azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-BEAST-ROG at 2026-06-03 15:02:21

Browse Source 
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-03 15:02:21
This commit is contained in:
Mike Swanson
2026-06-03 15:02:25 -07:00
parent 6de0ce6098
commit ae1ec4517a
3 changed files with 303 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
clients/sif-oidak/session-logs/2026-06-03-session.md Normal file
View File

@@ -0,0 +1,121 @@
# Session Log — 2026-06-03
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
---
## Session Summary
Howard initiated this session via Discord requesting an Office license assignment for Joshua Albert at SifOidak. The first challenge was identifying the correct tenant — the vault only held on-premises laptop credentials for this client, and the client was not present in CIPP. After checking the Syncro customer record (primary contact: deanna.cruz@tonation-nsn.gov), the domain `toua.net` was tried first based on Howard's input, but that tenant had no delegated admin access. Mike clarified the correct tenant was `sifoidak.onmicrosoft.com` (tenant ID: 568eb763-3b95-4271-8443-530c74b1c6bb).
With the tenant identified, none of the ACG MSP apps had been consented there. The correct onboarding process requires the Tenant Admin app to be consented first via a single admin-consent URL, after which `onboard-tenant.sh` programmatically consents the remaining apps (Security Investigator, Exchange Operator, User Manager) and assigns all required directory roles. Mike mistakenly consented the User Manager app first before being directed to the Tenant Admin URL. After Tenant Admin consent was confirmed, `onboard-tenant.sh` ran successfully: all four apps consented, Exchange Administrator role assigned to Security Investigator and Exchange Operator SPs, Conditional Access Administrator assigned to Tenant Admin SP, and User Administrator + Authentication Administrator assigned to User Manager SP. Two Graph permission errors on Security Investigator were a replication timing artifact (SP was just created).
With the tenant onboarded, Joshua Albert (jalbert.sod@sifoidak.onmicrosoft.com) was found to already have an O365 Business license assigned. The tenant was at 10/10 capacity. Howard then requested a password reset for Joshua to the user-chosen value `Albert#2015` (no forced change at next sign-in), which was completed via Graph API PATCH. Mike then requested creation of a new user Dwayne Ortega (Dortega.sod@sifoidak.onmicrosoft.com); the account was created, usage location set to US, and O365 Business license assigned — the tenant auto-expanded from 10 to 11 seats. Syncro ticket #32380 was created, assigned to Howard, with the initial comment emailed to the client.
---
## Key Decisions
- **Tenant Admin consent first, not User Manager:** The `onboard-tenant.sh` script requires Tenant Admin app consent first because it uses that token to programmatically create SPs and grant permissions for all other apps. Asking for User Manager consent separately was an unnecessary extra step and deviates from the intended single-consent onboarding process.
- **No forced password change for Joshua Albert:** Howard explicitly stated the user picked the password, so `forceChangePasswordNextSignIn` was set to `false`.
- **Usage location set to US before license assignment:** Graph API requires `usageLocation` to be set on a user before any license can be assigned. The PATCH returned 204 but the license call still failed once; a second attempt after confirming the property was set (via GET) succeeded.
- **Tenant seat auto-expansion accepted:** Rather than blocking on the 10/10 capacity, the license assignment to Dortega succeeded and the tenant expanded to 11 seats automatically (Microsoft 365 subscription behavior). No manual seat purchase was needed in the moment.
---
## Problems Encountered
- **CIPP DNS resolution failure (intermittent):** Initial attempts to query CIPP's tenant list returned `curl: (6) Could not resolve host: cippcanvb.azurewebsites.net`. DNS resolved shortly after. Subsequent requests returned empty bodies due to Azure Functions cold-start timing. Worked around by retrying with longer timeout and piping directly to Python.
- **Wrong tenant tried first:** `toua.net` was tried based on Howard's input before Mike clarified the correct domain was `sifoidak.onmicrosoft.com`.
