azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,008 Commits 1 Branch 0 Tags
90407171126ff5af46cd00a533deca8de0b2a4e4
Commit Graph

44 Commits

Author SHA1 Message Date
Mike Swanson
f76f25100e sync: auto-sync from GURU-BEAST-ROG at 2026-05-28 10:46:43 
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-05-28 10:46:43
 2026-05-28 10:46:50 -07:00
Howard Enos
f75d375a2a sync: auto-sync from HOWARD-HOME at 2026-05-27 21:29:58 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-27 21:29:58
 2026-05-27 21:30:06 -07:00
Howard Enos
9c1b67931a sync: auto-sync from HOWARD-HOME at 2026-05-27 00:31:32 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-27 00:31:32
 2026-05-27 00:31:45 -07:00
Howard Enos
a44a0bcee0 sync: auto-sync from HOWARD-HOME at 2026-05-22 15:40:30 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-22 15:40:30
 2026-05-22 15:40:34 -07:00
Howard Enos
3c0ad785e8 sync: auto-sync from HOWARD-HOME at 2026-05-21 14:41:10 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-21 14:41:10
 2026-05-21 14:41:13 -07:00
Howard Enos
00488a9da7 sync: auto-sync from HOWARD-HOME at 2026-05-21 12:48:20 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-21 12:48:20
 2026-05-21 12:48:22 -07:00
Howard Enos
0f3b8869fc sync: auto-sync from HOWARD-HOME at 2026-05-20 22:41:35 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 22:41:35
 2026-05-20 22:41:38 -07:00
Howard Enos
04acf08061 sync: auto-sync from HOWARD-HOME at 2026-05-20 17:08:25 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 17:08:25
 2026-05-20 17:08:29 -07:00
Mike Swanson
c255b6c130 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 15:22:14 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 15:22:14
 2026-05-20 15:22:18 -07:00
Howard Enos
f78ccf97da sync: auto-sync from HOWARD-HOME at 2026-05-20 14:53:36 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 14:53:36
 2026-05-20 14:53:38 -07:00
Howard Enos
7b541a6aee client/cascades: britney.thompson M365 offboarding complete — sign-in blocked, license removed, litigation hold 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 14:42:05 -07:00
Howard Enos
ad7537f7b8 client/cascades: Phase 2.6 COMPLETE — 13 printers, 4 GPOs, 5 accounts disabled 
Detailed context:
- Task: Cascades of Tucson Phase 2.6 — printer migration, GPO deployment, account cleanup
- Changes:
  - phase2-print-server.ps1: all 13 printers complete, Epson driver/share notes added
  - active-directory.md: 5 stale accounts disabled, 4 GPOs created, pending issues cleared, printer share table updated
  - Session log: 2026-05-20 Howard session covering all Phase 2.6 work
- Status: Phase 2.6 complete

Files modified:
- clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1
- clients/cascades-tucson/docs/servers/active-directory.md
- clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 14:04:08 -07:00
Mike Swanson
c6daba593f Session log: EOP access fix + Alma Montt mailbox investigation (Cascades Tucson) 
- Fixed Exchange.ManageAsApp missing from Security Investigator app registration
- Granted role directly in Cascades tenant via Graph API
- Investigated Alma Montt mailbox: no delivery blocks found, specific sender TBD

