azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-06-03 09:33:26

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-03 09:33:26
This commit is contained in:
Howard Enos
2026-06-03 09:33:34 -07:00
parent 1163d71dc6
commit e1a0996e1a
3 changed files with 183 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

140
clients/cascades-tucson/session-logs/2026-06-03-session.md Normal file
View File

@@ -0,0 +1,140 @@
# Cascades — ALIS SSO failure diagnosis, admin consent granted, caregiver device allow-list staged
**Date:** 2026-06-03
**Client:** Cascades of Tucson (Syncro 20149445, Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`)
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Investigated reports that some staff could not sign in to ALIS on non-phone devices. Pulled live Entra data via the remediation-tool Security Investigator app and found the failures were `AADSTS65001` (application not consented), not Conditional Access or network. All failing sign-ins (megan.hiatt, karen.rossini, memcarereceptionist) came from the two trusted Cascades WAN IPs with `conditionalAccessStatus: success` — CA was never the gate. The ALIS service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`) had only two per-user (`Principal`) consent grants for `User.Read` and no tenant-wide admin consent, so every user except the two who had self-consented hit a hard 65001.
Established that the "two-factor" toggle that fixed login for caregivers/medtechs was ALIS's own native 2FA, not Entra MFA: the `Require multifactor authentication for all users` policy excludes `AllTrusted` locations, so Entra never prompts on the Cascades network. Walked the security model — ALIS-native 2FA and Entra are two independent doors; a non-SSO ALIS user can reach ALIS from anywhere with just ALIS credentials because Entra never sees that login. The correct control is forcing all ALIS logins through Entra SSO (SSO-only, credential fallback disabled), not relying on ALIS-native 2FA.
Reconstructed the full project design from Syncro tickets #109412123 ("Entra setup" / Syncro #32214) and #110680053 ("Domain setup-entra sync" / Syncro #32303), the migration master plan, wiki, memory, and last month's session logs (two subagents + live Entra pulls). Confirmed the caregiver side is fully built and enforced (SG-Caregivers 38 members synced; three CSC CA policies enabled; phones in SDM), while the office/privileged ALIS path is in a mixed/broken state (some SSO, some direct login + native 2FA) and the office department OUs are not yet expanded into Entra Connect sync scope.
Per Howard's direction, changed the caregiver device restriction model from compliance-based to an explicit device allow-list (phones + 5 named machines), to be easier and lower-risk while machine compliance is verified later. Allowed devices: NURSESTATION-PC plus laptops Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (confirmed 5 total, no 6th). Verified the Android enrollment token (`CSC - Android Shared Phones (Entra SDM)`, 25 devices enrolled, token expires 2027-05-08) is a join key only — its expiry does not unenroll existing devices.
Executed two authorized production changes via the Tenant Admin app: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) for the ALIS app, resolving 65001 for everyone; and created a new caregiver device allow-list CA policy in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`). The three existing enforced caregiver policies were left untouched, so nothing was weakened during the transition.
## Key Decisions
- Diagnosed root cause as missing admin consent (65001), not CA/network/password. Evidence: all failures from trusted IPs, `conditionalAccessStatus: success`, only two `Principal` consent grants on the ALIS SP.
- Chose an explicit device allow-list (CA device filter on `displayName -startsWith "CSC-"` OR `extensionAttribute1 -eq "CSCCaregiverDevice"`) over compliance-based gating, because the tenant has no Windows compliance policy and `secureByDefault=false` (no-policy devices read as compliant) — compliance-only would let any future-enrolled PC in. Allow-list prevents scope creep.
- Created a NEW report-only allow-list policy rather than editing the existing enforced `CSC - Block caregivers on non-compliant device`, so the live phone lockdown is not weakened during validation. Cutover later = enable allow-list + disable the compliance policy.
- Granted admin consent programmatically as `AllPrincipals` `User.Read` (mirrors the two per-user grants that were already working) rather than the interactive admin-consent URL.
- Mirrored break-glass exclusions from the existing CSC policies (`admin@`, `sysadmin@`) and added the `SG-CA-BreakGlass` group to the new policy.
- ALIS-native 2FA is the wrong perimeter control; the permanent model is all users on ALIS SSO + ALIS set to SSO-only + native 2FA off, with Entra doing onsite-seamless / offsite-MFA. Deferred the office/privileged standardization as a separate workstream.
