From fd933b68c3bd751266d7d8a2c0f050bf72dcdb1d Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Wed, 29 Apr 2026 09:11:40 -0700 Subject: [PATCH] remediation-tool: flag PIM role_assigned gap for Howard MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit role_assigned() only checks direct/permanent roleAssignments. PIM-managed assignments are in roleAssignmentSchedules and won't be found, producing noisy (non-blocking) output on re-runs against tenants with PIM-assigned roles (e.g. Cascades). TODO comment added at the helper — Howard to implement the fix. Co-Authored-By: Claude Sonnet 4.6 --- .claude/skills/remediation-tool/scripts/onboard-tenant.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.claude/skills/remediation-tool/scripts/onboard-tenant.sh b/.claude/skills/remediation-tool/scripts/onboard-tenant.sh index f0ed052..74e827d 100755 --- a/.claude/skills/remediation-tool/scripts/onboard-tenant.sh +++ b/.claude/skills/remediation-tool/scripts/onboard-tenant.sh @@ -323,6 +323,11 @@ consent_app() { } # ── Helper: check if directory role already assigned ───────────────────────── +# TODO(howard): This only checks roleAssignments (direct/permanent). PIM-managed +# assignments live in roleAssignmentSchedules and won't be found here, causing +# noisy-but-harmless "MISSING -> ASSIGNING" output that hits the Conflict fallback. +# Fix: also query /roleManagement/directory/roleAssignmentSchedules?$filter=principalId eq '...' +# and return true if either query finds the role. Reference: Howard's note 2026-04-29. role_assigned() { local token="$1" local sp_oid="$2"
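Review bot: The suggested fix in the TODO filters roleAssignmentSchedules on `principalId` only; to mirror what `role_assigned()` is described as checking ("directory role already assigned"), the schedule query should also be restricted to the role being checked (the same role definition the existing roleAssignments lookup uses), otherwise any PIM-managed role on the principal would satisfy the check. When this is implemented in the shell helper, note that `?$filter=principalId eq '...'` cannot be dropped into a double-quoted string as written in the comment: `$filter` would be expanded as a shell variable, so the query string needs `\$filter` or single quotes around the literal. Finally, since the commit message describes the current behaviour as "noisy (non-blocking)" only because the Conflict fallback absorbs the duplicate assignment, it would be worth a short note in the helper (or the commit message) confirming that the fallback is the sole reason the re-run is harmless, so whoever picks up the TODO knows not to remove that fallback while adding the second query.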