sync: auto-sync from GURU-5070 at 2026-06-12 15:53:59

Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-12 15:53:59
2026-06-12 15:54:17 -07:00
parent af529f953d
commit e34d4268bc
4 changed files with 183 additions and 8 deletions
--- a/session-logs/2026-06-12-mike-jparkinson-mail-migration.md
+++ b/session-logs/2026-06-12-mike-jparkinson-mail-migration.md
@@ -88,12 +88,47 @@ it to a mail migration to resolve calendar sync. Comment id 418758100.
 - RMM API `http://172.16.3.30:3001`. (Brief `.30` outage mid-session — networking, Mike fixed.)
 - Imunify360 (cpHulk disabled) gated WHM; whitelisted our IPv4 98.97.118.217 + IPv6 2605:59c0:43a6:9710::/64.

+### 7. Continued (post-/scc): autodiscover, DNS cleanup, DKIM, sharing, calendar, contacts
+- **IX WHM API token** recovered the lost access (see thread 3): full-access root token "ClaudeTools"
+  `HAUGCPQGJGDK3YDAMVA0B4ELR9CVNAQ6` vaulted `infrastructure/ix-server` `credentials.whm-api-token`;
+  header auth `Authorization: whm root:<token>`, `curl -4`. Used the ACG **ComputerGuru-Management** app
+  (`0df4e185...`, tenant ce61461e, Application.ReadWrite.All, vault `msp-tools/computerguru-management`) to
+  patch app registrations. **Claude-MSP-Access secret is INVALID** (AADSTS7000215) — rotate.
+- **Outlook autodiscover fix** on Jim's 2 machines (DESKTOP-EDN9UDO `2b24e8de`, DESKTOP-M0GBKF3 `4fdecea6`):
+  undid `C:\Users\guru\ownCloud\Toolbox\!-Utils\RegistryFixes\Exclude365-Final.reg` (HKLM policy + user hives);
+  set `ExcludeHttpsRootDomain=1`; ROOT CAUSE = `jparkinsonaz.com` root A pointed to Neptune so the root-domain
+  autodiscover probe answered on-prem. **Removed root A + all cPanel junk** (mail CNAME, CalDAV/CardDAV SRV,
+  DCV/ACME) -> zone is O365-only -> permanent global fix. **DKIM** selector1/selector2 CNAMEs published
+  (`...lamaddux.a-v1.dkim.mail.microsoft`, new MS format, resolves to live keys) — Mike to flip "Enable" in Defender.
+- **Mailbox sharing:** `jim@` granted **FullAccess (AutoMapping on) + Send-on-Behalf** on `leeann@lamaddux.com` (EXO adminapi).
+- **Calendar reconciliation:** found Jim's events inviting LeeAnn that weren't on her calendar; only **8** genuine
+  (Jim-organized one-off appts, mostly medical) — created them on her calendar (48 others were her own recurring/
+  birthday noise, left alone). Enabler: added `Calendars.ReadWrite`+`Contacts.ReadWrite` (Graph) to the **Exchange
+  Operator** app (objId `bae27250...`), consented in lamaddux, **scoped via ApplicationAccessPolicy RestrictAccess**
+  to mail-enabled group `app-calscope@lamaddux.onmicrosoft.com` (jim@+leeann@ only). Used a Graph-scoped token for
+  the Exchange Operator app (its client_secret). Forward route failed (needs Mail.Send) -> direct-create instead.
+- **Contacts:** Jim's 355 contacts clean of X500/on-prem; created `LeeAnn Maddux <leeann@lamaddux.com>`, removed
+  junk "Audible Leeann@lamaddux.com". Autocomplete cache may still hold legacy X500 for LeeAnn (clear in Outlook).
+
+### 8. Wolkin — Julie Guda MFA/profile (tenant rswolkin.com `ceb6dbe7-82c8-4d8f-9c6b-49aa26208e9b`)
+Removed Julie Guda (`julie@rswolkin.com`, id `acaeb49c...`) cell `702-624-3765` from directory `mobilePhone`
+(was GAL-visible); retained ONLY as MFA phone method `+1 7026243765`. Sign-in unaffected (password + Windows Hello too).
+
+### 9. Syncro #32411 billed
+2.0h remote (`1190473` @ $150) = **$300**, invoice `1650664905`, ticket -> Invoiced. Customer LeeAnn Parkinson (139908,
+not prepaid). Resolution comment on-ticket, no customer email.
+
+### Wiki updated this session
+- CREATED `wiki/clients/lamaddux.md` (household client + full migration).
+- UPDATED `wiki/clients/wolkin.md` (Julie MFA/profile note).
+- UPDATED `wiki/systems/ix-server.md` (WHM API token access + Imunify + jparkinsonaz O365 zone).
+
 ## Pending / next
-1. Mike: copy PST + Outlook-import on M0G/EDN9; confirm it connects to **Microsoft** (root-A removal is the fix).
-2. Mike: **Enable DKIM signing** for jparkinsonaz.com in Defender portal (CNAMEs are live).
-3. After import confirmed: **final delta export + decommission `jparkinsonaz.com` on Neptune** (remove accepted
-   domain/mailbox/DKIM/routing); then **close #32411**. Optional: remove stale `s1`/`default` DKIM TXT;
-   remove the now-redundant `ExcludeHttpsRootDomain` reg value.
-4. GuruRMM: 2 bugs + Feature 4a filed (ROOT-CAUSED) — await build decision.
-5. Future: add `Domain.ReadWrite.All` to Tenant Admin app to automate domain-adds (Mike: "wire this up").
-6. Bardach: Barbara to retry per iPhone steps; sign-in-log lookup on standby.
+1. Mike: copy PST + Outlook-import on M0G/EDN9; confirm Outlook connects to **Microsoft**; clear Jim's autocomplete (legacy X500 for LeeAnn).
+2. Mike: **Enable DKIM signing** for jparkinsonaz.com in Defender (CNAMEs live).
+3. After import confirmed: **final delta export + decommission `jparkinsonaz.com` on Neptune**; then **close #32411**.
+   Optional: remove stale `s1`/`default` DKIM TXT; remove now-redundant `ExcludeHttpsRootDomain` reg value.
+4. Rotate the invalid **Claude-MSP-Access** app secret (vault `msp-tools/claude-msp-access-graph-api`).
+5. GuruRMM: 2 bugs + Feature 4a filed (ROOT-CAUSED) — await build decision.
+6. Future: add `Domain.ReadWrite.All` to Tenant Admin app to automate domain-adds.
+7. Bardach: Barbara to retry per iPhone steps; sign-in-log lookup on standby.