Session log: GuruRMM MSI build fix + DESIGN.md + BirthBiologic onboarding

- Fixed MSI build on Pluto (missing WixToolset.Util.wixext in install.rs)
- Created docs/DESIGN.md in gururmm repo (per-component design guide)
- Saved BirthBiologic GuruRMM site credentials to vault
- Added birth-biologic and mvan-inc client session logs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.claude/skills/remediation-tool/references/gotchas.md

@@ -120,6 +120,7 @@ If token request or API call returns AADSTS650052 referencing `WindowsDefenderAT
 | Cascades Tucson | 207fa277-e9d8-4eb7-ada1-1064d2221498 | old app only | — | — | — | — | old app only | old app only | — | IdentityRiskyUser scope still not consented as of 2026-04-16 |
 | Grabblaw | 032b383e-96e4-491b-880d-3fd3295672c3 | YES (2026-04-20) | — | YES (2026-04-20) | YES (2026-04-20) | — | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | Fully onboarded |
 | martylryan.com | (resolve via script) | YES (2026-04-20) | — | YES (old app) | YES (2026-04-20) | — | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | Fully onboarded |
+| mvaninc.com | 5affaf1e-de89-416b-a655-1b2cf615d5b1 | YES (2026-04-21) | — | YES (2026-04-21) | YES (2026-04-21) | — | — | — | — | Fully onboarded. Incident 2026-04-21: sysadmin GA account unauthorized sign-in from OKC via device PRT (MITCH-LAPTOP/JUNE). Remediated: pw reset, sessions revoked. CA policy (MFA all users) still pending — Mike to create. |
 
 **Migration note:** Valleywide, Dataforth, and Cascades still use the old deprecated app. Next visit: consent Security Investigator + assign Exchange Administrator role to new SP, then retire old app consent.
 

clients/birth-biologic/session-logs/2026-04-21-session.md

@@ -0,0 +1,50 @@
+# Session Log — BirthBiologic — 2026-04-21
+
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** DESKTOP-0O8A1RL
+- **Role:** admin
+
+---
+
+## Summary
+
+New client onboarded into GuruRMM. Client and site created. Vault entry saved. MSI installer ready for deployment on their server.
+
+---
+
+## Client Details
+
+- **Client name:** BirthBiologic
+- **GuruRMM client ID:** `da526b38-e832-4159-ab13-a3d94e9897a2`
+- **Site:** Main Office
+- **Site ID:** `3b20ef97-c764-4ef8-9154-79c3d5b486f8`
+- **Site code:** `BRIGHT-PEAK-5980`
+- **API key:** `grmm_1ZB1qV9Q61b9Noq8BIaZGwLNjZMfF49i`
+- **Vault:** `D:/vault/clients/birthbiologic/gururmm-site-main.sops.yaml`
+
+---
+
+## Install URLs
+
+- **Landing page (for manual install):** `https://rmm.azcomputerguru.com/install/BRIGHT-PEAK-5980`
+- **MSI download (dashboard):** `https://rmm.azcomputerguru.com/sites/3b20ef97-c764-4ef8-9154-79c3d5b486f8/installer`
+
+---
+
+## M365 Status
+
+- **Tenant:** birthbiologic.com (tenant ID unknown — not yet looked up)
+- **Security Investigator app:** consented (2026-04-21)
+- **Exchange Operator, User Manager, Tenant Admin, Defender:** NOT yet consented
+- **Note:** sysadmin@birthbiologic.com does not have a SharePoint/M365 license — app-only auth via tenant-admin with `Sites.ReadWrite.All` is the approach for SharePoint access (no user license needed for app-only)
+
+---
+
+## Pending
+
+- [ ] Install GuruRMM agent on BirthBiologic server via MSI or landing page
+- [ ] Consent remaining apps in BirthBiologic tenant (user-manager, tenant-admin minimum)
+- [ ] Datto Workplace → SharePoint migration: PowerShell script using tenant-admin app-only credentials, reads local Datto file server, uploads to SharePoint via Graph API `Sites.ReadWrite.All`
+  - BirthBiologic has 14 SharePoint sites (5 new dept sites created 2026-04-20 for Datto migration)
+  - Datto Workplace server is on-premise at their office (local file system access available once agent is installed)