## Problems Encountered
- Sign-in log query returned HTTP 504 (gateway timeout) on an appId-only `$filter`. Resolved by adding a `createdDateTime ge` date bound and URL-encoding the filter (spaces in the raw URL broke curl).
- Investigator (Security Investigator) token lacked Intune DeviceManagement scope (403). Resolved by falling back to the intune-manager tier for `androidDeviceOwnerEnrollmentProfiles`, `deviceCompliancePolicies`, and `deviceManagement/settings`.
- `policies/mobileDeviceManagementPolicies` returned BadRequest; could not read the Windows MDM auto-enroll scope via API. Noted to confirm in the Entra portal instead.
- Memory files referenced by the wiki (`project_cascades_ca_phased_rollout.md`, etc.) did not exist at the expected paths; glob `.claude/memory/*cascade*` returned none. Subagent read the actual sources directly.
## Configuration Changes
### Entra / Conditional Access (tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`)
- **Admin consent granted** for ALIS app. New delegated grant created:
- `oauth2PermissionGrant` id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`
- clientId `e1cae4ad-5beb-44ca-82d4-434c9bd835ad` (ALIS SP), resourceId `2c3b653a-54e0-4229-a1f2-83551ae7f9db` (Microsoft Graph SP)
- consentType `AllPrincipals`, scope `User.Read`
- **New CA policy created (report-only):**
- `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` — id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`
- state `enabledForReportingButNotEnforced`
- include group `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`)
- exclude users `sysadmin@` (`471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`, "Computer Guru Support") and `admin@` (`e20f7f21-757a-48cd-bb24-7bdeeb1497d0`, "Cascades Tenant Admin"); exclude group `SG-CA-BreakGlass` (`131e51ac-d69b-44b8-9c81-56890537a796`)
- applications: All; grant: block
- device filter: mode `exclude`, rule `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`
No files in the repo were modified this session (investigation + live Entra changes only). Session log + wiki recompile are the repo changes.
## Credentials & Secrets
No new credentials created or discovered. Relevant existing references (unchanged):
- ALIS Entra app registration + ALIS install key + Inbound Basic Auth: vault `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- ALIS app: Application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder — expiry breaks ALIS SSO tenant-wide)
- Remediation-tool app tokens sourced from `msp-tools/computerguru-*.sops.yaml` (Security Investigator, Tenant Admin, Intune Manager tiers)
Note: there are NO per-caregiver password vault entries; SSO-linked ALIS users have no usable ALIS password (auth delegated to Entra/PHS).
## Infrastructure & Servers
- Tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498` (`cascadestucson.com`)
- ALIS SP objectId `e1cae4ad-5beb-44ca-82d4-434c9bd835ad`; Microsoft Graph SP objectId `2c3b653a-54e0-4229-a1f2-83551ae7f9db`
- Named Location `Cascades` (`061c6b06-b980-40de-bff9-6a50a4071f6f`, isTrusted): `184.191.143.62/32` (primary WAN), `72.211.21.217/32` (secondary WAN, DHCP — stale risk)
- Existing enforced caregiver CA policies (unchanged this session):
- `CSC - Block caregivers off Cascades network` `e35614e1-e896-4a13-9407-076963af488f`
- `CSC - Block caregivers on non-compliant device` `ede985e2-ee7e-4521-88b2-34c847c3db20` (to be DISABLED at allow-list cutover)
- `CSC - Caregiver sign-in frequency 8h` `7d491c7a-ad90-4420-9990-40a1e676a76c`
- `Require multifactor authentication for all users` (`7e87a1c7…`): enabled, grant=mfa, excludeLocations=AllTrusted, excludeGroups=`SG-Caregivers-Pilot` (`0674f0bc…`) — STALE; should reference live `SG-Caregivers` (`8b8d9222…`). Functionally harmless today but a known bug.
- Android enrollment profile `CSC - Android Shared Phones (Entra SDM)` `9a0fcc6d-0a88-466e-aa53-44401bb74fca`: 25 devices enrolled, token expires 2027-05-08. Token = join key only; expiry does NOT unenroll devices.
- Only compliance policy in tenant: `CSC - Android Compliance` (no Windows compliance policy). `deviceManagement/settings.secureByDefault = false`.
