--- name: reference_365_app_suite description: Authoritative map of the ComputerGuru M365 app suite (apps, App IDs, live-verified permissions per tier) and — the recurring failure — per-tenant consent is NOT uniform; how to audit + fix partial consent. metadata: type: reference --- The ComputerGuru M365 app suite is fully documented in the remediation-tool skill: `.claude/skills/remediation-tool/references/app-suite.md` (authoritative; live-verified 2026-07-02). Read it before concluding "the tool can't do X on tenant Y". **The recurring failure it fixes:** per-tenant consent is NOT uniform. A tenant can have an app's service principal but only a PARTIAL/OLD permission grant. Example: VWP (valleywideplastering.com, 5c53ae9f-…) had the Tenant Admin app but NO SharePoint `Sites.FullControl.All` — SharePoint calls 401'd with a valid-looking token whose `roles` claim was empty. The suite "having" a capability (baseline design) ≠ a given tenant having it (actual consent). **Always AUDIT before giving up:** decode each tier's token `roles` on the target tenant and compare to the baseline in app-suite.md. Empty roles on a correct `aud` = present-but-not-granted. **Fix partial consent — two methods:** - A: re-consent the whole manifest — `https://login.microsoftonline.com//adminconsent?client_id=` (reliably grants Graph; the SharePoint app-only role often does NOT attach from consent — verify + use B for the leftover). - B: grant the specific missing app role directly via `POST /servicePrincipals/{recipientSP}/appRoleAssignments` using a `tenant-admin` token (holds AppRoleAssignment.ReadWrite.All). This is how VWP's SharePoint role was granted 2026-07-02; propagates to a fresh token in seconds. Only to complete an intent the customer already consented to. - EXO role gap: `assign-exchange-role.sh ` (audit fleet: `--all --verify`). Apps: Security Investigator bfbc12a4 (Graph read + EXO read), Exchange Operator b43e7342 (EXO all-access + `exchange-op-graph` Graph Mail.ReadWrite), User Manager 64fac46b (Graph user/group write), Tenant Admin 709e6eed (Graph high-priv + SharePoint Sites.FullControl.All via CERT), Defender dbf8ad1a (MDE), Intune 46986910, Mailbox 1873b1b0 (ACG-internal only). SharePoint app-only REQUIRES cert (not secret). See [[reference_remediation_tool_365_access]], [[feedback_exchange_role_recurring_gap]], [[feedback_exchange_op_all_access]].