# Session Log — 2026-06-01 — Client work review, QWM M365, GDAP docs

## User

- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech

## Session Summary

Reviewed outstanding client work across the books (excluding Cascades) by pulling the coord API todos + component states, then drilled into Quantum Wealth Management (QWM) M365. Performed a read-only Graph review of the live QWM tenant `2fd0092b` using the ComputerGuru Security Investigator app. Found the wiki article was stale (still described the abandoned GoDaddy/johnvelez `8f7eaff4` tenant) and corrected it. Confirmed the 2026-06-03 license-lapse deadline objective is MET: both John and Sheila are Business Premium licensed and have activated Office (signed into Microsoft Office + Authentication Broker from the Tucson office 5/27). The broader Intermedia->M365 migration remains in progress.

The significant QWM finding: `john@quantumwms.com` is under an active distributed password spray — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + an Amsterdam NL malicious-flagged IP + a Praha CZ password guess), 0 successful malicious logins (account NOT breached). The risk is real because John is not MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (CA001 require-MFA, CA003 block-non-US) are still report-only. Saved a full report, updated the wiki + coord, closed the deadline todo, and filed urgent security + migration-remainder todos. Mike is taking over QWM.

Ran a status pass on the remaining client items, then live-verified three: Deere Park WiFi quote (Syncro #32279 — still New, quote never sent, overdue), Len's Auto Brokerage + Sombra Residential GuruRMM deployments (live API), and Birth Biologic Datto SmartBadge (live RMM dispatch — PASS). Recorded all findings as coord components. Filed a todo for a new finding: Sombra's Server2013 (Win Server 2012/R2, EOL) GuruRMM agent has been offline since 2026-05-14 (~18 days), unmonitored.

Investigated whether documented rules exist for onboarding a client to a granular delegated admin (GDAP) relationship. Found ACG runs two delegated-admin models: (1) the ComputerGuru app-consent suite, well documented in the remediation-tool skill (gotchas.md, tenants.md, onboard-tenant.sh); (2) true Pax8/Partner-Center GDAP, which has NO requirements doc — only a group-membership script and scattered session-log mentions. The wiki has no onboarding article (wiki/patterns/ is empty). While reading the GDAP script, found a plaintext ClientSecret committed in the repo and flagged it as a security todo.

## Key Decisions

- Treated the live tenant `2fd0092b` as authoritative and rewrote the stale QWM wiki (it was pointing at the abandoned johnvelez `8f7eaff4` tenant).
- Closed the 6/03 license-lapse todo (`46bda3ec`) because its named objective (license + Office activation before lapse) is verified met; created a migration-remainder todo (`72060fc8`) to preserve the personal-domain + GoDaddy-cancellation steps so nothing was lost. Left the stale johnvelez-tenant todo `37f2196c` open but flagged for cleanup (it's Mike's).
- Filed the QWM password-spray finding as its own urgent todo (`bf09d843`) rather than un-parking the existing security-baseline todo, because the active attack + no-MFA + report-only-CA combination is new and time-sensitive.
- Recorded all live-check results as coord components (the live-status tracker the team reads) rather than only in chat. Used hyphenated client project keys (e.g. `clients-lens-auto-brokerage`) — the slash form 404s on the component PUT endpoint.
- Made NO tenant changes anywhere (QWM and others) — all read-only per the request.

## Problems Encountered

- Coord component PUT returned `Not Found` with the slashed key `clients/quantumwms/m365`; resolved by using the hyphenated key `clients-quantumwms/m365` (matches how existing client components are stored).
- Graph `auditLogs/signIns` `$filter` on `userPrincipalName`/`status` returned empty silently, and `$top=999` returned an empty `value`; resolved by pulling unfiltered at `$top=200` and filtering client-side with jq.
- Coord todo POST initially failed validation (missing `created_by_user`/`created_by_machine`); resolved by adding both required fields.
- Briefly suspected a sync collision because the rebase diffstat showed the QWM report + wiki under "incoming"; verified it was just the pre-rebase comparison direction — Mike's same-day commits were for Jupiter/GURU-KALI/EZ Fast Auto Glass, zero QWM overlap. Files intact after rebase.

## Configuration Changes

Created:

- `clients/quantumwms/reports/2026-06-01-m365-review.md` — full read-only M365 review (committed earlier this session, commit `847d634`).

Modified:

- `wiki/clients/quantumwms.md` — corrected tenant to `2fd0092b`, rewrote users/CA section, added Current Status + security block, updated Open Items (committed `847d634`).

Coord API (server-side, not repo):

- Component `clients-quantumwms/m365` = active (created)
- Component `clients-lens-auto-brokerage/gururmm-deployment` = pending (verified 0 agents)
- Component `clients-sombra-residential/gururmm` = degraded (Server2013 offline)
- Component `clients-birth-biologic/datto-smartbadge` = active (created, PASS verified)
- Component `clients-deere-park/wifi-quote` = pending (created)
- Todo `46bda3ec` -> done (QWM 6/03 lapse)
- Todos created: `bf09d843` (QWM security/spray), `72060fc8` (QWM migration remainder), `7221c025` (Sombra Server2013 offline, ->howard), `10536f07` (exposed secret, ->mike)

## Credentials & Secrets

- **EXPOSED (flagged, not yet remediated):** plaintext `ClientSecret` for app `fabb3421-8b34-484b-bc17-e46de9703418` (deprecated ComputerGuru AI Remediation app) in ACG partner tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d`, committed at `clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1` line 9 (and in git history). Tracked in todo `10536f07` — rotate + remove + confirm app retirement.
- QWM read performed with ComputerGuru Security Investigator app `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` (cert auth, read-only). No new secrets created.
- QWM break-glass remains vaulted at `clients/quantumwms/m365-breakglass.sops.yaml`.

## Infrastructure & Servers

- **QWM M365 tenant (current):** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management", `quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial). Users: john@/sheila@ (Business Premium, not MFA-registered), sysadmin@ (Mike, GA, MFA), breakglass@ (GA, CA-excluded). CA001/CA002/CA003 all report-only; Security Defaults ON. Abandoned tenants: `8f7eaff4` (johnvelez/NETORGFT2570783), `ddf3d2c9` (dormant GoDaddy netorg18235235).
- **GuruRMM:** API `http://172.16.3.30:3001`. Len's Auto Brokerage client `bc76984f`, site "Main" code `UPPER-STAR-2820` — 0 agents. Sombra Residential client `4143369f`: Server2013 (agent `5383e9c1`, build 9200, OFFLINE, last_seen 2026-05-14) + DESKTOP-UQRN4K3 (Win11, online). Birth Biologic KSTEENBB2025 agent `ee3c6aea` (online, verify PASS).
- **Syncro #32279** "Onsite - Install Office (and new quote for wifi)", customer Deere Park Development (id 7088463), internal id 110305905, status New. DPA Inc tenant `11de2fe0-4fa4-4b28-a430-40bc20c86fc2`.

## Commands & Outputs

- Graph token: `bash get-token.sh 2fd0092b-... investigator` (cert auth).
- Sign-in pull (filter quirk workaround): `GET /v1.0/auditLogs/signIns?$top=200`, then jq client-side. John: 102 events, 4 success (all Tucson 69.254.197.173, 5/27), 98 failures (94x err 50053 malicious-IP block, 4x err 50126 bad password). Foreign: Amsterdam NL `192.42.116.61` (50053), Praha CZ `130.193.15.79` (50126).
- Component PUT pattern: `PUT /api/coord/components/clients-/` (hyphenated key).
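The client-side triage behind the sign-in numbers above (and the `$filter` workaround noted under Problems Encountered), as an added example that is not the session's own jq or the project's code. It classifies a user's records from an unfiltered `auditLogs/signIns` pull by `status.errorCode` (0 = success), counts unique failing IPs, and separates the distributed-spray signature (many failures over nearly as many IPs) from the breach signal (a success from an attacking or foreign IP). The Graph property names are real; the records in `SAMPLE_SIGNINS`, the `HOME_COUNTRY` choice and the spray thresholds are constructed assumptions, not the tenant's log.

```python
"""Client-side triage of Microsoft Graph signIns records (added example).

Mirrors the workaround above: pull /v1.0/auditLogs/signIns unfiltered and
classify per user client-side instead of trusting $filter. Field names
(userPrincipalName, ipAddress, createdDateTime, status.errorCode,
location.countryOrRegion/city) are real Graph signIn properties; errorCode 0
means the sign-in succeeded. SAMPLE_SIGNINS is CONSTRUCTED (documentation
address ranges), not the tenant's real log.
"""
from collections import Counter

HOME_COUNTRY = "US"  # assumption: any other country counts as "foreign"


def _rec(upn, ip, code, country, city, when):
    """Build a minimal signIn-shaped record (only the fields the triage reads)."""
    return {
        "userPrincipalName": upn,
        "ipAddress": ip,
        "createdDateTime": when,
        "status": {"errorCode": code},
        "location": {"countryOrRegion": country, "city": city},
    }


# Constructed sample: 2 successes from one office IP, 6 failures from 6 distinct IPs.
SAMPLE_SIGNINS = [
    _rec("john@example.test", "203.0.113.10", 0, "US", "Tucson", "2026-05-27T16:01:00Z"),
    _rec("john@example.test", "203.0.113.10", 0, "US", "Tucson", "2026-05-27T16:02:00Z"),
    _rec("john@example.test", "2001:db8::1", 50053, "US", "Ashburn", "2026-05-30T03:10:00Z"),
    _rec("john@example.test", "2001:db8::2", 50053, "US", "Ashburn", "2026-05-30T03:11:00Z"),
    _rec("john@example.test", "2001:db8::3", 50053, "DE", "Frankfurt", "2026-05-30T03:12:00Z"),
    _rec("john@example.test", "198.51.100.7", 50053, "NL", "Amsterdam", "2026-05-30T03:13:00Z"),
    _rec("john@example.test", "198.51.100.8", 50126, "CZ", "Praha", "2026-05-30T03:14:00Z"),
    _rec("john@example.test", "198.51.100.9", 50126, "US", "Dallas", "2026-05-31T03:14:00Z"),
    _rec("SHEILA@example.test", "203.0.113.10", 0, "US", "Tucson", "2026-05-27T16:05:00Z"),
]


def summarize_signins(records, upn, home_country=HOME_COUNTRY):
    """Classify one user's sign-ins from an unfiltered signIns pull.

    UPN matching is case-insensitive: Graph may return the UPN in different
    casing than the value typed into a $filter, which is one way a filter
    silently returns nothing.
    """
    mine = [r for r in records if r.get("userPrincipalName", "").lower() == upn.lower()]
    successes = [r for r in mine if r["status"]["errorCode"] == 0]
    failures = [r for r in mine if r["status"]["errorCode"] != 0]
    failed_ips = {r["ipAddress"] for r in failures}
    return {
        "total": len(mine),
        "success": len(successes),
        "failures": len(failures),
        "unique_failed_ips": len(failed_ips),
        "by_error_code": dict(Counter(r["status"]["errorCode"] for r in failures)),
        "success_ips": sorted({r["ipAddress"] for r in successes}),
        # A success from an IP that also produced failures is the classic breach tell.
        "success_from_attack_ip": sorted(
            {r["ipAddress"] for r in successes if r["ipAddress"] in failed_ips}
        ),
        "foreign_failures": [
            (r["ipAddress"], r["location"]["countryOrRegion"], r["location"]["city"],
             r["status"]["errorCode"])
            for r in failures if r["location"]["countryOrRegion"] != home_country
        ],
        "foreign_successes": [
            (r["ipAddress"], r["location"]["countryOrRegion"])
            for r in successes if r["location"]["countryOrRegion"] != home_country
        ],
    }


def looks_like_distributed_spray(summary, min_failures=20, min_ip_ratio=0.8):
    """Many failures spread across nearly as many source IPs is the distributed-spray
    signature. Thresholds are assumptions; tune them to the tenant's normal noise."""
    if summary["failures"] < min_failures:
        return False
    return summary["unique_failed_ips"] / summary["failures"] >= min_ip_ratio


def account_breached(summary):
    """True when any success came from an attacking or foreign IP: escalate at once."""
    return bool(summary["success_from_attack_ip"] or summary["foreign_successes"])


if __name__ == "__main__":
    s = summarize_signins(SAMPLE_SIGNINS, "john@example.test")
    print(s)
    print("spray:", looks_like_distributed_spray(s, min_failures=5))
    print("breached:", account_breached(s))
```

On a real pull, feed `summarize_signins` the `value` array of the saved Graph response (`json.load(f)["value"]`); with `$top=200` pages, concatenate the pages first. The `success_from_attack_ip` and `foreign_successes` fields are what separate "under spray, not breached" (the QWM case) from "breached", so they belong in the report alongside the failure counts.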
## Pending / Incomplete Tasks

- **QWM (Mike owns now):** security todo `bf09d843` (reset John's password, MFA registration, enforce CA001+CA003); migration remainder `72060fc8`; PST backups `d3623023`; close stale `37f2196c`.
- **Len's Auto Brokerage GuruRMM deployment** — NEXT TASK this session. Site `UPPER-STAR-2820` exists, 0 agents. Need site-specific MSI from dashboard, then execute GPO rollout to ~10 endpoints. Prep in `clients/lens-auto-brokerage/docs/`.
- **Sombra Server2013 offline** — todo `7221c025` (investigate power/service/connectivity; EOL box dark).
- **Deere Park** — build + send updated UniFi quote to Richard Glabman, attach to #32279.
- **Exposed secret** — todo `10536f07`.
- **Doc gap:** no GDAP/onboarding rules doc; offered to draft `wiki/patterns/m365-client-onboarding.md`.

## Reference Information

- QWM report: `clients/quantumwms/reports/2026-06-01-m365-review.md`. Prior commit `847d634`.
- Onboarding docs: `.claude/skills/remediation-tool/references/{gotchas.md,tenants.md}`, `scripts/onboard-tenant.sh`. GDAP groups: `clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1` (13 M365 GDAP groups + AdminAgents in tenant ce61461e).
- Coord API: `http://172.16.3.30:8001/api/coord`. Todos this session: 46bda3ec (done), bf09d843, 72060fc8, 7221c025, 10536f07.
- Syncro #32279: https://computerguru.syncromsp.com/tickets/110305905

---

## Update: 10:26 PT — Len's Auto Brokerage GuruRMM deployment (complete) + Dataforth handoff

### Summary

Executed and reconciled the Len's Auto Brokerage GuruRMM rollout. Resolved the enrollment key from agent source: the **site code `UPPER-STAR-2820` IS the enrollment credential** (the site's api_key is null and irrelevant for the `.exe install --api-key ` / WS auto-register path). Installer confirmed live. Environment is a workgroup (no AD domain), so delivery was via **ScreenConnect**, not GPO. Howard enrolled all machines online in the last ~2 months.

Reconciled GuruRMM (8 online agents) against the Syncro asset list (15). All machines online in the last 2 months are enrolled. Key identity resolution: **LAB-SVR (RMM) = LENS-SV (Syncro) = the new/current server**, one HPE MicroServer Gen10+ v2 (SN 3M1D1T12PD, Server 2019, IP .81) that the old overview doc had called DESKTOP-BMBTQLI. The old **LAB-SERVER** (Server 2008, .241) is deliberately NOT enrolled — the agent won't run on 2008; decommission handles it. Machines offline >2 months (DESKTOP-LJ825H1, LAB-005252, MATT, PARKER) are being removed from Syncro — no action. desertRV machines (DESERTRVSERVER, DRV-TK-DESKTOP) belong to a separate group that doesn't exist in GuruRMM yet.

### Decisions

- ScreenConnect delivery (workgroup, no domain → GPO not viable).
- Site code = enrollment key (verified in agent source, not guessed).
- Do not enroll the EOL Server 2008 box; let decommission handle it.
- Re-scoped the desertRV todo to its own client key (was mis-filed under Len's).

### Config / coord changes

- Created: `clients/lens-auto-brokerage/docs/gururmm-deployment.md` (runbook + reconciliation).
- Modified: `clients/lens-auto-brokerage/docs/overview.md` (server table — LAB-SVR/LENS-SV identity, LAB-SERVER EOL).
- Coord: component `clients-lens-auto-brokerage/gururmm-deployment` = deployed (reconciled); deployment lock `01eae532` claimed + released.
- Todos: `3aeb3f2b` (desertRV stand-up, ->howard), `a0b890ae` closed (superseded/re-scoped), `37543f7f` (Dataforth optical-tester, ->howard).

### Infrastructure

- Len's: 192.168.1.0/24, WAN 174.77.67.237, ScreenConnect. GuruRMM client `bc76984f`, site "Main" `d8f69cd8` / code `UPPER-STAR-2820`. 8 agents online.
- New server LAB-SVR/LENS-SV: HPE MicroServer Gen10+ v2, SN 3M1D1T12PD, Server 2019 (installed 4/15/2026), 192.168.1.81.
- Old EOL server LAB-SERVER: HP ProLiant ML310e Gen8 v2, SN MX253500HB, Server 2008, 192.168.1.241 (up 79d, not in RMM).

### Pending / Next

- **NEXT SESSION (after /clear): Dataforth optical-tester** (todo `37543f7f`, Mike's request) — VLAN the XP optical tester + give it backup to a server; XP can't do modern SMB, so it must reach the legacy NAS or an SMB1-capable server. Scope SMB1 narrowly (security).
- desertRV stand-up (todo `3aeb3f2b`).
- Len's optional follow-up: site walkthrough + user self-installer (`UPPER-STAR-2820`) to catch stragglers; cosmetic LAB-SVR vs LENS-SV hostname mismatch.