- **User Manager consented before Tenant Admin:** Mike consented User Manager first (from the URL provided), then needed a second consent click for Tenant Admin. The script handled the already-present User Manager SP gracefully ("SP already present").
- **License assignment failed with "invalid usage location":** New user created without `usageLocation`. Set to `US` via PATCH (HTTP 204), then re-attempted license assignment — first retry still failed (likely replication lag), second attempt succeeded.
- **Two Graph permission errors on Security Investigator:** `grant_app_role` failed for two roles immediately after SP creation with "Resource does not exist." Classic Graph replication delay. Roles will self-heal or can be backfilled by re-running `onboard-tenant.sh`.
---
## Configuration Changes
- Created `clients/sif-oidak/session-logs/2026-06-03-session.md` (this file)
---
## Credentials & Secrets
- **Joshua Albert temp/user-chosen password:** `Albert#2015` — set by user, not vaulted
- **Dwayne Ortega temp password:** `Temp1234!` — must change at next sign-in, not vaulted
- **Vault paths accessed:**
- `msp-tools/cipp.sops.yaml` — CIPP OAuth credentials (tenant list lookup)
- `msp-tools/computerguru-user-manager.sops.yaml` — User Manager app (user/license ops)
- `msp-tools/computerguru-tenant-admin.sops.yaml` — Tenant Admin app (onboarding)
- `msp-tools/syncro.sops.yaml` — Syncro API key (ticket creation)
- `clients/sif-oidak/laptops.sops.yaml` — context lookup only
---
## Infrastructure & Servers
| Resource | Value |
|---|---|
| Tenant domain | sifoidak.onmicrosoft.com |
| Tenant ID | 568eb763-3b95-4271-8443-530c74b1c6bb |
| Joshua Albert UPN | jalbert.sod@sifoidak.onmicrosoft.com |
| Joshua Albert user ID | 55f77ce1-20fc-44b1-a7c7-2fa42b348b76 |
| Dwayne Ortega UPN | Dortega.sod@sifoidak.onmicrosoft.com |
| Dwayne Ortega user ID | 014c1df6-444b-4502-9239-15c3ff935887 |
| License SKU | O365_BUSINESS (cdd28e44-67e3-425e-be4c-737fab2899d3) |
| Tenant seats | 11/11 (auto-expanded from 10) |
| Tenant Admin SP OID | 3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341 |
| User Manager SP OID | 011b990a-c787-4af1-b4d5-606a5461f2e5 |
| Security Investigator SP OID | 4b42e8e7-615d-4d67-8edf-a4166f1fd179 |
| Exchange Operator SP OID | 0d51ec52-0070-4073-98c6-2c8eb3caa8b5 |
| Syncro customer ID | 7694718 |
---
## Commands & Outputs
```bash
# Onboard tenant
bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh sifoidak.onmicrosoft.com
# [SUCCESS] All directory roles assigned; 2 Graph permission errors on Sec Investigator (replication timing)
# Reset Joshua Albert password
PATCH https://graph.microsoft.com/v1.0/users/55f77ce1-20fc-44b1-a7c7-2fa42b348b76
{"passwordProfile":{"password":"Albert#2015","forceChangePasswordNextSignIn":false}}
# -> HTTP 204
# Create Dwayne Ortega
POST https://graph.microsoft.com/v1.0/users
# -> id: 014c1df6-444b-4502-9239-15c3ff935887
# Set usage location
PATCH https://graph.microsoft.com/v1.0/users/014c1df6...
{"usageLocation":"US"}
# -> HTTP 204
# Assign license
POST https://graph.microsoft.com/v1.0/users/014c1df6.../assignLicense
{"addLicenses":[{"skuId":"cdd28e44-67e3-425e-be4c-737fab2899d3"}],"removeLicenses":[]}
# -> HTTP 200, license confirmed, tenant expanded 10->11
```
---
## Pending / Incomplete Tasks
- **Security Investigator — 2 missing Graph permissions:** `df021288` (User.Read.All) and `b0afded3` (AuditLog.Read.All) failed to grant due to replication timing. Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill. Non-blocking for current user management tasks.
