sync: auto-sync from GURU-BEAST-ROG at 2026-07-02 10:55:41

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-02 10:55:41
Winter Williams
2026-07-02 10:56:46 -07:00
parent 26f47fdd10
commit ac23f17e23
5 changed files with 398 additions and 206 deletions


@@ -0,0 +1,48 @@
# Kittle Design & Construction — P2 Security Scan
**Date:** 2026-07-02 (UTC) | **Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
**Requested by:** Mike (via Discord) | **Executed by:** ClaudeTools Discord Bot
**Scope:** Identity Protection (Entra ID P2) data + 30-day tenant sweep, read-only, investigator tier
## Identity Protection (P2)
- **Risk detections (30d):** NONE
- **Risky users:** 5 accounts with prior risk history, ALL currently `riskLevel=none / riskState=remediated`:
- wrex@ (remediated 2026-06-08), Ken@ (2026-06-09), Marco@ (2026-06-15), alexis@ (2026-04-24), scott@ (2025-07-18)
- No active risky sign-ins.
## Sign-in activity (30d)
- **Ken@kittlearizona.com: 140 failed foreign sign-in attempts** from 140 unique IPs (AU, DE, GB), 2026-06-11 → 2026-06-18. Pattern = distributed password spray. **All failed; zero successful non-US sign-ins tenant-wide.** CA non-US block is holding.
- No other accounts targeted from abroad.
## Conditional Access (all enabled)
- ACG - Require MFA for all users
- ACG - Block legacy authentication
- ACG - Block non-US sign-ins
- ACG - Block known attacker IPs
- Note: no risk-BASED CA policy exists — P2 risk signals are informational only, not enforced.
## MFA registration
- All 15 internal users MFA-registered and capable.
- Weakest methods: admin@ and scott@ are SMS-only (mobilePhone); sysadmin@ includes email as a method. Recommend Authenticator app or passkey for these.
- Several users already on passkeys (Accounting, Hayden, Joshua, Neal). Good posture.
## Items needing human review
1. **Guest invite created TODAY 2026-07-02 17:02 UTC** by Accounting@ for external user `darlenecabrera87@gmail.com` — verify this was intentional.
2. Ken@ remains a spray target (also had prior incident — see vault clients/kittle/m365-ken-schagel-incident). Consider risk-based CA or passkey for Ken.
3. admin@/scott@ SMS-only MFA.
4. Consider a report-only risk-based CA policy to actually use the P2 licensing they pay for.
## Related changes same session
- License moves: wrex@ BP removed (disabled acct); alexis@ + Ken@ moved E3 -> Business Premium. BP now 12/12. Josh.B@ + Tyrele@ still on lapsed E3 (0 purchased / 2 consumed).
Raw JSON: /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/sweep/ (BEAST)
## Addendum — CA hardening deployed (report-only), 2026-07-02
Four new policies created via tenant-admin tier, all `enabledForReportingButNotEnforced`,
all excluding break-glass sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756):
1. ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
2. ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
3. ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
4. ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7
Next: review report-only impact in sign-in logs after ~5-7 days; flip to enabled only
with explicit confirmation from Mike.
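Review bot: the conclusion "All failed; zero successful non-US sign-ins tenant-wide. CA non-US block is holding" in the Sign-in activity section is not supported by a count of failures alone, because Conditional Access is evaluated only after first-factor authentication succeeds; an attempt that fails on a wrong password (sign-in error 50126) never reaches the non-US block, so 140 failures say nothing about whether that block worked. Break the 140 attempts down by sign-in error code before the report goes out: 50126 means the attackers never had a valid password, whereas 53003 ("Access has been blocked by Conditional Access policies") means a correct password for Ken@ was entered and only the location block stopped it, in which case Ken@ needs an immediate password reset and the finding belongs under "Items needing human review" as an escalation rather than as the block holding. The same breakdown also tests the "distributed password spray" label: a spray normally hits many accounts with a few guesses each, while 140 attempts against one account from 140 IPs reads more like a targeted distributed brute force, which matters given that Ken@ is already noted as a repeat target with a prior incident. Finally, the addendum excludes the break-glass account sysadmin@ from all four new policies but the report does not say whether it is also excluded from "ACG - Require MFA for all users" and "ACG - Block non-US sign-ins"; with email listed as one of its MFA methods in the MFA registration section, an exclusion there would make it the weakest-protected account in the tenant and should be listed for human review.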


@@ -0,0 +1,132 @@
# Kittle Design & Construction — Licensing, P2 Security Scan, CA Hardening
## User
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
- **Role:** automation (acting on the requester's behalf)
(Thread opener: Winter. Mike (@azcomputerguru) directed the license reassignment, security
scan, CA hardening, and ticket/billing decisions in the same thread.)
## Session Summary
Winter asked for a breakdown of Kittle Design & Construction's (kittlearizona.com, tenant
3d073ebe-806a-4a5e-9035-3c7c4a264fc0) 12 Business Premium and 13 "Microsoft Azure Active
Directory" license assignments. Via the remediation-tool investigator tier, produced the
full assignment list: 11 of 12 Business Premium (no Teams) assigned, all 13 AAD Premium P2
assigned. Flagged that disabled user Wrex Watson still held a BP seat, and that 4 users
(Alexis Schagel, Josh Boggie, Ken Schagel, Tyrele Sandoval) were on a lapsed O365 E3 (no
Teams) SKU (0 purchased / 4 consumed).
Mike directed reassignment of E3 users to Business Premium. With only 1 free BP seat (2
after reclaiming Wrex's), Winter chose: unassign Wrex, move Alexis and Ken to BP. Executed
via user-manager tier: Wrex's BP removed, Alexis and Ken each got BP added + E3 removed in
one assignLicense call. Verified: BP 12/12, Wrex zero licenses, Josh Boggie + Tyrele remain
on lapsed E3 (2 consumed / 0 purchased) pending more seats.
Mike then requested a P2-data security scan of all accounts. Ran tenant-sweep.sh (30d
window) + Identity Protection queries: zero risk detections in 30 days; 5 users with prior
remediated risk (wrex, scott, Ken, alexis, Marco); Ken was the target of a distributed
password spray 2026-06-11 to 06-18 (140 failed foreign attempts, 140 unique IPs, AU/DE/GB)
with zero successful non-US sign-ins tenant-wide; all 15 internal users MFA-registered
(admin@ and scott@ SMS-only; sysadmin@ has email method); 4 ACG baseline CA policies
enabled. Flagged a same-day guest invite (darlenecabrera87@gmail.com, invited by
Accounting@ at 10:02 AM AZ) for human verification. Report:
clients/kittle/reports/2026-07-02-p2-security-scan.md.
Mike then directed P1 CA hardening for all accounts. Created 4 new policies via
tenant-admin tier, ALL report-only (enabledForReportingButNotEnforced), all excluding the
break-glass account sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756): block device code
flow + auth transfer; admins 12h sign-in frequency + no persistent browser (9 admin roles);
block guest access to admin portals; require MFA to register security info. Enforcement
pending ~5-7 day sign-in log review and Mike's explicit approval.
Winter also set a standing rule: all reported times in Arizona time (America/Phoenix, MST,
no DST). Applied to DISCORD_CLAUDE.md and shared memory. Finally, Mike approved a Syncro
ticket: #32496 created with hidden internal notes only, 1.0 hr warranty labor, invoice
#67982 ($0.00), ticket marked Invoiced, bot alert posted.
## Key Decisions
- Used assignLicense with simultaneous addLicenses (BP) + removeLicenses (E3) per user to
avoid a licensing gap for Alexis and Ken.
- Winter's seat allocation: reclaim Wrex's seat (disabled account), prioritize Alexis + Ken
for the 2 available BP seats; Josh.B + Tyrele wait for purchased seats.
- All 4 new CA policies created report-only with break-glass exclusion per the mandatory CA
discipline; enforcement only after sign-in log impact review + explicit Mike approval.
- Identified break-glass account from the consistent excludeUsers GUID across the 4
existing ACG policies rather than asking.
- Ticket notes hidden + do_not_email per Mike's "internal notes only"; warranty labor
(1049360, Exempt Labor, $0.00) per "1hr warranty labor".
- Drafted Syncro comment directly (not Ollama) due to security-sensitive content.
## Problems Encountered
- get-token.sh could not find identity.json at ~/.claude/identity.json (it lives at
ClaudeTools/.claude/identity.json on BEAST) — worked around with VAULT_ROOT_ENV env var.
- Graph users?$filter=assignedLicenses/any(...) returned empty without ConsistencyLevel
header — switched to pulling all users with $select=assignedLicenses and filtering in jq.
- Wrex's license removal showed stale assignedLicenses immediately after the call
(replication lag); confirmed removed on re-query.
- reports/getMailboxUsageDetail returned S2SUnauthorized (investigator app lacks
Reports.Read.All) — could not verify Alexis/Ken mailbox sizes before the E3->BP downgrade
(E3=100GB, BP=50GB). Flagged as a watch item.
- Winter reported the first license-report Discord message never rendered on her end —
reposted as plain numbered list.
## Configuration Changes
- kittlearizona.com tenant: licenses — wrex@ BP removed; alexis@ + Ken@ E3 removed, BP added.
- kittlearizona.com tenant: 4 new CA policies (report-only):
- ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
- ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
- ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
- ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7
- projects/discord-bot/DISCORD_CLAUDE.md — Arizona-time reporting rule added; rolling-log
timestamp format PT -> AZ (takes effect at next bot restart).
- .claude/memory/feedback_timezone_arizona_reporting.md created + MEMORY.md index line.
- clients/kittle/reports/2026-07-02-p2-security-scan.md created (scan + CA addendum).
## Credentials & Secrets
- No new credentials created. Vault paths accessed (read-only): MSP app certs via
get-token.sh (msp-tools/computerguru-security-investigator, -user-manager,
-tenant-admin). Syncro API key: Mike's per-user token (baked into /syncro skill).
## Infrastructure & Servers
- Tenant: kittlearizona.com = 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
- Break-glass: sysadmin@kittlearizona.com = 6139d1af-eee3-4e0b-b240-21e4827df756
- SKUs: BP (no Teams) 00e1ec7b-e4a3-40d1-9441-b69b597ab222 (12/12); AAD_PREMIUM_P2
84a661c4-e949-4bd2-a560-ed7766fcaf2b (13/13); E3 (no Teams)
46c3a859-c90d-40b3-9551-6178a48d5c18 (2 consumed / 0 purchased — lapsed)
- Syncro customer: Kittle Design & Construction LLC = 32460233 (no prepay block)
## Commands & Outputs
- `get-token.sh <tenant> investigator|user-manager|tenant-admin` with
`VAULT_ROOT_ENV=C:/Users/guru/vault` (identity.json path workaround)
- License moves: `POST /users/{upn}/assignLicense` (add BP / remove E3)
- Sweep: `tenant-sweep.sh kittlearizona.com` — key finding: Ken 140 failed foreign
attempts, 140 IPs, AU/DE/GB, 6/11-6/18, all blocked
- CA creates: `POST /identity/conditionalAccess/policies` x4 — all returned IDs, verified
by GET (list initially showed 6 of 8 — replication lag)
## Pending / Incomplete Tasks
- ~2026-07-09: review report-only CA policy impact in sign-in logs; flip to enabled only
on Mike's explicit YES. Consider adding P2 risk-based CA policies (offered, no decision).
- Josh Boggie + Tyrele Sandoval still on lapsed E3 — need 2 BP seats purchased or a plan.
- Verify guest invite darlenecabrera87@gmail.com (created by Accounting@ 7/2 10:02 AM AZ).
- Watch for over-quota mailbox warnings from Alexis/Ken post-downgrade (sizes unverified).
- admin@ + scott@ SMS-only MFA; consider Authenticator/passkey. Ken = repeat spray target;
passkey recommended.
- Bot restart (nssm restart ClaudeToolsDiscordBot) will pick up the AZ-time instruction edit.
## Reference Information
- Syncro ticket #32496 (id 113335896): https://computerguru.syncromsp.com/tickets/113335896
- Invoice #67982 (id 1650928145), $0.00, warranty
- Report: clients/kittle/reports/2026-07-02-p2-security-scan.md
- Discord thread: 1522275102509629602 (#botmagic)
- Vault: clients/kittle/m365-ken-schagel-incident.sops.yaml (prior Ken incident context)
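Review bot: the "ACG - Require MFA to register security info" policy listed under Configuration Changes needs an onboarding path before it is flipped from report-only to enabled, because a new or reset user with no method registered yet cannot satisfy an MFA requirement in order to register one; the usual options are a Temporary Access Pass for first registration or a trusted-network-location exclusion on the policy's "Register security information" user action, and the Pending / Incomplete Tasks entry for the ~2026-07-09 review should record which one is chosen. Two smaller points against the same file: the Session Summary counts 15 MFA-registered internal users but Infrastructure & Servers shows only 13 AAD_PREMIUM_P2 seats (13/13 assigned), so the "P2-data security scan of all accounts" covers at most 13 licensed users for Identity Protection purposes and the two unlicensed accounts should be named in the report; and Key Decisions records that the break-glass account was identified from the shared excludeUsers GUID across the four existing ACG policies "rather than asking", so the blanket exclusion of 6139d1af-eee3-4e0b-b240-21e4827df756 from the four new policies rests on an inference that should be confirmed with Mike before any of them is enforced.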