### Caregiver-allowed device list (target — 5 devices)
| Device | OS | GuruRMM agent | Enroll path |
|---|---|---|---|
| NURSESTATION-PC | Win 11 | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | Hybrid Entra Join (domain-joined) |
| Laptop2 | Win 11 | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | Entra join (RMM pending install) |
| LAPTOP-8P7HDSEI | Win 10 (EOL — upgrade) | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | Entra join |
| LAPTOP-DRQ5L558 | Win 11 | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | Entra join |
| LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | Entra join |
## Commands & Outputs
```bash
# Token (read-only investigator) then ALIS sign-in failures (note date bound + URL-encode to avoid 504)
TOK=$(bash scripts/get-token.sh $TEN investigator)
curl -s -G -H "Authorization: Bearer $TOK" \
--data-urlencode "\$filter=appId eq 'd5108493-...' and createdDateTime ge 2026-05-27T..Z" \
--data-urlencode "\$top=100" "https://graph.microsoft.com/v1.0/auditLogs/signIns"
# -> errorCode 65001 (AADSTS65001 not consented); conditionalAccessStatus success; IPs all trusted
# Grant admin consent (tenant-admin tier)
curl -s -X POST -H "Authorization: Bearer $TOK_TA" -H "Content-Type: application/json" \
-d '{"clientId":"e1cae4ad-...","consentType":"AllPrincipals","resourceId":"2c3b653a-...","scope":"User.Read"}' \
https://graph.microsoft.com/v1.0/oauth2PermissionGrants # -> HTTP 201
# Create report-only allow-list CA policy -> HTTP 201, id 1b7fd025-1aad-47c8-9274-c32c3e0b163c
```
- Intune scope requires `intune-manager` tier (investigator 403s on `deviceManagement`).
- Device filter operators used: `-startsWith`, `-eq`, `-or` (mode `exclude`).
## Pending / Incomplete Tasks
### Caregiver device allow-list rollout
- [ ] Confirm Windows MDM auto-enroll scope in portal: Entra → Devices → Mobility (MDM and MAM) → Microsoft Intune → MDM user scope = All.
- [ ] Entra-join + Intune-enroll the 4 laptops (Howard). Verify each appears in Intune.
- [ ] NURSESTATION-PC: needs Hybrid Entra Join (Entra Connect device-sync/SCP config) — confirm whether already enabled; separate task.
- [ ] After enrollment, tag each device `extensionAttribute1 = CSCCaregiverDevice` (Claude, via Graph).
- [ ] Review report-only results in sign-in logs (phones + tagged = allowed; else = would-block).
- [ ] CUTOVER (needs Howard OK): set `CSC - Caregivers: allow-listed devices only` to `enabled` AND disable `CSC - Block caregivers on non-compliant device`.
- [ ] LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use.
- [ ] Optional: create `CSC - Windows Compliance` policy for the PHI laptops once allow-list is stable.
### ALIS / office-privileged standardization (separate workstream)
- [ ] Verify ALIS is set to SSO-only (credential fallback disabled) for linked users — closes the "ALIS from home with just ALIS creds" hole.
- [ ] Move office/managers/directors/nurses onto ALIS SSO; set each ALIS staff Email = Entra UPN; turn off ALIS-native 2FA per user.
- [ ] Once all on SSO, disable ALIS-native 2FA globally.
### Known fixes / hygiene
- [ ] Fix stale exclude-group on `Require multifactor authentication for all users` (`SG-Caregivers-Pilot``SG-Caregivers`).
- [ ] Expand Entra Connect sync to office department OUs + add `cascadestucson.com` UPN suffix (from #32303).
- [ ] Per-caregiver ALIS Email=UPN for several (Esperance; add Kasey Flores, Jahmeka Clarke, Gloria Williford).
- [ ] 38 Business Premium licenses; ALIS (Medtelligent) BAA; break-glass FIDO2 accounts.
## Reference Information
- Syncro tickets: #109412123 = Syncro #32214 "Entra setup"; #110680053 = Syncro #32303 "Domain setup-entra sync"
- ALIS tenant: https://cascadestucson.alisonline.com ; ALIS support 888-404-ALIS / support@go-alis.com
- Entra: https://entra.microsoft.com ; Intune: https://intune.microsoft.com
- Admin consent URL (fallback, not used — granted via API): `https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=d5108493-cba8-4f08-90b6-1bb0bc09eb2a`
- Migration master plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- Remediation skill: `.claude/skills/remediation-tool/` (get-token.sh tiers: investigator, intune-manager, tenant-admin)
- New CA policy id: `1b7fd025-1aad-47c8-9274-c32c3e0b163c` ; consent grant id: `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`