azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: Dataforth M365 follow-up investigation - jantar@dataforth.com

Browse Source 
Follow-up on three pending items from breach check:
- IdentityRiskyUser scope: consented but requires P2 license
- Dime Client app: internal app requiring verification with Dan Center
- Microsoft Authenticator: drafted upgrade plan and recommendations

Created comprehensive follow-up report with action items.

Machine: Mikes-MacBook-Air
User: Mike Swanson (mike)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-03 15:00:30 -04:00
parent 2e98f95c9f
commit 72dab09d3a
2 changed files with 360 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

200
clients/dataforth/session-logs/2026-05-03-session.md
View File

@@ -117,3 +117,203 @@ Breach check JSON artifacts at (local, not committed):
Consent URL: `https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent`
- [ ] Confirm "Dime Client" app with Dataforth — verify it is an authorized internal application
- [ ] Consider pushing Jacque Antar to Microsoft Authenticator (currently SMS-only MFA)
---
## Update: 18:56 UTC (Mikes-MacBook-Air)
**User:** Mike Swanson (mike)
**Machine:** Mikes-MacBook-Air
**Work Mode:** remediation
### Session Summary
Follow-up investigation on the three pending items from the jantar@dataforth.com breach check. Verified IdentityRiskyUser.Read.All scope consent status, investigated the "Dime Client" application, and drafted Microsoft Authenticator upgrade recommendations. Created comprehensive follow-up report documenting findings and next steps.
### Work Completed
#### 1. IdentityRiskyUser.Read.All Scope Investigation
**Finding:** Scope IS consented, but licensing issue prevents usage
- Acquired Graph token using `REMEDIATION_AUTH=secret` (PyJWT/cryptography not installed on Mac, fell back to client_secret auth)
- Verified Security Investigator app token includes `IdentityRiskyUser.Read.All` in roles claim
- Tested risky users API endpoint: returned 403 with "Your tenant is not licensed for this feature"
- **Root Cause:** Dataforth tenant lacks Microsoft Entra ID P2 licensing required for Identity Protection
- **Outcome:** Permission is consented correctly; feature unavailable due to licensing tier
- **Status:** Documented in follow-up report with recommendation to either purchase P2 or accept limitation
#### 2. "Dime Client" Application Verification
**Finding:** Internal application requiring client confirmation
- Reviewed breach check data: 7 out of 8 sign-ins for jantar@dataforth.com were "Dime Client"
- All sign-ins from consistent IP 67.206.163.122 (Salt Lake City, UT) - no geographic anomalies
- Searched tenant service principals: no match for "Dime" in displayName
- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.)
- **Assessment:** Likely custom line-of-business (LOB) app or internal Dataforth tool
- **No security concerns:** Usage pattern is consistent and legitimate
- **Status:** Flagged for verification with Dan Center (dcenter@dataforth.com) in follow-up report
#### 3. Microsoft Authenticator MFA Upgrade Recommendation
**Current State:** Jacque Antar uses SMS-based MFA (phone: +1 520-245-6929)
**Drafted Comprehensive Upgrade Plan:**
- Documented SMS vulnerabilities (SIM swapping, interception, social engineering)
- Comparison table: SMS MFA vs Microsoft Authenticator features
- Step-by-step enrollment process for pilot deployment
- Phased rollout plan (IT admins → executives → general users)
- Recommendation: Keep SMS as backup during initial 30-day pilot
- **Priority:** [INFO] level - security hardening, not urgent breach response
- **Decision Authority:** Dan Center (IT Admin) + Dataforth management
### Files Created
**Report:** `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md`
- IdentityRiskyUser scope status and P2 licensing requirement
- Dime Client app details and verification request
- Microsoft Authenticator upgrade plan with implementation steps
- Summary action table with owners and next steps
### Key Technical Details
**Dataforth Tenant:**
- Tenant ID: `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
- Domain: dataforth.com
- Current Licensing: Microsoft 365 (NOT Entra ID P2)
- IT Contact: Dan Center (dcenter@dataforth.com)
**User Account:**
- UPN: jantar@dataforth.com
- Object ID: `daa60027-be31-47a5-87af-d728499a9cc4`
- Display Name: Jacque Antar
- MFA Method: SMS (+1 520-245-6929)
**Security Investigator App:**
- App ID: `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
- Display Name: ComputerGuru - Security Investigator
- SP Object ID (in Dataforth): `e560423e-7747-481e-bb9d-affeaabda258`
- Token Scope: Graph API (read-only)
- IdentityRiskyUser.Read.All: Consented but unusable without P2 license
**Authentication Used:**
- Method: Client secret (via REMEDIATION_AUTH=secret env override)
- Reason: PyJWT and cryptography Python modules not installed on Mac
- Vault Path: `/Users/azcomputerguru/vault` (from .claude/identity.json)
- SOPS File: `msp-tools/computerguru-security-investigator.sops.yaml`
