session log: add note for Howard - Cascades CA fix approved, new approval workflow

Howard is cleared to proceed with Path A (Graph API role assignment) for
Cascades CA Administrator fix.

Also communicated new approval workflow:
- General tools: Howard can modify OR Claude can execute with Howard/Mike approval
- Projects: require Mike approval, features→roadmap, bugs→bug list

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-29 06:54:42 -07:00
parent f74463d014
commit dbf4325c46
@@ -180,3 +180,68 @@ All work syncs bidirectionally via Gitea at 172.16.3.20:3000.
**Session Duration:** ~10 minutes (sync + review only) **Session Duration:** ~10 minutes (sync + review only)
**Commits During Session:** 0 (sync-only session) **Commits During Session:** 0 (sync-only session)
**Files Changed:** 0 (review-only session) **Files Changed:** 0 (review-only session)
---
## Note for Howard
**RE: Cascades CA Role Gap & New Approval Workflow**
### Approval Workflow (NEW - applies to all future work)
Mike established a clear approval process today (documented in `.claude/memory/approval-workflow-tools-vs-projects.md`):
**General Tools** (remediation-tool, onboard scripts, MSP utilities):
- **You can modify directly** to further your work
- **OR** I can execute changes with approval from you **OR** Mike
- No roadmap/planning process - immediate operational changes allowed
**Projects** (GuruRMM, ClaudeTools API, etc.):
- Require Mike's approval for changes
- Feature requests → roadmap
- Bugs → bug list
- Structured development workflow
### Cascades CA Fix - YOU ARE CLEARED TO PROCEED
Mike reviewed your 2026-04-28 session log and **approves Path A** (Graph API role assignment). You're clear to test and confirm.
**Execute these commands when ready:**
```bash
# Get token for Cascades tenant
TOKEN=$(bash /path/to/vault/scripts/vault.sh get-field msp-tools/computerguru-tenant-admin.sops.yaml token)
# Step 1: Activate the Conditional Access Administrator role in Cascades tenant (idempotent)
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
"https://graph.microsoft.com/v1.0/directoryRoles" \
-d '{"roleTemplateId":"b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"}'
# Step 2: Assign CA Administrator to Tenant Admin SP
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
"https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" \
-d '{
"principalId": "a5fa89a9-b735-4e10-b664-f042e265d137",
"roleDefinitionId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"directoryScopeId": "/"
}'
```
(These are the exact commands from your session log lines 154-168.)
### After You Confirm It Works
Once you verify CA endpoints work (can read Named Locations, can read CA policies), ping Mike or me and we'll:
1. Patch `onboard-tenant.sh` to include this role assignment automatically
2. Document any tenants already onboarded that need backfill
Then you can proceed with the rest of Track A:
- Add `184.191.143.62/32` to Cascades Named Location
- Exit Entra Connect staging
- Phone enrollment (Gates A5-A7)
**Bottom line:** You're approved and unblocked. Execute Path A when ready.
---
**Update added:** 2026-04-29 06:50 (Mike session on Mac)
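Review bot: the "Execute these commands when ready" block still contains a placeholder path, `TOKEN=$(bash /path/to/vault/scripts/vault.sh get-field ...)`, while the line under the block says these are the exact commands from the 2026-04-28 session log; replace the placeholder with the real vault.sh location (or say explicitly that Howard must substitute it) so the block can be run as written. Two smaller points in the same block: Step 1 is labelled idempotent, but repeating `POST /directoryRoles` for a role template that is already activated in the tenant returns a conflict error rather than succeeding, so the note should tell Howard to check `GET /directoryRoles` for the Conditional Access Administrator template first, or to treat that conflict as success, before moving on to Step 2; and neither curl call checks its HTTP status, so a rejected assignment (for example if the app behind the token lacks RoleManagement.ReadWrite.Directory) would only show up as an error body in the terminal, with the "After You Confirm It Works" checks as the sole safety net. Because Step 2 grants Conditional Access Administrator at `"directoryScopeId": "/"` (tenant-wide) to the Tenant Admin service principal, the log should also record who owns that SP and why the role is needed, since the planned `onboard-tenant.sh` change and the backfill list will apply the same grant to every onboarded tenant.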