- **sifoidak.onmicrosoft.com not yet in CIPP:** Tenant was onboarded into our MSP app suite but is not visible in CIPP. Consider adding it to CIPP for full MSP visibility (delegated admin relationship needed separately via Partner Center or GDAP).
- **Vault:** No M365 admin credentials vaulted for this tenant. Consider adding `clients/sif-oidak/m365-admin.sops.yaml` if they share credentials with us.
---
## Reference Information
- **Syncro Ticket:** #32380 — https://computerguru.syncromsp.com/tickets/112127922
- **Syncro Customer:** #7694718 — Sif-oidak District - Tohono O'odham Nation
- **Tenant Admin consent URL (for future re-consent):**
`https://login.microsoftonline.com/sifoidak.onmicrosoft.com/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent`
- **Discord Thread:** 1511832024971739306

178
wiki/clients/sif-oidak.md Normal file
View File

@@ -0,0 +1,178 @@
---
type: client
name: sif-oidak
display_name: Sif-oidak District - Tohono O'odham Nation
last_compiled: 2026-06-03
compiled_by: GURU-BEAST-ROG/claude-main
sources:
- clients/sif-oidak/session-logs/2026-05-28-session.md
- clients/sif-oidak/session-logs/2026-06-03-session.md
backlinks: []
---
# Sif-oidak District — Tohono O'odham Nation
## Overview
- **Organization type:** Tribal government / district — Sif-oidak District of the Tohono O'odham Nation
- **Contract type:** Per-incident (no prepaid block documented)
- **Billing rate:** $150/hr remote labor
- **Syncro customer ID:** 7694718
- **Primary contact:** Deanna Cruz — deanna.cruz@tonation-nsn.gov
- **Environment:** Hybrid — on-premises Active Directory domain (SifOidak.local) plus Microsoft 365 tenant
- **M365 onboarding:** Completed 2026-06-03; all four ACG MSP apps consented, roles assigned
## Contacts
| Name | Role / Notes |
|---|---|
| Deanna Cruz | Primary contact (Syncro record); email: deanna.cruz@tonation-nsn.gov |
| Joshua Albert | End user; jalbert.sod@sifoidak.onmicrosoft.com; domain account: jalbert |
| Dwayne Ortega | End user; Dortega.sod@sifoidak.onmicrosoft.com; new account created 2026-06-03 |
## Infrastructure
### On-Premises Servers
| Host | Role | Domain | GuruRMM Agent ID | Status (last seen) |
|---|---|---|---|---|
| SIF-SERVER | Primary Domain Controller | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online (2026-05-28) |
| SIF-SERVER2 | Unknown — possible secondary DC or member server | SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online (2026-05-28) |
| Sif-Laptop554 | Endpoint | SifOidak.local | ce868d0f-6381-444d-8fd3-94c563ddc4d9 | Offline (2026-05-28) |
| Sif-Laptop555 | Endpoint | SifOidak.local | acb14901-f659-40eb-a59c-b5954de0ba7f | Offline (2026-05-28) |
- Domain: SifOidak.local
- SIF-SERVER confirmed as primary DC (DomainRole >= 4, running `Set-ADAccountPassword` + AD cmdlets successfully)
- SIF-SERVER2 role not investigated — may be secondary DC or member server; treat as potential DC
### Network
- Internal network details not documented
- No firewall, IP ranges, or ISP information recorded
## M365 Tenant
| Field | Value |
|---|---|
| Tenant domain | sifoidak.onmicrosoft.com |
| Tenant ID | 568eb763-3b95-4271-8443-530c74b1c6bb |
| License SKU | O365 Business (cdd28e44-67e3-425e-be4c-737fab2899d3) |
| Seat count | 11/11 (auto-expanded from 10 on 2026-06-03 when Dortega was licensed) |
| CIPP status | NOT in CIPP as of 2026-06-03 — GDAP/Partner Center relationship needed |
