# Session Log — 2026-06-02 — Glaz-Tech Industries

## User

- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin

---

## Session Summary

Mike requested a transport rule in the Glaztech Exchange Online tenant to allow messages from MailProtector as `noreply@azcomputerguru.com` through spam filtering. These are MailProtector quarantine digest notifications sent to Glaztech users on behalf of ACG's no-reply address.

Before creating the rule, a message trace was pulled (via `Get-MessageTraceV2`) for `noreply@azcomputerguru.com` over the past 10 days to verify that messages were in fact being filtered by Microsoft. The trace confirmed the issue: the vast majority of digest messages delivered successfully, but some recipients were hitting `FilteredAsSpam` status (e.g., `tshaw@glaztech.com` on 2026-06-02 at 3:07 PM). The `gtimail@glaztech.com` address showed `Failed` status on every daily send — this is caused by the existing "GTIMail No-Reply - Reject Inbound" transport rule (Priority 1, `SentToPredicate` → `RejectMessageAction`) and is a separate, pre-existing issue noted for follow-up.

Authentication to Exchange Online used the ComputerGuru Exchange Operator multi-tenant app (`b43e7342`) with certificate-based credentials from the vault. The token was acquired via `get-token.sh` for the `exchange-op` tier against the Glaztech tenant (`82931e3c-de7a-4f74-87f7-fe714be1f160`) and passed to `Connect-ExchangeOnline -AccessToken` with EXO PowerShell V3 (3.9.2).

A new transport rule was created: **"SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)"** at Priority 4, condition `From: noreply@azcomputerguru.com`, action `SetSCL -1`. This bypasses all spam and junk folder filtering for these digests. The rule was verified active immediately after creation.

---

## Key Decisions

- **SCL = -1 rather than domain-level bypass:** The sender address `noreply@azcomputerguru.com` is specific enough that setting SCL=-1 on it carries minimal risk. A domain-level bypass (`azcomputerguru.com`) was considered but rejected — too broad, would cover all ACG-origin mail.
- **Priority 4:** Placed below the existing SCL bypass rules (Priority 2–3) since no conflict exists; priority ordering doesn't matter for non-overlapping senders. Placed above any catch-all rules that might exist in the future.
- **Did not restrict by connector:** The "Inbound Spam Filter" connector has no SenderIPAddresses restriction (per prior decision — avoids blocking calendar invites from external M365 tenants). Adding a connector-based condition to the rule was avoided for the same reason.
- **gtimail@glaztech.com not addressed:** The daily `Failed` delivery to `gtimail@glaztech.com` is caused by the pre-existing "GTIMail No-Reply - Reject Inbound" rule. Mike did not request any change to that rule; flagged for separate review.

---

## Problems Encountered

- **`Get-MessageTrace` deprecated:** Initial call to `Get-MessageTrace` returned a deprecation warning and failed. Switched to `Get-MessageTraceV2`. Note: `Get-MessageTraceV2` does not accept `-PageSize` — that parameter does not exist on the V2 cmdlet.
- **`New-TransportRule -SenderAddresses` not valid:** First attempt used `-SenderAddresses` which is not a valid parameter. Correct parameter is `-From` for explicit sender address matching.
- **Cert not in Windows cert store:** Exchange Operator cert (`A615823DE1CAF15229027DEC075AFE32B900D82C`) is not installed in LocalMachine\My or CurrentUser\My on BEAST. Used `get-token.sh` cert-based JWT flow instead, passing the resulting bearer token to `Connect-ExchangeOnline -AccessToken`.


---

## Configuration Changes

- **Exchange Online transport rule created** in `glaztechindustries.onmicrosoft.com`:
  - Name: `SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)`
  - Condition: `From = noreply@azcomputerguru.com`
  - Action: `SetSCL -1`
  - Priority: 4
  - State: Enabled
  - Comments: "Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG."

---

## Credentials & Secrets

- **Vault path used:** `msp-tools/computerguru-exchange-operator.sops.yaml`
  - App: ComputerGuru - Exchange Operator
  - Client ID: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`
  - Cert thumbprint: `A615823DE1CAF15229027DEC075AFE32B900D82C`
  - Token acquired via: `bash .claude/skills/remediation-tool/scripts/get-token.sh exchange-op`

---

## Infrastructure & Servers

- **Glaztech tenant:** `glaztechindustries.onmicrosoft.com`
- **Tenant ID:** `82931e3c-de7a-4f74-87f7-fe714be1f160`
- **Inbound mail filter:** MailProtector — `glaztech-com.inbound.emailservice.io`
- **Inbound connector:** "Inbound Spam Filter" — Partner type, RequireTls=True, no IP restriction (intentional — preserves calendar invite delivery)
- **EXO PowerShell module:** ExchangeOnlineManagement 3.9.2

---

## Commands & Outputs

```powershell
# Connect to Glaztech EXO with app-only token
$token = bash .claude/skills/remediation-tool/scripts/get-token.sh 82931e3c-de7a-4f74-87f7-fe714be1f160 exchange-op
Connect-ExchangeOnline -AccessToken $token -Organization 'glaztechindustries.onmicrosoft.com' -ShowBanner:$false

# Message trace (last 10 days) — confirmed FilteredAsSpam occurrences
Get-MessageTraceV2 -SenderAddress 'noreply@azcomputerguru.com' -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
# Key finding: tshaw@glaztech.com → FilteredAsSpam (2026-06-02 3:07 PM)
# Key finding: gtimail@glaztech.com → Failed daily (pre-existing rule, separate issue)

# Create rule
New-TransportRule `
    -Name 'SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)' `
    -From 'noreply@azcomputerguru.com' `
    -SetSCL -1 `
    -Priority 4 `
    -Comments 'Bypass spam filtering for MailProtector quarantine digest emails sent as noreply@azcomputerguru.com. Created 2026-06-02 by ACG.' `
    -Enabled $true
```

**Final transport rule list (Glaztech):**

```
Priority 0  Pensky Allow                                                      Enabled
Priority 1  GTIMail No-Reply - Reject Inbound                                 Enabled
Priority 2  SCL Bypass - hartsglass + olemons (SHVSALES)                      Enabled
Priority 3  SCL Bypass - aaaglassinc.com (SHVSALES)                           Enabled
Priority 4  SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)   Enabled
```

---

## Pending / Incomplete Tasks

- **gtimail@glaztech.com failing daily:** The "GTIMail No-Reply - Reject Inbound" rule (Priority 1) rejects all inbound mail to `gtimail@glaztech.com`. This causes the daily MailProtector digest to fail for that address. Confirm with Steve Eastman whether `gtimail@glaztech.com` should receive digests (i.e., whether the reject rule should have an exception or be modified).
- **Exchange Operator cert not in BEAST cert store:** If cert-based PowerShell connections are needed without `get-token.sh` (e.g., for interactive EXO sessions), the cert will need to be imported to the machine store. Not urgent — token flow works fine for bot-driven operations.

---

## Reference Information

- **Syncro customer ID:** 143932
- **EXO rule created:** `SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)` — Priority 4
- **EXO PowerShell V2 deprecation note:** `Get-MessageTrace` deprecated Sept 1 2025; use `Get-MessageTraceV2` (no `-PageSize` parameter)
- **Vault:** `msp-tools/computerguru-exchange-operator.sops.yaml`
- **Token cache:** `/tmp/remediation-tool/82931e3c-de7a-4f74-87f7-fe714be1f160/exchange-op.jwt`
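
The SCL bypass recorded in this log is scoped by sender address alone. As an added example (not part of the original session log or its tooling), the PowerShell function below lists every `SetSCL -1` rule and reports whether anything other than the sender address or domain scopes it. The function name `Get-SclBypassRuleAudit`, the sample objects and the `example.com` rule are assumptions made for illustration.

```powershell
function Get-SclBypassRuleAudit {
    [CmdletBinding()]
    param(
        # Rule objects as returned by Get-TransportRule (or the sample below).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Rule
    )
    begin {
        # Conditions that match on the sender address or domain.
        $senderProps = 'From', 'FromAddressContainsWords',
                       'FromAddressMatchesPatterns', 'SenderDomainIs'
        # Conditions that look at something other than the sender address.
        $otherProps  = 'SenderIpRanges', 'HeaderContainsMessageHeader',
                       'HeaderMatchesMessageHeader'
    }
    process {
        # SetSCL may be an int or a typed value; compare its string form.
        if ("$($Rule.SetSCL)" -ne '-1') { return }
        $present = foreach ($name in ($senderProps + $otherProps)) {
            $prop = $Rule.PSObject.Properties[$name]
            if ($prop -and $prop.Value) { $name }
        }
        $sender = @($present | Where-Object { $_ -in $senderProps })
        $other  = @($present | Where-Object { $_ -in $otherProps })
        [pscustomobject]@{
            Priority         = $Rule.Priority
            Name             = $Rule.Name
            State            = $Rule.State
            SenderConditions = $sender -join ', '
            OtherConditions  = $other -join ', '
            # True when the sender address is the only thing scoping the bypass.
            SenderOnly       = ($sender.Count -gt 0 -and $other.Count -eq 0)
        }
    }
}

# Constructed sample: the first object mirrors the Priority 4 rule in this log;
# the second is hypothetical and shows a rule that also checks a header.
$sample = @(
    [pscustomobject]@{ Priority = 4; State = 'Enabled'; SetSCL = -1
                       Name = 'SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)'
                       From = 'noreply@azcomputerguru.com' }
    [pscustomobject]@{ Priority = 9; State = 'Enabled'; SetSCL = -1
                       Name = 'Hypothetical - sender plus header check'; SenderDomainIs = 'example.com'
                       HeaderContainsMessageHeader = 'Authentication-Results'; HeaderContainsWords = 'dmarc=pass' }
)
$sample | Get-SclBypassRuleAudit | Format-Table -AutoSize
# Against a connected tenant: Get-TransportRule | Get-SclBypassRuleAudit
```

With the constructed sample, the Priority 4 rule is reported with `SenderOnly = True` and the hypothetical rule with `SenderOnly = False`.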