azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: M365 remediation (MVAN, grabblaw, cascades), data recovery discussion

Browse Source 
- MVAN: investigated credential stuffing on Mitch VanDeveer, enforced MFA CA policy
- Grabblaw: consent flow failed, needs alternative approach
- Cascades Tucson: onboarded to remediation tool successfully
- Memory: "365 remediation tool" = Graph API app fabb3421
- Data recovery: Hitachi Deskstar firmware/service area diagnosis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-03-31 10:23:35 -07:00
parent b26e185a80
commit a47a97219c
2 changed files with 112 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.claude/memory/feedback_365_remediation_tool.md Normal file
View File

@@ -0,0 +1,11 @@
---
name: 365 Remediation Tool Reference
description: "365 remediation tool" always means the Claude-MSP-Access Graph API app (fabb3421-8b34-484b-bc17-e46de9703418), not CIPP
type: feedback
---
When user says "365 remediation tool" or "remediation tool", they ALWAYS mean the Claude-MSP-Access Graph API application (App ID: fabb3421-8b34-484b-bc17-e46de9703418). This is NOT CIPP.
**Why:** User explicitly clarified this after I incorrectly navigated to CIPP. The remediation tool is direct Graph API access using client credentials flow against customer tenants.
**How to apply:** Authenticate directly via Graph API using the app's client secret from SOPS vault (`msp-tools/claude-msp-access-graph-api.sops.yaml`), get tenant ID from OpenID discovery for the target domain, and query Graph API endpoints directly. No browser/UI needed.

101
session-logs/2026-03-31-session.md
View File

@@ -129,3 +129,104 @@ If tokens expire completely: `python mcp-servers/ticktick/ticktick_auth.py` (run
### MCP Tools Available (after session restart) ### MCP Tools Available (after session restart)
All prefixed with `ticktick_`: list_projects, get_project, create_project, update_project, delete_project, create_task, update_task, complete_task, delete_task All prefixed with `ticktick_`: list_projects, get_project, create_project, update_project, delete_project, create_task, update_task, complete_task, delete_task
---
## Update: 10:10 AM - M365 Remediation & Data Recovery Discussion
### Session Summary
Mixed session covering data recovery discussion, M365 tenant investigations via Graph API (remediation tool), and cross-tenant consent troubleshooting.
### Key Decisions & Learnings
- **"365 remediation tool" = Graph API app fabb3421-8b34-484b-bc17-e46de9703418** (NOT CIPP). Memory saved for future sessions.
- **CIPP API (420cb849) returning 403** on all endpoints -- API client permissions need updating
- **Admin consent URL with tenant-specific path works for some tenants** but failed for grabblaw.com (redirected to "wrongplace")
### Work Performed
#### 1. Data Recovery Discussion (Hitachi Deskstar HDS721010KLA330)
- User has a failed 1TB Hitachi Deskstar 7K1000 (June 2008, P/N 0A37239, MLC BA2720, S/N PAK590UF)
- Symptoms: spins up, 5-7 read attempts, heads park, platter keeps spinning
- Diagnosis: firmware/service area corruption (not head crash, not platter damage)
- Discussed Pi-based DIY recovery via serial diagnostic port (4-pin header, 38400 baud 8N1, T> prompt)
- Discussed PC-3000 internals and HDDSuperTool/OpenSuperClone open source alternatives
- Data likely intact on platters -- drive can't boot its own firmware
#### 2. MVAN Enterprises (mvaninc.com) - M365 Investigation
- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1
- **Domains:** mvaninc.com, modernstile.com, m.mvaninc.com
- **14 users**, all enabled
- **Secure Score:** 15.43 / 64.0 (24%)
- **[WARNING] Mitch VanDeveer under active credential stuffing attack** -- 48/50 sign-ins are failures from malicious IPs (Luxembourg, Frankfurt, LA, Tokyo, Lima, Camden). Running since at least March 3. Account locking and IP blocking working correctly.
- **sysadmin@mvaninc.com** -- clean, 8 sign-ins all from expected locations (Phoenix, Oklahoma City)
- **MFA CA policy switched from report-only to ENFORCED** (policy ID: a5d04d44-c6d8-4b40-a37a-0ef16eaa3678)
- **MFA Registration:** Both Mitch and sysadmin have MFA registered (Authenticator push, phone, TOTP)
#### 3. Grabb & Durando (grabblaw.com) - Consent Failed
- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
- Admin consent URL redirected to "wrongplace" after login
- ROPC flow also failed (consent_required)
- Entra admin center approach hit browser extension isolation issues
- **Status: BLOCKED** -- needs manual consent or alternative approach
#### 4. Cascades Tucson (cascadestucson.com) - Onboarded Successfully
- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
- **Domain note:** User said "castadestucson.com" but actual domain is "cascadestucson.com"
- Admin consent URL worked for this tenant
- **50 users** (5 disabled), 33/34 M365 Business Premium licenses used
- **Secure Score:** 93.78 / 273.0 (34%)
- **CA Policies: 8 policies, ALL enabled** -- well configured (MFA all users, legacy auth blocked, risky sign-in detection)
- **[WARNING] Megan Hiatt** -- blocked sign-ins from Hamburg, Germany (158.94.211.16) flagged as malicious IP
- **Awaiting details from Howard** on what needs to be done in this tenant
---
### Credentials
#### Claude-MSP-Access (Graph API) - Remediation Tool
- **App ID:** fabb3421-8b34-484b-bc17-e46de9703418
- **App Name:** ComputerGuru - AI Remediation
- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
- **SOPS Vault:** msp-tools/claude-msp-access-graph-api.sops.yaml
- **Consent URL pattern:** `https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient`
#### CIPP
- **URL:** https://cippcanvb.azurewebsites.net
- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
- **Client ID:** 420cb849-542d-4374-9cb2-3d8ae0e1835b
- **Client Secret:** MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT
- **Status:** Auth works but API returns 403 on all endpoints (permissions issue)
#### MVAN M365
- **Admin:** sysadmin@mvaninc.com / r3tr0gradE99#
- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1
#### Grabblaw M365
- **Admin:** sysadmin@grabblaw.com / r3tr0gradE99!
- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
- **Status:** Consent not granted, remediation tool not functional for this tenant
#### Cascades Tucson M365
- **Admin:** sysadmin@cascadestucson.com (password not provided this session)
- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
- **Status:** Consented and operational
---
### Pending/Incomplete Tasks
1. **Grabblaw.com consent** -- admin consent flow broken, need alternative approach (possibly PowerShell New-AzADServicePrincipal or manual Enterprise App registration in Entra)
2. **Grabblaw full access** -- Reyna account needs full access to Jsosa mailbox (blocked by consent issue)
3. **Cascades Tucson** -- awaiting details from Howard on what needs to be done
4. **CIPP API permissions** -- 403 on all endpoints, needs API role/permission update
5. **MVAN recommendations:**
- Reset Mitch VanDeveer's password (credential stuffing ongoing)
- Enable SSPR for sysadmin and mitch accounts
- Clean up unused licenses (2x O365 Business Premium, 1x Cloud PC)
- Address low secure score (24%)
---
### Memory Updates This Session
- **New:** `feedback_365_remediation_tool.md` -- "365 remediation tool" always means Graph API app fabb3421, not CIPP