sync: auto-sync from HOWARD-HOME at 2026-06-03 09:56:24
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-03 09:56:24
@@ -138,3 +138,22 @@ curl -s -X POST -H "Authorization: Bearer $TOK_TA" -H "Content-Type: application
- Migration master plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- Remediation skill: `.claude/skills/remediation-tool/` (get-token.sh tiers: investigator, intune-manager, tenant-admin)
- New CA policy id: `1b7fd025-1aad-47c8-9274-c32c3e0b163c` ; consent grant id: `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`
## Update: 09:55 MST — Crystal Rodriguez SSO fixed (per-user ALIS Email = UPN confirmed)
Diagnosed why Megan Hiatt could use the ALIS "Sign in with Microsoft" option but Crystal Rodriguez could not. Both are identical on every dimension that could matter: cloud-only Entra accounts (`onPremisesSyncEnabled = null`), enabled, neither in `SG-Caregivers`, and **both have their own per-user `Principal` consent grant** (Megan `b8de0859`, Crystal `ac1799f6`). So it was not the security group, not consent, not identity, not sync state.
The real difference was the **login path**: Megan had 10 ALIS sign-in events through the Entra/Microsoft login (most recent `errorCode 0` = success), while Crystal had **zero** ALIS/Entra sign-in events in 14 days — she had never come through the Microsoft login at all. Her ALIS staff record was not SSO-linked because the **Email field on her ALIS record did not match her Entra UPN** (`crystal.rodriguez@cascadestucson.com`), so "Sign in with Microsoft" could not resolve her to a staff record, and she fell back to direct ALIS credential login.
**Resolution (Howard):** added Crystal's email to her ALIS staff record → SSO worked immediately.
### Confirmed procedure — enable ALIS SSO for one user
1. User must have a valid Entra identity (synced or cloud-only — both work).
2. Tenant-wide admin consent for the ALIS app must exist — **done globally 2026-06-03**, so this is a one-time prerequisite, not per-user.
3. In ALIS admin → Staff → user's record, set the **Email field = the user's exact Entra UPN** (e.g. `crystal.rodriguez@cascadestucson.com`). This is the per-user SSO join key.
4. User signs in via **"Sign in with Microsoft"** (not the ALIS username/password box).
5. Turn off **ALIS-native 2FA** on that user's account (Entra is the second factor; native 2FA conflicts and was what locked out Karen Rossini on 2026-05-29).
Symptom signature: a user with zero ALIS app sign-in events in the Entra logs is on the old direct-login path (not SSO) — the fix is the ALIS Email match, not anything in Entra.
Sweep target: apply this to all office/clinical users (Karen Rossini, MemCare reception, etc.) to standardize everyone onto SSO.
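Review bot: step 5 of the procedure (turn off ALIS-native 2FA) should be conditional on the user's direct ALIS username/password login being disabled or otherwise blocked, because the diagnosis in this same hunk shows that a user whose ALIS Email does not match the Entra UPN silently falls back to direct credential login; removing native 2FA while that fallback remains leaves the account on a single-factor path. Suggest reordering so native 2FA is removed only after a successful "Sign in with Microsoft" event (`errorCode 0`) for that user is seen in the Entra sign-in log, and stating explicitly whether the ALIS credential box stays usable for SSO-linked accounts. The "Symptom signature" line should also carry the 14-day window used in the diagnosis, since an infrequent user can show zero ALIS sign-in events without being on the old login path.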