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 10:39:15 -07:00
Howard Enos
8a2638ddee client/cascades: session log + AD doc update 2026-05-20 
Phase 2.5 complete. Folder redirection GPO decision documented — deferred
to Phase 3 (blocked on domain joins). Pending items carried forward.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 22:32:20 -07:00
Howard Enos
9231f5bf96 Session log: Howard Cascades Alma Montt account completion 2026-05-19 
Cloud-only M365 user created, SPB license assigned, SSPR group added,
CA/MFA audit, Syncro billing for tickets #109316879 and #110120097.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 13:22:52 -07:00
Howard Enos
07778142dd Session log: Howard caregiver reconciliation and new account provisioning 2026-05-18 
Cascades of Tucson — created 4 new caregiver accounts, Alma Montt admin account,
terminated Niel Castro, reclassified Celia Lassey and Patricia Sandoval-Beck from
SG-Caregivers. Entra sync run; Alma Montt M365 license pending background task.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 21:25:15 -07:00
Howard Enos
ec5f352998 sync: auto-sync from HOWARD-HOME at 2026-05-16 15:10:35 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-16 15:10:35
 2026-05-16 15:10:37 -07:00
Howard Enos
65cf262f98 sync: auto-sync from HOWARD-HOME at 2026-05-16 13:49:46 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-16 13:49:46
 2026-05-16 13:49:48 -07:00
Howard Enos
4b667db1ab sync: auto-sync from HOWARD-HOME at 2026-05-14 18:54:09 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-14 18:54:09
 2026-05-14 18:54:10 -07:00
Howard Enos
3a3f92d5d5 session: Cascades phone verification addendum - SSPR confirmed, Syncro ticket updated 2026-05-14 18:49:50 -07:00
Howard Enos
e191b713f9 session: Cascades phone verification & closeout — Entra Connect staging exited, CA policies re-pointed to AD-synced SG-Caregivers 
- Full tenant verification sweep: all Intune/Entra objects match session logs
- Entra Connect staging mode exited; 17 AD groups synced to cloud
- CA policies (Block-off-network, Sign-in-frequency-8h, Block-non-compliant) patched from SG-Caregivers-Pilot to AD-synced SG-Caregivers
- Registration Campaign exclusion updated to SG-Caregivers
- Deleted test accounts: howard.enos (AD) and pilot.test (M365)
- Documented Christine Nyanzunda collision risk, Ederick Yuzon open item, standing security-group rule
- Session log written

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-14 17:45:30 -07:00
Howard Enos
c13639fbf4 sync: auto-sync from HOWARD-HOME at 2026-05-11 18:06:36 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-11 18:06:36
 2026-05-11 18:06:39 -07:00
Howard Enos
dfa23c1f70 sync: auto-sync from HOWARD-HOME at 2026-05-08 19:54:23 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-08 19:54:23
 2026-05-08 19:54:24 -07:00
Howard Enos
78b5f5d8c9 sync: auto-sync from HOWARD-HOME at 2026-05-08 19:53:03 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-08 19:53:03
 2026-05-08 19:53:06 -07:00
Howard Enos
278a6a20d0 cascades: SDM activation root-caused, devices@ provisioning account created 
9-hour day on Cascades caregiver phone Shared Device Mode activation.
Root cause of repeated AADSTS50097 was missing Cloud Device Administrator
role -- pilot.test cannot self-register devices for shared mode. Created
dedicated devices@cascadestucson.com (CDA role, MFA on Howard's phone).
Final attempt on Phone A produced an Entra device record with shared-mode
markers (registeredOwners=0, registeredUsers=0). Resume tomorrow by
signing pilot.test in to verify SDM is actually active.

Side wins: ALIS SSO Entra App Registration created (vault commit 90ada33,
blocked on Medtelligent enabling App Store side); 2 of 3 caregiver CA
policies flipped from Report-only to Enforced; kiosk profile bumped to
v13 with full Android nav bar, 12hr inactivity signout, 6-app allowlist
including Company Portal.

Microsoft ticket #2605070040009774 still open.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-07 18:38:37 -07:00
Howard Enos
636281da5f sync: auto-sync from HOWARD-HOME at 2026-05-06 15:10:59 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-06 15:10:59
 2026-05-06 15:11:04 -07:00
Howard Enos
17f0d0becb sync: auto-sync from HOWARD-HOME at 2026-05-06 13:46:20 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-06 13:46:20
 2026-05-06 13:46:23 -07:00
Howard Enos
0e8d3c4622 sync: auto-sync from HOWARD-HOME at 2026-05-05 18:52:18 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-05 18:52:18
 2026-05-05 18:52:18 -07:00
Howard Enos
a4c59fc7dc sync: auto-sync from HOWARD-HOME at 2026-05-05 18:51:23 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-05 18:51:23
 2026-05-05 18:51:24 -07:00
Howard Enos
b67d5db9e4 sync: auto-sync from HOWARD-HOME at 2026-05-05 18:46:49 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-05 18:46:49
 2026-05-05 18:46:49 -07:00
Howard Enos
63e7786f90 sync: auto-sync from HOWARD-HOME at 2026-05-05 17:13:15 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-05 17:13:15
 2026-05-05 17:13:16 -07:00
Howard Enos
bac8e5f367 sync: auto-sync from HOWARD-HOME at 2026-05-05 16:44:25 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-05 16:44:25
 2026-05-05 16:44:26 -07:00
Howard Enos
e95ff831d9 sync: auto-sync from HOWARD-HOME at 2026-05-05 15:00:22 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-05 15:00:22
 2026-05-05 15:00:22 -07:00
Howard Enos
eee729e0e8 Session log: Cascades MHS kiosk fix + SDM bootstrap (mid-flight) + Sombra onboarding side-quest 2026-04-30 19:08:03 -07:00
Howard Enos
58e7feda9a Session log: Cascades CA bypass phased rollout + pilot user + phone re-enroll 
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into
2026-04-30 early morning continuation.

