diff --git a/.claude/memory/feedback_365_remediation_tool.md b/.claude/memory/feedback_365_remediation_tool.md
new file mode 100644
index 0000000..3960901
--- /dev/null
+++ b/.claude/memory/feedback_365_remediation_tool.md
@@ -0,0 +1,11 @@
+---
+name: 365 Remediation Tool Reference
+description: "365 remediation tool" always means the Claude-MSP-Access Graph API app (fabb3421-8b34-484b-bc17-e46de9703418), not CIPP
+type: feedback
+---
+
+When user says "365 remediation tool" or "remediation tool", they ALWAYS mean the Claude-MSP-Access Graph API application (App ID: fabb3421-8b34-484b-bc17-e46de9703418). This is NOT CIPP.
+
+**Why:** User explicitly clarified this after I incorrectly navigated to CIPP. The remediation tool is direct Graph API access using client credentials flow against customer tenants.
+
+**How to apply:** Authenticate directly via Graph API using the app's client secret from SOPS vault (`msp-tools/claude-msp-access-graph-api.sops.yaml`), get tenant ID from OpenID discovery for the target domain, and query Graph API endpoints directly. No browser/UI needed.
diff --git a/session-logs/2026-03-31-session.md b/session-logs/2026-03-31-session.md
index e82c4a9..1ac6ec0 100644
--- a/session-logs/2026-03-31-session.md
+++ b/session-logs/2026-03-31-session.md
@@ -129,3 +129,104 @@ If tokens expire completely: `python mcp-servers/ticktick/ticktick_auth.py` (run
 
 ### MCP Tools Available (after session restart)
 All prefixed with `ticktick_`: list_projects, get_project, create_project, update_project, delete_project, create_task, update_task, complete_task, delete_task
+
+---
+
+## Update: 10:10 AM - M365 Remediation & Data Recovery Discussion
+
+### Session Summary
+
+Mixed session covering data recovery discussion, M365 tenant investigations via Graph API (remediation tool), and cross-tenant consent troubleshooting.
+
+### Key Decisions & Learnings
+- **"365 remediation tool" = Graph API app fabb3421-8b34-484b-bc17-e46de9703418** (NOT CIPP). Memory saved for future sessions.
+- **CIPP API (420cb849) returning 403** on all endpoints -- API client permissions need updating
+- **Admin consent URL with tenant-specific path works for some tenants** but failed for grabblaw.com (redirected to "wrongplace")
+
+### Work Performed
+
+#### 1. Data Recovery Discussion (Hitachi Deskstar HDS721010KLA330)
+- User has a failed 1TB Hitachi Deskstar 7K1000 (June 2008, P/N 0A37239, MLC BA2720, S/N PAK590UF)
+- Symptoms: spins up, 5-7 read attempts, heads park, platter keeps spinning
+- Diagnosis: firmware/service area corruption (not head crash, not platter damage)
+- Discussed Pi-based DIY recovery via serial diagnostic port (4-pin header, 38400 baud 8N1, T> prompt)
+- Discussed PC-3000 internals and HDDSuperTool/OpenSuperClone open source alternatives
+- Data likely intact on platters -- drive can't boot its own firmware
+
+#### 2. MVAN Enterprises (mvaninc.com) - M365 Investigation
+- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1
+- **Domains:** mvaninc.com, modernstile.com, m.mvaninc.com
+- **14 users**, all enabled
+- **Secure Score:** 15.43 / 64.0 (24%)
+- **[WARNING] Mitch VanDeveer under active credential stuffing attack** -- 48/50 sign-ins are failures from malicious IPs (Luxembourg, Frankfurt, LA, Tokyo, Lima, Camden). Running since at least March 3. Account locking and IP blocking working correctly.
+- **sysadmin@mvaninc.com** -- clean, 8 sign-ins all from expected locations (Phoenix, Oklahoma City)
+- **MFA CA policy switched from report-only to ENFORCED** (policy ID: a5d04d44-c6d8-4b40-a37a-0ef16eaa3678)
+- **MFA Registration:** Both Mitch and sysadmin have MFA registered (Authenticator push, phone, TOTP)
+
+#### 3. Grabb & Durando (grabblaw.com) - Consent Failed
+- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
+- Admin consent URL redirected to "wrongplace" after login
+- ROPC flow also failed (consent_required)
+- Entra admin center approach hit browser extension isolation issues
+- **Status: BLOCKED** -- needs manual consent or alternative approach
+
+#### 4. Cascades Tucson (cascadestucson.com) - Onboarded Successfully
+- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
+- **Domain note:** User said "castadestucson.com" but actual domain is "cascadestucson.com"
+- Admin consent URL worked for this tenant
+- **50 users** (5 disabled), 33/34 M365 Business Premium licenses used
+- **Secure Score:** 93.78 / 273.0 (34%)
+- **CA Policies: 8 policies, ALL enabled** -- well configured (MFA all users, legacy auth blocked, risky sign-in detection)
+- **[WARNING] Megan Hiatt** -- blocked sign-ins from Hamburg, Germany (158.94.211.16) flagged as malicious IP
+- **Awaiting details from Howard** on what needs to be done in this tenant
+
+---
+
+### Credentials
+
+#### Claude-MSP-Access (Graph API) - Remediation Tool
+- **App ID:** fabb3421-8b34-484b-bc17-e46de9703418
+- **App Name:** ComputerGuru - AI Remediation
+- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
+- **SOPS Vault:** msp-tools/claude-msp-access-graph-api.sops.yaml
+- **Consent URL pattern:** `https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient`
+
+#### CIPP
+- **URL:** https://cippcanvb.azurewebsites.net
+- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
+- **Client ID:** 420cb849-542d-4374-9cb2-3d8ae0e1835b
+- **Client Secret:** MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT
+- **Status:** Auth works but API returns 403 on all endpoints (permissions issue)
+
+#### MVAN M365
+- **Admin:** sysadmin@mvaninc.com / r3tr0gradE99#
+- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1
+
+#### Grabblaw M365
+- **Admin:** sysadmin@grabblaw.com / r3tr0gradE99!
+- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
+- **Status:** Consent not granted, remediation tool not functional for this tenant
+
+#### Cascades Tucson M365
+- **Admin:** sysadmin@cascadestucson.com (password not provided this session)
+- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
+- **Status:** Consented and operational
+
+---
+
+### Pending/Incomplete Tasks
+
+1. **Grabblaw.com consent** -- admin consent flow broken, need alternative approach (possibly PowerShell New-AzADServicePrincipal or manual Enterprise App registration in Entra)
+2. **Grabblaw full access** -- Reyna account needs full access to Jsosa mailbox (blocked by consent issue)
+3. **Cascades Tucson** -- awaiting details from Howard on what needs to be done
+4. **CIPP API permissions** -- 403 on all endpoints, needs API role/permission update
+5. **MVAN recommendations:**
+   - Reset Mitch VanDeveer's password (credential stuffing ongoing)
+   - Enable SSPR for sysadmin and mitch accounts
+   - Clean up unused licenses (2x O365 Business Premium, 1x Cloud PC)
+   - Address low secure score (24%)
+
+---
+
+### Memory Updates This Session
+- **New:** `feedback_365_remediation_tool.md` -- "365 remediation tool" always means Graph API app fabb3421, not CIPP