### ACG MSP App Principals (consented 2026-06-03 via onboard-tenant.sh)
| App | Service Principal OID | Roles Assigned |
|---|---|---|
| Tenant Admin | 3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341 | Conditional Access Administrator |
| User Manager | 011b990a-c787-4af1-b4d5-606a5461f2e5 | User Administrator, Authentication Administrator |
| Security Investigator | 4b42e8e7-615d-4d67-8edf-a4166f1fd179 | Exchange Administrator (2 Graph permissions pending — see Open Items) |
| Exchange Operator | 0d51ec52-0070-4073-98c6-2c8eb3caa8b5 | Exchange Administrator |
- Onboarding required Tenant Admin app consent first, then `onboard-tenant.sh` to programmatically consent remaining apps and assign roles
- User Manager was accidentally consented first; script handled the already-present SP gracefully
- Two Graph permission grants failed on Security Investigator (`df021288` User.Read.All, `b0afded3` AuditLog.Read.All) — Graph replication timing; non-blocking
### Tenant Admin Consent URL (for future use)
```
https://login.microsoftonline.com/sifoidak.onmicrosoft.com/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
```
## Known Users / Accounts
### Joshua Albert
| Field | Value |
|---|---|
| UPN | jalbert.sod@sifoidak.onmicrosoft.com |
| M365 user ID | 55f77ce1-20fc-44b1-a7c7-2fa42b348b76 |
| AD account | jalbert (domain: SifOidak.local) |
| License | O365 Business — already assigned prior to 2026-06-03 |
| Password policy | PasswordNeverExpires was TRUE; cleared 2026-05-28 (was prerequisite for must-change flag; not restored) |
**2026-05-28 — AD password reset:** Password reset to `Temp1234!` via `Set-ADAccountPassword` on SIF-SERVER using GuruRMM remote PowerShell. Must-change flag initially applied then reversed per Mike's revised requirement. `PasswordNeverExpires` was cleared and NOT restored — improved security posture.
**2026-06-03 — M365 password reset:** Password reset to user-chosen value `Albert#2015` via Graph API PATCH. `forceChangePasswordNextSignIn: false` (Howard explicitly stated user chose the password).
### Dwayne Ortega
| Field | Value |
|---|---|
| UPN | Dortega.sod@sifoidak.onmicrosoft.com |
| M365 user ID | 014c1df6-444b-4502-9239-15c3ff935887 |
| License | O365 Business (assigned 2026-06-03) |
| Initial password | Temp1234! — must change at next sign-in |
New user created 2026-06-03. Usage location set to US before license assignment (Graph API requirement). License assignment triggered auto-expansion from 10 to 11 seats.
## On-Premises Active Directory
- **Domain:** SifOidak.local
- **Primary DC:** SIF-SERVER (GuruRMM agent ID: def9fdbb-020b-498d-9d3b-edf5912ba298)
- **Confirmed AD cmdlets available:** `Get-ADUser`, `Set-ADAccountPassword`, `Set-ADUser`
- **Execution context:** NT AUTHORITY\SYSTEM (via GuruRMM remote PowerShell)
- **Password complexity:** Standard AD complexity (upper, lower, digit, special char required — `Temp1234!` meets requirements)
- **jalbert PasswordNeverExpires:** Was `$true` prior to 2026-05-28; cleared and not restored
### AD Management Notes
- `Set-ADUser -PasswordNeverExpires $false -ChangePasswordAtLogon $true` fails in a single call — AD rejects both flags simultaneously. Use two sequential calls.
- `Set-ADUser -ChangePasswordAtLogon $true` may fail even after clearing `PasswordNeverExpires` in the same command string (possible replication delay). Use `net user <user> /logonpasswordchg:yes /domain` instead — more reliable.
