From 72dab09d3a6c03fdd51294f8464ecbd94ffaaf66 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Sun, 3 May 2026 15:00:30 -0400 Subject: [PATCH] Session log: Dataforth M365 follow-up investigation - jantar@dataforth.com Follow-up on three pending items from breach check: - IdentityRiskyUser scope: consented but requires P2 license - Dime Client app: internal app requiring verification with Dan Center - Microsoft Authenticator: drafted upgrade plan and recommendations Created comprehensive follow-up report with action items. Machine: Mikes-MacBook-Air User: Mike Swanson (mike) Co-Authored-By: Claude Sonnet 4.5 --- ...026-05-03-followup-jantar-investigation.md | 160 ++++++++++++++ .../session-logs/2026-05-03-session.md | 200 ++++++++++++++++++ 2 files changed, 360 insertions(+) create mode 100644 clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md diff --git a/clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md b/clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md new file mode 100644 index 0000000..8f26aed --- /dev/null +++ b/clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md 
@@ -0,0 +1,160 @@ +# Follow-Up: Dataforth M365 Security Investigation + +**Date:** 2026-05-03 (UTC) +**Analyst:** Mike Swanson (Mikes-MacBook-Air) +**Client:** Dataforth Corp +**User:** Jacque Antar (jantar@dataforth.com) +**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584` + +--- + +## Summary + +This follow-up addresses three items flagged in the breach investigation report for jantar@dataforth.com dated 2026-05-03. + +--- + +## 01 - IdentityRiskyUser.Read.All Scope Status + +**Original Issue:** Breach check reported 403 error when querying risky users endpoint due to missing `IdentityRiskyUser.Read.All` consent. + +**Investigation Result:** [OK] Scope IS Consented, BUT Licensing Issue Exists + +The `IdentityRiskyUser.Read.All` permission IS currently consented for the ComputerGuru Security Investigator app in the Dataforth tenant. Verification: + +- Token acquired successfully includes this role in the JWT claims +- App consent was completed (likely after the breach check) +- Service principal exists and is active in tenant + +**However:** API call to Identity Protection endpoint returns: +``` +403 Forbidden: "Your tenant is not licensed for this feature" +``` + +**Root Cause:** Dataforth tenant does NOT have **Microsoft Entra ID P2** licensing required for Identity Protection features. + +**Impact:** The risky user checks cannot function regardless of app consent until Entra ID P2 licenses are assigned. 
+ +**Recommendation:** + +| Priority | Action | +|---|---| +| [INFO] | If Dataforth wants Identity Protection monitoring (risky sign-ins, leaked credentials, anomaly detection), purchase and assign Entra ID P2 licenses | +| [INFO] | If NOT purchasing P2: Document that risky user checks are unavailable; rely on sign-in log analysis and conditional access instead | + +--- + +## 02 - "Dime Client" Application Verification + +**Original Issue:** Sign-in logs showed "Dime Client" as primary application (7 out of 8 successful sign-ins for jantar@dataforth.com over 30 days). + +**Investigation Result:** [INFO] Internal Application - Verification Needed + +Details from breach check: + +- **App Name:** "Dime Client" +- **Sign-in Frequency:** 7/8 logins (primary app) +- **IP Address:** 67.206.163.122 (Salt Lake City, UT) +- **Platform:** Windows 10 +- **Pattern:** Consistent single IP, no foreign logins, no impossible travel + +**Assessment:** + +- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.) +- NOT found in tenant's service principal directory with "Dime" in display name +- Likely a **custom line-of-business (LOB) application** or **internal Dataforth tool** +- No indicators of compromise - usage is consistent with legitimate work patterns + +**Recommendation:** + +| Priority | Action | Owner | +|---|---|---| +| [ACTION REQUIRED] | Verify "Dime Client" with Dataforth IT/development team | Dan Center (IT Admin) | +| [ACTION REQUIRED] | Confirm this is an authorized internal application | Dan Center | +| [INFO] | If legitimate: Document in Dataforth's authorized apps inventory | Dataforth IT | +| [WARNING] | If UNKNOWN: Investigate immediately as potential unauthorized access | Dataforth IT + ACG | + +**Next Steps:** +1. Contact Dan Center (dcenter@dataforth.com) to confirm "Dime Client" identity +2. If unknown, escalate for full application investigation +3. 
Document outcome in Dataforth's IT asset inventory + +--- + +## 03 - Microsoft Authenticator MFA Upgrade + +**Current State:** Jacque Antar uses **SMS-based MFA** (phone: +1 520-245-6929) + +**Issue:** SMS MFA is vulnerable to: +- SIM swapping attacks +- SMS intercep tion +- Social engineering (attacker convinces carrier to port number) +- Less phishing-resistant than modern MFA methods + +**Recommendation:** Upgrade to **Microsoft Authenticator** (push notifications or TOTP) + +**Benefits:** + +| Feature | SMS MFA | Microsoft Authenticator | +|---|---|---| +| Phishing Resistance | Low | High | +| SIM Swap Protection | No | Yes | +| Number Matching | No | Yes (context-aware) | +| Offline TOTP | No | Yes | +| Compliance | Basic | Strong (meets NIST AAL2) | + +**Implementation Steps:** + +1. **Pilot User:** Jacque Antar (jantar@dataforth.com) + - Current: Password + SMS + - Target: Password + Microsoft Authenticator (push/TOTP) + +2. **Enrollment Process:** + - User downloads Microsoft Authenticator app (iOS/Android) + - Admin initiates MFA re-registration OR user self-enrolls via https://aka.ms/mfasetup + - User scans QR code to add Dataforth account + - Test push notification and TOTP code generation + - **CRITICAL:** Keep SMS as backup method during initial rollout (remove after 30 days if Authenticator stable) + +3. 
**Rollout Plan (if expanding beyond Jacque):** + - Phase 1: IT admins (Dan Center, others) + - Phase 2: Executive team + - Phase 3: General users + - Timeline: 2-4 weeks per phase + +**Priority:** [INFO] - Security hardening, not urgent breach response + +**Who Should Approve:** Dan Center (IT Admin) + Dataforth management + +--- + +## Summary of Actions + +| Item | Status | Next Step | Owner | +|---|---|---|---| +| **IdentityRiskyUser Scope** | [OK] Consented, but needs P2 license | Decide: Purchase P2 or document limitation | Dataforth IT | +| **Dime Client App** | [PENDING] Needs verification | Confirm with Dan Center if authorized app | Dan Center | +| **Authenticator Upgrade** | [RECOMMENDED] Optional hardening | Pilot with Jacque Antar, expand if successful | Dataforth IT | + +--- + +## Files Referenced + +- Breach Check Report: `clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md` +- Session Log (initial investigation): `clients/dataforth/session-logs/2026-05-03-session.md` + +--- + +## Contact for Questions + +**Arizona Computer Guru** +- Analyst: Mike Swanson +- Email: mike@azcomputerguru.com +- Ticket: #109790034 (Syncro) + +**Dataforth IT Contact:** +- Dan Center: dcenter@dataforth.com + +--- + +**Report Generated:** 2026-05-03 by Mike Swanson (Mikes-MacBook-Air) diff --git a/clients/dataforth/session-logs/2026-05-03-session.md b/clients/dataforth/session-logs/2026-05-03-session.md index 63a96f0..1251d7b 100644 --- a/clients/dataforth/session-logs/2026-05-03-session.md +++ b/clients/dataforth/session-logs/2026-05-03-session.md 
@@ -117,3 +117,203 @@ Breach check JSON artifacts at (local, not committed): Consent URL: `https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent` - [ ] Confirm "Dime Client" app with Dataforth — verify it is an authorized internal application - [ ] Consider pushing Jacque Antar to Microsoft Authenticator (currently SMS-only MFA) + +--- + +## Update: 18:56 UTC (Mikes-MacBook-Air) + +**User:** Mike Swanson (mike) +**Machine:** Mikes-MacBook-Air +**Work Mode:** remediation + +### Session Summary + +Follow-up investigation on the three pending items from the jantar@dataforth.com breach check. Verified IdentityRiskyUser.Read.All scope consent status, investigated the "Dime Client" application, and drafted Microsoft Authenticator upgrade recommendations. Created comprehensive follow-up report documenting findings and next steps. + +### Work Completed + +#### 1. IdentityRiskyUser.Read.All Scope Investigation + +**Finding:** Scope IS consented, but licensing issue prevents usage + +- Acquired Graph token using `REMEDIATION_AUTH=secret` (PyJWT/cryptography not installed on Mac, fell back to client_secret auth) +- Verified Security Investigator app token includes `IdentityRiskyUser.Read.All` in roles claim +- Tested risky users API endpoint: returned 403 with "Your tenant is not licensed for this feature" +- **Root Cause:** Dataforth tenant lacks Microsoft Entra ID P2 licensing required for Identity Protection +- **Outcome:** Permission is consented correctly; feature unavailable due to licensing tier +- **Status:** Documented in follow-up report with recommendation to either purchase P2 or accept limitation + +#### 2. 
"Dime Client" Application Verification + +**Finding:** Internal application requiring client confirmation + +- Reviewed breach check data: 7 out of 8 sign-ins for jantar@dataforth.com were "Dime Client" +- All sign-ins from consistent IP 67.206.163.122 (Salt Lake City, UT) - no geographic anomalies +- Searched tenant service principals: no match for "Dime" in displayName +- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.) +- **Assessment:** Likely custom line-of-business (LOB) app or internal Dataforth tool +- **No security concerns:** Usage pattern is consistent and legitimate +- **Status:** Flagged for verification with Dan Center (dcenter@dataforth.com) in follow-up report + +#### 3. Microsoft Authenticator MFA Upgrade Recommendation + +**Current State:** Jacque Antar uses SMS-based MFA (phone: +1 520-245-6929) + +**Drafted Comprehensive Upgrade Plan:** +- Documented SMS vulnerabilities (SIM swapping, interception, social engineering) +- Comparison table: SMS MFA vs Microsoft Authenticator features +- Step-by-step enrollment process for pilot deployment +- Phased rollout plan (IT admins → executives → general users) +- Recommendation: Keep SMS as backup during initial 30-day pilot +- **Priority:** [INFO] level - security hardening, not urgent breach response +- **Decision Authority:** Dan Center (IT Admin) + Dataforth management + +### Files Created + +**Report:** `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md` +- IdentityRiskyUser scope status and P2 licensing requirement +- Dime Client app details and verification request +- Microsoft Authenticator upgrade plan with implementation steps +- Summary action table with owners and next steps + +### Key Technical Details + +**Dataforth Tenant:** +- Tenant ID: `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584` +- Domain: dataforth.com +- Current Licensing: Microsoft 365 (NOT Entra ID P2) +- IT Contact: Dan Center (dcenter@dataforth.com) + +**User Account:** +- UPN: 
jantar@dataforth.com +- Object ID: `daa60027-be31-47a5-87af-d728499a9cc4` +- Display Name: Jacque Antar +- MFA Method: SMS (+1 520-245-6929) + +**Security Investigator App:** +- App ID: `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` +- Display Name: ComputerGuru - Security Investigator +- SP Object ID (in Dataforth): `e560423e-7747-481e-bb9d-affeaabda258` +- Token Scope: Graph API (read-only) +- IdentityRiskyUser.Read.All: Consented but unusable without P2 license + +**Authentication Used:** +- Method: Client secret (via REMEDIATION_AUTH=secret env override) +- Reason: PyJWT and cryptography Python modules not installed on Mac +- Vault Path: `/Users/azcomputerguru/vault` (from .claude/identity.json) +- SOPS File: `msp-tools/computerguru-security-investigator.sops.yaml` +- Token Cache: `/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/investigator.jwt` (55-min TTL) + +### API Calls Performed + +```bash +# Get Security Investigator service principal +GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq 'bfbc12a4-f0dd-4e12-b06d-997e7271e10c' + +# Test Identity Protection risky users endpoint +GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=5 +Response: 403 Forbidden - "Your tenant is not licensed for this feature" + +# Get user OAuth grants +GET https://graph.microsoft.com/v1.0/users/daa60027-be31-47a5-87af-d728499a9cc4/oauth2PermissionGrants +Found: Apple Internet Accounts (EAS) - eM Client was already removed in previous session + +# Lookup service principal by object ID +GET https://graph.microsoft.com/v1.0/servicePrincipals/85e650f8-5eec-4523-a9ef-fc1a031fb1d6 +Result: Apple Internet Accounts (appId: f8d98a96-0999-43f5-8af3-69971c7bb423) + +# Search for Dime Client +GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith(displayName,'Dime') +Result: Empty array - not found + +# Attempted sign-in queries (timed out) +GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq 
'jantar@dataforth.com' +Result: Connection timeouts - relied on breach check report data instead +``` + +### Problems Encountered + +**PyJWT/cryptography Missing on Mac:** +- Certificate-based authentication requires PyJWT and cryptography Python modules +- Not installed on Mikes-MacBook-Air (only on GURU-BEAST-ROG) +- **Resolution:** Used `REMEDIATION_AUTH=secret` environment override to force client_secret authentication +- **Impact:** None - client_secret works identically for this read-only investigation +- **Future:** Consider installing PyJWT/cryptography on Mac or continue using secret auth + +**Sign-In Log API Timeouts:** +- Multiple attempts to query auditLogs/signIns endpoint timed out after 2-3 seconds +- Tried various filters and query simplifications - all timed out +- **Resolution:** Relied on sign-in data from breach check report (already collected on GURU-BEAST-ROG) +- **Impact:** None - breach report contained sufficient sign-in detail for analysis + +### Recommendations for Dataforth + +**Immediate Actions (Dan Center):** +1. [ACTION REQUIRED] Verify "Dime Client" app identity - confirm it is authorized internal application +2. [ACTION REQUIRED] Decide on Entra ID P2 licensing: + - Purchase P2 if Identity Protection monitoring needed + - OR document that risky user checks are unavailable, rely on sign-in log analysis + +**Optional Security Hardening:** +1. [RECOMMENDED] Pilot Microsoft Authenticator with Jacque Antar +2. [RECOMMENDED] Expand Authenticator to IT team, then executives, then general users (2-4 weeks per phase) +3. 
[RECOMMENDED] Document "Dime Client" in Dataforth's authorized apps inventory + +### Syncro Ticket Reference + +**Ticket #109790034** (created in previous session on GURU-BEAST-ROG) +- Subject: M365 Security Investigation - jantar@dataforth.com +- Status: Resolved +- Labor: 1.0 hr billed against prepaid block +- Prepaid Balance: 46.5 hrs remaining +- Contact: Dan Center (id: 2774091) + +**Note:** Follow-up work in THIS session is informational/analysis only. No additional Syncro ticket created. If Dan Center requests implementation of Authenticator upgrade or further investigation, create new ticket. + +### Next Steps + +**For Dataforth (Dan Center to action):** +1. Review follow-up report: `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md` +2. Confirm Dime Client app is authorized +3. Decide on P2 licensing (purchase or accept limitation) +4. Approve/decline Microsoft Authenticator pilot + +**For Arizona Computer Guru:** +1. Wait for Dan Center's response on Dime Client verification +2. If Authenticator pilot approved: schedule enrollment session with Jacque Antar +3. 
If P2 licensing purchased: re-test Identity Protection APIs and document capabilities + +### Files Modified + +| File | Action | +|---|---| +| `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md` | Created - comprehensive follow-up report | +| `clients/dataforth/session-logs/2026-05-03-session.md` | Updated - this section appended | + +--- + +## Credentials Reference + +**SOPS Vault Path:** `/Users/azcomputerguru/vault` +**Identity File:** `/Users/azcomputerguru/ClaudeTools/.claude/identity.json` + +**Remediation Tool Tiers:** +- investigator: Graph read-only (Security Investigator app) +- investigator-exo: Exchange Online read (Security Investigator app) +- user-manager: Graph user/group write (User Manager app) +- tenant-admin: Graph high-privilege (Tenant Admin app) + +**Authentication Methods:** +- Preferred: Certificate (requires PyJWT + cryptography) +- Fallback: Client secret (via REMEDIATION_AUTH=secret) +- Token cache: `/tmp/remediation-tool/{tenant-id}/{tier}.jwt` (55-min TTL) + +**Vault Files:** +- Security Investigator: `msp-tools/computerguru-security-investigator.sops.yaml` +- User Manager: `msp-tools/computerguru-user-manager.sops.yaml` +- Tenant Admin: `msp-tools/computerguru-tenant-admin.sops.yaml` + +--- + +**Session Duration:** ~25 minutes +**Total Tasks Completed:** 3/3 follow-up items investigated and documented
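Review bot: the SMS vs Microsoft Authenticator comparison table in the new report overstates the upgrade. Authenticator push (even with number matching) and TOTP are not phishing-resistant in the NIST SP 800-63B or Microsoft sense: they close off SIM swap and SMS interception, but a real-time proxy phishing page still captures the session, so `| Phishing Resistance | Low | High |` should read Moderate, and the Compliance row is misleading because out-of-band SMS is itself accepted at AAL2 as a restricted authenticator. If phishing resistance is the goal, the recommendation should name FIDO2 security keys, passkeys or Windows Hello for Business as the target and Authenticator as the interim step. Second, the "NOT found in tenant's service principal directory" assessment for Dime Client rests on a display-name prefix search, which misses apps whose name does not start with "Dime" and first-party apps that appear in sign-in records only by appId; if the breach-check sign-in data carries the appId, look the service principal up by appId before handing the question to Dan Center. Two smaller items: the report commits the user's MFA phone number in clear text (it is repeated in the session log hunk as well) and that belongs in the Syncro ticket rather than the repository; and "SMS intercep tion" in the Issue list is a typo.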
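Review bot: under Problems Encountered, "Impact: None" for the client-secret fallback understates the change. Forcing `REMEDIATION_AUTH=secret` means the long-lived secret in `msp-tools/computerguru-security-investigator.sops.yaml` was decrypted and used on a second machine, and the resulting token sits in `/tmp/remediation-tool/<tenant-id>/investigator.jwt` in a shared directory; the log should record that the cache file is owner-only readable, and the Future line should prefer installing PyJWT/cryptography on the Mac over continuing with secret auth. Second, "timed out after 2-3 seconds" for the auditLogs/signIns queries points to a client-side HTTP timeout rather than a Graph outage; sign-in log queries routinely take longer than that, so raise the timeout and add `$top` before concluding the endpoint is unavailable and falling back to the earlier report. Minor: the API Calls block is fenced as bash but contains bare `GET ...?$filter=` lines that are not shell (in bash `$filter` and `$top` would expand to empty strings); label the fence text or http so nobody pastes it into a terminal.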