docs: purge stale fabb3421 narrative — Mail.Send already lives in the 365 app suite

Mail.Send is NOT an open decision or a 'blocked' item: the Exchange Operator
tier (b43e7342) already holds Graph Mail.Send + Mail.ReadWrite +
MailboxSettings.ReadWrite (the suite's IR victim-notification mail path).
/mailbox (ACG own-mail) separately uses the dedicated ComputerGuru Mailbox app
1873b1b0. The deleted fabb3421/Claude-MSP-Access app is now referenced only as
DELETED/do-not-use across all live surfaces.

Corrected: remediation-tool gotchas.md (removed 'suite has no mail scopes /
mailbox BLOCKED / decision-not-executed'), commands/mailbox.md (header +
Attribution no longer name the deleted app as active), feedback memory
(promoted 'suite has Mail.Send — settled' to a headline), breach-report
template, .grok mirrors, credentials.md, CATALOG_SHARED_DATA.md, and wiki
(internal-infrastructure, glaztech, dataforth). Removed dead plaintext secret
for the deleted app from CATALOG_SHARED_DATA.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 09:46:54 -07:00
parent 6897e515c9
commit f55b8d2556
12 changed files with 35 additions and 58 deletions

@@ -1,6 +1,6 @@
# /mailbox — ACG M365 mailbox (read + send as you)
Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph, using the shared **Claude-MSP-Access** app. Defaults to the mailbox of the user running it (from `identity.json`).
Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph, using the dedicated **ComputerGuru Mailbox** app (`1873b1b0-3377-485c-a848-bae9b2f8f1f5`). Defaults to the mailbox of the user running it (from `identity.json`).
> **Mail path (working — repointed 2026-06-17).** `/mailbox` uses the dedicated single-tenant **ComputerGuru Mailbox** app (`1873b1b0-3377-485c-a848-bae9b2f8f1f5`; vault `msp-tools/computerguru-mailbox.sops.yaml`; Mail.ReadWrite + Mail.Send + Contacts.ReadWrite; azcomputerguru.com only). Tokens come from the suite tool: `bash .claude/skills/remediation-tool/scripts/get-token.sh azcomputerguru.com mailbox` (cert-preferred, secret fallback, 55-min cache). This **replaces the deleted `fabb3421`** (Claude-MSP-Access), removed from the tenant 2026-06-14 — it returns **AADSTS700016**; do NOT reintroduce it. The mailbox app's service principal is **disabled when idle**: on a token 401 "account is disabled", enable the SP, then retry.
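
Review bot: The recovery step in the blockquote ("on a token 401 'account is disabled', enable the SP, then retry") never says to disable the service principal again afterwards, which quietly undoes the "disabled when idle" control stated in the same sentence. Suggest closing the loop, e.g. "enable the SP, retry, and disable it again when the session is done", and naming who is expected to perform the enable so it is not done ad hoc from any token-failing shell.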
@@ -181,4 +181,4 @@ st, d = graph("POST", f"/users/{MAILBOX}/messages/{MSG_ID}/reply",
## Attribution
API calls authenticate as the shared **Claude-MSP-Access** app, but a `sendMail`/`reply` from `/users/<mailbox>/...` goes out with that mailbox as the `From:` and lands in that mailbox's Sent Items — i.e. it genuinely sends *as you*. Only the identity user's own mailbox is targeted by default; `--as` is for deliberately operating another ACG mailbox.
API calls authenticate as the dedicated **ComputerGuru Mailbox** app (`1873b1b0`, vault `msp-tools/computerguru-mailbox.sops.yaml`) — NOT the deleted `fabb3421`/Claude-MSP-Access but a `sendMail`/`reply` from `/users/<mailbox>/...` goes out with that mailbox as the `From:` and lands in that mailbox's Sent Items — i.e. it genuinely sends *as you*. Only the identity user's own mailbox is targeted by default; `--as` is for deliberately operating another ACG mailbox.
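
Review bot: The rewritten Attribution sentence loses the closing delimiter of its aside, so it now reads "NOT the deleted `fabb3421`/Claude-MSP-Access but a `sendMail`/`reply` from `/users/<mailbox>/...` goes out with that mailbox as the `From:`" as one run-on. Suggest closing the aside before "but", e.g. `API calls authenticate as the dedicated **ComputerGuru Mailbox** app (`1873b1b0`, vault `msp-tools/computerguru-mailbox.sops.yaml`; NOT the deleted `fabb3421`/Claude-MSP-Access). A `sendMail`/`reply` from `/users/<mailbox>/...` goes out with that mailbox as the `From:` ...`.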

@@ -10,6 +10,8 @@ When the user says "365 remediation tool" or "remediation tool", they mean ACG's
**DELETED — gone, do not reference:** `fabb3421` ("AI Remediation" / "Claude-MSP-Access", secret `msp-tools/claude-msp-access-graph-api.sops.yaml`). Removed from the azcomputerguru.com tenant **2026-06-14**; every token request now returns **AADSTS700016**. It previously had ~159 perms incl. Defender ATP (admin consent broke with AADSTS650052 on no-MDE tenants). Any skill still pointing at it is broken — repoint to the suite. (Original deprecation: 2026-05-27 Quantum onboarding.)
**MAIL.SEND ALREADY EXISTS IN THE SUITE — settled, NOT an open decision (do not re-raise).** The **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) holds Graph **`Mail.Send` + `Mail.ReadWrite` + `MailboxSettings.ReadWrite`**. The suite CAN send mail in any consented tenant via Graph `POST /users/<upn>/sendMail` (IR victim-notification). No separate app to provision, nothing "blocked", no pending click-through. Watch the token-audience gotcha below (line on Exchange-Online vs Graph audience). This replaced the deleted `fabb3421` for IR mail; `/mailbox` (ACG own-mail) separately uses the dedicated app `1873b1b0` (next paragraph).
**ACG OWN-mailbox reads/sends (`/mailbox`) — dedicated app `1873b1b0-3377-485c-a848-bae9b2f8f1f5`** ("ComputerGuru Mailbox", vault `msp-tools/computerguru-mailbox.sops.yaml`, Mail.ReadWrite + Mail.Send + Contacts.ReadWrite, azcomputerguru.com single-tenant). Token via `get-token.sh azcomputerguru.com mailbox` (a tier in get-token.sh; cert-preferred). This is what REPLACED fabb3421 for `/mailbox`. Its SP is **disabled when idle** → a token 401 "account is disabled" means enable the SP first. (`/mailbox` command doc repointed to it 2026-06-17 — it had been left on the dead fabb3421.)
**Why (original):** user clarified "remediation tool" != CIPP after a wrong CIPP navigation. **How to apply:** prefer the `/remediation-tool` skill — it wraps tenant resolution, token caching, breach check, sweep, gated remediation, and consent/onboarding URLs (`references/gotchas.md`, `graph-endpoints.md`, `checklist.md`).
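
Review bot: The pointer "Watch the token-audience gotcha below (line on Exchange-Online vs Graph audience)" in the new Mail.Send paragraph refers to text that is not in this file, and "line on" is vague. Point at the actual location (`references/gotchas.md`, already cited two paragraphs down) and state the gotcha in one clause here, since this is the paragraph a future reader hits first: `get-token.sh exchange-op` returns an Exchange-Online-audience token whose `roles` claim will not list Graph scopes, so an empty Mail.Send there is not evidence the permission is missing.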

@@ -24,16 +24,11 @@ Five multi-tenant apps replace the old single over-permissioned app. Use minimum
| `tenant-admin` | ComputerGuru Tenant Admin | `709e6eed-0711-4875-9c44-2d3518c47063` | `computerguru-tenant-admin.sops.yaml` |
| `defender` | ComputerGuru Defender Add-on | `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b` | `computerguru-defender-addon.sops.yaml` |
**DELETED from the azcomputerguru.com tenant 2026-06-14** (was *ComputerGuru - AI Remediation* / *Claude-MSP-Access* / *Cloud MSP Access*, `fabb3421-8b34-484b-bc17-e46de9703418`) — old single-app with 159 permissions including Defender ATP. Any token request now returns **AADSTS700016** (app/SP gone). Two consequences:
1. It held the ONLY **Mail.Send / Mail.ReadWrite / Contacts** scopes the fleet had, so **`/mailbox` (ACG own-mail send/read) and the M365 contacts task are BLOCKED** until a replacement app is provisioned. The 5-app suite below has none of those scopes (`investigator` = `Mail.Read` only).
2. The legacy "old app only" tenants below (Valleywide, Dataforth, Cascades) have NO working remediation app anymore — migration to the new suite is now REQUIRED, not optional.
**DELETED from the azcomputerguru.com tenant 2026-06-14** (was *ComputerGuru - AI Remediation* / *Claude-MSP-Access* / *Cloud MSP Access*, `fabb3421-8b34-484b-bc17-e46de9703418`) — old single-app with 159 permissions including Defender ATP. Any token request now returns **AADSTS700016** (app/SP gone). Do NOT reference it as a live app anywhere. Consequence: the legacy "old app only" tenants below (Valleywide, Dataforth, Cascades) have NO working remediation app anymore — migration to the new suite is REQUIRED, not optional.
**Decision 2026-06-15 (Mike):** Mail.Send belongs in the SUITE, not a separate app. The real use case is incident response, auto-notifying victims during a mailbox takeover, which is a remediation action. Plan: add **`Mail.Send`** (application) to the **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`), the existing Exchange remediation/write app. `Mail.ReadWrite` + `Contacts` are optional and only needed to fully restore the general `/mailbox` read/send + contacts task (secondary).
**Mail.Send — already in the suite (DONE, not an open decision).** The **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) holds Graph **`Mail.Send` + `Mail.ReadWrite` + `MailboxSettings.ReadWrite`**. The suite CAN send mail in any consented tenant via Graph `POST /users/<upn>/sendMail` — this is the IR victim-notification path (notifying victims during a mailbox takeover is a remediation action). There is NO separate mail app to provision and NO pending decision. Token-audience gotcha: `get-token.sh exchange-op` returns an **Exchange-Online**-audience token whose `roles` claim does NOT list Graph scopes; to call Graph, mint a **Graph**-audience token (`scope=https://graph.microsoft.com/.default`) — never conclude Mail.Send is "missing" from the wrong-audience token.
Implementation (NOT yet executed — production multi-tenant app change, needs explicit go + admin-consent clicks):
1. Add the Graph app permission(s) to the Exchange Operator app manifest in the home tenant; grant admin consent in the home tenant.
2. Re-consent Exchange Operator in each tenant where IR victim-notification is needed (adding a permission invalidates prior consent and re-prompts).
3. Repoint `commands/mailbox.md` `client_id` + vault path to `computerguru-exchange-operator.sops.yaml`, and consent Exchange Operator in the ACG home tenant so `/mailbox` (own-mail) works again.
**ACG own-mail (`/mailbox`) is separate and working.** It uses the dedicated single-tenant **ComputerGuru Mailbox** app `1873b1b0-3377-485c-a848-bae9b2f8f1f5` (vault `msp-tools/computerguru-mailbox.sops.yaml`; `Mail.ReadWrite` + `Mail.Send` + `Contacts.ReadWrite`, azcomputerguru.com only), via `get-token.sh azcomputerguru.com mailbox`. Repointed off the dead `fabb3421` on 2026-06-17. Its SP is disabled when idle → a token 401 "account is disabled" means enable the SP first.
When searching customer admin portals for a service principal (role assignments, app role assignments, CA exclusions), search by the display name for that tier (e.g., "ComputerGuru Security Investigator").
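
Review bot: The replacement paragraph drops the consent caveat that the removed implementation steps carried ("adding a permission invalidates prior consent and re-prompts"): "the suite CAN send mail in any consented tenant" only holds for tenants whose Exchange Operator consent was granted after Mail.Send was added to the manifest, and the removed step 2 said exactly that. Suggest recording when Mail.Send was added and qualifying the sentence accordingly. The token-audience paragraph also says only what the `exchange-op` token is not; say how a Graph-audience token is actually obtained (a `get-token.sh` invocation if one exists, otherwise that it is a manual client-credentials request with `scope=https://graph.microsoft.com/.default`).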

@@ -3,7 +3,7 @@
**Date:** {{YYYY-MM-DD}}
**Tenant:** {{tenant-display-name}} ({{domain}}, {{tenant-id}})
**Subject:** {{user-or-tenant}}
**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
**Tool:** ComputerGuru remediation app suite (Security Investigator `bfbc12a4` / Exchange Operator `b43e7342` / User Manager `64fac46b` / Tenant Admin `709e6eed` / Defender `dbf8ad1a`) — list the tier(s) actually used
**Scope:** {{read-only | included remediation}}
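
Review bot: The new **Tool:** line mixes an instruction ("list the tier(s) actually used") into the template value while every neighbouring field uses a `{{placeholder}}`; a report generated without hand-editing would print all five tiers as if all were used. Suggest `**Tool:** ComputerGuru remediation app suite: {{tiers-used}}` and moving the tier/App-ID key (Security Investigator `bfbc12a4` / Exchange Operator `b43e7342` / User Manager `64fac46b` / Tenant Admin `709e6eed` / Defender `dbf8ad1a`) into a template comment.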
## Summary

@@ -1,7 +1,7 @@
---
name: mailbox
description: >
Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph (shared Claude-MSP-Access app). Defaults to the mailbox of the running user (from identity.json). Use for "/mailbox", "check my email", "send a message as <user>@azcomputerguru.com".
Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph (dedicated ComputerGuru Mailbox app 1873b1b0; NOT the deleted fabb3421/Claude-MSP-Access). Defaults to the mailbox of the running user (from identity.json). Use for "/mailbox", "check my email", "send a message as <user>@azcomputerguru.com".
---
See `.claude/commands/mailbox.md` and the remediation-tool skill (they share Graph access patterns). Use vault/1p for the app credentials. Gated for writes.

@@ -12,7 +12,7 @@ description: >
- Read-only by default.
- All write/remediation actions are **gated** behind explicit `--confirm` or user approval.
- Use the skill's structured flows for tenant sweeps, password spray detection, inbox rule enumeration, mailbox searches, etc.
- NOT for CIPP — this is the direct Graph API app suite (Claude-MSP-Access or equivalent).
- NOT for CIPP — this is the direct Graph API tiered app suite (Security Investigator / Exchange Operator / User Manager / Tenant Admin / Defender). The old single `fabb3421`/Claude-MSP-Access app was DELETED 2026-06-14 — do not reference it. Mail.Send lives in the Exchange Operator tier (b43e7342).
When invoked:
- Read the command doc `.claude/commands/remediation-tool.md`.

@@ -460,43 +460,10 @@ curl -s "https://cippcanvb.azurewebsites.net/api/ListLicenses?TenantFilter=sonor
- **App ID:** d545a836-7118-44f6-8852-d9dd64fb7bb9
- **Status:** Authenticated but all endpoints returned 403
### Claude-MSP-Access (Multi-Tenant Graph API)
- **Service:** Direct Graph API access for M365 investigations
- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
- **App ID (Client ID):** fabb3421-8b34-484b-bc17-e46de9703418
- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
- **Secret Expires:** 2026-12 (24 months)
- **Sign-in Audience:** Multi-tenant (any Entra ID org)
- **Purpose:** Direct Graph API access for M365 investigations and remediation
- **Admin Consent URL:** https://login.microsoftonline.com/common/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
- **Permissions:** User.ReadWrite.All, Directory.ReadWrite.All, Mail.ReadWrite, MailboxSettings.ReadWrite, AuditLog.Read.All, Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, Group.ReadWrite.All, SecurityEvents.ReadWrite.All, AppRoleAssignment.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All
- **Created:** 2025-12-29
- **Access Methods:** Graph API (OAuth 2.0)
#### Usage (Python)
```python
import requests
tenant_id = "CUSTOMER_TENANT_ID" # or use 'common' after consent
client_id = "fabb3421-8b34-484b-bc17-e46de9703418"
client_secret = "~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO"
# Get token
token_resp = requests.post(
f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
data={
"client_id": client_id,
"client_secret": client_secret,
"scope": "https://graph.microsoft.com/.default",
"grant_type": "client_credentials"
}
)
access_token = token_resp.json()["access_token"]
# Query Graph API
headers = {"Authorization": f"Bearer {access_token}"}
users = requests.get("https://graph.microsoft.com/v1.0/users", headers=headers)
```
### Claude-MSP-Access (Multi-Tenant Graph API) — DELETED 2026-06-14, DO NOT USE
- **Status:** App `fabb3421-8b34-484b-bc17-e46de9703418` was DELETED from the azcomputerguru.com tenant on 2026-06-14. Every token request now returns **AADSTS700016**. The old client secret is dead (app gone). Do not reintroduce.
- **Replaced by:** the tiered **ComputerGuru remediation app suite** — Security Investigator `bfbc12a4`, Exchange Operator `b43e7342` (holds Graph **Mail.Send / Mail.ReadWrite / MailboxSettings.ReadWrite** — the suite's mail-send path), User Manager `64fac46b`, Tenant Admin `709e6eed`, Defender Add-on `dbf8ad1a`. Secrets in `msp-tools/computerguru-*.sops.yaml`. Acquire tokens via `bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> <tier>`.
- **ACG own-mail (`/mailbox`):** dedicated app `1873b1b0-3377-485c-a848-bae9b2f8f1f5`, vault `msp-tools/computerguru-mailbox.sops.yaml`.
---
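
Review bot: Deleting the plaintext client secret and the usage snippet from the catalog does not remove them from repository history; this hunk, and the commit that first added it, still carry the value. The new Status line says the app is gone, so the credential is unusable, but the commit message should state that explicitly ("secret remains in history; app deleted 2026-06-14, value dead"), and the catalog should never hold a literal secret again: the `op://` reference or vault-path form the new lines use is the right shape. It is also worth confirming that the service principals customer tenants consented via the removed admin-consent URL were cleaned up, since the hunk only records the home-tenant deletion.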
@@ -875,7 +842,7 @@ curl http://172.16.3.20:3001/health
- **Web Applications:** 7 (Gitea, NPM, Cloudflare, CIPP, etc.)
- **Databases:** 5 (PostgreSQL x2, MariaDB x2, MySQL x1)
- **API Keys/Tokens:** 12 (Gitea, Cloudflare, WHM, Syncro, Autotask, CIPP, GuruRMM, etc.)
- **Microsoft Entra Apps:** 5 (GuruRMM SSO, Seafile Graph, Claude-MSP-Access, Dataforth Claude-Code, CIPP)
- **Microsoft Entra Apps:** GuruRMM SSO, Seafile Graph, ComputerGuru remediation suite (5 tiers) + Mailbox app, Dataforth Claude-Code, CIPP (the old Claude-MSP-Access single app was deleted 2026-06-14)
- **SSH Keys:** 3 (guru@wsl, azcomputerguru@local, gururmm-build-server)
- **Client Tenants:** 5 (MVAN, BG Builders, Dataforth, CW Concrete, Valley Wide Plastering, Khalsa)
- **Client Networks:** 4 (Dataforth, Valley Wide, Khalsa, Scileppi)
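
Review bot: The rewritten **Microsoft Entra Apps** bullet drops the count that every sibling bullet keeps (Web Applications: 7, Databases: 5, API Keys/Tokens: 12); suggest keeping the format, e.g. `**Microsoft Entra Apps:** 10 (GuruRMM SSO, Seafile Graph, ComputerGuru remediation suite x5, Mailbox app, Dataforth Claude-Code, CIPP; old Claude-MSP-Access single app deleted 2026-06-14)`. While here, the untouched **Client Tenants:** 5 line names six tenants.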

@@ -562,10 +562,21 @@ export OP_SERVICE_ACCOUNT_TOKEN="op://Infrastructure/Service Account Auth Token:
- **Client Secret:** op://MSP Tools/CIPP/OAuth.Client Secret
- **Scope:** op://MSP Tools/CIPP/OAuth.Scope
### Claude-MSP-Access (Multi-Tenant Graph API)
### Claude-MSP-Access (Multi-Tenant Graph API) — DELETED 2026-06-14
- **Status:** App `fabb3421-8b34-484b-bc17-e46de9703418` was DELETED from the azcomputerguru.com tenant 2026-06-14. Token requests now return AADSTS700016. Do NOT use. Replaced by the tiered ComputerGuru app suite below.
### ComputerGuru Remediation App Suite (tiered, multi-tenant Graph/EXO)
- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
- **App ID:** op://MSP Tools/Claude-MSP-Access (Graph API)/App ID
- **Client Secret:** op://MSP Tools/Claude-MSP-Access (Graph API)/credential
- **Security Investigator:** `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` — vault `msp-tools/computerguru-security-investigator.sops.yaml` (Graph read + EXO read)
- **Exchange Operator:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` — vault `msp-tools/computerguru-exchange-operator.sops.yaml` (EXO write + Graph **Mail.Send / Mail.ReadWrite / MailboxSettings.ReadWrite** — the suite's mail-send path)
- **User Manager:** `64fac46b-8b44-41ad-93ee-7da03927576c` — vault `msp-tools/computerguru-user-manager.sops.yaml`
- **Tenant Admin:** `709e6eed-0711-4875-9c44-2d3518c47063` — vault `msp-tools/computerguru-tenant-admin.sops.yaml`
- **Defender Add-on:** `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b` — vault `msp-tools/computerguru-defender-addon.sops.yaml` (MDE-licensed tenants only)
- **Token:** `bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> <tier>`
### ComputerGuru Mailbox (ACG own-mail, `/mailbox`)
- **App ID:** `1873b1b0-3377-485c-a848-bae9b2f8f1f5` — vault `msp-tools/computerguru-mailbox.sops.yaml` (single-tenant azcomputerguru.com; Mail.ReadWrite + Mail.Send + Contacts.ReadWrite)
- **Token:** `bash .claude/skills/remediation-tool/scripts/get-token.sh azcomputerguru.com mailbox` (SP disabled when idle — enable on 401 "account is disabled")
### ACG-MSP-Access (Google Workspace)
- **Service Account:** op://MSP Tools/ACG-MSP-Access (Google Workspace)/Service Account Email
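
Review bot: The removed lines point at a 1Password item for the deleted app (`op://MSP Tools/Claude-MSP-Access (Graph API)/credential`), but neither this hunk nor the commit message says that item was archived or its secret field cleared; a stale vault item for a dead app is exactly what gets copy-pasted later. Suggest archiving the item and adding a line under the DELETED heading recording that ("vault item archived YYYY-MM-DD"), so the file and the vault tell the same story.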

@@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
2026-06-21 | GURU-KALI | mailbox/remediation-tool | [correction] assumed Mail.Send needs a separate app (fabb3421/Claude-MSP-Access); correct is Mail.Send ALREADY EXISTS in the 365 remediation app suite — docs hardwiring the deleted fabb3421 must be purged everywhere [ctx: ref=4th-time-asked]
2026-06-20 | Howard-Home | discord-dm/file-upload | [friction] Discord multipart attachment upload: (1) inline -F payload_json={json} -> 400 PAYLOAD_JSON_INVALID; (2) payload_json written to mktemp /tmp file -> Windows curl can't open MSYS /tmp path -> HTTP 000. Fix: write payload_json to a RELATIVE ./file and use -F 'payload_json=<./file;type=application/json' + -F 'files[N]=@path'. discord-dm.sh is text-only; consider adding an --attach flag. [ctx: ref=msys-tmp-path-mismatch tool=curl machine=HOWARD-HOME]
2026-06-20 | Mikes-MacBook-Air.local | harness-guard | [friction] mapfile not available on macOS bash 3.2; guard silently skips all checks [ctx: ref=.claude/scripts/harness-guard.sh line 28; bash 3.2 predates mapfile (bash 4.0); replace with bash 3.2-compatible while-read loop]

@@ -323,7 +323,7 @@ Syncro asset IDs: 23845, 149614, 9708445, 9357407, 9276901, 9212922, 9078651, 88
- **M365 admin:** sysadmin@dataforth.com — vault: `clients/dataforth/m365.sops.yaml`
- **Tenant ID:** `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
- **Claude-Code-M365 Entra App:** App ID `7a8c0b2e-57fb-4d79-9b5a-4b88d21b1f29`, secret expires 2027-12-22 — vault: `clients/dataforth/m365.sops.yaml → credentials.entra-app`
- **MSP Multi-Tenant App (Claude-MSP-Access):** MSP tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d`, App ID `fabb3421-8b34-484b-bc17-e46de9703418` vault: msp-tools SOPS file
- **MSP remediation app suite:** MSP tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d` — tiered ComputerGuru apps (Exchange Operator `b43e7342` etc.), vault `msp-tools/computerguru-*.sops.yaml`. *(Old single app `fabb3421`/Claude-MSP-Access DELETED 2026-06-14 — AADSTS700016, do not use.)*
- **ComputerGuru tiered apps:** All 5 apps consented 2026-04-23. Exchange Operator SP (b43e7342) had Exchange Admin role added manually (gap in onboard-tenant.sh — not auto-assigned for Exch Operator).
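
Review bot: The new **MSP remediation app suite** bullet and the untouched **ComputerGuru tiered apps** bullet directly below it now describe the same suite in two places; suggest folding the consent date (2026-04-23) and the manual Exchange Admin role note into the new bullet so the tenant page has one suite entry. Since that consent date predates the 2026-06-15 decision to add Mail.Send to Exchange Operator recorded in the gotchas change, it would also be worth stating whether Dataforth has re-consented the Exchange Operator app.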
### MSP360 Managed Backup API

@@ -103,7 +103,7 @@ Note on Priority 1: The "GTIMail No-Reply - Reject Inbound" transport rule rejec
- **Remediation tool:** ComputerGuru apps consented in tenant (Exchange Operator, Security Investigator, Tenant Admin, Defender Add-on)
- **Exchange Operator App ID:** b43e7342-5b4b-492f-890f-bb5a4f7f40e9
- **Exchange Operator cert thumbprint:** A615823DE1CAF15229027DEC075AFE32B900D82C (not in Windows cert store on BEAST — use `get-token.sh` bearer token flow)
- **Remediation tool app (AI):** fabb3421-8b34-484b-bc17-e46de9703418
- **Remediation tool:** ComputerGuru tiered suite (Exchange Operator `b43e7342` etc.). *(Old single app `fabb3421`/Claude-MSP-Access DELETED 2026-06-14 — AADSTS700016, do not use.)*
- **Exchange Admin role:** Assigned to ACG service principal in Entra
- **Global Admin account:** admin@glaztechindustries.onmicrosoft.com (ACG admin only — external GA from tomakkglass.com removed 2026-04-21)
- **Vault path:** `clients/glaztech/` [no SOPS credential file documented — remediation tool uses MSP-wide app credentials]
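
Review bot: This list now has two bullets labelled **Remediation tool:** (the untouched consent line and the new one replacing the `fabb3421` App ID), which reads as a duplicate. Suggest folding the deletion notice into the first bullet and dropping the second, or relabelling the new one **Retired app:** so each bullet has a distinct key.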

@@ -172,7 +172,7 @@ acg.local, acghosting.com (ExternalRelay), airandspaceacademy.com, amtransit.com
- **Domain:** azcomputerguru.com
- **Tenant ID:** `ce61461e-81a0-4c84-bb4a-7b354a9a356d`
- **MSP multi-tenant app (Claude-MSP-Access):** App ID `fabb3421-8b34-484b-bc17-e46de9703418` — vault: msp-tools SOPS file
- **MSP remediation app suite (tiered, multi-tenant):** Security Investigator `bfbc12a4`, Exchange Operator `b43e7342` (holds Graph **Mail.Send** — the suite's mail-send path), User Manager `64fac46b`, Tenant Admin `709e6eed`, Defender `dbf8ad1a` — vault `msp-tools/computerguru-*.sops.yaml`. ACG own-mail (`/mailbox`) = dedicated app `1873b1b0` (`msp-tools/computerguru-mailbox.sops.yaml`). *(Old single app `fabb3421`/Claude-MSP-Access DELETED 2026-06-14 — AADSTS700016, do not use.)*
---
@@ -187,7 +187,7 @@ acg.local, acghosting.com (ExternalRelay), airandspaceacademy.com, amtransit.com
| pfSense | `ssh admin@172.16.0.1 -p 2248` | Vault: `infrastructure/pfsense-firewall.sops.yaml` |
| Neptune | Local PowerShell as administrator.ACG (on-box) | Also: WinRM from ACG-DC16; no WinRM from external without VPN |
| ACG-DC16 | `Invoke-Command -ComputerName ACG-DC16` (from domain-joined box) | Kerberos via SPN-matching hostname required |
| ACG M365 | Graph API via Claude-MSP-Access app | Vault: msp-tools SOPS file |
| ACG M365 | Graph API via ComputerGuru app suite (Sec-Inv/Exch-Op/User-Mgr/Tenant-Admin/Defender) + Mailbox app `1873b1b0` | Vault: `msp-tools/computerguru-*.sops.yaml` |
| Cloudflare API | Bearer token from 1Password | Partial: lacks Zone Settings + Analytics permissions |
**SSH passwordless automation to GuruRMM server (172.16.3.30, physical box):**
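
Review bot: The access column's tier shorthand (Sec-Inv/Exch-Op/User-Mgr/Tenant-Admin/Defender) differs from the tier keys `get-token.sh` takes; the keys visible elsewhere in this change are `exchange-op`, `tenant-admin`, `defender`, and `mailbox` for the Mailbox app. Using the real keys in the row would make it match the token command (`get-token.sh <tenant-id> <tier>`) instead of needing a second lookup.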