- ADSI path with single quotes inside double-quoted JSON strings causes PowerShell parse errors in GuruRMM command payloads. Use `DirectorySearcher` with double-quoted ADSI path for AD verification.
## Syncro
| Field | Value |
|---|---|
| Customer ID | 7694718 |
| Customer name | Sif-oidak District - Tohono O'odham Nation |
| Billing rate | $150/hr remote |
### Tickets
| Ticket | Date | Summary | Status |
|---|---|---|---|
| #32341 | 2026-05-28 | jalbert domain password reset via GuruRMM | Invoiced ($75.00, 0.5h) |
| #32380 | 2026-06-03 | M365 onboarding, Joshua Albert license/password, Dwayne Ortega new user | Created, assigned to Howard |
- Invoice #1650451827 — $75.00 (ticket #32341)
- Ticket #32380: https://computerguru.syncromsp.com/tickets/112127922
- Ticket #32341: https://computerguru.syncromsp.com/tickets/111395067
## Vault
- **On-prem credentials:** `clients/sif-oidak/laptops.sops.yaml` — local admin / standard user creds for Sif-Laptop554/555
- **M365 admin credentials:** NOT vaulted — no shared admin credentials recorded for this tenant
## Patterns / Notes
- **Tenant identification was non-obvious:** Initial attempt used `toua.net` (Tohono O'odham Nation parent org) before Mike confirmed the correct tenant is `sifoidak.onmicrosoft.com`. Always use the client's specific subdomain, not the tribal parent. The Syncro primary contact (deanna.cruz@tonation-nsn.gov) uses the parent org domain — that does not indicate the correct M365 tenant.
- **ACG MSP app onboarding order matters:** Tenant Admin must be consented first. `onboard-tenant.sh` then handles all other app SPs and role assignments. Do not skip directly to User Manager or Exchange Operator.
- **Seat auto-expansion accepted without manual purchase:** Microsoft 365 auto-expanded from 10 to 11 seats when Dortega's license was assigned. No manual action required in the moment, but billing implications should be verified with client if they have a fixed-seat contract.
- **Graph permission replication timing:** Two Security Investigator Graph permissions failed immediately after SP creation — standard replication lag. Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill. Non-blocking for user management operations.
- **SIF-SERVER2 role unknown:** Not investigated. Do not assume it is just a member server — it may be a secondary DC. Verify role before any domain-level operations that assume a single DC.
- **PasswordNeverExpires cleared on jalbert:** Pre-2026-05-28 state was `PasswordNeverExpires = $true`. This was cleared as a prerequisite for must-change and was not restored at Mike's direction. If this account is a service account or has special policy exemption, re-enabling may be needed — confirm at next contact.
- **Client not yet in CIPP:** Tenant is onboarded into ACG MSP apps but has no GDAP / Partner Center delegated admin relationship. For full MSP visibility and CIPP inclusion, a Partner Center delegated admin request is needed.
## Open Items
- [ ] Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill 2 missing Security Investigator Graph permissions (`User.Read.All`, `AuditLog.Read.All`)
- [ ] Add `clients/sif-oidak/m365-admin.sops.yaml` if client shares admin credentials with ACG
- [ ] Clarify SIF-SERVER2 role (secondary DC or member server?)
- [ ] Determine if jalbert's `PasswordNeverExpires` should be restored (was cleared 2026-05-28)
- [ ] Consider GDAP / Partner Center delegated admin relationship to get tenant into CIPP
## History
### 2026-05-28 — jalbert AD password reset (GuruRMM)
Howard requested a remote password reset for domain user `jalbert` (Joshua Albert) on SIF-SERVER. ACG used GuruRMM remote PowerShell (no RDP). SIF-SERVER confirmed online (agent def9fdbb), execution context NT AUTHORITY\SYSTEM. Password reset to `Temp1234!` via `Set-ADAccountPassword`. Must-change flag applied then reversed per Mike's direction. `PasswordNeverExpires` cleared and not restored. Syncro ticket #32341 created, 0.5h billed at $150/hr ($75.00), invoice #1650451827.