Major work:
- Adopted phased per-group CA rollout (corrects original tenant-wide §5
  design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades
  CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group
  and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com,
  SG-Caregivers-Pilot group, Business Premium license, vault entry
  pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group,
  CREATE 3 new Report-only policies (block off-network, block
  non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set,
  awaiting MHS to take over launcher and SDM sign-in prompt

6 new project/feedback memories. Resume point at top of new session log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-30 10:57:28 -07:00
Mike Swanson
95ea8f3973 Session log: Cascades audit retention design + Pro-Tech Services email investigation 
Cascades:
- Approved Howard's corrected 4-policy CA bypass design
- Caught + fixed policy 3 GDAP bug (Service provider users exclusion)
- Decided hybrid LAW + Storage Account audit retention (ACG-billed,
  reuse existing Trusted Signing Azure subscription, westus2)
- Wrote full audit retention runbook for Howard
- Reshaped break-glass to two accounts (split-storage YubiKeys)
- Documented Cascades M365 admin model (admin@/sysadmin@ Connect-excluded
  by design; local AD Administrator separate identity layer)
- Decided Howard gets Owner on ACG sub with guardrails (resource lock +
  cost alert) instead of per-RG Contributor

Pro-Tech Services:
- DNS recon of pro-techhelps.com + pro-techservices.co
- Diagnosed calendar invite delivery issue (DKIM domain mismatch +
  no DMARC = strict receivers silently drop invites)
- Drafted non-technical IT-provider migration email to Michelle Sora

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-29 17:05:41 -07:00
Howard Enos
01cb843d74 Session log: 2026-04-29 Cascades close-out update 
Append /save close-out timestamp + commit reference to today's bypass-pilot
Phase B buildout log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-29 11:05:41 -07:00
Howard Enos
f21745eff9 cascades: CA unblock + Phase B buildout + onboard-tenant.sh CA Admin backfill 
Day-long session unblocking the Cascades CA reconciliation that was paused on
the Tenant Admin SP directory-role gap. Discovered Microsoft also tightened
the OAuth scope for /identity/conditionalAccess/* reads (Policy.Read.All now
required, Policy.ReadWrite.ConditionalAccess no longer accepted for reads).
Patched Tenant Admin manifest accordingly and re-consented in Cascades.

Phase B Intune state turned out to be far more built than the 4/20 log
suggested -- compliance policy, Wi-Fi, device restrictions, both SDM app
configs (Authenticator + Teams), and 7 of 8 apps were already deployed and
assigned. PATCHed device restrictions to block camera/Bluetooth/roaming
and enabled Managed Home Screen multi-app kiosk (ALIS + Teams visible,
10-min auto-signout). PATCHed Cascades named location to add primary WAN
(184.191.143.62/32). Howard added Outlook from Managed Play; SMB encryption
enabled on \CS-SERVER\homes.

CA bypass design corrected -- original §5 plan in user-account-rollout-plan.md
called for "block off-site + MFA on-site" which doesn't match the actual goal
of bypass when network + device assurance present. Reshaped to three policies
that produce on-site-compliant = password only, anything else = MFA or block.

onboard-tenant.sh patched to:
  1. Backfill Policy.Read.All on Tenant Admin SP if missing (idempotent --
     for tenants consented before the 2026-04-29 manifest update).
  2. Assign Conditional Access Administrator directory role to Tenant Admin
     SP at onboard time. Mirrors the Exchange Operator fix Mike landed in
     5da9804.

