sync: auto-sync from ACG-TECH03L at 2026-04-19 12:50:13

Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-19 12:50:13
2026-04-19 12:50:15 -07:00
parent c44a01f5dd
commit c4fdb5a233
13 changed files with 2238 additions and 47 deletions


@@ -0,0 +1,42 @@
# Note for Mike
## From Howard, 2026-04-19
### Cascades of Tucson - M365 Remediation App - Identity Protection scope
During today's phishing investigation on Cascades of Tucson (crystal.rodriguez, et al.), the 10-point breach check returned `Forbidden` on `/identityProtection/riskyUsers` and `/identityProtection/riskDetections` because **Claude-MSP-Access (ComputerGuru - AI Remediation, App ID `fabb3421-8b34-484b-bc17-e46de9703418`) lacks admin consent for `IdentityRiskyUser.Read.All` on the Cascades tenant.**
**Asking before I grant:** should I go ahead and give this consent, or do you want to hold off?
#### What the scope does
- **Read-only.** Reads Entra ID Identity Protection signals: risky-user state (low/medium/high), and the underlying risk detections (impossible travel, anonymous IP, leaked credentials, malware-linked IP, etc.).
- **No write capability** - not `ReadWrite.All`, just `Read.All`. The app cannot reset risk state, dismiss detections, or modify anything in Identity Protection.
- **Tenant-scoped.** Consent applies only to the Cascades tenant; doesn't affect other clients.
#### Why I want it
- Closes a visibility gap in our standard breach-check workflow. Today I had to tell the report "this check skipped" for risky-user signals.
- Saves us from logging into the Defender / Entra portal manually during IR to cross-check.
- Cascades has Defender P1+ (based on targeted-user protection already configured), so risk data exists to read.
#### Why you might say no
- Every additional scope on the app = larger blast radius if the app's client secret/cert leaks.
- Scope is persistent until revoked via the portal.
- Identity Protection data can include sensitive info (IPs, geo, device hints). If our audit logging is weak, reading it leaves tracks we should be aware of.
#### My lean
**Allow it.** The scope is read-only, the app is narrowly controlled (only us), and we already have Mail.Read, User.Read.All, Exchange Admin, etc. — which are materially more sensitive than this. The inconsistency of "we can read full mailbox contents but not risky-user flags" doesn't match a risk-based model.
If you say yes, consent URL is:
```
https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418
```
Takes ~30 seconds. Sign in as a GA on Cascades' tenant (sysadmin@ works), review the permission, click Accept.
Full investigation report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md`
- Howard
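Review bot: The request names one scope (`IdentityRiskyUser.Read.All`) but the failing check hit two endpoints (`/identityProtection/riskyUsers` and `/identityProtection/riskDetections`); confirm against the Graph permissions reference that this single scope covers both before the consent is granted, otherwise the riskDetections half of the 10-point check will still return `Forbidden` and the grant will need a second round. Two follow-ups for the note itself: the "Scope is persistent until revoked via the portal" bullet should carry an owner and a review date for the grant so it does not outlive the engagement, and the "If our audit logging is weak" caveat is worth closing before rather than after consent by checking what the Cascades tenant actually logs for this app's Graph reads. Finally, since this file is auto-synced into the repo with the tenant ID, the app's client ID, a live admin-consent URL and a client employee's name, make sure the repository's access control matches the sensitivity the "Why you might say no" section describes.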