sync: auto-sync from GURU-BEAST-ROG at 2026-06-03 15:02:21

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-03 15:02:21
2026-06-03 15:02:25 -07:00
parent 6de0ce6098
commit ae1ec4517a
3 changed files with 303 additions and 2 deletions

wiki/clients/sif-oidak.md Normal file

@@ -0,0 +1,178 @@
---
type: client
name: sif-oidak
display_name: Sif-oidak District - Tohono O'odham Nation
last_compiled: 2026-06-03
compiled_by: GURU-BEAST-ROG/claude-main
sources:
- clients/sif-oidak/session-logs/2026-05-28-session.md
- clients/sif-oidak/session-logs/2026-06-03-session.md
backlinks: []
---
# Sif-oidak District — Tohono O'odham Nation
## Overview
- **Organization type:** Tribal government / district — Sif-oidak District of the Tohono O'odham Nation
- **Contract type:** Per-incident (no prepaid block documented)
- **Billing rate:** $150/hr remote labor
- **Syncro customer ID:** 7694718
- **Primary contact:** Deanna Cruz — deanna.cruz@tonation-nsn.gov
- **Environment:** Hybrid — on-premises Active Directory domain (SifOidak.local) plus Microsoft 365 tenant
- **M365 onboarding:** Completed 2026-06-03; all four ACG MSP apps consented, roles assigned
## Contacts
| Name | Role / Notes |
|---|---|
| Deanna Cruz | Primary contact (Syncro record); email: deanna.cruz@tonation-nsn.gov |
| Joshua Albert | End user; jalbert.sod@sifoidak.onmicrosoft.com; domain account: jalbert |
| Dwayne Ortega | End user; Dortega.sod@sifoidak.onmicrosoft.com; new account created 2026-06-03 |
## Infrastructure
### On-Premises Servers
| Host | Role | Domain | GuruRMM Agent ID | Status (last seen) |
|---|---|---|---|---|
| SIF-SERVER | Primary Domain Controller | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online (2026-05-28) |
| SIF-SERVER2 | Unknown — possible secondary DC or member server | SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online (2026-05-28) |
| Sif-Laptop554 | Endpoint | SifOidak.local | ce868d0f-6381-444d-8fd3-94c563ddc4d9 | Offline (2026-05-28) |
| Sif-Laptop555 | Endpoint | SifOidak.local | acb14901-f659-40eb-a59c-b5954de0ba7f | Offline (2026-05-28) |
- Domain: SifOidak.local
- SIF-SERVER confirmed as primary DC (DomainRole >= 4, running `Set-ADAccountPassword` + AD cmdlets successfully)
- SIF-SERVER2 role not investigated — may be secondary DC or member server; treat as potential DC
### Network
- Internal network details not documented
- No firewall, IP ranges, or ISP information recorded
## M365 Tenant
| Field | Value |
|---|---|
| Tenant domain | sifoidak.onmicrosoft.com |
| Tenant ID | 568eb763-3b95-4271-8443-530c74b1c6bb |
| License SKU | O365 Business (cdd28e44-67e3-425e-be4c-737fab2899d3) |
| Seat count | 11/11 (auto-expanded from 10 on 2026-06-03 when Dortega was licensed) |
| CIPP status | NOT in CIPP as of 2026-06-03 — GDAP/Partner Center relationship needed |
### ACG MSP App Principals (consented 2026-06-03 via onboard-tenant.sh)
| App | Service Principal OID | Roles Assigned |
|---|---|---|
| Tenant Admin | 3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341 | Conditional Access Administrator |
| User Manager | 011b990a-c787-4af1-b4d5-606a5461f2e5 | User Administrator, Authentication Administrator |
| Security Investigator | 4b42e8e7-615d-4d67-8edf-a4166f1fd179 | Exchange Administrator (2 Graph permissions pending — see Open Items) |
| Exchange Operator | 0d51ec52-0070-4073-98c6-2c8eb3caa8b5 | Exchange Administrator |
- Onboarding required Tenant Admin app consent first, then `onboard-tenant.sh` to programmatically consent remaining apps and assign roles
- User Manager was accidentally consented first; script handled the already-present SP gracefully
- Two Graph permission grants failed on Security Investigator (`df021288` User.Read.All, `b0afded3` AuditLog.Read.All) — Graph replication timing; non-blocking
### Tenant Admin Consent URL (for future use)
```
https://login.microsoftonline.com/sifoidak.onmicrosoft.com/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
```
## Known Users / Accounts
### Joshua Albert
| Field | Value |
|---|---|
| UPN | jalbert.sod@sifoidak.onmicrosoft.com |
| M365 user ID | 55f77ce1-20fc-44b1-a7c7-2fa42b348b76 |
| AD account | jalbert (domain: SifOidak.local) |
| License | O365 Business — already assigned prior to 2026-06-03 |
| Password policy | PasswordNeverExpires was TRUE; cleared 2026-05-28 (was prerequisite for must-change flag; not restored) |
**2026-05-28 — AD password reset:** Password reset to `Temp1234!` via `Set-ADAccountPassword` on SIF-SERVER using GuruRMM remote PowerShell. Must-change flag initially applied then reversed per Mike's revised requirement. `PasswordNeverExpires` was cleared and NOT restored — improved security posture.
**2026-06-03 — M365 password reset:** Password reset to user-chosen value `Albert#2015` via Graph API PATCH. `forceChangePasswordNextSignIn: false` (Howard explicitly stated user chose the password).
### Dwayne Ortega
| Field | Value |
|---|---|
| UPN | Dortega.sod@sifoidak.onmicrosoft.com |
| M365 user ID | 014c1df6-444b-4502-9239-15c3ff935887 |
| License | O365 Business (assigned 2026-06-03) |
| Initial password | Temp1234! — must change at next sign-in |
New user created 2026-06-03. Usage location set to US before license assignment (Graph API requirement). License assignment triggered auto-expansion from 10 to 11 seats.
## On-Premises Active Directory
- **Domain:** SifOidak.local
- **Primary DC:** SIF-SERVER (GuruRMM agent ID: def9fdbb-020b-498d-9d3b-edf5912ba298)
- **Confirmed AD cmdlets available:** `Get-ADUser`, `Set-ADAccountPassword`, `Set-ADUser`
- **Execution context:** NT AUTHORITY\SYSTEM (via GuruRMM remote PowerShell)
- **Password complexity:** Standard AD complexity (upper, lower, digit, special char required — `Temp1234!` meets requirements)
- **jalbert PasswordNeverExpires:** Was `$true` prior to 2026-05-28; cleared and not restored
### AD Management Notes
- `Set-ADUser -PasswordNeverExpires $false -ChangePasswordAtLogon $true` fails in a single call — AD rejects both flags simultaneously. Use two sequential calls.
- `Set-ADUser -ChangePasswordAtLogon $true` may fail even after clearing `PasswordNeverExpires` in the same command string (possible replication delay). Use `net user <user> /logonpasswordchg:yes /domain` instead — more reliable.
- ADSI path with single quotes inside double-quoted JSON strings causes PowerShell parse errors in GuruRMM command payloads. Use `DirectorySearcher` with double-quoted ADSI path for AD verification.
## Syncro
| Field | Value |
|---|---|
| Customer ID | 7694718 |
| Customer name | Sif-oidak District - Tohono O'odham Nation |
| Billing rate | $150/hr remote |
### Tickets
| Ticket | Date | Summary | Status |
|---|---|---|---|
| #32341 | 2026-05-28 | jalbert domain password reset via GuruRMM | Invoiced ($75.00, 0.5h) |
| #32380 | 2026-06-03 | M365 onboarding, Joshua Albert license/password, Dwayne Ortega new user | Created, assigned to Howard |
- Invoice #1650451827 — $75.00 (ticket #32341)
- Ticket #32380: https://computerguru.syncromsp.com/tickets/112127922
- Ticket #32341: https://computerguru.syncromsp.com/tickets/111395067
## Vault
- **On-prem credentials:** `clients/sif-oidak/laptops.sops.yaml` — local admin / standard user creds for Sif-Laptop554/555
- **M365 admin credentials:** NOT vaulted — no shared admin credentials recorded for this tenant
## Patterns / Notes
- **Tenant identification was non-obvious:** Initial attempt used `toua.net` (Tohono O'odham Nation parent org) before Mike confirmed the correct tenant is `sifoidak.onmicrosoft.com`. Always use the client's specific subdomain, not the tribal parent. The Syncro primary contact (deanna.cruz@tonation-nsn.gov) uses the parent org domain — that does not indicate the correct M365 tenant.
- **ACG MSP app onboarding order matters:** Tenant Admin must be consented first. `onboard-tenant.sh` then handles all other app SPs and role assignments. Do not skip directly to User Manager or Exchange Operator.
- **Seat auto-expansion accepted without manual purchase:** Microsoft 365 auto-expanded from 10 to 11 seats when Dortega's license was assigned. No manual action required in the moment, but billing implications should be verified with client if they have a fixed-seat contract.
- **Graph permission replication timing:** Two Security Investigator Graph permissions failed immediately after SP creation — standard replication lag. Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill. Non-blocking for user management operations.
- **SIF-SERVER2 role unknown:** Not investigated. Do not assume it is just a member server — it may be a secondary DC. Verify role before any domain-level operations that assume a single DC.
- **PasswordNeverExpires cleared on jalbert:** Pre-2026-05-28 state was `PasswordNeverExpires = $true`. This was cleared as a prerequisite for must-change and was not restored at Mike's direction. If this account is a service account or has special policy exemption, re-enabling may be needed — confirm at next contact.
- **Client not yet in CIPP:** Tenant is onboarded into ACG MSP apps but has no GDAP / Partner Center delegated admin relationship. For full MSP visibility and CIPP inclusion, a Partner Center delegated admin request is needed.
## Open Items
- [ ] Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill 2 missing Security Investigator Graph permissions (`User.Read.All`, `AuditLog.Read.All`)
- [ ] Add `clients/sif-oidak/m365-admin.sops.yaml` if client shares admin credentials with ACG
- [ ] Clarify SIF-SERVER2 role (secondary DC or member server?)
- [ ] Determine if jalbert's `PasswordNeverExpires` should be restored (was cleared 2026-05-28)
- [ ] Consider GDAP / Partner Center delegated admin relationship to get tenant into CIPP
## History
### 2026-05-28 — jalbert AD password reset (GuruRMM)
Howard requested a remote password reset for domain user `jalbert` (Joshua Albert) on SIF-SERVER. ACG used GuruRMM remote PowerShell (no RDP). SIF-SERVER confirmed online (agent def9fdbb), execution context NT AUTHORITY\SYSTEM. Password reset to `Temp1234!` via `Set-ADAccountPassword`. Must-change flag applied then reversed per Mike's direction. `PasswordNeverExpires` cleared and not restored. Syncro ticket #32341 created, 0.5h billed at $150/hr ($75.00), invoice #1650451827.
### 2026-06-03 — M365 tenant onboarding + user provisioning
Howard initiated via Discord requesting an O365 license for Joshua Albert. Tenant `sifoidak.onmicrosoft.com` was not in CIPP and had no ACG MSP app consent. Tenant identified by Mike after `toua.net` was tried first (wrong). Onboarded via admin consent + `onboard-tenant.sh`: Tenant Admin, User Manager, Security Investigator, and Exchange Operator all consented; directory roles assigned. Joshua Albert found to already have O365 Business license. Password reset to user-chosen value `Albert#2015`. New user Dwayne Ortega created (Dortega.sod@sifoidak.onmicrosoft.com), usage location set to US, O365 Business license assigned — tenant auto-expanded 10 → 11 seats. Syncro ticket #32380 created, assigned to Howard.
## Backlinks
- *(none yet)*
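Review bot: this file commits live credentials in plaintext to a git-tracked wiki page, which contradicts the document's own Vault section that keeps client secrets in sops-encrypted files (`clients/sif-oidak/laptops.sops.yaml`). The affected lines are the Joshua Albert entries "Password reset to `Temp1234!` via `Set-ADAccountPassword`" and "Password reset to user-chosen value `Albert#2015` via Graph API PATCH", the Dwayne Ortega row "| Initial password | Temp1234! — must change at next sign-in |", and the same values repeated in both History entries. The M365 value is the more serious one: it was set with `forceChangePasswordNextSignIn: false`, so the string recorded here is the account's current password, not a one-time temporary value. Suggest replacing each value with a pointer to a vault entry (for example a new `clients/sif-oidak/m365-admin.sops.yaml` or a user-credentials sops file, which the Open Items list already anticipates), keeping only the fact that a reset happened and who chose the value. Because this commit already contains the secrets, redacting in a follow-up commit is not sufficient; the history on the sync branch needs to be rewritten or the affected passwords rotated, and the Open Items list should gain a checkbox for whichever is done. Separately, the Contacts and Known Users sections could note that the `last_compiled` frontmatter and the "NOT vaulted" line under Vault should be updated together once the credentials are moved, so the two sections do not drift apart.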