sync: auto-sync from GURU-KALI at 2026-05-31 19:31:53
Author: Mike Swanson Machine: GURU-KALI Timestamp: 2026-05-31 19:31:53
This commit is contained in:
@@ -0,0 +1,123 @@
|
||||
# Rednour Law — MSP Suite Onboarding + Account Rename (emma@ → carla@)
|
||||
|
||||
**Date:** 2026-05-31 (UTC)
|
||||
**Tenant:** rednourlaw.com (`4a4ca18a-f516-478b-99da-2e0722c5dc18`)
|
||||
**Operator:** Mike Swanson (GURU-KALI)
|
||||
**Apps used:** ComputerGuru Tenant Admin, Exchange Operator, User Manager
|
||||
|
||||
## Action Summary
|
||||
|
||||
Two operations chained:
|
||||
|
||||
1. **Bootstrapped the full ComputerGuru MSP app suite** for the rednourlaw.com tenant (Tenant Admin consent followed by `onboard-tenant.sh`). Prior state: only Tenant Admin was consentable; no Exchange/User roles assigned. Triggered by HTTP 403 on Get-Mailbox during the rename attempt — the Exchange Operator SP existed but lacked Exchange Administrator role.
|
||||
2. **Renamed `emma@rednourlaw.com` → `carla@rednourlaw.com` (Carla Skinner)** in a three-call sequence: `Set-Mailbox` for EmailAddresses, Graph `PATCH /users/{id}` for identity fields, `POST /revokeSignInSessions` to invalidate any active token.
|
||||
|
||||
## Onboarding Result
|
||||
|
||||
| SP | App ID | Status | Roles assigned |
|
||||
|---|---|---|---|
|
||||
| Tenant Admin | `709e6eed-0711-4875-9c44-2d3518c47063` | Consented manually | Conditional Access Administrator |
|
||||
| Security Investigator | `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` | Programmatic | Exchange Administrator |
|
||||
| Exchange Operator | `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` | Programmatic | Exchange Administrator |
|
||||
| User Manager | `64fac46b-8b44-41ad-93ee-7da03927576c` | Programmatic | User Administrator, Authentication Administrator |
|
||||
| Defender Add-on | `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b` | Programmatic | (none — no MDE license in this tenant) |
|
||||
|
||||
Defender Add-on consent succeeded but the tenant has no MDE license, so calling Defender ATP endpoints will return AADSTS650052. Skip the `defender` tier for this tenant.
|
||||
|
||||
Exchange Administrator role on the Exchange Operator SP propagated within ~60s (Get-Mailbox switched from 403 to 200 on the second try).
|
||||
|
||||
`references/tenants.md` row updated from `NO` to `YES` with the date and per-SP role summary.
|
||||
|
||||
## User Rename — Before
|
||||
|
||||
```
|
||||
id: 93074d1a-6db2-4794-8f7d-c84a619e4494
|
||||
UPN: emma@rednourlaw.com
|
||||
displayName: Emma - Rednour Law
|
||||
mail: emma@rednourlaw.com
|
||||
mailNickname: dgarcia
|
||||
givenName: Emma
|
||||
surname: (null)
|
||||
PrimarySmtpAddress: emma@rednourlaw.com
|
||||
EmailAddresses:
|
||||
SIP:emma@rednourlaw.com
|
||||
SMTP:emma@rednourlaw.com (primary)
|
||||
smtp:dgarcia@rednourlaw.com (legacy)
|
||||
smtp:alee@rednourlaw.com (legacy)
|
||||
smtp:dgarcia@rednourlaw.onmicrosoft.com (routing)
|
||||
SPO:SPO_f390956f-...@SPO_<tenant> (SharePoint auto)
|
||||
EmailAddressPolicyEnabled: False
|
||||
accountEnabled: true
|
||||
```
|
||||
|
||||
The mailNickname `dgarcia` and the two legacy aliases indicate this mailbox was previously inherited from earlier employees Garcia → Emma. The chain continues with the rename to Carla.
