sync: auto-sync from HOWARD-HOME at 2026-06-25 12:45:08
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 12:45:08
@@ -0,0 +1,115 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech

## Session Summary

A prior session working Cascades of Tucson was lost mid-task (Howard accidentally cleared the
working context). This session reconstructed what that lost session had done, confirmed an
outstanding message to Mike had NOT been sent, sent it, then verified the underlying work
end-to-end against live systems.

The lost session had offboarded **Alma Montt** (terminated; Memory Care Life Enrichment /
MC Reception; no PHI/clinical access). Recovery was possible because the work product survived
in two places even though no session log had been checkpointed: the offboarding record
`clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md` and the uncommitted
datto-edr skill changes in the working tree (unrelated to Alma). The coord message log (last 30)
confirmed nothing about "tenant control / remove access" had gone out.

The one item the lost session had flagged for Mike was a tenant-security decision: resetting
Alma's M365 password required JIT-elevating the `ComputerGuru - Tenant Admin` service principal
to **Privileged Authentication Administrator (PAA)**, and Microsoft Graph blocked the automatic
teardown ("removing self from built-in role is not allowed"). That SP is therefore still holding
a standing PAA role on the Cascades tenant. Because tenant role/access posture is Mike's call
(admin/owner, Global Admin), a coord message was sent to Mike (his most-active session today,
GURU-5070/claude-main) laying out the issue, the exact removal steps, and a recommended posture
(keep JIT, fix the teardown so it stops stranding the role).

Finally, the Alma offboarding was verified live rather than trusted from the doc. M365 state was
read via the remediation-tool skill (investigator Graph token + investigator-exo Exchange token),
and on-prem AD state via the rmm skill against CS-SERVER. All eight claimed actions confirmed
true against live state. The only loose end is the leftover PAA role assignment, now in Mike's
queue.

## Key Decisions

- **Did not guess the message content for Mike.** Reconstructed it from the surviving offboarding
doc rather than fabricating; the "remove some access" item is specifically the leftover PAA role
on the Tenant Admin SP.
- **Sent the coord message to Mike's most-active session (GURU-5070)** rather than broadcasting,
since it is a decision specifically for Mike. Coord messages persist/queue if he is on another box.
- **Verified offboarding live with least-privilege tokens** (investigator + investigator-exo for
read; read-only Get-ADUser on CS-SERVER) rather than relying on the doc's self-reported results.
- **Recommended keeping JIT elevation (no standing PAA)** for the Tenant Admin SP and fixing the
teardown, vs. granting permanent PAA — least-privilege for an auth-admin role.

## Problems Encountered

- **Lost session context** — Howard cleared the working context accidentally. Resolved by grepping
surviving artifacts (offboarding doc, uncommitted working-tree changes) + the coord message log
to reconstruct state; confirmed the Mike message was never sent.
- **Bash `$UID` collision** — first Graph query used a variable named `UID`, which is a readonly
bash builtin (expanded to the OS uid 197609), so the query hit the wrong resource
(`Request_ResourceNotFound: '197609'`). Resolved by renaming the variable to `AID`.
- **EXO MailboxPermission AccessRights parse** — initial parse pulled the wrong key and showed
`AccessRights: None`; re-queried the raw permission object to confirm Shelby.Trozzi holds
`FullAccess` (not inherited, not deny).

## Configuration Changes

- **Created:** `clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md` (this log)
- No code or config changes made this session (verification was read-only).
- Note: uncommitted **datto-edr skill** changes remain in the working tree from the lost session
(`.claude/skills/datto-edr/scripts/edr.py`, `edr_client.py`, new `selftest.py`) — Locations vs
scan-Targets inventory-model refactor. Unrelated to Alma; left as-is for a separate review/commit.

## Credentials & Secrets

- Alma Montt offboarding password stored for emergency recovery/audit only at vault
`clients/cascades-tucson/alma-montt` (do NOT re-enable without authorization). No new credentials
created or discovered this session.

## Infrastructure & Servers

- **M365 tenant:** cascadestucson.com — Tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **Alma Montt M365 object id:** `b2fb546e-687a-4647-b286-9c8edd3d989f`
- **On-prem DC:** CS-SERVER (192.168.2.254), `cascades.local`; GuruRMM agent id (live this session)
`c39f1de7-d5b6-45ae-b132-e06977ab1713` (re-enrolls — resolve live by hostname).
- **Remediation apps used:** ComputerGuru Security Investigator (`bfbc12a4-f0dd-4e12-b06d-997e7271e10c`,
Graph read + EXO read). The PAA-stranded SP is **ComputerGuru - Tenant Admin**.
- **Coord API:** http://172.16.3.30:8001/api/coord — message sent to GURU-5070/claude-main.

## Commands & Outputs

- Graph user verify (Security Investigator token):
`GET /v1.0/users/{id}?$select=accountEnabled,assignedLicenses,showInAddressList` ->
`accountEnabled=false`, `assignedLicenses=[]`, `showInAddressList=false`; `memberOf` -> none.
- EXO mailbox verify (Security Investigator EXO token):
`GET adminapi/beta/{tenant}/Mailbox('Alma.Montt@cascadestucson.com')` ->
`RecipientTypeDetails=SharedMailbox`; `.../MailboxPermission` -> `Shelby.Trozzi -> [FullAccess]`
(IsInherited=false, Deny=false).
- AD verify (RMM, CS-SERVER, exit 0):
`Get-ADUser Alma.Montt -Properties Enabled,MemberOf,DistinguishedName` ->
`Enabled=False`, `DN=CN=Alma Montt,OU=Excluded-From-Sync,DC=cascades,DC=local`, `GroupCount=0`.
- Coord message POST -> id `4b2bb6a9-881b-4003-984c-687183b96802` (to GURU-5070/claude-main).

## Pending / Incomplete Tasks

- **[MIKE / SECURITY] Remove the standing Privileged Authentication Administrator role from the
`ComputerGuru - Tenant Admin` SP** on the Cascades tenant (Entra portal: Roles & admins ->
Privileged Authentication Administrator -> remove the SP). LEAVE its Conditional Access
Administrator role (intentional). Either Mike does it, or grants Howard GA briefly. Message sent.
- **[POSTURE] Decide the JIT-elevation pattern** so password resets via the Tenant Admin SP stop
stranding PAA (self-removal is blocked by Graph). Recommended: keep JIT, fix teardown.
- **[SEPARATE] datto-edr skill changes** uncommitted in the working tree — review + commit/discard
on their own.
- Reconcile: Alma removed from proposed share rosters
(`docs/migration/share-group-roster-proposed-2026-06-25.md`).

## Reference Information

- Offboarding record: `clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md`
- Termination runbook: `docs/security/termination-procedures.md`
- Coord message id: `4b2bb6a9-881b-4003-984c-687183b96802`
- Cascades wiki: `wiki/clients/cascades-tucson.md`
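Review bot: the "[POSTURE]" item in Pending / Incomplete Tasks recommends "keep JIT, fix teardown" without saying how the teardown can succeed, given the Graph error quoted in the Session Summary ("removing self from built-in role is not allowed"); the elevated SP can never remove its own assignment, so the fix has to be either a removal performed by a different principal than the one that was elevated, or a time-bound PIM assignment that expires on its own so no self-removal call is needed. The log should record which of these the fix will use before the pattern is reused for the next password reset, otherwise every reset strands PAA again exactly as described. On the same item, "grants Howard GA briefly" is a larger grant than the task needs: removing a role assignment requires Privileged Role Administrator, not Global Administrator, and the smaller grant is the one consistent with the least-privilege stance the Key Decisions section already takes.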