Session log: GuruRMM MSI build fix + DESIGN.md + BirthBiologic onboarding
- Fixed MSI build on Pluto (missing WixToolset.Util.wixext in install.rs)
- Created docs/DESIGN.md in gururmm repo (per-component design guide)
- Saved BirthBiologic GuruRMM site credentials to vault
- Added birth-biologic and mvan-inc client session logs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
clients/mvan-inc/reports/2026-04-21-risky-signins.md (new file, 87 additions)
@@ -0,0 +1,87 @@
# Risky Sign-In Investigation — MVAN Inc
**Date:** 2026-04-21 UTC
**Tenant:** mvaninc.com (`5affaf1e-de89-416b-a655-1b2cf615d5b1`)
**Requested by:** Mike Swanson
**Scope:** Identity Protection risky users review

---

## Summary

Three accounts with active or recent risk events. Two are already remediated. One (`alisha.p@mvaninc.com`) remains atRisk with no action taken. The most concerning event is our own `sysadmin@mvaninc.com` (Global Admin) being flagged and remediated by password reset just 4 days ago (2026-04-17).

---

## Active Risks

### alisha.p@mvaninc.com — LOW / atRisk (OPEN)
- **Display name:** Alisha Park
- **Risk level:** Low
- **Risk state:** atRisk (no remediation performed)
- **Risk first detected:** 2025-12-01
- **Last password change:** 2025-11-13 (before risk event — password reset has NOT occurred)
- **Admin roles:** None
- **Recommendation:** Force password reset or dismiss if confirmed false positive

---

## Recently Remediated (past 90 days)

### sysadmin@mvaninc.com — REMEDIATED 2026-04-17 [PRIORITY]
- **Display name:** Computer Guru (our managed service account)
- **Risk state:** Remediated via `userPerformedSecuredPasswordReset`
- **Remediation date:** 2026-04-17T17:33:21Z (4 days ago)
- **Admin roles:** Global Administrator, Intune Administrator, Cloud Device Administrator
- **Last password change:** 2026-04-17T17:33:21Z (matches remediation)
- **Notes:** This is a high-privilege account. Cannot determine what triggered the risk detection without AuditLog.Read.All. The password reset was performed — determine who initiated it and whether any suspicious activity occurred before remediation.

### mitch.v@mvaninc.com — REMEDIATED 2026-04-07
- **Display name:** Mitch VanDeveer (client's primary admin)
- **Risk state:** Remediated via `userPerformedSecuredPasswordReset`
- **Remediation date:** 2026-04-07T13:12:55Z (~2 weeks ago)
- **Admin roles:** Global Administrator, Windows 365 Administrator
- **Last password change:** 2026-04-07T13:12:55Z (matches remediation)

---

## Historical / Other

| Account | Risk State | Level | Detail | Last Updated |
|---|---|---|---|---|
| mitch@mvan.onmicrosoft.com | remediated | none | passwordReset | 2025-10-24 |
| june.b@mvaninc.com | remediated | none | passwordReset | 2026-01-27 |
| j.bradford@modernstile.com | atRisk | medium | none | 2020-12-25 (stale — different domain) |
| june@jemaenterprises.com | dismissed | none | — | 2022-04-26 |

---

## Global Admin Inventory (6 accounts — excessive)

| Account | Notes |
|---|---|
| mitch.v@mvaninc.com | Client owner |
| admin@mvan.onmicrosoft.com | Break-glass / legacy |
| mitch@mvan.onmicrosoft.com | Alternate admin account |
| june.b@mvaninc.com | Non-admin user with GA role |
| sysadmin@mvaninc.com | Our managed service account |
| ryan@mvan.onmicrosoft.com | Unknown |

6 Global Admins is excessive for a tenant this size. Recommend reducing to 2-3 and using dedicated roles where possible.

---

## Recommended Actions

1. **[URGENT]** Investigate what triggered the risk on `sysadmin@mvaninc.com` — review in Entra ID > Identity Protection > Risk detections portal. Confirm no unauthorized access occurred before the 2026-04-17 reset.
2. **[ACTION REQUIRED]** Remediate `alisha.p@mvaninc.com` — force password reset or dismiss with documented justification.
3. **[ADVISORY]** Review MFA registration status for all 6 Global Admins — confirm MFA is enforced.
4. **[ADVISORY]** Reduce Global Admin count. `june.b@mvaninc.com` and `ryan@mvan.onmicrosoft.com` should be reviewed for necessity.
5. **[MISSING VISIBILITY]** Add `AuditLog.Read.All` to the Security Investigator app manifest to enable sign-in log and risk detection queries in future investigations.

---

## Tool Limitations This Run

- `AuditLog.Read.All` not in investigator app manifest: could not pull sign-in logs or risk detection details (IP addresses, geolocations, detection types)
- `IdentityRiskEvent.Read.All` not in investigator app manifest: could not pull riskDetections endpoint
- Used `identityProtection/riskyUsers` (requires `IdentityRiskyUser.Read.All`) — available

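Review bot: the "Historical / Other" table lists `j.bradford@modernstile.com` as `atRisk` at level `medium`, which is a higher risk level than the only item under "Active Risks" (`alisha.p@mvaninc.com`, low), yet it appears nowhere in "Recommended Actions" and the Summary counts only three accounts with active or recent risk. An open atRisk state is still open regardless of how stale the last update is; either move that row under "Active Risks" or add an action item to confirm whether the object is an external/guest or disabled account and then dismiss or remediate it with justification, and adjust the Summary count accordingly. Separately, action 5 asks only for `AuditLog.Read.All`, but "Tool Limitations This Run" also records that `IdentityRiskEvent.Read.All` was missing and blocked the `riskDetections` endpoint; action 5 should name both permissions so the next run can actually answer the question raised in action 1 (what triggered the `sysadmin@mvaninc.com` detection).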