Validated with --dry-run against Cascades. Customer-facing tenants already
onboarded should be re-run with this script to backfill both items.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-29 07:32:23 -07:00
Howard Enos
faf529de7c cascades save: AD-side pilot prep done; CA reconciliation blocked on SP role gap (2026-04-28) 
Thread 1 (AD-side prep on CS-SERVER) completed:
- howard.enos password reset to memorable value (PHS will sync to M365 once staging exits)
- proxyAddresses=SMTP:howard.enos@cascadestucson.com added (G1 convention)

Thread 2 (CA reconciliation) blocked: ComputerGuru - Tenant Admin SP
(appId 709e6eed-...) has zero directory role assignments in Cascades.
Graph CA endpoints 403 despite Policy.ReadWrite.ConditionalAccess on token.

Decision pending: Path A (Graph-side role assignment via existing
RoleManagement.ReadWrite.Directory) vs Path B (portal click as admin@).
Target role: Conditional Access Administrator
(b1be1c3e-b65d-4f19-8427-f6fa0d97feb9) on SP objectId
a5fa89a9-b735-4e10-b664-f042e265d137.

Follow-up: extend onboard-tenant.sh to assign this role at onboard time
(parallels 5da9804 Exchange Admin fix for Exchange Operator SP).

Pilot target slipped 2026-04-27 to 2026-04-28. ALIS App Store still
inaccessible — install-side of ALIS SSO still deferred regardless.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-28 07:19:11 -07:00
Howard Enos
f8767e5f50 session log: cascades — Entra Connect install + pilot account prep (2026-04-24/25) 
Comprehensive log of the Entra setup work spanning 4/24 evening through 4/25.
Includes a Resume Point at the top so the next session can pick up cleanly.

Highlights:
- Entra Connect Sync installed in staging mode on CS-SERVER, scope OU=Caregivers
- Pilot AD account howard.enos@cascadestucson.com created
- Master plan v2 with explicit drift log (FIDO2/YubiKey injection caught)
- HIPAA retention remediation: 7 mailboxes restored from soft-delete (4/22 deletes
  violated 164.316(b)(2)); termination procedures policy + IR-2026-04-24-001 documented
- admin@cascadestucson.com re-promoted to Global Admin (Sandra Fish cleanup had
  stripped role); residual profile data cleaned
- Existing Cascades CA architecture discovered (Named Location 72.211.21.217 + all-users
  MFA policy from 2026-02-11) — adjusts plan, no duplicate policies needed
- Syncro ticket #32214 'Entra setup' with hidden private rollup (~40-45 billable hrs)

Released session lock; resume point flagged in PROJECT_STATE.md.
 2026-04-25 15:38:08 -07:00
Howard Enos
3e513d3db4 cascades: ingest staff CSV + AD/M365 user rollout plan 
Meredith/John returned the staff-editor questionnaire (70 people, 11
departments). CSV ingested to reports/; p2-staff-candidates.md updated
with real persona breakdown. Wrote full AD/M365 user rollout plan (8
personas, license mapping, OU/group layout, CA policies, 4-wave
sequence, 8 open decisions). Drafted follow-up email for remaining open
items — Howard will edit and send.

Britney Thompson and Polett Pinazavala confirmed still employed (were
absent from the CSV return). Christine Nyanzunda confirmed as one
person with two roles. Usernames locked for new accounts:
Alma.Montt, Kyla.QuickTiffany.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 15:09:39 -07:00
Howard Enos
1fd68c11da sync: auto-sync from HOWARD-HOME at 2026-04-21 15:07:39 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-21 15:07:39
 2026-04-21 15:07:42 -07:00
Howard Enos
41f5b6a21c sync: auto-sync from ACG-TECH03L at 2026-04-20 00:02:36 
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-20 00:02:36
 2026-04-20 00:02:38 -07:00
Howard Enos
47c3cb1a3c sync: auto-sync from ACG-TECH03L at 2026-04-17 23:51:18 
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-17 23:51:18
 2026-04-17 23:51:20 -07:00