diff --git a/projects/msp-tools/guru-rmm b/projects/msp-tools/guru-rmm index a3cce0a..09530c7 160000 --- a/projects/msp-tools/guru-rmm +++ b/projects/msp-tools/guru-rmm @@ -1 +1 @@ -Subproject commit a3cce0a8310ea586b31fe353604079b02bab8c22 +Subproject commit 09530c75eb97059427b4734dc55bfef8577c5dd8 diff --git a/session-logs/2026-05-15-session.md b/session-logs/2026-05-15-session.md index f9fc4cc..0492ca3 100644 --- a/session-logs/2026-05-15-session.md +++ b/session-logs/2026-05-15-session.md 
@@ -735,3 +735,96 @@ cc3d4d8 fix(webhook): prevent zombie lock with thread-based build dispatch - Platform parity matrix: `.claude/CODING_GUIDELINES.md` § "GuruRMM Agent — Platform Parity" - Claudetools commits: `ee900fd` (token efficiency), `8c522b3` (parity rule hardening) - GuruRMM commit: `a3cce0a` (Linux parity — temps, idle time, service checks) + +--- + +## Update: 16:40 PT — M365 alias add (developer@azcomputerguru.com) + Exchange Operator role fix + +## User +- **User:** Mike Swanson (mike) +- **Machine:** DESKTOP-0O8A1RL +- **Role:** admin +- **Session span:** ~16:20–16:40 PT, 2026-05-15 + +## Session Summary + +Added `developer@azcomputerguru.com` as an email alias to the ACG Admin distribution group (`admin@azcomputerguru.com`) in the azcomputerguru.com M365 tenant. The target turned out to be a mail-enabled distribution group (not a user mailbox), which required Exchange Online cmdlets rather than Graph API to modify. + +Initial attempts via Graph PATCH on the group object failed with 403 from both user-manager and tenant-admin tiers, since distribution list proxyAddresses are Exchange-managed and cannot be written via Graph. Pivoted to the exchange-op tier and the EXO admin REST API (InvokeCommand). The exchange-op token acquired successfully but InvokeCommand also returned 403, revealing the Exchange Operator service principal had zero directory roles assigned in the ACG tenant — Exchange Administrator was missing. + +Assigned Exchange Administrator to the Exchange Operator SP (OID: `83c225f1-b38d-4063-9fdd-642b6b09ae8b`) using the tenant-admin tier. After an 8-second propagation wait, retried InvokeCommand with `Set-DistributionGroup`. The hash table add syntax (`{"Add": [...]}`) was rejected by the REST API with a type conversion error; resolved by passing the full flat address list as a replacement array. Change confirmed live after a 20-second Exchange replication delay. 
+ +Subsequently searched mike@azcomputerguru.com's mailbox (via investigator tier / Graph Mail.Read) for Apple emails. Found a verification email from `appleid@id.apple.com` sent to `admin@azcomputerguru.com` at 23:31 UTC — arrived minutes after the alias was added, confirming the use case. Also surfaced an Apple Developer Program enrollment thread from 2026-05-11 (enrollment ID HH5UA87LAH, currently stalled on identity verification). + +Also answered a user question about the Claude Code "fan out agents" prompt — the feature that spawns parallel agents in isolated git worktrees for large parallel tasks, triggered via `/batch`. + +## Key Decisions + +- **Used Exchange Online InvokeCommand instead of Graph PATCH** — distribution lists (groupTypes: []) are Exchange-managed; Graph PATCH on proxyAddresses is not supported for this recipient type regardless of permission tier. +- **Passed full address list rather than hash table add syntax** — EXO REST API InvokeCommand does not support PowerShell hash table parameters (`@{Add=...}`); the only working approach was providing the complete replacement array including all existing entries. +- **Assigned Exchange Administrator role to Exchange Operator SP for ACG tenant** — the MSP apps had never been onboarded against the ACG own tenant; this was a gap. The role was assigned permanently (not PIM-managed) using tenant-admin tier. +- **Used investigator tier for mailbox search** — user-manager and exchange-op both lack Graph Mail.Read; investigator has it as part of its read-only audit scope. + +## Problems Encountered + +- **Graph PATCH 403 on group proxyAddresses** — both user-manager and tenant-admin returned 403; root cause was that DL proxyAddresses require Exchange Online write, not Graph directory write. Resolved by switching to InvokeCommand. +- **Exchange Operator InvokeCommand 403** — Exchange Operator SP had no directory roles in the ACG tenant (Exchange Administrator was missing). 
Resolved by assigning the role via tenant-admin Graph token. Side note: this gap means all previous exchange-op attempts against azcomputerguru.com would have failed the same way. +- **Set-DistributionGroup hash table parameter rejected** — `{"Add": [...]}` format caused a Newtonsoft.Json type conversion error in the EXO REST layer. Resolved by fetching current addresses via Get-DistributionGroup and passing the full array as a replacement. +- **20-second replication delay** — alias did not appear in immediate verify call; confirmed live on second check after waiting. + +## Configuration Changes + +None (no files modified in claudetools repo this session). + +## Credentials & Secrets + +None new. Existing vault entries used: +- `msp-tools/computerguru-security-investigator.sops.yaml` — cert auth +- `msp-tools/computerguru-exchange-operator.sops.yaml` — cert auth +- `msp-tools/computerguru-tenant-admin.sops.yaml` — cert auth +- `msp-tools/computerguru-user-manager.sops.yaml` — cert auth + +## Infrastructure & Servers + +- **Tenant:** azcomputerguru.com — tenant ID `ce61461e-81a0-4c84-bb4a-7b354a9a356d` +- **Exchange Operator SP OID (ACG tenant):** `83c225f1-b38d-4063-9fdd-642b6b09ae8b` +- **ACG Admin DL object ID (Graph groups):** `9583782e-5b76-4636-bbeb-2a559d6a599d` +- **Role assigned:** Exchange Administrator (`29232cdf-9323-42fd-ade2-1d097af3e4de`) — role assignment ID `3ywjKSOT_UKt4h0JevPk3vElwoONs2NAn91kK2sJros-1` +- **EXO endpoint used:** `https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand` + +## Commands & Outputs + +```bash +# Resolve tenant +bash scripts/resolve-tenant.sh azcomputerguru.com +# -> ce61461e-81a0-4c84-bb4a-7b354a9a356d + +# Get group members +CmdletName: Get-DistributionGroupMember, Identity: admin@azcomputerguru.com +# -> mike@azcomputerguru.com, wwilliams@azcomputerguru.com + +# Assign Exchange Administrator to Exchange Operator SP +POST /roleManagement/directory/roleAssignments 
+{"roleDefinitionId":"29232cdf-9323-42fd-ade2-1d097af3e4de","principalId":"83c225f1-b38d-4063-9fdd-642b6b09ae8b","directoryScopeId":"/"} +# -> HTTP 201 + +# Add alias (full replacement list) +CmdletName: Set-DistributionGroup +Parameters: {Identity: admin@azcomputerguru.com, EmailAddresses: [SMTP:admin@, smtp:Sifo-Office@, smtp:sifoidak@, smtp:admin_azcomputerguru.com@azcomputerguru.onmicrosoft.com, X500:..., smtp:developer@azcomputerguru.com]} +# -> HTTP 200, no warnings + +# Verify (after 20s delay) +CmdletName: Get-DistributionGroup — confirmed smtp:developer@azcomputerguru.com present +``` + +## Pending / Incomplete Tasks + +- **Apple Developer Program enrollment stalled** — enrollment ID HH5UA87LAH, identity verification failure. Email from 2026-05-11 says "We can't verify your identity." Needs follow-up action in the Apple Developer portal. +- **Apple Account verification email** — arrived at admin@azcomputerguru.com at 23:31 UTC. Verification link needs to be clicked (body not pulled this session). +- **MSP app onboarding for ACG own tenant** — Exchange Administrator was the only role confirmed missing and fixed. Full onboard-tenant.sh run against azcomputerguru.com was not done; other roles (Security Investigator Exchange Admin, User Manager User Admin + Auth Admin) may also be missing. Consider running `bash scripts/onboard-tenant.sh azcomputerguru.com` to audit. + +## Reference Information + +- ACG Admin DL current aliases post-change: SMTP:admin@azcomputerguru.com, smtp:Sifo-Office@, smtp:sifoidak@, smtp:admin_azcomputerguru.com@azcomputerguru.onmicrosoft.com, smtp:developer@azcomputerguru.com +- Apple D-U-N-S numbers: COMPUTER GURU = 005661506, ARIZONA COMPUTER GURU = 020317881 +- Apple Developer enrollment ID: HH5UA87LAH
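Review bot: for the projects/msp-tools/guru-rmm hunk, the session log added in the same change still cites `a3cce0a` as the GuruRMM commit ("GuruRMM commit: `a3cce0a` (Linux parity — temps, idle time, service checks)") while the submodule pointer now moves to 09530c7, and nothing in the log says what that newer commit contains. Add a line to the session log naming the 09530c7 change, the same way the Claudetools commits `ee900fd` and `8c522b3` are described, so the submodule bump is traceable from the log.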
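Review bot: in the session-logs/2026-05-15-session.md hunk, the final verify step under "Commands & Outputs" only confirms that `smtp:developer@azcomputerguru.com` is present, but because `EmailAddresses` was written as a full replacement array, a stale `Get-DistributionGroup` read would silently drop an existing alias and this check would not notice. Record the verify as a comparison of the whole returned list against the expected post-change set already written under "Reference Information", and reconcile the two lists while doing so: the `Set-DistributionGroup` parameters include an `X500:...` entry that the "Reference Information" list omits. Separately, the Exchange Administrator assignment to the Exchange Operator SP with `"directoryScopeId":"/"` is recorded under "Key Decisions" as permanent and not PIM-managed; carry that forward into "Pending / Incomplete Tasks" as an explicit follow-up to review the assignment's scope and lifetime, alongside the `onboard-tenant.sh` audit the log already suggests.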