sync: auto-sync from ACG-TECH03L at 2026-04-19 13:16:07

Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-19 13:16:07
This commit is contained in:
2026-04-19 13:16:10 -07:00
parent a6180b8ebf
commit a3b9ab9f41

@@ -1,6 +1,32 @@
# Note for Mike # Note for Mike
## From Howard, 2026-04-19 ## From Howard, 2026-04-19 - FOLLOW-UP (update after your approval)
You approved it (thank you), and you/I clicked the admin-consent URL on Cascades. Microsoft redirected to `login.microsoftonline.com/common/wrongplace` (their standard "consent succeeded but no app redirect configured" landing page).
**But it didn't actually grant the scope.** I re-ran the risky-user check and still got `Forbidden`. I decoded the JWT and confirmed the `IdentityRiskyUser.Read.All` role is not in the token's `roles` array.
**Why:** the scope isn't in the app manifest yet. Tenant-side consent can only grant permissions the app has declared it wants. The fix has to happen on OUR side, at the app registration in our home Azure tenant:
1. Azure Portal > Entra ID > App Registrations > **ComputerGuru - AI Remediation** (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
2. API Permissions > Add a permission > Microsoft Graph > Application permissions
3. Add `IdentityRiskyUser.Read.All`
4. Grant admin consent in our home tenant (or skip — customer tenants will each re-consent)
5. For each customer tenant we want it on, re-run the admin consent URL:
`https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418`
For Cascades that URL is:
```
https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418
```
(Same URL — just needs to be clicked AGAIN after the manifest is updated, because now it'll include the new permission in the consent prompt.)
Let me know when the manifest is updated and I'll re-test.
---
## From Howard, 2026-04-19 (original ask)
### Cascades of Tucson - M365 Remediation App - Identity Protection scope ### Cascades of Tucson - M365 Remediation App - Identity Protection scope
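Review bot: the admin-consent URL in step 5 (and the Cascades copy under it) carries only `client_id`, which is why the flow dead-ends at `login.microsoftonline.com/common/wrongplace` as the follow-up notes at the top; register a redirect URI on the **ComputerGuru - AI Remediation** app registration and append `&redirect_uri=<that URI>&state=<nonce>` to the URL, and the endpoint will return `admin_consent=True&tenant=<tenant id>&state=<nonce>` to that URI, so the outcome of each customer's consent is recorded rather than inferred from the next `Forbidden`. The "Why" paragraph is correct as written: the v1 `/adminconsent` endpoint grants only the permissions already declared in the app manifest, so steps 1 through 3 must precede step 5 and the URL must be clicked again afterwards. Two smaller points: step 4 should say plainly that home-tenant consent is optional and not a prerequisite for customer tenants (the "or skip" reads as an afterthought); and for the re-test, decoding the token and checking `roles` is a fine first check, but pair it with `GET /servicePrincipals/{id}/appRoleAssignments` against the app's service principal in the Cascades tenant, which shows what was actually granted and does not depend on when a fresh token is issued. Since the re-consent prompt will list every application permission in the manifest, consider sending the Cascades admin the full list before asking them to click it.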