# Note for Mike ## From Howard, 2026-04-19 ### Cascades of Tucson - M365 Remediation App - Identity Protection scope During today's phishing investigation on Cascades of Tucson (crystal.rodriguez, et al.), the 10-point breach check returned `Forbidden` on `/identityProtection/riskyUsers` and `/identityProtection/riskDetections` because **Claude-MSP-Access (ComputerGuru - AI Remediation, App ID `fabb3421-8b34-484b-bc17-e46de9703418`) lacks admin consent for `IdentityRiskyUser.Read.All` on the Cascades tenant.** **Asking before I grant:** should I go ahead and give this consent, or do you want to hold off? #### What the scope does - **Read-only.** Reads Entra ID Identity Protection signals: risky-user state (low/medium/high), and the underlying risk detections (impossible travel, anonymous IP, leaked credentials, malware-linked IP, etc.). - **No write capability** - not `ReadWrite.All`, just `Read.All`. The app cannot reset risk state, dismiss detections, or modify anything in Identity Protection. - **Tenant-scoped.** Consent applies only to the Cascades tenant; doesn't affect other clients. #### Why I want it - Closes a visibility gap in our standard breach-check workflow. Today I had to tell the report "this check skipped" for risky-user signals. - Saves us from logging into the Defender / Entra portal manually during IR to cross-check. - Cascades has Defender P1+ (based on targeted-user protection already configured), so risk data exists to read. #### Why you might say no - Every additional scope on the app = larger blast radius if the app's client secret/cert leaks. - Scope is persistent until revoked via the portal. - Identity Protection data can include sensitive info (IPs, geo, device hints). If our audit logging is weak, reading it leaves tracks we should be aware of. #### My lean **Allow it.** The scope is read-only, the app is narrowly controlled (only us), and we already have Mail.Read, User.Read.All, Exchange Admin, etc. — which are materially more sensitive than this. The inconsistency of "we can read full mailbox contents but not risky-user flags" doesn't match a risk-based model. If you say yes, consent URL is: ``` https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418 ``` Takes ~30 seconds. Sign in as a GA on Cascades' tenant (sysadmin@ works), review the permission, click Accept. Full investigation report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md` - Howard