Session log: M365 tenant onboarding — 19 done, martylryan + grabblaw re-onboarded, Cascades admin renamed/vaulted

session-logs/2026-04-21-session.md

@@ -0,0 +1,119 @@
+# Session Log: 2026-04-21
+
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** DESKTOP-0O8A1RL
+- **Role:** admin
+
+## Session Summary
+
+This session completed the M365 multi-tenant onboarding initiative. The goal was to onboard all 41 CIPP-managed partner tenants to the ComputerGuru app suite (Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on) with minimal customer interaction — customers click one URL (Tenant Admin consent), then the `onboard-tenant.sh` script handles all remaining programmatic consent and role assignments automatically.
+
+### Accomplishments
+
+1. **Tenant Admin manifest fix (from previous session)**: Added `AppRoleAssignment.ReadWrite.All` (GUID: `06b708a9-e830-4db3-a914-8e69da51d44f`) to Tenant Admin app. This was required for the script to programmatically grant appRoleAssignments to other SPs in customer tenants. Fixed via Management app PATCH.
+
+2. **Re-onboarded martylryan.com and grabblaw.com**: These two were consented before the manifest fix. Both needed Tenant Admin re-consent (done by Mike), then script re-run. Both now fully onboarded with all apps and directory roles.
+   - martylryan.com: All 4 apps + Exchange Admin + User Admin + Auth Admin assigned
+   - grabblaw.com: 3 apps (no MDE) + Exchange Admin + User Admin + Auth Admin assigned; Defender skipped (no MDE license)
+
+3. **Cascades Tucson GoDaddy admin account** (from previous session):
+   - Found disabled account `admin@NETORGFT4257522.onmicrosoft.com`
+   - Renamed UPN to `admin@cascadestucson.com` (domain was verified default)
+   - Enabled account, reset password to `Gptf*ttb123!@#-cs`
+   - Vaulted at `D:/vault/clients/cascades-tucson/m365-admin.sops.yaml`
+
+4. **Batch tenant sweep**: Ran `onboard-tenant.sh` against all 40 pending tenants. 17 were already fully consented and onboarded successfully. 23 still need initial Tenant Admin consent.
+
+5. **tenant-consent.html**: Updated to show only remaining pending tenants. 19 tenants now marked done (including martylryan + grabblaw post re-consent). 22 still pending.
+
+### Files Modified This Session
+
+| File | Change |
+|---|---|
+| `.claude/skills/remediation-tool/scripts/onboard-tenant.sh` | Major rewrite: programmatic consent for all 4 non-admin apps after Tenant Admin consent |
+| `.claude/skills/remediation-tool/references/tenants.md` | NEW: full 41-tenant list with display names, domains, tenant IDs, onboarding status, consent URLs |
+| `.claude/skills/remediation-tool/references/tenant-consent.html` | NEW + updated: dark-theme HTML page with clickable consent links; 19 tenants marked done |
+| `.claude/skills/remediation-tool/references/gotchas.md` | Updated: Grabblaw and martylryan marked fully onboarded with dates |
+| `D:/vault/clients/cascades-tucson/m365-admin.sops.yaml` | NEW: SOPS-encrypted admin credentials for Cascades Tucson |
+
+---
+
+## Credentials
+
+### Cascades Tucson M365 Admin
+- **Username:** admin@cascadestucson.com
+- **Password:** Gptf*ttb123!@#-cs
+- **Vault:** `D:/vault/clients/cascades-tucson/m365-admin.sops.yaml`
+- **Notes:** Renamed from admin@NETORGFT4257522.onmicrosoft.com (original GoDaddy provisioned account)
+
+---
+
+## onboard-tenant.sh Architecture
+
+### Flow
+1. Resolve domain → tenant GUID (openid-configuration)
+2. Acquire Tenant Admin token (client_credentials) to verify consent
+3. Locate resource SPs in tenant: Microsoft Graph, Exchange Online, Defender ATP
+4. For each app (Security Investigator, Exchange Operator, User Manager, Defender Add-on):
+   - Create SP if missing (`POST /servicePrincipals`) — sleep 5 after creation for replication
+   - Grant all appRoleAssignments idempotently
+5. Assign directory roles (Exchange Admin to Sec Inv SP; User Admin + Auth Admin to User Mgr SP)
+6. Print status table
+
+### Key GUIDs
+
+**Permission resource app IDs:**
+- Microsoft Graph: `00000003-0000-0000-c000-000000000000`
+- Exchange Online: `00000002-0000-0ff1-ce00-000000000000`
+- Defender ATP: `fc780465-2017-40d4-a0c5-307022471b92`
+
+**App IDs:**
+- Security Investigator: `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
+- Exchange Operator: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`
+- User Manager: `64fac46b-8b44-41ad-93ee-7da03927576c`
+- Tenant Admin: `709e6eed-0711-4875-9c44-2d3518c47063`
+- Defender Add-on: `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b`
+
+**Tenant Admin manifest permissions required:**
+- `AppRoleAssignment.ReadWrite.All`: `06b708a9-e830-4db3-a914-8e69da51d44f`
+- `Application.ReadWrite.All`: `1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9`
+- `Directory.ReadWrite.All`: `19dbc75e-c2e2-444c-a770-ec69d8559fc7`
+
+### Bugs Fixed During Development
+
+1. **stdout/stderr pollution in `create_sp_if_missing`**: Human-readable status lines were going to stdout, corrupting `sp_oid=$(create_sp_if_missing ...)`. Fix: all status echoes changed to `>&2`.
