URL: `https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent`
- [ ] Confirm "Dime Client" app with Dataforth — verify it is an authorized internal application
- [ ] Consider pushing Jacque Antar to Microsoft Authenticator (currently SMS-only MFA)
---
## Update: 18:56 UTC (Mikes-MacBook-Air)
**User:** Mike Swanson (mike)
**Machine:** Mikes-MacBook-Air
**Work Mode:** remediation
### Session Summary
Follow-up investigation on the three pending items from the jantar@dataforth.com breach check. Verified IdentityRiskyUser.Read.All scope consent status, investigated the "Dime Client" application, and drafted Microsoft Authenticator upgrade recommendations. Created comprehensive follow-up report documenting findings and next steps.
### Work Completed
#### 1. IdentityRiskyUser.Read.All Scope Investigation
**Finding:** Scope IS consented, but licensing issue prevents usage
- Acquired Graph token using `REMEDIATION_AUTH=secret` (PyJWT/cryptography not installed on Mac, fell back to client_secret auth)
- Verified Security Investigator app token includes `IdentityRiskyUser.Read.All` in roles claim
- Tested risky users API endpoint: returned 403 with "Your tenant is not licensed for this feature"
- **Root Cause:** Dataforth tenant lacks Microsoft Entra ID P2 licensing required for Identity Protection
- **Outcome:** Permission is consented correctly; feature unavailable due to licensing tier
- **Status:** Documented in follow-up report with recommendation to either purchase P2 or accept limitation
#### 2. "Dime Client" Application Verification
**Finding:** Internal application requiring client confirmation
- Reviewed breach check data: 7 out of 8 sign-ins for jantar@dataforth.com were "Dime Client"
- All sign-ins from consistent IP 67.206.163.122 (Salt Lake City, UT) - no geographic anomalies
- Searched tenant service principals: no match for "Dime" in displayName
- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.)
- **Assessment:** Likely custom line-of-business (LOB) app or internal Dataforth tool
- **No security concerns:** Usage pattern is consistent and legitimate
- **Status:** Flagged for verification with Dan Center (dcenter@dataforth.com) in follow-up report
#### 3. Microsoft Authenticator MFA Upgrade Recommendation
**Current State:** Jacque Antar uses SMS-based MFA (phone: +1 520-245-6929)
**Drafted Comprehensive Upgrade Plan:**
- Documented SMS vulnerabilities (SIM swapping, interception, social engineering)
- Comparison table: SMS MFA vs Microsoft Authenticator features
- Step-by-step enrollment process for pilot deployment
- Phased rollout plan (IT admins → executives → general users)
- Recommendation: Keep SMS as backup during initial 30-day pilot
- **Priority:** [INFO] level - security hardening, not urgent breach response
- **Decision Authority:** Dan Center (IT Admin) + Dataforth management
### Files Created
**Report:** `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md`
- IdentityRiskyUser scope status and P2 licensing requirement
- Dime Client app details and verification request
- Microsoft Authenticator upgrade plan with implementation steps
- Summary action table with owners and next steps
### Key Technical Details
**Dataforth Tenant:**
- Tenant ID: `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
- Domain: dataforth.com
- Current Licensing: Microsoft 365 (NOT Entra ID P2)
- IT Contact: Dan Center (dcenter@dataforth.com)
**User Account:**
- UPN: jantar@dataforth.com
- Object ID: `daa60027-be31-47a5-87af-d728499a9cc4`
- Display Name: Jacque Antar
- MFA Method: SMS (+1 520-245-6929)
**Security Investigator App:**
- App ID: `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
- Display Name: ComputerGuru - Security Investigator
- SP Object ID (in Dataforth): `e560423e-7747-481e-bb9d-affeaabda258`
- Token Scope: Graph API (read-only)
- IdentityRiskyUser.Read.All: Consented but unusable without P2 license
**Authentication Used:**
- Method: Client secret (via REMEDIATION_AUTH=secret env override)
- Reason: PyJWT and cryptography Python modules not installed on Mac
- Vault Path: `/Users/azcomputerguru/vault` (from .claude/identity.json)
- SOPS File: `msp-tools/computerguru-security-investigator.sops.yaml`
- Token Cache: `/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/investigator.jwt` (55-min TTL)
### API Calls Performed
```bash
# Get Security Investigator service principal
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq 'bfbc12a4-f0dd-4e12-b06d-997e7271e10c'
# Test Identity Protection risky users endpoint
GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=5
