sync: auto-sync from GURU-BEAST-ROG at 2026-07-02 10:55:41
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-02 10:55:41
clients/kittle/reports/2026-07-02-p2-security-scan.md
Normal file
@@ -0,0 +1,48 @@
# Kittle Design & Construction — P2 Security Scan
**Date:** 2026-07-02 (UTC) | **Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
**Requested by:** Mike (via Discord) | **Executed by:** ClaudeTools Discord Bot
**Scope:** Identity Protection (Entra ID P2) data + 30-day tenant sweep, read-only, investigator tier

## Identity Protection (P2)
- **Risk detections (30d):** NONE
- **Risky users:** 5 accounts with prior risk history, ALL currently `riskLevel=none / riskState=remediated`:
- wrex@ (remediated 2026-06-08), Ken@ (2026-06-09), Marco@ (2026-06-15), alexis@ (2026-04-24), scott@ (2025-07-18)
- No active risky sign-ins.

## Sign-in activity (30d)
- **Ken@kittlearizona.com: 140 failed foreign sign-in attempts** from 140 unique IPs (AU, DE, GB), 2026-06-11 → 2026-06-18. Pattern = distributed password spray. **All failed; zero successful non-US sign-ins tenant-wide.** CA non-US block is holding.
- No other accounts targeted from abroad.

## Conditional Access (all enabled)
- ACG - Require MFA for all users
- ACG - Block legacy authentication
- ACG - Block non-US sign-ins
- ACG - Block known attacker IPs
- Note: no risk-BASED CA policy exists — P2 risk signals are informational only, not enforced.

## MFA registration
- All 15 internal users MFA-registered and capable.
- Weakest methods: admin@ and scott@ are SMS-only (mobilePhone); sysadmin@ includes email as a method. Recommend Authenticator app or passkey for these.
- Several users already on passkeys (Accounting, Hayden, Joshua, Neal). Good posture.

## Items needing human review
1. **Guest invite created TODAY 2026-07-02 17:02 UTC** by Accounting@ for external user `darlenecabrera87@gmail.com` — verify this was intentional.
2. Ken@ remains a spray target (also had prior incident — see vault clients/kittle/m365-ken-schagel-incident). Consider risk-based CA or passkey for Ken.
3. admin@/scott@ SMS-only MFA.
4. Consider a report-only risk-based CA policy to actually use the P2 licensing they pay for.

## Related changes same session
- License moves: wrex@ BP removed (disabled acct); alexis@ + Ken@ moved E3 -> Business Premium. BP now 12/12. Josh.B@ + Tyrele@ still on lapsed E3 (0 purchased / 2 consumed).

Raw JSON: /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/sweep/ (BEAST)

## Addendum — CA hardening deployed (report-only), 2026-07-02
Four new policies created via tenant-admin tier, all `enabledForReportingButNotEnforced`,
all excluding break-glass sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756):
1. ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
2. ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
3. ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
4. ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7

Next: review report-only impact in sign-in logs after ~5-7 days; flip to enabled only
with explicit confirmation from Mike.
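Review bot: the "CA non-US block is holding" conclusion in the Sign-in activity bullet is not supported by the 140 failed attempts as written, because Conditional Access is only evaluated after the first factor succeeds: if those attempts failed on the password (AADSTS50126) they never reached the non-US policy, and if they were blocked by CA (AADSTS53003) the attacker had a working password for Ken@ and a reset is due, not only a passkey. Suggest the bullet record the sign-in error code(s) from the sweep output for the 140 attempts, and keep the tenant-wide "zero successful non-US sign-ins" figure as the actual evidence that the block works. Separately, the Addendum's four report-only policies leave the gap the Conditional Access section itself flags ("P2 risk signals are informational only, not enforced") unaddressed, even though item 4 under Items needing human review recommends a report-only risk-based policy; either add that policy to the addendum or carry it into the "Next:" line so it is not dropped at the ~5-7 day review.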
@@ -0,0 +1,132 @@
# Kittle Design & Construction — Licensing, P2 Security Scan, CA Hardening

## User
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
- **Role:** automation (acting on the requester's behalf)

(Thread opener: Winter. Mike (@azcomputerguru) directed the license reassignment, security
scan, CA hardening, and ticket/billing decisions in the same thread.)

## Session Summary

Winter asked for a breakdown of Kittle Design & Construction's (kittlearizona.com, tenant
3d073ebe-806a-4a5e-9035-3c7c4a264fc0) 12 Business Premium and 13 "Microsoft Azure Active
Directory" license assignments. Via the remediation-tool investigator tier, produced the
full assignment list: 11 of 12 Business Premium (no Teams) assigned, all 13 AAD Premium P2
assigned. Flagged that disabled user Wrex Watson still held a BP seat, and that 4 users
(Alexis Schagel, Josh Boggie, Ken Schagel, Tyrele Sandoval) were on a lapsed O365 E3 (no
Teams) SKU (0 purchased / 4 consumed).

Mike directed reassignment of E3 users to Business Premium. With only 1 free BP seat (2
after reclaiming Wrex's), Winter chose: unassign Wrex, move Alexis and Ken to BP. Executed
via user-manager tier: Wrex's BP removed, Alexis and Ken each got BP added + E3 removed in
one assignLicense call. Verified: BP 12/12, Wrex zero licenses, Josh Boggie + Tyrele remain
on lapsed E3 (2 consumed / 0 purchased) pending more seats.

Mike then requested a P2-data security scan of all accounts. Ran tenant-sweep.sh (30d
window) + Identity Protection queries: zero risk detections in 30 days; 5 users with prior
remediated risk (wrex, scott, Ken, alexis, Marco); Ken was the target of a distributed
password spray 2026-06-11 to 06-18 (140 failed foreign attempts, 140 unique IPs, AU/DE/GB)
with zero successful non-US sign-ins tenant-wide; all 15 internal users MFA-registered
(admin@ and scott@ SMS-only; sysadmin@ has email method); 4 ACG baseline CA policies
enabled. Flagged a same-day guest invite (darlenecabrera87@gmail.com, invited by
Accounting@ at 10:02 AM AZ) for human verification. Report:
clients/kittle/reports/2026-07-02-p2-security-scan.md.

Mike then directed P1 CA hardening for all accounts. Created 4 new policies via
tenant-admin tier, ALL report-only (enabledForReportingButNotEnforced), all excluding the
break-glass account sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756): block device code
flow + auth transfer; admins 12h sign-in frequency + no persistent browser (9 admin roles);
block guest access to admin portals; require MFA to register security info. Enforcement
pending ~5-7 day sign-in log review and Mike's explicit approval.

Winter also set a standing rule: all reported times in Arizona time (America/Phoenix, MST,
no DST). Applied to DISCORD_CLAUDE.md and shared memory. Finally, Mike approved a Syncro
ticket: #32496 created with hidden internal notes only, 1.0 hr warranty labor, invoice
#67982 ($0.00), ticket marked Invoiced, bot alert posted.

## Key Decisions

- Used assignLicense with simultaneous addLicenses (BP) + removeLicenses (E3) per user to
avoid a licensing gap for Alexis and Ken.
- Winter's seat allocation: reclaim Wrex's seat (disabled account), prioritize Alexis + Ken
for the 2 available BP seats; Josh.B + Tyrele wait for purchased seats.
- All 4 new CA policies created report-only with break-glass exclusion per the mandatory CA
discipline; enforcement only after sign-in log impact review + explicit Mike approval.
- Identified break-glass account from the consistent excludeUsers GUID across the 4
existing ACG policies rather than asking.
- Ticket notes hidden + do_not_email per Mike's "internal notes only"; warranty labor
(1049360, Exempt Labor, $0.00) per "1hr warranty labor".
- Drafted Syncro comment directly (not Ollama) due to security-sensitive content.

## Problems Encountered

- get-token.sh could not find identity.json at ~/.claude/identity.json (it lives at
ClaudeTools/.claude/identity.json on BEAST) — worked around with VAULT_ROOT_ENV env var.
- Graph users?$filter=assignedLicenses/any(...) returned empty without ConsistencyLevel
header — switched to pulling all users with $select=assignedLicenses and filtering in jq.
- Wrex's license removal showed stale assignedLicenses immediately after the call
(replication lag); confirmed removed on re-query.
- reports/getMailboxUsageDetail returned S2SUnauthorized (investigator app lacks
Reports.Read.All) — could not verify Alexis/Ken mailbox sizes before the E3->BP downgrade
(E3=100GB, BP=50GB). Flagged as a watch item.
- Winter reported the first license-report Discord message never rendered on her end —
reposted as plain numbered list.

## Configuration Changes

- kittlearizona.com tenant: licenses — wrex@ BP removed; alexis@ + Ken@ E3 removed, BP added.
- kittlearizona.com tenant: 4 new CA policies (report-only):
- ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
- ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
- ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
- ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7
- projects/discord-bot/DISCORD_CLAUDE.md — Arizona-time reporting rule added; rolling-log
timestamp format PT -> AZ (takes effect at next bot restart).
- .claude/memory/feedback_timezone_arizona_reporting.md created + MEMORY.md index line.
- clients/kittle/reports/2026-07-02-p2-security-scan.md created (scan + CA addendum).

## Credentials & Secrets

- No new credentials created. Vault paths accessed (read-only): MSP app certs via
get-token.sh (msp-tools/computerguru-security-investigator, -user-manager,
-tenant-admin). Syncro API key: Mike's per-user token (baked into /syncro skill).

## Infrastructure & Servers

- Tenant: kittlearizona.com = 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
- Break-glass: sysadmin@kittlearizona.com = 6139d1af-eee3-4e0b-b240-21e4827df756
- SKUs: BP (no Teams) 00e1ec7b-e4a3-40d1-9441-b69b597ab222 (12/12); AAD_PREMIUM_P2
84a661c4-e949-4bd2-a560-ed7766fcaf2b (13/13); E3 (no Teams)
46c3a859-c90d-40b3-9551-6178a48d5c18 (2 consumed / 0 purchased — lapsed)
- Syncro customer: Kittle Design & Construction LLC = 32460233 (no prepay block)

## Commands & Outputs

- `get-token.sh <tenant> investigator|user-manager|tenant-admin` with
`VAULT_ROOT_ENV=C:/Users/guru/vault` (identity.json path workaround)
- License moves: `POST /users/{upn}/assignLicense` (add BP / remove E3)
- Sweep: `tenant-sweep.sh kittlearizona.com` — key finding: Ken 140 failed foreign
attempts, 140 IPs, AU/DE/GB, 6/11-6/18, all blocked
- CA creates: `POST /identity/conditionalAccess/policies` x4 — all returned IDs, verified
by GET (list initially showed 6 of 8 — replication lag)

## Pending / Incomplete Tasks

- ~2026-07-09: review report-only CA policy impact in sign-in logs; flip to enabled only
on Mike's explicit YES. Consider adding P2 risk-based CA policies (offered, no decision).
- Josh Boggie + Tyrele Sandoval still on lapsed E3 — need 2 BP seats purchased or a plan.
- Verify guest invite darlenecabrera87@gmail.com (created by Accounting@ 7/2 10:02 AM AZ).
- Watch for over-quota mailbox warnings from Alexis/Ken post-downgrade (sizes unverified).
- admin@ + scott@ SMS-only MFA; consider Authenticator/passkey. Ken = repeat spray target;
passkey recommended.
- Bot restart (nssm restart ClaudeToolsDiscordBot) will pick up the AZ-time instruction edit.

## Reference Information

- Syncro ticket #32496 (id 113335896): https://computerguru.syncromsp.com/tickets/113335896
- Invoice #67982 (id 1650928145), $0.00, warranty
- Report: clients/kittle/reports/2026-07-02-p2-security-scan.md
- Discord thread: 1522275102509629602 (#botmagic)
- Vault: clients/kittle/m365-ken-schagel-incident.sops.yaml (prior Ken incident context)
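Review bot: the Key Decisions bullet "Identified break-glass account from the consistent excludeUsers GUID across the 4 existing ACG policies rather than asking" is an unverified inference that all four new policies now inherit; if 6139d1af-eee3-4e0b-b240-21e4827df756 is not actually the emergency-access account, the real one is inside the scope of the device-code block, the admin session policy and the MFA-registration policy, and an unrelated account is silently exempt from all four. Suggest the ~2026-07-09 pending item gain an explicit gate, "Mike confirms sysadmin@ is the break-glass account", before any policy is flipped to enabled, and that the "sysadmin@ has email method" observation in the Session Summary get a follow-up: an external mailbox registered on the one account every CA policy excludes is a recovery path worth a decision, not just a note. Second, the coverage claim: the summary reports 13 AAD Premium P2 seats assigned but 15 internal users swept, so two internal accounts sit outside the P2-licensed set; name them, since "P2-data security scan of all accounts" overstates what Identity Protection covered for those two. Minor: under Credentials & Secrets, "Syncro API key: Mike's per-user token (baked into /syncro skill)" describes a secret stored in a skill file rather than the vault, so it belongs in the list as a location to migrate rather than under "No new credentials created".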