# Follow-Up: Dataforth M365 Security Investigation

**Date:** 2026-05-03 (UTC)

**Analyst:** Mike Swanson (Mikes-MacBook-Air)

**Client:** Dataforth Corp

**User:** Jacque Antar (jantar@dataforth.com)

**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`

---

## Summary

This follow-up addresses three items flagged in the breach investigation report for jantar@dataforth.com dated 2026-05-03.

---

## 01 - IdentityRiskyUser.Read.All Scope Status

**Original Issue:** The breach check reported a 403 error when querying the risky users endpoint, attributed to missing `IdentityRiskyUser.Read.All` consent.

**Investigation Result:** [OK] Scope IS Consented, BUT Licensing Issue Exists

The `IdentityRiskyUser.Read.All` permission IS currently consented for the ComputerGuru Security Investigator app in the Dataforth tenant.

Verification:

- The token acquired successfully includes this role in its JWT claims
- App consent was completed (likely after the breach check)
- The service principal exists and is active in the tenant

**However:** An API call to the Identity Protection endpoint returns:

```
403 Forbidden: "Your tenant is not licensed for this feature"
```

**Root Cause:** The Dataforth tenant does NOT have the **Microsoft Entra ID P2** licensing required for Identity Protection features.

**Impact:** The risky user checks cannot function, regardless of app consent, until Entra ID P2 licenses are assigned.

**Recommendation:**

| Priority | Action |
|---|---|
| [INFO] | If Dataforth wants Identity Protection monitoring (risky sign-ins, leaked credentials, anomaly detection), purchase and assign Entra ID P2 licenses |
| [INFO] | If NOT purchasing P2: Document that risky user checks are unavailable; rely on sign-in log analysis and conditional access instead |

---

## 02 - "Dime Client" Application Verification

**Original Issue:** Sign-in logs showed "Dime Client" as the primary application (7 out of 8 successful sign-ins for jantar@dataforth.com over 30 days).
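The consent-versus-licensing distinction behind item 01 can be checked from two artifacts the investigator already has: the roles claim of the acquired token and the body of the 403 response. The following is an added example, not code from the original report or the investigator app; the token, the error bodies (apart from the licensing message quoted above) and all helper names are constructed for the demonstration.

```python
import base64
import json

REQUIRED_ROLE = "IdentityRiskyUser.Read.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def token_roles(jwt: str) -> list[str]:
    """App roles carried in the token payload. Inspection only: no signature check."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return payload.get("roles", [])


def has_required_role(jwt: str, role: str = REQUIRED_ROLE) -> bool:
    return role in token_roles(jwt)


def classify_403(body: str, jwt: str) -> str:
    """Tell a licensing 403 from a consent 403 on the Graph risky-users endpoint."""
    err = json.loads(body).get("error", {})
    if "not licensed" in err.get("message", "").lower():
        return "licensing: Entra ID P2 required; consent state is irrelevant"
    if not has_required_role(jwt):
        return f"consent: {REQUIRED_ROLE} absent from token roles claim"
    return f"other: {err.get('code', 'unknown')}"


def make_token(claims: dict) -> str:
    # Constructed, unsigned token (header.payload.signature) for the demonstration.
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"


# Constructed samples. The licensing message is the one quoted in item 01; the error
# codes are illustrative, with the consent case using Graph's Authorization_RequestDenied text.
CONSENTED_TOKEN = make_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All", REQUIRED_ROLE]})
UNCONSENTED_TOKEN = make_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
LICENSE_403 = json.dumps({"error": {"code": "Forbidden", "message": "Your tenant is not licensed for this feature"}})
CONSENT_403 = json.dumps({"error": {"code": "Authorization_RequestDenied",
                                    "message": "Insufficient privileges to complete the operation."}})
```

Running `classify_403(LICENSE_403, CONSENTED_TOKEN)` reproduces the item 01 finding: the role is present, yet the call is still refused for licensing reasons.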
**Investigation Result:** [INFO] Internal Application - Verification Needed

Details from breach check:

- **App Name:** "Dime Client"
- **Sign-in Frequency:** 7/8 logins (primary app)
- **IP Address:** 67.206.163.122 (Salt Lake City, UT)
- **Platform:** Windows 10
- **Pattern:** Consistent single IP, no foreign logins, no impossible travel

**Assessment:**

- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.)
- NOT found in tenant's service principal directory with "Dime" in display name
- Likely a **custom line-of-business (LOB) application** or **internal Dataforth tool**
- No indicators of compromise - usage is consistent with legitimate work patterns

**Recommendation:**

| Priority | Action | Owner |
|---|---|---|
| [ACTION REQUIRED] | Verify "Dime Client" with Dataforth IT/development team | Dan Center (IT Admin) |
| [ACTION REQUIRED] | Confirm this is an authorized internal application | Dan Center |
| [INFO] | If legitimate: Document in Dataforth's authorized apps inventory | Dataforth IT |
| [WARNING] | If UNKNOWN: Investigate immediately as potential unauthorized access | Dataforth IT + ACG |

**Next Steps:**

1. Contact Dan Center (dcenter@dataforth.com) to confirm "Dime Client" identity
2. If unknown, escalate for full application investigation
3.
   Document outcome in Dataforth's IT asset inventory

---

## 03 - Microsoft Authenticator MFA Upgrade

**Current State:** Jacque Antar uses **SMS-based MFA** (phone: +1 520-245-6929)

**Issue:** SMS MFA is vulnerable to:

- SIM swapping attacks
- SMS interception
- Social engineering (attacker convinces carrier to port number)
- Less phishing-resistant than modern MFA methods

**Recommendation:** Upgrade to **Microsoft Authenticator** (push notifications or TOTP)

**Benefits:**

| Feature | SMS MFA | Microsoft Authenticator |
|---|---|---|
| Phishing Resistance | Low | High |
| SIM Swap Protection | No | Yes |
| Number Matching | No | Yes (context-aware) |
| Offline TOTP | No | Yes |
| Compliance | Basic | Strong (meets NIST AAL2) |

**Implementation Steps:**

1. **Pilot User:** Jacque Antar (jantar@dataforth.com)
   - Current: Password + SMS
   - Target: Password + Microsoft Authenticator (push/TOTP)
2. **Enrollment Process:**
   - User downloads Microsoft Authenticator app (iOS/Android)
   - Admin initiates MFA re-registration OR user self-enrolls via https://aka.ms/mfasetup
   - User scans QR code to add Dataforth account
   - Test push notification and TOTP code generation
   - **CRITICAL:** Keep SMS as backup method during initial rollout (remove after 30 days if Authenticator is stable)
3.
   **Rollout Plan (if expanding beyond Jacque):**
   - Phase 1: IT admins (Dan Center, others)
   - Phase 2: Executive team
   - Phase 3: General users
   - Timeline: 2-4 weeks per phase

**Priority:** [INFO] - Security hardening, not urgent breach response

**Who Should Approve:** Dan Center (IT Admin) + Dataforth management

---

## Summary of Actions

| Item | Status | Next Step | Owner |
|---|---|---|---|
| **IdentityRiskyUser Scope** | [OK] Consented, but needs P2 license | Decide: Purchase P2 or document limitation | Dataforth IT |
| **Dime Client App** | [PENDING] Needs verification | Confirm with Dan Center if authorized app | Dan Center |
| **Authenticator Upgrade** | [RECOMMENDED] Optional hardening | Pilot with Jacque Antar, expand if successful | Dataforth IT |

---

## Files Referenced

- Breach Check Report: `clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md`
- Session Log (initial investigation): `clients/dataforth/session-logs/2026-05-03-session.md`

---

## Contact for Questions

**Arizona Computer Guru**
- Analyst: Mike Swanson
- Email: mike@azcomputerguru.com
- Ticket: #109790034 (Syncro)

**Dataforth IT Contact:**
- Dan Center: dcenter@dataforth.com

---

**Report Generated:** 2026-05-03 by Mike Swanson (Mikes-MacBook-Air)
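Returning to item 02: the assessment there rests on three sign-in-log checks (which app dominates, whether all sign-ins come from a single IP and country, and whether any back-to-back sign-ins imply impossible travel). The block below runs those checks over constructed records shaped like Microsoft Graph signIn objects; it is an added example, not the breach-check tool's code, and MIN_GAP_HOURS, the helper names and the sample records are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

MIN_GAP_HOURS = 4  # assumption: two countries within 4 h is treated as impossible travel


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_signins(records: list[dict]) -> dict:
    """Per-app counts, source IPs/countries and impossible-travel pairs for successful sign-ins."""
    ok = sorted((r for r in records if r["status"]["errorCode"] == 0), key=lambda r: _ts(r["createdDateTime"]))
    apps = Counter(r["appDisplayName"] for r in ok)
    travel = []
    for prev, cur in zip(ok, ok[1:]):
        if prev["location"]["countryOrRegion"] != cur["location"]["countryOrRegion"]:
            gap = _ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])
            if gap < timedelta(hours=MIN_GAP_HOURS):
                travel.append((prev["ipAddress"], cur["ipAddress"], gap.total_seconds() / 3600))
    return {
        "successful": len(ok),
        "primary_app": apps.most_common(1)[0] if apps else None,
        "ips": sorted({r["ipAddress"] for r in ok}),
        "countries": sorted({r["location"]["countryOrRegion"] for r in ok}),
        "impossible_travel": travel,
    }


def _rec(ts: str, app: str, ip: str, city: str, country: str, err: int = 0) -> dict:
    # Minimal Graph signIn-shaped record (only the fields the checks read).
    return {"createdDateTime": ts, "appDisplayName": app, "ipAddress": ip,
            "location": {"city": city, "countryOrRegion": country}, "status": {"errorCode": err}}


# Constructed 30-day sample mirroring the reported pattern for jantar@dataforth.com:
# 8 successes, 7 of them via "Dime Client", all from the single Salt Lake City IP, plus one failure.
JANTAR_LOG = [_rec(f"2026-04-{day:02d}T14:00:00Z", "Dime Client", "67.206.163.122", "Salt Lake City", "US")
              for day in range(3, 31, 4)] + [
    _rec("2026-04-18T09:15:00Z", "Office 365 Exchange Online", "67.206.163.122", "Salt Lake City", "US"),
    _rec("2026-04-20T02:40:00Z", "Dime Client", "67.206.163.122", "Salt Lake City", "US", err=50126),
]

# Constructed contrast case: the same IP, then a documentation-range IP abroad 90 minutes later.
TRAVEL_LOG = [_rec("2026-04-10T12:00:00Z", "Dime Client", "67.206.163.122", "Salt Lake City", "US"),
              _rec("2026-04-10T13:30:00Z", "Dime Client", "203.0.113.7", "Example City", "XX")]
```

`summarize_signins(JANTAR_LOG)` yields the 7/8 "Dime Client" split, a single IP and country, and an empty impossible-travel list; the contrast log flags its one cross-country pair, which is the signal that would have changed the item 02 assessment.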