Session log: Dataforth M365 follow-up investigation - jantar@dataforth.com
Follow-up on three pending items from breach check: - IdentityRiskyUser scope: consented but requires P2 license - Dime Client app: internal app requiring verification with Dan Center - Microsoft Authenticator: drafted upgrade plan and recommendations Created comprehensive follow-up report with action items. Machine: Mikes-MacBook-Air User: Mike Swanson (mike) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,160 @@
|
||||
# Follow-Up: Dataforth M365 Security Investigation
|
||||
|
||||
**Date:** 2026-05-03 (UTC)
|
||||
**Analyst:** Mike Swanson (Mikes-MacBook-Air)
|
||||
**Client:** Dataforth Corp
|
||||
**User:** Jacque Antar (jantar@dataforth.com)
|
||||
**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
|
||||
|
||||
---
|
||||
|
||||
## Summary
|
||||
|
||||
This follow-up addresses three items flagged in the breach investigation report for jantar@dataforth.com dated 2026-05-03.
|
||||
|
||||
---
|
||||
|
||||
## 01 - IdentityRiskyUser.Read.All Scope Status
|
||||
|
||||
**Original Issue:** Breach check reported 403 error when querying risky users endpoint due to missing `IdentityRiskyUser.Read.All` consent.
|
||||
|
||||
**Investigation Result:** [OK] Scope IS Consented, BUT Licensing Issue Exists
|
||||
|
||||
The `IdentityRiskyUser.Read.All` permission IS currently consented for the ComputerGuru Security Investigator app in the Dataforth tenant. Verification:
|
||||
|
||||
- Token acquired successfully includes this role in the JWT claims
|
||||
- App consent was completed (likely after the breach check)
|
||||
- Service principal exists and is active in tenant
|
||||
|
||||
**However:** API call to Identity Protection endpoint returns:
|
||||
```
|
||||
403 Forbidden: "Your tenant is not licensed for this feature"
|
||||
```
|
||||
|
||||
**Root Cause:** Dataforth tenant does NOT have **Microsoft Entra ID P2** licensing required for Identity Protection features.
|
||||
|
||||
**Impact:** The risky user checks cannot function regardless of app consent until Entra ID P2 licenses are assigned.
|
||||
|
||||
**Recommendation:**
|
||||
|
||||
| Priority | Action |
|
||||
|---|---|
|
||||
| [INFO] | If Dataforth wants Identity Protection monitoring (risky sign-ins, leaked credentials, anomaly detection), purchase and assign Entra ID P2 licenses |
|
||||
| [INFO] | If NOT purchasing P2: Document that risky user checks are unavailable; rely on sign-in log analysis and conditional access instead |
|
||||
|
||||
---
|
||||
|
||||
## 02 - "Dime Client" Application Verification
|
||||
|
||||
**Original Issue:** Sign-in logs showed "Dime Client" as primary application (7 out of 8 successful sign-ins for jantar@dataforth.com over 30 days).
|
||||
|
||||
**Investigation Result:** [INFO] Internal Application - Verification Needed
|
||||
|
||||
Details from breach check:
|
||||
|
||||
- **App Name:** "Dime Client"
|
||||
- **Sign-in Frequency:** 7/8 logins (primary app)
|
||||
- **IP Address:** 67.206.163.122 (Salt Lake City, UT)
|
||||
- **Platform:** Windows 10
|
||||
- **Pattern:** Consistent single IP, no foreign logins, no impossible travel
|
||||
|
||||
**Assessment:**
|
||||
|
||||
- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.)
