diff --git a/.claude/commands/mailbox.md b/.claude/commands/mailbox.md index a885b52a..8b53a9a3 100644 --- a/.claude/commands/mailbox.md +++ b/.claude/commands/mailbox.md @@ -1,6 +1,6 @@ # /mailbox — ACG M365 mailbox (read + send as you) -Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph, using the shared **Claude-MSP-Access** app. Defaults to the mailbox of the user running it (from `identity.json`). +Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph, using the dedicated **ComputerGuru Mailbox** app (`1873b1b0-3377-485c-a848-bae9b2f8f1f5`). Defaults to the mailbox of the user running it (from `identity.json`). > **Mail path (working — repointed 2026-06-17).** `/mailbox` uses the dedicated single-tenant **ComputerGuru Mailbox** app (`1873b1b0-3377-485c-a848-bae9b2f8f1f5`; vault `msp-tools/computerguru-mailbox.sops.yaml`; Mail.ReadWrite + Mail.Send + Contacts.ReadWrite; azcomputerguru.com only). Tokens come from the suite tool: `bash .claude/skills/remediation-tool/scripts/get-token.sh azcomputerguru.com mailbox` (cert-preferred, secret fallback, 55-min cache). This **replaces the deleted `fabb3421`** (Claude-MSP-Access), removed from the tenant 2026-06-14 — it returns **AADSTS700016**; do NOT reintroduce it. The mailbox app's service principal is **disabled when idle**: on a token 401 "account is disabled", enable the SP, then retry. 
@@ -181,4 +181,4 @@ st, d = graph("POST", f"/users/{MAILBOX}/messages/{MSG_ID}/reply", ## Attribution -API calls authenticate as the shared **Claude-MSP-Access** app, but a `sendMail`/`reply` from `/users//...` goes out with that mailbox as the `From:` and lands in that mailbox's Sent Items — i.e. it genuinely sends *as you*. Only the identity user's own mailbox is targeted by default; `--as` is for deliberately operating another ACG mailbox. +API calls authenticate as the dedicated **ComputerGuru Mailbox** app (`1873b1b0`, vault `msp-tools/computerguru-mailbox.sops.yaml`) — NOT the deleted `fabb3421`/Claude-MSP-Access — but a `sendMail`/`reply` from `/users//...` goes out with that mailbox as the `From:` and lands in that mailbox's Sent Items — i.e. it genuinely sends *as you*. Only the identity user's own mailbox is targeted by default; `--as` is for deliberately operating another ACG mailbox. diff --git a/.claude/memory/feedback_365_remediation_tool.md b/.claude/memory/feedback_365_remediation_tool.md index 64c5ae48..0e626efc 100644 --- a/.claude/memory/feedback_365_remediation_tool.md +++ b/.claude/memory/feedback_365_remediation_tool.md 
@@ -10,6 +10,8 @@ When the user says "365 remediation tool" or "remediation tool", they mean ACG's **DELETED — gone, do not reference:** `fabb3421` ("AI Remediation" / "Claude-MSP-Access", secret `msp-tools/claude-msp-access-graph-api.sops.yaml`). Removed from the azcomputerguru.com tenant **2026-06-14**; every token request now returns **AADSTS700016**. It previously had ~159 perms incl. Defender ATP (admin consent broke with AADSTS650052 on no-MDE tenants). Any skill still pointing at it is broken — repoint to the suite. (Original deprecation: 2026-05-27 Quantum onboarding.) +**MAIL.SEND ALREADY EXISTS IN THE SUITE — settled, NOT an open decision (do not re-raise).** The **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) holds Graph **`Mail.Send` + `Mail.ReadWrite` + `MailboxSettings.ReadWrite`**. The suite CAN send mail in any consented tenant via Graph `POST /users//sendMail` (IR victim-notification). No separate app to provision, nothing "blocked", no pending click-through. Watch the token-audience gotcha below (line on Exchange-Online vs Graph audience). This replaced the deleted `fabb3421` for IR mail; `/mailbox` (ACG own-mail) separately uses the dedicated app `1873b1b0` (next paragraph). + **ACG OWN-mailbox reads/sends (`/mailbox`) — dedicated app `1873b1b0-3377-485c-a848-bae9b2f8f1f5`** ("ComputerGuru Mailbox", vault `msp-tools/computerguru-mailbox.sops.yaml`, Mail.ReadWrite + Mail.Send + Contacts.ReadWrite, azcomputerguru.com single-tenant). Token via `get-token.sh azcomputerguru.com mailbox` (a tier in get-token.sh; cert-preferred). This is what REPLACED fabb3421 for `/mailbox`. Its SP is **disabled when idle** → a token 401 "account is disabled" means enable the SP first. (`/mailbox` command doc repointed to it 2026-06-17 — it had been left on the dead fabb3421.) **Why (original):** user clarified "remediation tool" != CIPP after a wrong CIPP navigation. 
**How to apply:** prefer the `/remediation-tool` skill — it wraps tenant resolution, token caching, breach check, sweep, gated remediation, and consent/onboarding URLs (`references/gotchas.md`, `graph-endpoints.md`, `checklist.md`). diff --git a/.claude/skills/remediation-tool/references/gotchas.md b/.claude/skills/remediation-tool/references/gotchas.md index 8b0a1f92..9cc01ef8 100644 --- a/.claude/skills/remediation-tool/references/gotchas.md +++ b/.claude/skills/remediation-tool/references/gotchas.md 
@@ -24,16 +24,11 @@ Five multi-tenant apps replace the old single over-permissioned app. Use minimum | `tenant-admin` | ComputerGuru Tenant Admin | `709e6eed-0711-4875-9c44-2d3518c47063` | `computerguru-tenant-admin.sops.yaml` | | `defender` | ComputerGuru Defender Add-on | `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b` | `computerguru-defender-addon.sops.yaml` | -**DELETED from the azcomputerguru.com tenant 2026-06-14** (was *ComputerGuru - AI Remediation* / *Claude-MSP-Access* / *Cloud MSP Access*, `fabb3421-8b34-484b-bc17-e46de9703418`) — old single-app with 159 permissions including Defender ATP. Any token request now returns **AADSTS700016** (app/SP gone). Two consequences: -1. It held the ONLY **Mail.Send / Mail.ReadWrite / Contacts** scopes the fleet had, so **`/mailbox` (ACG own-mail send/read) and the M365 contacts task are BLOCKED** until a replacement app is provisioned. The 5-app suite below has none of those scopes (`investigator` = `Mail.Read` only). -2. The legacy "old app only" tenants below (Valleywide, Dataforth, Cascades) have NO working remediation app anymore — migration to the new suite is now REQUIRED, not optional. +**DELETED from the azcomputerguru.com tenant 2026-06-14** (was *ComputerGuru - AI Remediation* / *Claude-MSP-Access* / *Cloud MSP Access*, `fabb3421-8b34-484b-bc17-e46de9703418`) — old single-app with 159 permissions including Defender ATP. Any token request now returns **AADSTS700016** (app/SP gone). Do NOT reference it as a live app anywhere. Consequence: the legacy "old app only" tenants below (Valleywide, Dataforth, Cascades) have NO working remediation app anymore — migration to the new suite is REQUIRED, not optional. -**Decision 2026-06-15 (Mike):** Mail.Send belongs in the SUITE, not a separate app. The real use case is incident response, auto-notifying victims during a mailbox takeover, which is a remediation action. 
Plan: add **`Mail.Send`** (application) to the **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`), the existing Exchange remediation/write app. `Mail.ReadWrite` + `Contacts` are optional and only needed to fully restore the general `/mailbox` read/send + contacts task (secondary). +**Mail.Send — already in the suite (DONE, not an open decision).** The **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) holds Graph **`Mail.Send` + `Mail.ReadWrite` + `MailboxSettings.ReadWrite`**. The suite CAN send mail in any consented tenant via Graph `POST /users//sendMail` — this is the IR victim-notification path (notifying victims during a mailbox takeover is a remediation action). There is NO separate mail app to provision and NO pending decision. Token-audience gotcha: `get-token.sh exchange-op` returns an **Exchange-Online**-audience token whose `roles` claim does NOT list Graph scopes; to call Graph, mint a **Graph**-audience token (`scope=https://graph.microsoft.com/.default`) — never conclude Mail.Send is "missing" from the wrong-audience token. -Implementation (NOT yet executed — production multi-tenant app change, needs explicit go + admin-consent clicks): -1. Add the Graph app permission(s) to the Exchange Operator app manifest in the home tenant; grant admin consent in the home tenant. -2. Re-consent Exchange Operator in each tenant where IR victim-notification is needed (adding a permission invalidates prior consent and re-prompts). -3. Repoint `commands/mailbox.md` `client_id` + vault path to `computerguru-exchange-operator.sops.yaml`, and consent Exchange Operator in the ACG home tenant so `/mailbox` (own-mail) works again. 
+**ACG own-mail (`/mailbox`) is separate and working.** It uses the dedicated single-tenant **ComputerGuru Mailbox** app `1873b1b0-3377-485c-a848-bae9b2f8f1f5` (vault `msp-tools/computerguru-mailbox.sops.yaml`; `Mail.ReadWrite` + `Mail.Send` + `Contacts.ReadWrite`, azcomputerguru.com only), via `get-token.sh azcomputerguru.com mailbox`. Repointed off the dead `fabb3421` on 2026-06-17. Its SP is disabled when idle → a token 401 "account is disabled" means enable the SP first. When searching customer admin portals for a service principal (role assignments, app role assignments, CA exclusions), search by the display name for that tier (e.g., "ComputerGuru Security Investigator"). diff --git a/.claude/skills/remediation-tool/templates/breach-report.md b/.claude/skills/remediation-tool/templates/breach-report.md index 73e09c59..aeebccac 100644 --- a/.claude/skills/remediation-tool/templates/breach-report.md +++ b/.claude/skills/remediation-tool/templates/breach-report.md @@ -3,7 +3,7 @@ **Date:** {{YYYY-MM-DD}} **Tenant:** {{tenant-display-name}} ({{domain}}, {{tenant-id}}) **Subject:** {{user-or-tenant}} -**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`) +**Tool:** ComputerGuru remediation app suite (Security Investigator `bfbc12a4` / Exchange Operator `b43e7342` / User Manager `64fac46b` / Tenant Admin `709e6eed` / Defender `dbf8ad1a`) — list the tier(s) actually used **Scope:** {{read-only | included remediation}} ## Summary diff --git a/.grok/skills/mailbox/SKILL.md b/.grok/skills/mailbox/SKILL.md index 9b103c51..d541a92b 100644 --- a/.grok/skills/mailbox/SKILL.md +++ b/.grok/skills/mailbox/SKILL.md 
@@ -1,7 +1,7 @@ --- name: mailbox description: > - Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph (shared Claude-MSP-Access app). Defaults to the mailbox of the running user (from identity.json). Use for "/mailbox", "check my email", "send a message as @azcomputerguru.com". + Read and send mail for an Arizona Computer Guru mailbox via Microsoft Graph (dedicated ComputerGuru Mailbox app 1873b1b0; NOT the deleted fabb3421/Claude-MSP-Access). Defaults to the mailbox of the running user (from identity.json). Use for "/mailbox", "check my email", "send a message as @azcomputerguru.com". --- See `.claude/commands/mailbox.md` and the remediation-tool skill (they share Graph access patterns). Use vault/1p for the app credentials. Gated for writes. \ No newline at end of file diff --git a/.grok/skills/remediation-tool/SKILL.md b/.grok/skills/remediation-tool/SKILL.md index d9786a8b..f48a944e 100644 --- a/.grok/skills/remediation-tool/SKILL.md +++ b/.grok/skills/remediation-tool/SKILL.md @@ -12,7 +12,7 @@ description: > - Read-only by default. - All write/remediation actions are **gated** behind explicit `--confirm` or user approval. - Use the skill's structured flows for tenant sweeps, password spray detection, inbox rule enumeration, mailbox searches, etc. -- NOT for CIPP — this is the direct Graph API app suite (Claude-MSP-Access or equivalent). +- NOT for CIPP — this is the direct Graph API tiered app suite (Security Investigator / Exchange Operator / User Manager / Tenant Admin / Defender). The old single `fabb3421`/Claude-MSP-Access app was DELETED 2026-06-14 — do not reference it. Mail.Send lives in the Exchange Operator tier (b43e7342). When invoked: - Read the command doc `.claude/commands/remediation-tool.md`. diff --git a/CATALOG_SHARED_DATA.md b/CATALOG_SHARED_DATA.md index 21a61949..d79f08e8 100644 --- a/CATALOG_SHARED_DATA.md +++ b/CATALOG_SHARED_DATA.md 
@@ -460,43 +460,10 @@ curl -s "https://cippcanvb.azurewebsites.net/api/ListLicenses?TenantFilter=sonor - **App ID:** d545a836-7118-44f6-8852-d9dd64fb7bb9 - **Status:** Authenticated but all endpoints returned 403 -### Claude-MSP-Access (Multi-Tenant Graph API) -- **Service:** Direct Graph API access for M365 investigations -- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d -- **App ID (Client ID):** fabb3421-8b34-484b-bc17-e46de9703418 -- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO -- **Secret Expires:** 2026-12 (24 months) -- **Sign-in Audience:** Multi-tenant (any Entra ID org) -- **Purpose:** Direct Graph API access for M365 investigations and remediation -- **Admin Consent URL:** https://login.microsoftonline.com/common/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient -- **Permissions:** User.ReadWrite.All, Directory.ReadWrite.All, Mail.ReadWrite, MailboxSettings.ReadWrite, AuditLog.Read.All, Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, Group.ReadWrite.All, SecurityEvents.ReadWrite.All, AppRoleAssignment.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All -- **Created:** 2025-12-29 -- **Access Methods:** Graph API (OAuth 2.0) - -#### Usage (Python) -```python -import requests - -tenant_id = "CUSTOMER_TENANT_ID" # or use 'common' after consent -client_id = "fabb3421-8b34-484b-bc17-e46de9703418" -client_secret = "~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO" - -# Get token -token_resp = requests.post( - f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", - data={ - "client_id": client_id, - "client_secret": client_secret, - "scope": "https://graph.microsoft.com/.default", - "grant_type": "client_credentials" - } -) -access_token = token_resp.json()["access_token"] - -# Query Graph API -headers = {"Authorization": f"Bearer {access_token}"} -users = requests.get("https://graph.microsoft.com/v1.0/users", headers=headers) -``` 
+### Claude-MSP-Access (Multi-Tenant Graph API) — DELETED 2026-06-14, DO NOT USE +- **Status:** App `fabb3421-8b34-484b-bc17-e46de9703418` was DELETED from the azcomputerguru.com tenant on 2026-06-14. Every token request now returns **AADSTS700016**. The old client secret is dead (app gone). Do not reintroduce. +- **Replaced by:** the tiered **ComputerGuru remediation app suite** — Security Investigator `bfbc12a4`, Exchange Operator `b43e7342` (holds Graph **Mail.Send / Mail.ReadWrite / MailboxSettings.ReadWrite** — the suite's mail-send path), User Manager `64fac46b`, Tenant Admin `709e6eed`, Defender Add-on `dbf8ad1a`. Secrets in `msp-tools/computerguru-*.sops.yaml`. Acquire tokens via `bash .claude/skills/remediation-tool/scripts/get-token.sh `. +- **ACG own-mail (`/mailbox`):** dedicated app `1873b1b0-3377-485c-a848-bae9b2f8f1f5`, vault `msp-tools/computerguru-mailbox.sops.yaml`. --- @@ -875,7 +842,7 @@ curl http://172.16.3.20:3001/health - **Web Applications:** 7 (Gitea, NPM, Cloudflare, CIPP, etc.) - **Databases:** 5 (PostgreSQL x2, MariaDB x2, MySQL x1) - **API Keys/Tokens:** 12 (Gitea, Cloudflare, WHM, Syncro, Autotask, CIPP, GuruRMM, etc.) -- **Microsoft Entra Apps:** 5 (GuruRMM SSO, Seafile Graph, Claude-MSP-Access, Dataforth Claude-Code, CIPP) +- **Microsoft Entra Apps:** GuruRMM SSO, Seafile Graph, ComputerGuru remediation suite (5 tiers) + Mailbox app, Dataforth Claude-Code, CIPP (the old Claude-MSP-Access single app was deleted 2026-06-14) - **SSH Keys:** 3 (guru@wsl, azcomputerguru@local, gururmm-build-server) - **Client Tenants:** 5 (MVAN, BG Builders, Dataforth, CW Concrete, Valley Wide Plastering, Khalsa) - **Client Networks:** 4 (Dataforth, Valley Wide, Khalsa, Scileppi) diff --git a/credentials.md b/credentials.md index 7193f5f2..f74a4838 100644 --- a/credentials.md +++ b/credentials.md 
@@ -562,10 +562,21 @@ export OP_SERVICE_ACCOUNT_TOKEN="op://Infrastructure/Service Account Auth Token: - **Client Secret:** op://MSP Tools/CIPP/OAuth.Client Secret - **Scope:** op://MSP Tools/CIPP/OAuth.Scope -### Claude-MSP-Access (Multi-Tenant Graph API) +### Claude-MSP-Access (Multi-Tenant Graph API) — DELETED 2026-06-14 +- **Status:** App `fabb3421-8b34-484b-bc17-e46de9703418` was DELETED from the azcomputerguru.com tenant 2026-06-14. Token requests now return AADSTS700016. Do NOT use. Replaced by the tiered ComputerGuru app suite below. + +### ComputerGuru Remediation App Suite (tiered, multi-tenant Graph/EXO) - **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d -- **App ID:** op://MSP Tools/Claude-MSP-Access (Graph API)/App ID -- **Client Secret:** op://MSP Tools/Claude-MSP-Access (Graph API)/credential +- **Security Investigator:** `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` — vault `msp-tools/computerguru-security-investigator.sops.yaml` (Graph read + EXO read) +- **Exchange Operator:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` — vault `msp-tools/computerguru-exchange-operator.sops.yaml` (EXO write + Graph **Mail.Send / Mail.ReadWrite / MailboxSettings.ReadWrite** — the suite's mail-send path) +- **User Manager:** `64fac46b-8b44-41ad-93ee-7da03927576c` — vault `msp-tools/computerguru-user-manager.sops.yaml` +- **Tenant Admin:** `709e6eed-0711-4875-9c44-2d3518c47063` — vault `msp-tools/computerguru-tenant-admin.sops.yaml` +- **Defender Add-on:** `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b` — vault `msp-tools/computerguru-defender-addon.sops.yaml` (MDE-licensed tenants only) +- **Token:** `bash .claude/skills/remediation-tool/scripts/get-token.sh ` + +### ComputerGuru Mailbox (ACG own-mail, `/mailbox`) +- **App ID:** `1873b1b0-3377-485c-a848-bae9b2f8f1f5` — vault `msp-tools/computerguru-mailbox.sops.yaml` (single-tenant azcomputerguru.com; Mail.ReadWrite + Mail.Send + Contacts.ReadWrite) +- **Token:** `bash .claude/skills/remediation-tool/scripts/get-token.sh 
azcomputerguru.com mailbox` (SP disabled when idle — enable on 401 "account is disabled") ### ACG-MSP-Access (Google Workspace) - **Service Account:** op://MSP Tools/ACG-MSP-Access (Google Workspace)/Service Account Email diff --git a/errorlog.md b/errorlog.md index 8b383686..5e066f94 100644 --- a/errorlog.md +++ b/errorlog.md @@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +2026-06-21 | GURU-KALI | mailbox/remediation-tool | [correction] assumed Mail.Send needs a separate app (fabb3421/Claude-MSP-Access); correct is Mail.Send ALREADY EXISTS in the 365 remediation app suite — docs hardwiring the deleted fabb3421 must be purged everywhere [ctx: ref=4th-time-asked] + 2026-06-20 | Howard-Home | discord-dm/file-upload | [friction] Discord multipart attachment upload: (1) inline -F payload_json={json} -> 400 PAYLOAD_JSON_INVALID; (2) payload_json written to mktemp /tmp file -> Windows curl can't open MSYS /tmp path -> HTTP 000. Fix: write payload_json to a RELATIVE ./file and use -F 'payload_json=<./file;type=application/json' + -F 'files[N]=@path'. discord-dm.sh is text-only; consider adding an --attach flag. [ctx: ref=msys-tmp-path-mismatch tool=curl machine=HOWARD-HOME] 2026-06-20 | Mikes-MacBook-Air.local | harness-guard | [friction] mapfile not available on macOS bash 3.2; guard silently skips all checks [ctx: ref=.claude/scripts/harness-guard.sh line 28; bash 3.2 predates mapfile (bash 4.0); replace with bash 3.2-compatible while-read loop] diff --git a/wiki/clients/dataforth.md b/wiki/clients/dataforth.md index 911c8363..17e54901 100644 --- a/wiki/clients/dataforth.md +++ b/wiki/clients/dataforth.md 
@@ -323,7 +323,7 @@ Syncro asset IDs: 23845, 149614, 9708445, 9357407, 9276901, 9212922, 9078651, 88 - **M365 admin:** sysadmin@dataforth.com — vault: `clients/dataforth/m365.sops.yaml` - **Tenant ID:** `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584` - **Claude-Code-M365 Entra App:** App ID `7a8c0b2e-57fb-4d79-9b5a-4b88d21b1f29`, secret expires 2027-12-22 — vault: `clients/dataforth/m365.sops.yaml → credentials.entra-app` -- **MSP Multi-Tenant App (Claude-MSP-Access):** MSP tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d`, App ID `fabb3421-8b34-484b-bc17-e46de9703418` — vault: msp-tools SOPS file +- **MSP remediation app suite:** MSP tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d` — tiered ComputerGuru apps (Exchange Operator `b43e7342` etc.), vault `msp-tools/computerguru-*.sops.yaml`. *(Old single app `fabb3421`/Claude-MSP-Access DELETED 2026-06-14 — AADSTS700016, do not use.)* - **ComputerGuru tiered apps:** All 5 apps consented 2026-04-23. Exchange Operator SP (b43e7342) had Exchange Admin role added manually (gap in onboard-tenant.sh — not auto-assigned for Exch Operator). ### MSP360 Managed Backup API diff --git a/wiki/clients/glaztech.md b/wiki/clients/glaztech.md index 97fbd5e0..c0fadbed 100644 --- a/wiki/clients/glaztech.md +++ b/wiki/clients/glaztech.md 
@@ -103,7 +103,7 @@ Note on Priority 1: The "GTIMail No-Reply - Reject Inbound" transport rule rejec - **Remediation tool:** ComputerGuru apps consented in tenant (Exchange Operator, Security Investigator, Tenant Admin, Defender Add-on) - **Exchange Operator App ID:** b43e7342-5b4b-492f-890f-bb5a4f7f40e9 - **Exchange Operator cert thumbprint:** A615823DE1CAF15229027DEC075AFE32B900D82C (not in Windows cert store on BEAST — use `get-token.sh` bearer token flow) -- **Remediation tool app (AI):** fabb3421-8b34-484b-bc17-e46de9703418 +- **Remediation tool:** ComputerGuru tiered suite (Exchange Operator `b43e7342` etc.). *(Old single app `fabb3421`/Claude-MSP-Access DELETED 2026-06-14 — AADSTS700016, do not use.)* - **Exchange Admin role:** Assigned to ACG service principal in Entra - **Global Admin account:** admin@glaztechindustries.onmicrosoft.com (ACG admin only — external GA from tomakkglass.com removed 2026-04-21) - **Vault path:** `clients/glaztech/` [no SOPS credential file documented — remediation tool uses MSP-wide app credentials] diff --git a/wiki/clients/internal-infrastructure.md b/wiki/clients/internal-infrastructure.md index 7a3f5cbd..5be772db 100644 --- a/wiki/clients/internal-infrastructure.md +++ b/wiki/clients/internal-infrastructure.md 
@@ -172,7 +172,7 @@ acg.local, acghosting.com (ExternalRelay), airandspaceacademy.com, amtransit.com - **Domain:** azcomputerguru.com - **Tenant ID:** `ce61461e-81a0-4c84-bb4a-7b354a9a356d` -- **MSP multi-tenant app (Claude-MSP-Access):** App ID `fabb3421-8b34-484b-bc17-e46de9703418` — vault: msp-tools SOPS file +- **MSP remediation app suite (tiered, multi-tenant):** Security Investigator `bfbc12a4`, Exchange Operator `b43e7342` (holds Graph **Mail.Send** — the suite's mail-send path), User Manager `64fac46b`, Tenant Admin `709e6eed`, Defender `dbf8ad1a` — vault `msp-tools/computerguru-*.sops.yaml`. ACG own-mail (`/mailbox`) = dedicated app `1873b1b0` (`msp-tools/computerguru-mailbox.sops.yaml`). *(Old single app `fabb3421`/Claude-MSP-Access DELETED 2026-06-14 — AADSTS700016, do not use.)* --- @@ -187,7 +187,7 @@ acg.local, acghosting.com (ExternalRelay), airandspaceacademy.com, amtransit.com | pfSense | `ssh admin@172.16.0.1 -p 2248` | Vault: `infrastructure/pfsense-firewall.sops.yaml` | | Neptune | Local PowerShell as administrator.ACG (on-box) | Also: WinRM from ACG-DC16; no WinRM from external without VPN | | ACG-DC16 | `Invoke-Command -ComputerName ACG-DC16` (from domain-joined box) | Kerberos via SPN-matching hostname required | -| ACG M365 | Graph API via Claude-MSP-Access app | Vault: msp-tools SOPS file | +| ACG M365 | Graph API via ComputerGuru app suite (Sec-Inv/Exch-Op/User-Mgr/Tenant-Admin/Defender) + Mailbox app `1873b1b0` | Vault: `msp-tools/computerguru-*.sops.yaml` | | Cloudflare API | Bearer token from 1Password | Partial: lacks Zone Settings + Analytics permissions | **SSH passwordless automation to GuruRMM server (172.16.3.30, physical box):**
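Review bot: the new mail-path callout in `.claude/commands/mailbox.md` tells the operator to enable the service principal on a token 401 "account is disabled" but never to disable it again, so the "disabled when idle" control is retired the first time anyone follows the instruction; add the matching disable step to the same bullet, and say which role is expected to flip it. Worth one more sentence in the same hunk: `Mail.ReadWrite`, `Mail.Send` and `Contacts.ReadWrite` on `1873b1b0` are application permissions, which means the app can read and send from every azcomputerguru.com mailbox, not only the identity user's. "Defaults to the mailbox of the user running it" and `--as` are conventions in the client, not a boundary the tenant enforces; either state that plainly, or document the Exchange Online application access policy (`New-ApplicationAccessPolicy -AppId 1873b1b0-3377-485c-a848-bae9b2f8f1f5 -PolicyScopeGroupId <mail-enabled group> -AccessRight RestrictAccess`) that actually confines it.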
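Review bot: in the paragraph added to `.claude/memory/feedback_365_remediation_tool.md`, "Watch the token-audience gotcha below (line on Exchange-Online vs Graph audience)" points at nothing in that file; the audience gotcha is written into `.claude/skills/remediation-tool/references/gotchas.md` in this same patch, so name that path and drop the parenthetical. Without the pointer, the next reader will run `get-token.sh exchange-op`, see no Graph scopes in the EXO-audience token's `roles`, and re-conclude that Mail.Send is missing, which is exactly the repeat correction the `errorlog.md` entry records as `ref=4th-time-asked`.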
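Review bot: the `gotchas.md` rewrite drops the removed step "Re-consent Exchange Operator in each tenant where IR victim-notification is needed (adding a permission invalidates prior consent and re-prompts)" without recording when `Mail.Send` / `Mail.ReadWrite` / `MailboxSettings.ReadWrite` were added to `b43e7342`, so "The suite CAN send mail in any consented tenant" only holds for tenants consented after that change (the Dataforth page in this patch dates its consent 2026-04-23). Add the date, and pair the audience gotcha with a check that separates the two failure modes: after minting the Graph-audience token for the target tenant, decode the JWT payload and require `aud` of `https://graph.microsoft.com` (or `00000003-0000-0000-c000-000000000000`) and `Mail.Send` in `roles`; right audience but no `Mail.Send` means that tenant still needs re-consent, which is a different problem from the wrong-audience case the hunk describes. Minor: `POST /users//sendMail` has an empty path segment; if `{id-or-upn}` was a placeholder it has been lost, and the same `/users//...` appears in the mailbox.md attribution hunk.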
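Review bot: the `breach-report.md` template change records the tiers as 8-character prefixes (`bfbc12a4`, `b43e7342`, ...) and asks the author to "list the tier(s) actually used", but a customer admin reading the report needs the full client ID or the display name to find the service principal in their portal (the gotchas hunk itself says to search by display name, e.g. "ComputerGuru Security Investigator"); put the display names and full app IDs in the template, or keep the prefixes and add the display-name column.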
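Review bot: the removed `CATALOG_SHARED_DATA.md` block carried a plaintext client secret ("**Client Secret:** ~QJ8Q~...") and a Python snippet that hard-coded it; deleting the lines does not remove them from git history, so the replacement section (or the commit) should state that the value is dead only because the app itself was deleted (AADSTS700016), and the catalog should keep to the new pattern of vault paths (`msp-tools/computerguru-*.sops.yaml`) rather than values. The replacement also loses the catalog's only worked token-acquisition example and its substitute, "Acquire tokens via `bash .claude/skills/remediation-tool/scripts/get-token.sh `", ends with no arguments; give the `<customer-domain> <tier>` form the mailbox.md hunk uses (`get-token.sh azcomputerguru.com mailbox`) and list the tier names this patch uses (`investigator`, `exchange-op`, `tenant-admin`, `defender`, `mailbox`) so the line is usable as written.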
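Review bot: in the new `credentials.md` suite section the `**Token:**` line also stops at "get-token.sh `" with no arguments, and the Mailbox section's token line is broken across "get-token.sh" and "azcomputerguru.com mailbox"; make both complete one-liners, and note that the first argument is the customer tenant's domain, not the `ce61461e-...` home tenant ID listed two lines above, since that pairing is the likeliest copy-paste mistake. The per-tier permission summaries are uneven as well: Security Investigator and Exchange Operator get scope notes, User Manager and Tenant Admin get none; either add the Graph/EXO scopes for all five tiers or point at the table in `references/gotchas.md` as the single source.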