+2. **Graph replication delay**: Newly created SPs need ~5s before appRoleAssignments can be granted. Fix: `sleep 5` after successful SP creation.
+3. **jq null iterator**: `[.value[] | select(...)]` threw on fresh SPs with null appRoleAssignments. Fix: `[.value[]? | select(...)]`.
+
+---
+
+## Onboarding Status (as of 2026-04-21)
+
+### Done (19 tenants)
+andysmobilefuel.com, tedards.net, cascadestucson.com, cclac.net, cobaltfinearts.com, dataforth.com, glaztech.com, heieck.org, jemaenterprises.com, mvan.onmicrosoft.com, bestmassageintucson.com, rednourlaw.com, reliantpump.services, ridgetopgroup.com, safesitellc.com, sonorangreenllc.com, valleywideplastering.com, martylryan.com, grabblaw.com
+
+### Pending — Needs Tenant Admin Consent (22 tenants)
+Brian Kahn (briankahn.onmicrosoft.com), cuadro.design, Curtis Plumbing (cparizona.onmicrosoft.com), cwconcretellc.com, Feline Ltd (felineltd.onmicrosoft.com), ICE INC (iceinc.us.com), Instrumental Music (instrumentalmusic.onmicrosoft.com), JR Kennedy (jrkco.com), Khalsa Montessori (khalsamontessorischools.onmicrosoft.com), Kittle Design (kittlearizona.com), LeeAnn Parkinson (lamaddux.com), Patient Care Advocates (pcatucson.com), Putt Land Surveying (puttsurveying.com), Rincon Vista Vet (rinconvistavet.onmicrosoft.com), Russo Law (rrs-law.com), SANDTEKO (SANDTEKOMACHINERY.com), Shave Kevin (az2son.com), Starr Pass Realty (starrpass.com), The Dumpster Guys (dumpsterguys.onmicrosoft.com), The Prairie Schooner (theprairieschooner.onmicrosoft.com), Tucson Golden Corral (tucsongoldencorral.onmicrosoft.com), Tucson Mountain Motors (tucsonmountainmotors.com), Von's Carstar (vonscarstar.com)
+
+### Not in CIPP (needs investigation)
+- Len's Auto Brokerage (tenant: 5ba99b55-...) — Mike accidentally opened Brian Kahn consent URL logged in as admin@lensautobrokerage.onmicrosoft.com; Len's may not be in CIPP partner list
+
+---
+
+## Pending / Next Steps
+
+1. **22 tenants need initial Tenant Admin consent** — use `tenant-consent.html` to send links or open directly; after each consent, run `onboard-tenant.sh <domain>`
+2. **Len's Auto Brokerage** — check if in CIPP, add if not, then onboard
+3. **Brian Kahn** — needs Brian Kahn's own Global Admin to click consent URL (not admin@lensautobrokerage.onmicrosoft.com)
+4. **Tenant-consent.html UUID tenants** — three entries show GUIDs not domains (f5f86b40, dfee2224, and cparizona/felineltd/etc use onmicrosoft.com domains) — verify display names in tenants.md match
+
+---
+
+## Reference
+
+- **Consent HTML:** `D:/claudetools/.claude/skills/remediation-tool/references/tenant-consent.html`
+- **Tenant list:** `D:/claudetools/.claude/skills/remediation-tool/references/tenants.md`
+- **Onboarding script:** `D:/claudetools/.claude/skills/remediation-tool/scripts/onboard-tenant.sh`
+- **Gotchas:** `D:/claudetools/.claude/skills/remediation-tool/references/gotchas.md`
+- **Cascades vault:** `D:/vault/clients/cascades-tucson/m365-admin.sops.yaml`