# /onboard365 — Single-consent M365 tenant onboarding Onboard a customer Microsoft 365 tenant to the ComputerGuru remediation app suite with **one** customer admin-consent click. Thin entry point to the `onboard365` skill. ## Usage ``` /onboard365 Smart: print the consent link if not yet consented, or provision the whole suite if it is. /onboard365 link Just generate the single Tenant Admin consent URL. /onboard365 status Dry-run: show current consent / role state. /onboard365 provision After the customer consents: provision all apps + roles. ``` ## What it does The customer Global Admin consents once to **ComputerGuru Tenant Admin**. Using that grant, `onboard-tenant.sh` (reused from the `remediation-tool` skill) then creates the service principals for Security Investigator, Exchange Operator, User Manager, and (if MDE-licensed) Defender Add-on, grants all their Graph/EXO/Defender permissions, and assigns the required Entra directory roles — no further customer clicks. ## Implementation 1. Read the full playbook in `.claude/skills/onboard365/SKILL.md`. 2. Run `bash .claude/skills/onboard365/scripts/onboard365.sh ` (the script auto-locates the reused remediation-tool scripts and the vault). 3. Confirm the target tenant with the user before generating a link, and again before `provision` (high-privilege, customer-facing). 4. After a clean provision, **record it**: set the tenant's `Onboarded` column to `YES` in the REPO copy of `remediation-tool/references/tenants.md` and note the onboarding in the client wiki. (See SKILL.md → Recording.) This is the front door; once a tenant is onboarded, breach checks and remediation are the `remediation-tool` skill.