sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-15 16:41:51

Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-15 16:41:51
2026-05-15 16:41:54 -07:00
parent 457bcadb38
commit de8d2decdb
2 changed files with 94 additions and 1 deletions


@@ -735,3 +735,96 @@ cc3d4d8 fix(webhook): prevent zombie lock with thread-based build dispatch
- Platform parity matrix: `.claude/CODING_GUIDELINES.md` § "GuruRMM Agent — Platform Parity"
- Claudetools commits: `ee900fd` (token efficiency), `8c522b3` (parity rule hardening)
- GuruRMM commit: `a3cce0a` (Linux parity — temps, idle time, service checks)
---
## Update: 16:40 PT — M365 alias add (developer@azcomputerguru.com) + Exchange Operator role fix
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** ~16:2016:40 PT, 2026-05-15
## Session Summary
Added `developer@azcomputerguru.com` as an email alias to the ACG Admin distribution group (`admin@azcomputerguru.com`) in the azcomputerguru.com M365 tenant. The target turned out to be a mail-enabled distribution group (not a user mailbox), which required Exchange Online cmdlets rather than Graph API to modify.
Initial attempts via Graph PATCH on the group object failed with 403 from both user-manager and tenant-admin tiers, since distribution list proxyAddresses are Exchange-managed and cannot be written via Graph. Pivoted to the exchange-op tier and the EXO admin REST API (InvokeCommand). The exchange-op token acquired successfully but InvokeCommand also returned 403, revealing the Exchange Operator service principal had zero directory roles assigned in the ACG tenant — Exchange Administrator was missing.
Assigned Exchange Administrator to the Exchange Operator SP (OID: `83c225f1-b38d-4063-9fdd-642b6b09ae8b`) using the tenant-admin tier. After an 8-second propagation wait, retried InvokeCommand with `Set-DistributionGroup`. The hash table add syntax (`{"Add": [...]}`) was rejected by the REST API with a type conversion error; resolved by passing the full flat address list as a replacement array. Change confirmed live after a 20-second Exchange replication delay.
Subsequently searched mike@azcomputerguru.com's mailbox (via investigator tier / Graph Mail.Read) for Apple emails. Found a verification email from `appleid@id.apple.com` sent to `admin@azcomputerguru.com` at 23:31 UTC — arrived minutes after the alias was added, confirming the use case. Also surfaced an Apple Developer Program enrollment thread from 2026-05-11 (enrollment ID HH5UA87LAH, currently stalled on identity verification).
Also answered a user question about the Claude Code "fan out agents" prompt — the feature that spawns parallel agents in isolated git worktrees for large parallel tasks, triggered via `/batch`.
## Key Decisions
- **Used Exchange Online InvokeCommand instead of Graph PATCH** — distribution lists (groupTypes: []) are Exchange-managed; Graph PATCH on proxyAddresses is not supported for this recipient type regardless of permission tier.
- **Passed full address list rather than hash table add syntax** — EXO REST API InvokeCommand does not support PowerShell hash table parameters (`@{Add=...}`); the only working approach was providing the complete replacement array including all existing entries.
- **Assigned Exchange Administrator role to Exchange Operator SP for ACG tenant** — the MSP apps had never been onboarded against the ACG own tenant; this was a gap. The role was assigned permanently (not PIM-managed) using tenant-admin tier.
- **Used investigator tier for mailbox search** — user-manager and exchange-op both lack Graph Mail.Read; investigator has it as part of its read-only audit scope.
## Problems Encountered
- **Graph PATCH 403 on group proxyAddresses** — both user-manager and tenant-admin returned 403; root cause was that DL proxyAddresses require Exchange Online write, not Graph directory write. Resolved by switching to InvokeCommand.
- **Exchange Operator InvokeCommand 403** — Exchange Operator SP had no directory roles in the ACG tenant (Exchange Administrator was missing). Resolved by assigning the role via tenant-admin Graph token. Side note: this gap means all previous exchange-op attempts against azcomputerguru.com would have failed the same way.
- **Set-DistributionGroup hash table parameter rejected** — `{"Add": [...]}` format caused a Newtonsoft.Json type conversion error in the EXO REST layer. Resolved by fetching current addresses via Get-DistributionGroup and passing the full array as a replacement.
- **20-second replication delay** — alias did not appear in immediate verify call; confirmed live on second check after waiting.
## Configuration Changes
None (no files modified in claudetools repo this session).
## Credentials & Secrets
None new. Existing vault entries used:
- `msp-tools/computerguru-security-investigator.sops.yaml` — cert auth
- `msp-tools/computerguru-exchange-operator.sops.yaml` — cert auth
- `msp-tools/computerguru-tenant-admin.sops.yaml` — cert auth
- `msp-tools/computerguru-user-manager.sops.yaml` — cert auth
## Infrastructure & Servers
- **Tenant:** azcomputerguru.com — tenant ID `ce61461e-81a0-4c84-bb4a-7b354a9a356d`
- **Exchange Operator SP OID (ACG tenant):** `83c225f1-b38d-4063-9fdd-642b6b09ae8b`
- **ACG Admin DL object ID (Graph groups):** `9583782e-5b76-4636-bbeb-2a559d6a599d`
- **Role assigned:** Exchange Administrator (`29232cdf-9323-42fd-ade2-1d097af3e4de`) — role assignment ID `3ywjKSOT_UKt4h0JevPk3vElwoONs2NAn91kK2sJros-1`
- **EXO endpoint used:** `https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand`
## Commands & Outputs
```bash
# Resolve tenant
bash scripts/resolve-tenant.sh azcomputerguru.com
# -> ce61461e-81a0-4c84-bb4a-7b354a9a356d
# Get group members
CmdletName: Get-DistributionGroupMember, Identity: admin@azcomputerguru.com
# -> mike@azcomputerguru.com, wwilliams@azcomputerguru.com
# Assign Exchange Administrator to Exchange Operator SP
POST /roleManagement/directory/roleAssignments
{"roleDefinitionId":"29232cdf-9323-42fd-ade2-1d097af3e4de","principalId":"83c225f1-b38d-4063-9fdd-642b6b09ae8b","directoryScopeId":"/"}
# -> HTTP 201
# Add alias (full replacement list)
CmdletName: Set-DistributionGroup
Parameters: {Identity: admin@azcomputerguru.com, EmailAddresses: [SMTP:admin@, smtp:Sifo-Office@, smtp:sifoidak@, smtp:admin_azcomputerguru.com@azcomputerguru.onmicrosoft.com, X500:..., smtp:developer@azcomputerguru.com]}
# -> HTTP 200, no warnings
# Verify (after 20s delay)
CmdletName: Get-DistributionGroup — confirmed smtp:developer@azcomputerguru.com present
```
## Pending / Incomplete Tasks
- **Apple Developer Program enrollment stalled** — enrollment ID HH5UA87LAH, identity verification failure. Email from 2026-05-11 says "We can't verify your identity." Needs follow-up action in the Apple Developer portal.
- **Apple Account verification email** — arrived at admin@azcomputerguru.com at 23:31 UTC. Verification link needs to be clicked (body not pulled this session).
- **MSP app onboarding for ACG own tenant** — Exchange Administrator was the only role confirmed missing and fixed. Full onboard-tenant.sh run against azcomputerguru.com was not done; other roles (Security Investigator Exchange Admin, User Manager User Admin + Auth Admin) may also be missing. Consider running `bash scripts/onboard-tenant.sh azcomputerguru.com` to audit.
## Reference Information
- ACG Admin DL current aliases post-change: SMTP:admin@azcomputerguru.com, smtp:Sifo-Office@, smtp:sifoidak@, smtp:admin_azcomputerguru.com@azcomputerguru.onmicrosoft.com, smtp:developer@azcomputerguru.com
- Apple D-U-N-S numbers: COMPUTER GURU = 005661506, ARIZONA COMPUTER GURU = 020317881
- Apple Developer enrollment ID: HH5UA87LAH
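Review bot: the post-change alias list under "Reference Information" omits the `X500:...` entry that appears in the `Set-DistributionGroup` `EmailAddresses` array in "Commands & Outputs", and because the alias was added by passing a full replacement array (per "Key Decisions"), any address left out of that array is dropped from the group; the verify step only confirms `smtp:developer@azcomputerguru.com` is present, so please record whether the X500 address survived the replacement. Second, "Key Decisions" and "Infrastructure & Servers" document a permanent (not PIM-managed) Exchange Administrator assignment to the Exchange Operator SP with `directoryScopeId: "/"`, while "Pending / Incomplete Tasks" notes the tenant was never run through `onboard-tenant.sh`; link the one-off assignment to that pending audit as its owning process so it is tracked rather than left as a manual change with no follow-up.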