clients/mvan-inc/reports/2026-04-21-risky-signins.md

@@ -0,0 +1,87 @@
+# Risky Sign-In Investigation — MVAN Inc
+**Date:** 2026-04-21 UTC  
+**Tenant:** mvaninc.com (`5affaf1e-de89-416b-a655-1b2cf615d5b1`)  
+**Requested by:** Mike Swanson  
+**Scope:** Identity Protection risky users review
+
+---
+
+## Summary
+
+Three accounts with active or recent risk events. Two are already remediated. One (`alisha.p@mvaninc.com`) remains atRisk with no action taken. The most concerning event is our own `sysadmin@mvaninc.com` (Global Admin) being flagged and remediated by password reset just 4 days ago (2026-04-17).
+
+---
+
+## Active Risks
+
+### alisha.p@mvaninc.com — LOW / atRisk (OPEN)
+- **Display name:** Alisha Park
+- **Risk level:** Low
+- **Risk state:** atRisk (no remediation performed)
+- **Risk first detected:** 2025-12-01
+- **Last password change:** 2025-11-13 (before risk event — password reset has NOT occurred)
+- **Admin roles:** None
+- **Recommendation:** Force password reset or dismiss if confirmed false positive
+
+---
+
+## Recently Remediated (past 90 days)
+
+### sysadmin@mvaninc.com — REMEDIATED 2026-04-17 [PRIORITY]
+- **Display name:** Computer Guru (our managed service account)
+- **Risk state:** Remediated via `userPerformedSecuredPasswordReset`
+- **Remediation date:** 2026-04-17T17:33:21Z (4 days ago)
+- **Admin roles:** Global Administrator, Intune Administrator, Cloud Device Administrator
+- **Last password change:** 2026-04-17T17:33:21Z (matches remediation)
+- **Notes:** This is a high-privilege account. Cannot determine what triggered the risk detection without AuditLog.Read.All. The password reset was performed — determine who initiated it and whether any suspicious activity occurred before remediation.
+
+### mitch.v@mvaninc.com — REMEDIATED 2026-04-07
+- **Display name:** Mitch VanDeveer (client's primary admin)
+- **Risk state:** Remediated via `userPerformedSecuredPasswordReset`
+- **Remediation date:** 2026-04-07T13:12:55Z (~2 weeks ago)
+- **Admin roles:** Global Administrator, Windows 365 Administrator
+- **Last password change:** 2026-04-07T13:12:55Z (matches remediation)
+
+---
+
+## Historical / Other
+
+| Account | Risk State | Level | Detail | Last Updated |
+|---|---|---|---|---|
+| mitch@mvan.onmicrosoft.com | remediated | none | passwordReset | 2025-10-24 |
+| june.b@mvaninc.com | remediated | none | passwordReset | 2026-01-27 |
+| j.bradford@modernstile.com | atRisk | medium | none | 2020-12-25 (stale — different domain) |
+| june@jemaenterprises.com | dismissed | none | — | 2022-04-26 |
+
+---
+
+## Global Admin Inventory (6 accounts — excessive)
+
+| Account | Notes |
+|---|---|
+| mitch.v@mvaninc.com | Client owner |
+| admin@mvan.onmicrosoft.com | Break-glass / legacy |
+| mitch@mvan.onmicrosoft.com | Alternate admin account |
+| june.b@mvaninc.com | Non-admin user with GA role |
+| sysadmin@mvaninc.com | Our managed service account |
+| ryan@mvan.onmicrosoft.com | Unknown |
+
+6 Global Admins is excessive for a tenant this size. Recommend reducing to 2-3 and using dedicated roles where possible.
+
+---
+
+## Recommended Actions
+
+1. **[URGENT]** Investigate what triggered the risk on `sysadmin@mvaninc.com` — review in Entra ID > Identity Protection > Risk detections portal. Confirm no unauthorized access occurred before the 2026-04-17 reset.
+2. **[ACTION REQUIRED]** Remediate `alisha.p@mvaninc.com` — force password reset or dismiss with documented justification.
+3. **[ADVISORY]** Review MFA registration status for all 6 Global Admins — confirm MFA is enforced.
+4. **[ADVISORY]** Reduce Global Admin count. `june.b@mvaninc.com` and `ryan@mvan.onmicrosoft.com` should be reviewed for necessity.
+5. **[MISSING VISIBILITY]** Add `AuditLog.Read.All` to the Security Investigator app manifest to enable sign-in log and risk detection queries in future investigations.
+
+---
+
+## Tool Limitations This Run
+
+- `AuditLog.Read.All` not in investigator app manifest: could not pull sign-in logs or risk detection details (IP addresses, geolocations, detection types)
+- `IdentityRiskEvent.Read.All` not in investigator app manifest: could not pull riskDetections endpoint
+- Used `identityProtection/riskyUsers` (requires `IdentityRiskyUser.Read.All`) — available