Response: 403 Forbidden - "Your tenant is not licensed for this feature"
# Get user OAuth grants
GET https://graph.microsoft.com/v1.0/users/daa60027-be31-47a5-87af-d728499a9cc4/oauth2PermissionGrants
Found: Apple Internet Accounts (EAS) - eM Client was already removed in previous session
# Lookup service principal by object ID
GET https://graph.microsoft.com/v1.0/servicePrincipals/85e650f8-5eec-4523-a9ef-fc1a031fb1d6
Result: Apple Internet Accounts (appId: f8d98a96-0999-43f5-8af3-69971c7bb423)
# Search for Dime Client
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith(displayName,'Dime')
Result: Empty array - not found
# Attempted sign-in queries (timed out)
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq 'jantar@dataforth.com'
Result: Connection timeouts - relied on breach check report data instead
```
### Problems Encountered
**PyJWT/cryptography Missing on Mac:**
- Certificate-based authentication requires PyJWT and cryptography Python modules
- Not installed on Mikes-MacBook-Air (only on GURU-BEAST-ROG)
- **Resolution:** Used `REMEDIATION_AUTH=secret` environment override to force client_secret authentication
- **Impact:** None - client_secret works identically for this read-only investigation
- **Future:** Consider installing PyJWT/cryptography on Mac or continue using secret auth
**Sign-In Log API Timeouts:**
- Multiple attempts to query auditLogs/signIns endpoint timed out after 2-3 seconds
- Tried various filters and query simplifications - all timed out
- **Resolution:** Relied on sign-in data from breach check report (already collected on GURU-BEAST-ROG)
- **Impact:** None - breach report contained sufficient sign-in detail for analysis
### Recommendations for Dataforth
**Immediate Actions (Dan Center):**
1. [ACTION REQUIRED] Verify "Dime Client" app identity - confirm it is authorized internal application
2. [ACTION REQUIRED] Decide on Entra ID P2 licensing:
- Purchase P2 if Identity Protection monitoring needed
- OR document that risky user checks are unavailable, rely on sign-in log analysis
**Optional Security Hardening:**
1. [RECOMMENDED] Pilot Microsoft Authenticator with Jacque Antar
2. [RECOMMENDED] Expand Authenticator to IT team, then executives, then general users (2-4 weeks per phase)
3. [RECOMMENDED] Document "Dime Client" in Dataforth's authorized apps inventory
### Syncro Ticket Reference
**Ticket #109790034** (created in previous session on GURU-BEAST-ROG)
- Subject: M365 Security Investigation - jantar@dataforth.com
- Status: Resolved
- Labor: 1.0 hr billed against prepaid block
- Prepaid Balance: 46.5 hrs remaining
- Contact: Dan Center (id: 2774091)
**Note:** Follow-up work in THIS session is informational/analysis only. No additional Syncro ticket created. If Dan Center requests implementation of Authenticator upgrade or further investigation, create new ticket.
### Next Steps
**For Dataforth (Dan Center to action):**
1. Review follow-up report: `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md`
2. Confirm Dime Client app is authorized
3. Decide on P2 licensing (purchase or accept limitation)
4. Approve/decline Microsoft Authenticator pilot
**For Arizona Computer Guru:**
1. Wait for Dan Center's response on Dime Client verification
2. If Authenticator pilot approved: schedule enrollment session with Jacque Antar
3. If P2 licensing purchased: re-test Identity Protection APIs and document capabilities
### Files Modified
| File | Action |
|---|---|
| `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md` | Created - comprehensive follow-up report |
| `clients/dataforth/session-logs/2026-05-03-session.md` | Updated - this section appended |
---
## Credentials Reference
**SOPS Vault Path:** `/Users/azcomputerguru/vault`
**Identity File:** `/Users/azcomputerguru/ClaudeTools/.claude/identity.json`
**Remediation Tool Tiers:**
- investigator: Graph read-only (Security Investigator app)
- investigator-exo: Exchange Online read (Security Investigator app)
- user-manager: Graph user/group write (User Manager app)
- tenant-admin: Graph high-privilege (Tenant Admin app)
**Authentication Methods:**
- Preferred: Certificate (requires PyJWT + cryptography)
- Fallback: Client secret (via REMEDIATION_AUTH=secret)
- Token cache: `/tmp/remediation-tool/{tenant-id}/{tier}.jwt` (55-min TTL)
**Vault Files:**
- Security Investigator: `msp-tools/computerguru-security-investigator.sops.yaml`
- User Manager: `msp-tools/computerguru-user-manager.sops.yaml`
- Tenant Admin: `msp-tools/computerguru-tenant-admin.sops.yaml`
---
**Session Duration:** ~25 minutes
**Total Tasks Completed:** 3/3 follow-up items investigated and documented