### 2026-06-03 — M365 tenant onboarding + user provisioning
Howard initiated via Discord requesting an O365 license for Joshua Albert. Tenant `sifoidak.onmicrosoft.com` was not in CIPP and had no ACG MSP app consent. Tenant identified by Mike after `toua.net` was tried first (wrong). Onboarded via admin consent + `onboard-tenant.sh`: Tenant Admin, User Manager, Security Investigator, and Exchange Operator all consented; directory roles assigned. Joshua Albert found to already have O365 Business license. Password reset to user-chosen value `Albert#2015`. New user Dwayne Ortega created (Dortega.sod@sifoidak.onmicrosoft.com), usage location set to US, O365 Business license assigned — tenant auto-expanded 10 → 11 seats. Syncro ticket #32380 created, assigned to Howard.
## Backlinks
- *(none yet)*

6
wiki/index.md
View File

@@ -1,7 +1,7 @@
# Wiki Index
Last updated: 2026-06-01
Compiled by: GURU-5070/claude-main
Last updated: 2026-06-03
Compiled by: GURU-BEAST-ROG/claude-main
This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update.
Run `/wiki-lint` to check for stale entries and broken backlinks.
@@ -48,6 +48,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| [AT Trebesch](clients/attrebesch.md) | Residential, Tucson AZ; Syncro 238740; GuruRMM enrolled (DESKTOP-QNP3ON5, SWIFT-LION-2892); PST contact recovery imported (~660 contacts, emails populating, one Gleason); 4 source PSTs re-mounted after accidental unmount; Suggested Contacts (639) cleared (not reversible); pending Howard clarification before next step; Syncro #31953 open | 2026-06-02 |
| [Deere Park Development, LLC](clients/deere-park-development.md) | Property development ("Glabman"); Syncro 7088463; per-incident, no prepaid block; no tax rate assigned (must fix before billing); active estimate #7190 (ticket #32366) — UniFi WiFi 7 deployment (4x U7 Pro + 2x U7 Mesh + UCG Ultra + USW-Flex-2.5G-8-PoE), $2,816.70, Fresh | 2026-06-02 |
| [Universal Cryogenics](clients/ucryo.md) | New client onboarded 2026-06-02; ucryo.local DC (UC2-SERVER), 8 agents, 2019 TrickBot remediated, Backblaze TLS backup fix | 2026-06-02 |
| [Sif-oidak District - Tohono O'odham Nation](clients/sif-oidak.md) | Tribal government; SifOidak.local AD domain; SIF-SERVER (primary DC) + SIF-SERVER2 + 2 laptops GuruRMM enrolled; M365 sifoidak.onmicrosoft.com onboarded 2026-06-03 (all 4 ACG MSP apps; 11/11 seats); not yet in CIPP; Syncro 7694718 | 2026-06-03 |
## Projects
@@ -105,6 +106,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Khalsa | DC TROUT (10.11.12.254); two sites (Camden, River) | — |
| Anaise | DESKTOP-O8GF4SD; single-workstation | — |
| ACG Website | IX Web Hosting (cPanel); Astro static site | — |
| Sif-oidak District | SIF-SERVER (DC, SifOidak.local, GuruRMM enrolled), SIF-SERVER2 (role unknown, GuruRMM enrolled), Sif-Laptop554/555 (GuruRMM enrolled); M365 sifoidak.onmicrosoft.com | GuruRMM |
| BG Builders LLC | M365 bgbuildersllc.com; no on-prem infra documented | — |
| Kittle Design & Construction | M365 kittlearizona.com; no on-prem infra documented | — |
| Horseshoe Management | APC Smart-UPS 1350; no server/network detail documented | — |