|
||||
|
||||
## User Rename — After
|
||||
|
||||
```
|
||||
id: 93074d1a-6db2-4794-8f7d-c84a619e4494 (unchanged)
|
||||
UPN: carla@rednourlaw.com
|
||||
displayName: Carla Skinner
|
||||
mail: carla@rednourlaw.com
|
||||
mailNickname: carla
|
||||
givenName: Carla
|
||||
surname: Skinner
|
||||
PrimarySmtpAddress: carla@rednourlaw.com
|
||||
EmailAddresses:
|
||||
SIP:emma@rednourlaw.com (will auto-regen to carla@ on next sync)
|
||||
SMTP:carla@rednourlaw.com (new primary)
|
||||
smtp:emma@rednourlaw.com (alias — Emma's old mail still routes here)
|
||||
smtp:dgarcia@rednourlaw.com (legacy — kept per operator)
|
||||
smtp:alee@rednourlaw.com (legacy — kept per operator)
|
||||
smtp:dgarcia@rednourlaw.onmicrosoft.com (existing routing — Exchange chose not to swap to carla@)
|
||||
SPO:SPO_f390956f-...@SPO_<tenant> (unchanged)
|
||||
accountEnabled: true
|
||||
```
|
||||
|
||||
## Sign-in Session Revocation
|
||||
|
||||
`POST /users/93074d1a-.../revokeSignInSessions` returned `200 {"value": true}`. All refresh tokens and active sessions under the previous UPN are invalidated; next access requires re-authentication as `carla@rednourlaw.com`.
|
||||
|
||||
## Decisions Made During Execution
|
||||
|
||||
- **Kept both legacy aliases (`dgarcia@`, `alee@`)** — operator's explicit choice. If those external addresses are confirmed dormant in the future, revisit removing them.
|
||||
- **No password reset** — operator confirmed this is a name change, not a personnel handoff; Carla already knows the password.
|
||||
- **Sessions revoked unconditionally** — standard practice after any UPN change.
|
||||
- **SP role/consent strategy** — bootstrapped the full suite (not just Exchange Operator) since onboarding was already incomplete. Future operations against this tenant now have the full toolset available.
|
||||
|
||||
## Two Cosmetic Items That Did Not Apply
|
||||
|
||||
1. `SIP:emma@rednourlaw.com` persisted instead of updating to `SIP:carla@rednourlaw.com`. Exchange auto-derives SIP from UPN — should self-heal on next mail-flow event or Teams sign-in.
|
||||
2. `smtp:carla@rednourlaw.onmicrosoft.com` was not added; Exchange kept the existing `smtp:dgarcia@rednourlaw.onmicrosoft.com` routing entry. Tenant routing through `*.onmicrosoft.com` still resolves to the right mailbox regardless of the local-part, so mail flow is unaffected.
|
||||
|
||||
Neither is blocking. If they bother you, a single follow-up `Set-Mailbox` call can rewrite EmailAddresses with the cleaned list.
|
||||
|
||||
## Raw Artifacts
|
||||
|
||||
Preserved under `/tmp/remediation-tool/4a4ca18a-f516-478b-99da-2e0722c5dc18/rednour-rename/`:
|
||||
- `get-mailbox-before.json` — pre-rename state
|
||||
- `set-mailbox-resp.json` — Set-Mailbox response (empty value collection + warnings array — normal)
|
||||
- `get-mailbox-after.json` — first verify (stale due to replication)
|
||||
- `get-mailbox-after2.json`, `get-mailbox-final.json` — converged verifies
|
||||
|
||||
## API Calls Executed (audit trail)
|
||||
|
||||
```
|
||||
POST /adminconsent (client_id=Tenant Admin, manual click by Global Admin)
|
||||
bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh rednourlaw.com
|
||||
POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand
|
||||
CmdletName=Set-Mailbox
|
||||
Identity=93074d1a-6db2-4794-8f7d-c84a619e4494
|
||||
EmailAddresses=[SMTP:carla@..., smtp:emma@..., smtp:dgarcia@..., smtp:alee@..., smtp:carla@*.onmicrosoft.com, SIP:carla@..., SPO:...]
|
||||
WindowsEmailAddress=carla@rednourlaw.com
|
||||
PATCH https://graph.microsoft.com/v1.0/users/93074d1a-...
|
||||
{userPrincipalName, displayName, mailNickname, givenName, surname}
|
||||
POST https://graph.microsoft.com/v1.0/users/93074d1a-.../revokeSignInSessions
|
||||
```
|
||||
|
||||
## Reference
|
||||
|
||||
- Tenant ID: `4a4ca18a-f516-478b-99da-2e0722c5dc18`
|
||||
- User object ID (unchanged through rename): `93074d1a-6db2-4794-8f7d-c84a619e4494`
|
||||
- Onboarding script: `.claude/skills/remediation-tool/scripts/onboard-tenant.sh`
|
||||
- Updated tenants.md row: line 39
|
||||
Reference in New Issue
Block a user