sync: auto-sync from HOWARD-HOME at 2026-06-25 12:45:08

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 12:45:08
2026-06-25 12:45:43 -07:00
parent bd1e84d32c
commit e9ece35c2a
3 changed files with 182 additions and 3 deletions


@@ -0,0 +1,115 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
A prior session working Cascades of Tucson was lost mid-task (Howard accidentally cleared the
working context). This session reconstructed what that lost session had done, confirmed an
outstanding message to Mike had NOT been sent, sent it, then verified the underlying work
end-to-end against live systems.
The lost session had offboarded **Alma Montt** (terminated; Memory Care Life Enrichment /
MC Reception; no PHI/clinical access). Recovery was possible because the work product survived
in two places even though no session log had been checkpointed: the offboarding record
`clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md` and the uncommitted
datto-edr skill changes in the working tree (unrelated to Alma). The coord message log (last 30)
confirmed nothing about "tenant control / remove access" had gone out.
The one item the lost session had flagged for Mike was a tenant-security decision: resetting
Alma's M365 password required JIT-elevating the `ComputerGuru - Tenant Admin` service principal
to **Privileged Authentication Administrator (PAA)**, and Microsoft Graph blocked the automatic
teardown ("removing self from built-in role is not allowed"). That SP is therefore still holding
a standing PAA role on the Cascades tenant. Because tenant role/access posture is Mike's call
(admin/owner, Global Admin), a coord message was sent to Mike (his most-active session today,
GURU-5070/claude-main) laying out the issue, the exact removal steps, and a recommended posture
(keep JIT, fix the teardown so it stops stranding the role).
Finally, the Alma offboarding was verified live rather than trusted from the doc. M365 state was
read via the remediation-tool skill (investigator Graph token + investigator-exo Exchange token),
and on-prem AD state via the rmm skill against CS-SERVER. All eight claimed actions confirmed
true against live state. The only loose end is the leftover PAA role assignment, now in Mike's
queue.
## Key Decisions
- **Did not guess the message content for Mike.** Reconstructed it from the surviving offboarding
doc rather than fabricating; the "remove some access" item is specifically the leftover PAA role
on the Tenant Admin SP.
- **Sent the coord message to Mike's most-active session (GURU-5070)** rather than broadcasting,
since it is a decision specifically for Mike. Coord messages persist/queue if he is on another box.
- **Verified offboarding live with least-privilege tokens** (investigator + investigator-exo for
read; read-only Get-ADUser on CS-SERVER) rather than relying on the doc's self-reported results.
- **Recommended keeping JIT elevation (no standing PAA)** for the Tenant Admin SP and fixing the
teardown, vs. granting permanent PAA — least-privilege for an auth-admin role.
## Problems Encountered
- **Lost session context** — Howard cleared the working context accidentally. Resolved by grepping
surviving artifacts (offboarding doc, uncommitted working-tree changes) + the coord message log
to reconstruct state; confirmed the Mike message was never sent.
- **Bash `$UID` collision** — first Graph query used a variable named `UID`, which is a readonly
bash builtin (expanded to the OS uid 197609), so the query hit the wrong resource
(`Request_ResourceNotFound: '197609'`). Resolved by renaming the variable to `AID`.
- **EXO MailboxPermission AccessRights parse** — initial parse pulled the wrong key and showed
`AccessRights: None`; re-queried the raw permission object to confirm Shelby.Trozzi holds
`FullAccess` (not inherited, not deny).
## Configuration Changes
- **Created:** `clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md` (this log)
- No code or config changes made this session (verification was read-only).
- Note: uncommitted **datto-edr skill** changes remain in the working tree from the lost session
(`.claude/skills/datto-edr/scripts/edr.py`, `edr_client.py`, new `selftest.py`) — Locations vs
scan-Targets inventory-model refactor. Unrelated to Alma; left as-is for a separate review/commit.
## Credentials & Secrets
- Alma Montt offboarding password stored for emergency recovery/audit only at vault
`clients/cascades-tucson/alma-montt` (do NOT re-enable without authorization). No new credentials
created or discovered this session.
## Infrastructure & Servers
- **M365 tenant:** cascadestucson.com — Tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **Alma Montt M365 object id:** `b2fb546e-687a-4647-b286-9c8edd3d989f`
- **On-prem DC:** CS-SERVER (192.168.2.254), `cascades.local`; GuruRMM agent id (live this session)
`c39f1de7-d5b6-45ae-b132-e06977ab1713` (re-enrolls — resolve live by hostname).
- **Remediation apps used:** ComputerGuru Security Investigator (`bfbc12a4-f0dd-4e12-b06d-997e7271e10c`,
Graph read + EXO read). The PAA-stranded SP is **ComputerGuru - Tenant Admin**.
- **Coord API:** http://172.16.3.30:8001/api/coord — message sent to GURU-5070/claude-main.
## Commands & Outputs
- Graph user verify (Security Investigator token):
`GET /v1.0/users/{id}?$select=accountEnabled,assignedLicenses,showInAddressList` ->
`accountEnabled=false`, `assignedLicenses=[]`, `showInAddressList=false`; `memberOf` -> none.
- EXO mailbox verify (Security Investigator EXO token):
`GET adminapi/beta/{tenant}/Mailbox('Alma.Montt@cascadestucson.com')` ->
`RecipientTypeDetails=SharedMailbox`; `.../MailboxPermission` -> `Shelby.Trozzi -> [FullAccess]`
(IsInherited=false, Deny=false).
- AD verify (RMM, CS-SERVER, exit 0):
`Get-ADUser Alma.Montt -Properties Enabled,MemberOf,DistinguishedName` ->
`Enabled=False`, `DN=CN=Alma Montt,OU=Excluded-From-Sync,DC=cascades,DC=local`, `GroupCount=0`.
- Coord message POST -> id `4b2bb6a9-881b-4003-984c-687183b96802` (to GURU-5070/claude-main).
## Pending / Incomplete Tasks
- **[MIKE / SECURITY] Remove the standing Privileged Authentication Administrator role from the
`ComputerGuru - Tenant Admin` SP** on the Cascades tenant (Entra portal: Roles & admins ->
Privileged Authentication Administrator -> remove the SP). LEAVE its Conditional Access
Administrator role (intentional). Either Mike does it, or grants Howard GA briefly. Message sent.
- **[POSTURE] Decide the JIT-elevation pattern** so password resets via the Tenant Admin SP stop
stranding PAA (self-removal is blocked by Graph). Recommended: keep JIT, fix teardown.
- **[SEPARATE] datto-edr skill changes** uncommitted in the working tree — review + commit/discard
on their own.
- Reconcile: Alma removed from proposed share rosters
(`docs/migration/share-group-roster-proposed-2026-06-25.md`).
## Reference Information
- Offboarding record: `clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md`
- Termination runbook: `docs/security/termination-procedures.md`
- Coord message id: `4b2bb6a9-881b-4003-984c-687183b96802`
- Cascades wiki: `wiki/clients/cascades-tucson.md`
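Review bot: the live verification recorded under "Commands & Outputs" covers Alma's Graph user object, the EXO mailbox, and the on-prem AD account, but not the one item actually escalated to Mike: the standing Privileged Authentication Administrator assignment on the `ComputerGuru - Tenant Admin` service principal. That claim ("That SP is therefore still holding a standing PAA role") is carried over from the reconstructed offboarding doc and the lost session's Graph error, not re-read this session, so the coord message and the `[MIKE / SECURITY]` pending item rest on unverified state. Suggest adding a read of the SP's current directory role membership with the same investigator token (a Graph query for the SP's role assignments is a read, consistent with the "verification was read-only" note) and logging the result beside the other three checks; it also gives Mike a concrete before-state and a way to confirm closure once the role is removed. Minor: the "Pending / Incomplete Tasks" entry for the PAA removal has no re-verification step after Mike acts, so the role could be removed without this log ever being updated to reflect it.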