- Token Cache: `/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/investigator.jwt` (55-min TTL)
### API Calls Performed
```bash
# Get Security Investigator service principal
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq 'bfbc12a4-f0dd-4e12-b06d-997e7271e10c'
# Test Identity Protection risky users endpoint
GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=5
Response: 403 Forbidden - "Your tenant is not licensed for this feature"
# Get user OAuth grants
GET https://graph.microsoft.com/v1.0/users/daa60027-be31-47a5-87af-d728499a9cc4/oauth2PermissionGrants
Found: Apple Internet Accounts (EAS) - eM Client was already removed in previous session
# Lookup service principal by object ID
GET https://graph.microsoft.com/v1.0/servicePrincipals/85e650f8-5eec-4523-a9ef-fc1a031fb1d6
Result: Apple Internet Accounts (appId: f8d98a96-0999-43f5-8af3-69971c7bb423)
# Search for Dime Client
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith(displayName,'Dime')
Result: Empty array - not found
# Attempted sign-in queries (timed out)
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq 'jantar@dataforth.com'
Result: Connection timeouts - relied on breach check report data instead
```
### Problems Encountered
**PyJWT/cryptography Missing on Mac:**
- Certificate-based authentication requires PyJWT and cryptography Python modules
- Not installed on Mikes-MacBook-Air (only on GURU-BEAST-ROG)
- **Resolution:** Used `REMEDIATION_AUTH=secret` environment override to force client_secret authentication
- **Impact:** None - client_secret works identically for this read-only investigation
- **Future:** Consider installing PyJWT/cryptography on Mac or continue using secret auth
**Sign-In Log API Timeouts:**
- Multiple attempts to query auditLogs/signIns endpoint timed out after 2-3 seconds
- Tried various filters and query simplifications - all timed out
- **Resolution:** Relied on sign-in data from breach check report (already collected on GURU-BEAST-ROG)
- **Impact:** None - breach report contained sufficient sign-in detail for analysis
### Recommendations for Dataforth
**Immediate Actions (Dan Center):**
1. [ACTION REQUIRED] Verify "Dime Client" app identity - confirm it is authorized internal application
2. [ACTION REQUIRED] Decide on Entra ID P2 licensing:
- Purchase P2 if Identity Protection monitoring needed
- OR document that risky user checks are unavailable, rely on sign-in log analysis
**Optional Security Hardening:**
1. [RECOMMENDED] Pilot Microsoft Authenticator with Jacque Antar
2. [RECOMMENDED] Expand Authenticator to IT team, then executives, then general users (2-4 weeks per phase)
3. [RECOMMENDED] Document "Dime Client" in Dataforth's authorized apps inventory
### Syncro Ticket Reference
**Ticket #109790034** (created in previous session on GURU-BEAST-ROG)
- Subject: M365 Security Investigation - jantar@dataforth.com
- Status: Resolved
- Labor: 1.0 hr billed against prepaid block
- Prepaid Balance: 46.5 hrs remaining
- Contact: Dan Center (id: 2774091)
**Note:** Follow-up work in THIS session is informational/analysis only. No additional Syncro ticket created. If Dan Center requests implementation of Authenticator upgrade or further investigation, create new ticket.
### Next Steps
**For Dataforth (Dan Center to action):**
1. Review follow-up report: `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md`
2. Confirm Dime Client app is authorized
3. Decide on P2 licensing (purchase or accept limitation)
4. Approve/decline Microsoft Authenticator pilot
**For Arizona Computer Guru:**
1. Wait for Dan Center's response on Dime Client verification
2. If Authenticator pilot approved: schedule enrollment session with Jacque Antar
3. If P2 licensing purchased: re-test Identity Protection APIs and document capabilities
### Files Modified
| File | Action |
|---|---|
| `clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md` | Created - comprehensive follow-up report |
| `clients/dataforth/session-logs/2026-05-03-session.md` | Updated - this section appended |
---
## Credentials Reference
**SOPS Vault Path:** `/Users/azcomputerguru/vault`
**Identity File:** `/Users/azcomputerguru/ClaudeTools/.claude/identity.json`
**Remediation Tool Tiers:**
- investigator: Graph read-only (Security Investigator app)
- investigator-exo: Exchange Online read (Security Investigator app)
- user-manager: Graph user/group write (User Manager app)
- tenant-admin: Graph high-privilege (Tenant Admin app)
**Authentication Methods:**
- Preferred: Certificate (requires PyJWT + cryptography)
- Fallback: Client secret (via REMEDIATION_AUTH=secret)
- Token cache: `/tmp/remediation-tool/{tenant-id}/{tier}.jwt` (55-min TTL)
**Vault Files:**
- Security Investigator: `msp-tools/computerguru-security-investigator.sops.yaml`
- User Manager: `msp-tools/computerguru-user-manager.sops.yaml`
- Tenant Admin: `msp-tools/computerguru-tenant-admin.sops.yaml`
---
**Session Duration:** ~25 minutes
**Total Tasks Completed:** 3/3 follow-up items investigated and documented