sync: auto-sync from GURU-5070 at 2026-06-29 11:45:50

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-29 11:45:50
This commit is contained in:
2026-06-29 11:46:42 -07:00
parent 1f15a6bc79
commit e99110fdc9
8 changed files with 1245 additions and 2 deletions

View File

@@ -17,6 +17,10 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
2026-06-29 | GURU-5070 | remediation-tool/reset-password.sh | [friction] JIT de-elevation can never succeed: an app-only SP cannot remove its OWN Privileged Authentication Administrator assignment ('no privilege to remove self'). Every admin-account reset leaves standing PAA on the ComputerGuru Tenant Admin SP; requires a human Global Admin to remove. Likely also left PAA on birthbiologic.com (2026-06-08). [ctx: tenant=5c53ae9f-7071-4248-b834-8685b646450f sp=fccda86c-77ca-4248-b876-b0cdba8605d4 role=PrivilegedAuthAdmin fix=PIM-or-second-principal-or-human-GA]
2026-06-29 | GURU-5070 | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=5c53ae9f-7071-4248-b834-8685b646450f assignment=ikzke6-tKk6E1qsmSeCKE2yozfzKd0hCuHawzbqGBdQ-1 http=400]
2026-06-29 | GURU-5070 | syncro/billing | [friction] created invoice on ticket with pre-existing unbilled line item without checking first; invoice swept a prior 5.0h migration charge + my 1.0h, deducting 6.0h from prepaid block (10->3 total, intended 2). ALWAYS GET /tickets/{id} .line_items before POST /invoices on a prepaid customer [ctx: client=birth-biologic ticket=32187 invoice=1650837688]
2026-06-29 | GURU-5070 | remediation-tool/birthbiologic | [correction] assumed MX still on Google (per 06-26 docs); actual: MX cut to M365 (birthbiologic-com.mail.protection.outlook.com) on Sat 2026-06-27 — verify MX live, don't trust stale migration-scope docs [ctx: client=birth-biologic]