docs(session)+rules: 2026-05-27 — Quantum M365 onboarding, IX autodiscover fix, Syncro emergency/labor/attribution rules
Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only).

Syncro rule overhaul:
- Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225)
- Never make up labor items (existing product + real name; QuickBooks sync)
- Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner

/remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table).

Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -48,3 +48,60 @@ Posted a **customer-visible, emailed** update to #32323 acknowledging the forwar
- Ticket: #32323 (id 111056440), customer_id 7088747 — https://computerguru.syncromsp.com/tickets/111056440 — comment id 413437310.
- Source email: Sheila Peress (sheila@quantumwms.com), "FW: Intermedia Concern [#SR-150626]", 2026-05-27 13:55, forwarding IFG Software Support (softwaresupport@ifgsd.com).
- Wiki: wiki/clients/quantumwms.md.
---
## Update: 14:49 PT — M365 migration: tenant onboarded, security baseline started
### Session Summary
Major progress on the Intermedia -> M365 migration (#32323). Jen Curry (IFG) called back and **approved + strongly encouraged** the move; emailed Sheila the update, set up appointments (Wed 5/27 2:00 PM with Sheila for licensing + PST backup kickoff; Thu 5/28 1:00 PM with Jen to finalize DNS for archival + sent-mail encryption), created a PST-backup TODO, and created an empty **"365 Services" recurring invoice template** (schedule 509862, Monthly, next run 2026-06-01) for Pax8 to populate.
Resolved the tenant question. Pax8 reported `quantumwms.com` "attached to a tenant" — discovery found a dormant **GoDaddy-provisioned tenant** (`ddf3d2c9...`, `netorg18235235.onmicrosoft.com`, brand "quantumwms.com") that had the domain parked but unverified. Mike chose to **spin up a fresh tenant** (only 2 users; cleaner than a GoDaddy takeover). Pax8 provisioned **new tenant `2fd0092b-e9b7-474c-ad73-301f34dd6b64`** ("Quantum Wealth Management", `quantumwms.onmicrosoft.com`); `quantumwms.com` verified + primary there; `john@`/`sheila@` licensed (Business Premium); `sysadmin@` is the ACG admin (GA). The GoDaddy tenant was bypassed.
Onboarded ACG management access: Pax8 **GDAP approved** (relationship "Default_Ariz_Quantum Weal_704149625747913", 180 days), then ran `onboard-tenant.sh` against `2fd0092b` — only the **Tenant Admin** app needed a manual consent click; the script programmatically consented the rest (Security Investigator, Exchange Operator, User Manager, Defender) and assigned directory roles. Verified with a live Graph read. (Hit a wrong-tenant snag first: I'd pointed consent at the GoDaddy `ddf3d2c9` and `sysadmin@` bounced — re-discovery showed the domain had since verified into the new `2fd0092b`.)
Started the **security baseline** (Mike chose Conditional Access over Security Defaults — Business Premium includes Entra P1). Set John's initial password. Created a **break-glass GA** (`breakglass@quantumwms.onmicrosoft.com`, excluded from CA). Created **CA001 (MFA all) + CA002 (block legacy) in report-only** programmatically (Mike relaxed the "CA stays manual" rule given break-glass + report-only = near-zero blast radius). Emailed Sheila for the office Comcast **static IP** (for a trusted-location CA policy). Enforcement deferred until after tomorrow's mail cutover (Security Defaults covers MFA in the interim).
### Key Decisions
- **Fresh tenant, not GoDaddy takeover** — only 2 users; the GoDaddy tenant (`ddf3d2c9`) is a Managed tenant (no DNS takeover possible) and dormant, so a clean new tenant (`2fd0092b`) was simpler. The domain wasn't verified in GoDaddy's, so the new tenant claimed it.
- **Conditional Access over Security Defaults** — they pay for Business Premium (P1); CA is granular + break-glass-excludable + audit-friendly for a compliance-sensitive financial firm.
- **CA created in report-only, programmatically** — Mike opted to enable programmatic CA writes; safe here (break-glass excluded + report-only enforces nothing). Enforce after the mail cutover so block-legacy is observed against real mail traffic.
- **Single GA + break-glass** — `sysadmin@` (daily) + `breakglass@` (emergency, CA-excluded, password-never-expires) to prevent lockout before enforcing CA.
### Configuration Changes
- Syncro #32323: appointments `5598140927` (Wed 2PM Sheila) + `5598140928` (Thu 1PM Jen); recurring schedule **509862** ("365 Services", empty); comments for migration updates.
- M365 tenant `2fd0092b`: full ComputerGuru app suite consented + directory roles; CA001 `22cd5d4b` + CA002 `52db2b88` (report-only); break-glass GA created; John password set.
### Credentials & Secrets
- **M365 tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management", `quantumwms.onmicrosoft.com`, `quantumwms.com` primary). Old GoDaddy tenant `ddf3d2c9-b76c-40d9-a216-9f11a1a26f97` (`netorg18235235.onmicrosoft.com`) — dormant, bypassed.
- **john@quantumwms.com** — initial password set 2026-05-27 by Mike: `SheilaDeena1952#` (forceChange=false; John MFA-enrolls at first sign-in). Licensed Business Premium.
- **sysadmin@quantumwms.com** — ACG admin, Global Admin (id `003cacd2-dc29-4fb6-9da4-756927c91e16`).
- **breakglass@quantumwms.onmicrosoft.com** — emergency GA (id `ad4a7a5c-a030-4e6f-bcd6-a0e7c7630f99`), cloud-only, password-never-expires, excluded from all CA. Password VAULTED at `clients/quantumwms/m365-breakglass.sops.yaml` (vault commit f08f339).
- **GDAP:** Pax8 US, relationship "Default_Ariz_Quantum Weal_704149625747913", Approved, 180 days.
### Infrastructure & Servers
- Email today: Intermedia HEX (`*.exch090.serverdata.net`), migrating to M365 tenant `2fd0092b`. License SKU: **SPB** (Business Premium) ×2.
- CA policies (report-only): CA001 Require MFA all users (`22cd5d4b-5e6a-4fbe-ad50-e57555b12d8d`), CA002 Block legacy auth (`52db2b88-55bf-4e7d-b060-ea4b14a253e2`), both exclude break-glass. Security Defaults still ON (interim).
### Commands & Outputs
- Onboard: `bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh 2fd0092b-...` → [SUCCESS] (re-ran once to clear Graph replication-lag perm errors).
- Tenant discovery: `getuserrealm`/`openid-config` for quantumwms.com → first "Unknown"/not-found (GoDaddy parked), later Managed → `2fd0092b`.
- CA create: `POST /identity/conditionalAccess/policies` (tenant-admin token, `state: enabledForReportingButNotEnforced`).
### Pending / Incomplete Tasks
- **Thu 5/28 1:00 PM:** Jen Curry (IFG) — finalize DNS (archival + sent-mail encryption), then mail cutover ~1 PM.
- **PST backups** of John + Sheila mailboxes before cutover (todo `d3623023`) — Intermedia has no server-side export.
- **CA enforcement** (todo `6be618e1`): after mail cutover, disable Security Defaults + flip CA001/CA002 to enabled; add office static-IP named-location policy once Sheila sends the Comcast IP (requested).
- **Defender for Business** onboarding (BP-included, app consented).
- John Velez consent / Sheila's static IP reply.
### Reference Information
- Tenant `2fd0092b`; GoDaddy `ddf3d2c9`. GDAP "Default_Ariz_Quantum Weal_704149625747913" (Pax8). CA001 `22cd5d4b`, CA002 `52db2b88`. Schedule `509862`. Appts `5598140927`/`5598140928`. Todos `d3623023` (PST), `6be618e1` (CA baseline), `06c16144` is RMM (unrelated). Break-glass id `ad4a7a5c`. Memory: `project_quantum_godaddy_m365_tenant.md`.
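Review bot: the `john@quantumwms.com` entry under "Credentials & Secrets" commits a live user password in cleartext (`SheilaDeena1952#`, set with forceChange=false) into a git-tracked session log, while the `breakglass@` entry three lines later correctly records only a pointer to `clients/quantumwms/m365-breakglass.sops.yaml` and a vault commit. The John entry should follow the same pattern (vault the value, log the path and commit), and because the value is already in history, the password should be rotated or the account switched to a forced change at first sign-in rather than merely redacted in a follow-up commit; a person's name plus birth year is also a weak initial secret for a Global-Admin-managed mailbox at a financial firm. Secondary: the "Infrastructure & Servers" line reads "Security Defaults still ON (interim)" next to the two report-only CA policies; the ordering that makes this safe (disable Security Defaults, then flip CA001/CA002 to enabled) appears only under "Pending / Incomplete Tasks", so it is worth repeating it beside the policy IDs so nobody enables the policies from that section first.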