## User

- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin

---

## Session Summary

Mike requested an account status check for barbara@barbaragrygutis.com, initially assuming the account lived on Neptune Exchange / ACG-DC16. RMM agents on both servers were queried via GuruRMM (both online, site: DF Server Storage). Neither returned an AD user or an Exchange mailbox; the account did not exist on ACG infrastructure. A disconnected-mailbox search on Neptune also returned nothing. An MX record lookup showed that the domain points to Microsoft 365 (barbaragrygutis-com.mail.protection.outlook.com), not Neptune.

The tenant had not yet been onboarded to the ComputerGuru MSP app suite. Mike directed generating a Tenant Admin consent URL, which was sent to Barbara's Global Admin. After she consented, `onboard-tenant.sh` was run twice: the first pass created all service principals and assigned all directory roles but hit Graph replication lag on some appRoleAssignments; the second pass cleanly closed the remaining permission gaps. All 5 apps are now fully onboarded (Defender skipped: no MDE license).

With the tenant onboarded, the Security Investigator app was used to pull Barbara's account status and sign-in logs. The account is enabled, cloud-only, with a password unchanged since December 2021. Sign-in logs revealed an active credential spray attack: 100+ blocked attempts over May 27-29 from Tor exit nodes, Linode VPS infrastructure, Hurricane Electric tunnels, and European proxy nodes, all blocked by Microsoft malicious IP detection (error 50053). Zero successful sign-ins were found in the 30-day log window. No mail forwarding and no inbox rules were identified. Critically, the tenant has no Conditional Access policies at all. The MFA detail check showed one registered device: Microsoft Authenticator on an iPhone 13 Pro Max (app version 6.8.1, SoftwareTokenActivated). No backup phone number is registered.
The `createdDateTime` field on the Authenticator registration was null, so the registration date cannot be confirmed. Mike elected not to take remediation action at this time. A wiki article was created at `wiki/clients/barbaragrygutis.md` and a Syncro ticket (#32349) was opened under Barbara Grygutis Sculpture LLC (customer ID 133348) documenting the findings and pending remediation steps.

---

## Key Decisions

- Used RMM agents on ACG-DC16 and NEPTUNE (both enrolled in GuruRMM, site: DF Server Storage) rather than WinRM, after WinRM timed out on both the external and internal IPs for Neptune.
- Onboarded the tenant before querying account status: the Security Investigator app required consent to pull sign-in logs and auth methods.
- Re-ran `onboard-tenant.sh` a second time to backfill 4 appRoleAssignments that failed on the first pass due to Graph SP replication delay (the 5-second sleep is insufficient for a fresh tenant).
- No remediation taken (password reset, session revocation, CA policies) per Mike's direction; a ticket was opened for follow-up instead.
- Tenant added to the `tenant-consent.html` consent dashboard and immediately marked done after successful onboarding.
- Session log placed under `clients/barbaragrygutis/` (new client directory) to match the wiki slug structure.

---

## Problems Encountered

- **WinRM timeout on Neptune:** Both the external (67.206.163.124) and internal (172.16.3.11) IPs timed out on port 5985. Resolved by switching to the GuruRMM RMM agents on both machines.
- **`pywinrm` not installed:** Module not found on system Python or in the discord-bot venv. Installed via `py -m pip install pywinrm`; moot once the RMM approach was used.
- **Graph replication lag on first `onboard-tenant.sh` run:** 4 appRoleAssignment grants failed with "Resource does not exist" immediately after SP creation. Resolved by re-running the script after a short interval; all grants succeeded on the second pass (the script is idempotent).
- **Empty jq output on initial sign-in queries:** Filter queries using `$filter=userId eq '...'` returned empty output because the shell interpolated `$filter` as a variable inside the heredoc. Resolved by placing the URL-encoded query string directly in the curl URL.
- **Sign-in log query initially returned no results:** First attempts at querying `auditLogs/signIns` returned empty; this turned out to be a `jq` parse failure (control characters in the response). Resolved by switching to `curl -w "\nHTTP:%{http_code}"` and processing the raw JSON directly.

---

## Configuration Changes

- **Created:** `wiki/clients/barbaragrygutis.md` (new client wiki article)
- **Modified:** `.claude/skills/remediation-tool/references/tenant-consent.html` (added Barbara Grygutis entry, status set to `done`)
- **Created:** `clients/barbaragrygutis/session-logs/2026-05-29-session.md` (this file)

---

## Credentials & Secrets

No new credentials created. Vault paths accessed:

- `infrastructure/gururmm-server.sops.yaml` (GuruRMM API credentials, for RMM agent dispatch)
- `clients/dataforth/neptune-exchange.sops.yaml` (Neptune Exchange credentials; attempted WinRM, unused)

MSP app credentials used (read from vault at token acquisition time):

- `msp-tools/computerguru-security-investigator.sops.yaml`
- `msp-tools/computerguru-tenant-admin.sops.yaml`

---

## Infrastructure & Servers

| Host | Role | Notes |
|---|---|---|
| NEPTUNE | Exchange Server 2016 | ACG-hosted, site: DF Server Storage. GuruRMM agent enrolled. WinRM not accessible externally or on 172.16.3.11 |
| ACG-DC16 | Windows DC | ACG domain controller, site: DF Server Storage. GuruRMM agent enrolled. No AD account found for barbara@ |
| barbaragrygutis.com M365 | Tenant | Tenant ID: `25998ddc-49e6-4234-9396-6c152ce4ea69`. MX: barbaragrygutis-com.mail.protection.outlook.com |

---

## Commands & Outputs

```bash
# MX check
nslookup -type=MX barbaragrygutis.com 8.8.8.8
# Result: barbaragrygutis-com.mail.protection.outlook.com (M365)

# Tenant ID resolution
bash .claude/skills/remediation-tool/scripts/resolve-tenant.sh barbaragrygutis.com
# Result: 25998ddc-49e6-4234-9396-6c152ce4ea69

# Onboarding (run twice; second pass clean)
bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh barbaragrygutis.com
# Result: [SUCCESS] Onboarding complete

# RMM commands dispatched:
# - ACG-DC16: Get-ADUser search by mail + UPN → no user found
# - NEPTUNE: Get-Mailbox + Get-Recipient wildcard search → no mailbox found
# - NEPTUNE: Get-MailboxStatistics disconnected mailboxes → zero disconnected mailboxes
```

**Sign-in attack summary (from Graph API):**

- 100 attempts in the 30-day window, earliest 2026-05-27T15:15:28Z, latest 2026-05-29T17:41:50Z
- All errorCode 50053 (blocked: malicious IP)
- 100 unique IPs across Tor, Linode, Hurricane Electric, Limestone Networks, and European proxy ranges
- Apps: Microsoft Azure CLI, Microsoft Online Services, OfficeHome, One Outlook Web

---

## Pending / Incomplete Tasks

- [ ] Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator registered on the account
- [ ] Force password reset (password is 4.5 years old and the account is under active attack)
- [ ] Deploy CA policy: Require MFA for all users
- [ ] Deploy CA policy: Block legacy authentication
- [ ] Consider a geo-restriction CA policy (all legitimate use is expected to be US)
- [ ] Investigate auto-reply status: currently active/scheduled, may confirm account liveness to attackers
- [ ] Investigate Syncro duplicate: customer ID 641406 (grygutisstudios@dokotacom.net), possible secondary contact or stale record

---

## Update: 16:40 PT — Security Defaults check

Checked `identitySecurityDefaultsEnforcementPolicy` on the barbaragrygutis.com tenant.
**Security Defaults: ENABLED**

Baseline protections active: MFA enforced for all users (14-day grace on new sign-ins), legacy authentication blocked, privileged action protection. This explains why the credential spray is being blocked at the Microsoft layer.

Security Defaults and custom CA policies are mutually exclusive: if granular CA is added in future, Security Defaults must be disabled first and replaced with equivalent policies.

Decision: leave the account untouched until Barbara confirms she still has the iPhone 13 Pro Max with Authenticator registered. Security Defaults provide adequate baseline protection in the interim.

---

## Reference Information

- **Syncro ticket:** #32349 (https://computerguru.syncromsp.com/tickets/111566564)
- **Syncro customer:** Barbara Grygutis Sculpture LLC, ID 133348
- **M365 tenant ID:** 25998ddc-49e6-4234-9396-6c152ce4ea69
- **Barbara's user object ID (Entra):** 11b4966e-1e5d-47f4-ad27-57d4713fab61
- **MFA device:** Authenticator ID 8f0e1723-18f6-40d4-8cc1-c4795840bba9 (iPhone 13 Pro Max)
- **Consent dashboard:** `.claude/skills/remediation-tool/references/tenant-consent.html`
- **Wiki article:** `wiki/clients/barbaragrygutis.md`
- **GuruRMM commands dispatched:**
  - ACG-DC16 cmd: f1ebd858-1186-4317-ac78-62696067047b
  - NEPTUNE mailbox cmd: a60781c7-cdc2-42a9-9c4b-370f9cc9f015
  - NEPTUNE disconnected cmd: 3d997d11-a288-413a-ac14-c89091de2b4a
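The sign-in query problem under Problems Encountered (the `$filter` heredoc interpolation) and the attack summary under Commands & Outputs, as one added example that is not the session's own tooling: it builds the `auditLogs/signIns` URL with the OData filter already encoded, then condenses signIn records into the same triage fields (attempt count, unique IPs, error codes, time window, apps) and additionally flags any successful sign-in. The record shape follows Graph's signIn resource; the sample records and their addresses are constructed.

```python
"""Graph signIns query builder and triage summary (added example, not the
session's own tooling). Record shapes follow the Graph signIn resource; all
sample values below are constructed."""
from collections import Counter
from urllib.parse import quote

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def signins_url(user_id: str, top: int = 1000) -> str:
    """Build the signIns request URL with the OData filter pre-encoded.

    Building the query in code (or a quoted heredoc) avoids the heredoc bug
    seen in this session: the shell interpolates `$filter` as an empty
    variable, the API receives no filter, and jq sees no rows."""
    flt = quote(f"userId eq '{user_id}'", safe="'")
    return f"{GRAPH_SIGNINS}?%24filter={flt}&%24top={top}"


def summarize(signins: list) -> dict:
    """Condense signIn records into the fields the attack summary reports,
    plus an explicit success count: any errorCode 0 from spray
    infrastructure is the finding that escalates the response."""
    codes = Counter(s["status"]["errorCode"] for s in signins)
    times = sorted(s["createdDateTime"] for s in signins)
    ok = [s for s in signins if s["status"]["errorCode"] == 0]
    return {
        "attempts": len(signins),
        "unique_ips": len({s["ipAddress"] for s in signins}),
        "error_codes": dict(codes),
        "earliest": times[0] if times else None,
        "latest": times[-1] if times else None,
        "apps": sorted({s["appDisplayName"] for s in signins}),
        "successful": len(ok),
        "successful_ips": sorted({s["ipAddress"] for s in ok}),
    }


# Constructed sample: three blocked attempts (50053, malicious IP) and one
# success, using RFC 5737 documentation addresses.
SAMPLE = [
    {"createdDateTime": "2026-05-27T15:15:28Z", "ipAddress": "203.0.113.10",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 50053}},
    {"createdDateTime": "2026-05-28T02:40:11Z", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 50053}},
    {"createdDateTime": "2026-05-29T17:41:50Z", "ipAddress": "203.0.113.10",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 50053}},
    {"createdDateTime": "2026-05-29T18:02:03Z", "ipAddress": "198.51.100.9",
     "appDisplayName": "One Outlook Web", "status": {"errorCode": 0}},
]
```

Feed `summarize()` the `value` array from the Graph response; a non-zero `successful` count with IPs in the spray ranges is the signal that turns "monitor" into "reset password and revoke sessions".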
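The Graph replication lag noted under Key Decisions and Problems Encountered (appRoleAssignment grants failing with "Resource does not exist" right after SP creation, with a 5-second sleep proving insufficient), as an added example that is not `onboard-tenant.sh` itself: an idempotent reconciliation step that backs off exponentially while the new service principal is still invisible and only grants the roles that are missing, so a second run fills gaps rather than repeating work. `FakeGraph`, `ResourceNotReplicated` and the role ids are constructed stand-ins for a real Graph client.

```python
"""Idempotent appRoleAssignment reconciliation tolerant of Graph replication
lag (added example, not onboard-tenant.sh). FakeGraph is a constructed
stand-in for a Graph client; role ids here are placeholders."""
import time


class ResourceNotReplicated(Exception):
    """Graph answered 'Resource does not exist' for a just-created SP."""


class FakeGraph:
    """Constructed stand-in: the SP is invisible for the first `lag` calls."""

    def __init__(self, lag: int):
        self.lag, self.calls, self.assigned = lag, 0, set()

    def _touch(self, sp_id: str) -> None:
        self.calls += 1
        if self.calls <= self.lag:
            raise ResourceNotReplicated(sp_id)

    def list_assignments(self, sp_id: str) -> set:
        self._touch(sp_id)
        return set(self.assigned)

    def grant(self, sp_id: str, role_id: str) -> None:
        self._touch(sp_id)
        self.assigned.add(role_id)


def reconcile_roles(graph, sp_id, wanted, attempts=6, base_delay=5.0) -> set:
    """Grant every role in `wanted` not yet assigned to `sp_id`.

    A fixed post-creation sleep (5 s on the first onboarding pass) is not
    enough on a fresh tenant; instead back off exponentially while Graph
    still reports the SP missing, and re-read assignments before granting
    so a re-run only fills gaps. Returns the roles still missing."""
    wanted, missing = set(wanted), set(wanted)
    for attempt in range(attempts):
        try:
            missing = wanted - graph.list_assignments(sp_id)
            for role in sorted(missing):
                graph.grant(sp_id, role)
                missing.discard(role)
            return wanted - graph.list_assignments(sp_id)
        except ResourceNotReplicated:
            time.sleep(base_delay * 2 ** attempt)
    return missing
```

A non-empty return value is the onboarding script's cue to report the gap and exit non-zero instead of printing success.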