|
||||
- NOT found in tenant's service principal directory with "Dime" in display name
|
||||
- Likely a **custom line-of-business (LOB) application** or **internal Dataforth tool**
|
||||
- No indicators of compromise - usage is consistent with legitimate work patterns
|
||||
|
||||
**Recommendation:**
|
||||
|
||||
| Priority | Action | Owner |
|
||||
|---|---|---|
|
||||
| [ACTION REQUIRED] | Verify "Dime Client" with Dataforth IT/development team | Dan Center (IT Admin) |
|
||||
| [ACTION REQUIRED] | Confirm this is an authorized internal application | Dan Center |
|
||||
| [INFO] | If legitimate: Document in Dataforth's authorized apps inventory | Dataforth IT |
|
||||
| [WARNING] | If UNKNOWN: Investigate immediately as potential unauthorized access | Dataforth IT + ACG |
|
||||
|
||||
**Next Steps:**
|
||||
1. Contact Dan Center (dcenter@dataforth.com) to confirm "Dime Client" identity
|
||||
2. If unknown, escalate for full application investigation
|
||||
3. Document outcome in Dataforth's IT asset inventory
|
||||
|
||||
---
|
||||
|
||||
## 03 - Microsoft Authenticator MFA Upgrade
|
||||
|
||||
**Current State:** Jacque Antar uses **SMS-based MFA** (phone: +1 520-245-6929)
|
||||
|
||||
**Issue:** SMS MFA is vulnerable to:
|
||||
- SIM swapping attacks
|
||||
- SMS intercep tion
|
||||
- Social engineering (attacker convinces carrier to port number)
|
||||
- Less phishing-resistant than modern MFA methods
|
||||
|
||||
**Recommendation:** Upgrade to **Microsoft Authenticator** (push notifications or TOTP)
|
||||
|
||||
**Benefits:**
|
||||
|
||||
| Feature | SMS MFA | Microsoft Authenticator |
|
||||
|---|---|---|
|
||||
| Phishing Resistance | Low | High |
|
||||
| SIM Swap Protection | No | Yes |
|
||||
| Number Matching | No | Yes (context-aware) |
|
||||
| Offline TOTP | No | Yes |
|
||||
| Compliance | Basic | Strong (meets NIST AAL2) |
|
||||
|
||||
**Implementation Steps:**
|
||||
|
||||
1. **Pilot User:** Jacque Antar (jantar@dataforth.com)
|
||||
- Current: Password + SMS
|
||||
- Target: Password + Microsoft Authenticator (push/TOTP)
|
||||
|
||||
2. **Enrollment Process:**
|
||||
- User downloads Microsoft Authenticator app (iOS/Android)
|
||||
- Admin initiates MFA re-registration OR user self-enrolls via https://aka.ms/mfasetup
|
||||
- User scans QR code to add Dataforth account
|
||||
- Test push notification and TOTP code generation
|
||||
- **CRITICAL:** Keep SMS as backup method during initial rollout (remove after 30 days if Authenticator stable)
|
||||
|
||||
3. **Rollout Plan (if expanding beyond Jacque):**
|
||||
- Phase 1: IT admins (Dan Center, others)
|
||||
- Phase 2: Executive team
|
||||
- Phase 3: General users
|
||||
- Timeline: 2-4 weeks per phase
|
||||
|
||||
**Priority:** [INFO] - Security hardening, not urgent breach response
|
||||
|
||||
**Who Should Approve:** Dan Center (IT Admin) + Dataforth management
|
||||
|
||||
---
|
||||
|
||||
## Summary of Actions
|
||||
|
||||
| Item | Status | Next Step | Owner |
|
||||
|---|---|---|---|
|
||||
| **IdentityRiskyUser Scope** | [OK] Consented, but needs P2 license | Decide: Purchase P2 or document limitation | Dataforth IT |
|
||||
| **Dime Client App** | [PENDING] Needs verification | Confirm with Dan Center if authorized app | Dan Center |
|
||||
| **Authenticator Upgrade** | [RECOMMENDED] Optional hardening | Pilot with Jacque Antar, expand if successful | Dataforth IT |
|
||||
|
||||
---
|
||||
|
||||
## Files Referenced
|
||||
|
||||
- Breach Check Report: `clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md`
|
||||
- Session Log (initial investigation): `clients/dataforth/session-logs/2026-05-03-session.md`
|
||||
|
||||
---
|
||||
|
||||
## Contact for Questions
|
||||
|
||||
**Arizona Computer Guru**
|
||||
- Analyst: Mike Swanson
|
||||
- Email: mike@azcomputerguru.com
|
||||
- Ticket: #109790034 (Syncro)
|
||||
|
||||
**Dataforth IT Contact:**
|
||||
- Dan Center: dcenter@dataforth.com
|
||||
|
||||
---
|
||||
|
||||
**Report Generated:** 2026-05-03 by Mike Swanson (Mikes-MacBook-Air)
|
||||
Reference in New Issue
Block a user