Mike Swanson
72dab09d3a
Follow-up on three pending items from breach check: - IdentityRiskyUser scope: consented but requires P2 license - Dime Client app: internal app requiring verification with Dan Center - Microsoft Authenticator: drafted upgrade plan and recommendations Created comprehensive follow-up report with action items. Machine: Mikes-MacBook-Air User: Mike Swanson (mike) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
5.7 KiB
Follow-Up: Dataforth M365 Security Investigation
Date: 2026-05-03 (UTC)
Analyst: Mike Swanson (Mikes-MacBook-Air)
Client: Dataforth Corp
User: Jacque Antar (jantar@dataforth.com)
Tenant: dataforth.com | 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
Summary
This follow-up addresses three items flagged in the breach investigation report for jantar@dataforth.com dated 2026-05-03.
01 - IdentityRiskyUser.Read.All Scope Status
Original Issue: Breach check reported 403 error when querying risky users endpoint due to missing IdentityRiskyUser.Read.All consent.
Investigation Result: [OK] Scope IS Consented, BUT Licensing Issue Exists
The IdentityRiskyUser.Read.All permission IS currently consented for the ComputerGuru Security Investigator app in the Dataforth tenant. Verification:
- Token acquired successfully includes this role in the JWT claims
- App consent was completed (likely after the breach check)
- Service principal exists and is active in tenant
However: API call to Identity Protection endpoint returns:
403 Forbidden: "Your tenant is not licensed for this feature"
Root Cause: Dataforth tenant does NOT have Microsoft Entra ID P2 licensing required for Identity Protection features.
Impact: The risky user checks cannot function regardless of app consent until Entra ID P2 licenses are assigned.
Recommendation:
| Priority | Action |
|---|---|
| [INFO] | If Dataforth wants Identity Protection monitoring (risky sign-ins, leaked credentials, anomaly detection), purchase and assign Entra ID P2 licenses |
| [INFO] | If NOT purchasing P2: Document that risky user checks are unavailable; rely on sign-in log analysis and conditional access instead |
02 - "Dime Client" Application Verification
Original Issue: Sign-in logs showed "Dime Client" as primary application (7 out of 8 successful sign-ins for jantar@dataforth.com over 30 days).
Investigation Result: [INFO] Internal Application - Verification Needed
Details from breach check:
- App Name: "Dime Client"
- Sign-in Frequency: 7/8 logins (primary app)
- IP Address: 67.206.163.122 (Salt Lake City, UT)
- Platform: Windows 10
- Pattern: Consistent single IP, no foreign logins, no impossible travel
Assessment:
- NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.)
- NOT found in tenant's service principal directory with "Dime" in display name
- Likely a custom line-of-business (LOB) application or internal Dataforth tool
- No indicators of compromise - usage is consistent with legitimate work patterns
Recommendation:
| Priority | Action | Owner |
|---|---|---|
| [ACTION REQUIRED] | Verify "Dime Client" with Dataforth IT/development team | Dan Center (IT Admin) |
| [ACTION REQUIRED] | Confirm this is an authorized internal application | Dan Center |
| [INFO] | If legitimate: Document in Dataforth's authorized apps inventory | Dataforth IT |
| [WARNING] | If UNKNOWN: Investigate immediately as potential unauthorized access | Dataforth IT + ACG |
Next Steps:
- Contact Dan Center (dcenter@dataforth.com) to confirm "Dime Client" identity
- If unknown, escalate for full application investigation
- Document outcome in Dataforth's IT asset inventory
03 - Microsoft Authenticator MFA Upgrade
Current State: Jacque Antar uses SMS-based MFA (phone: +1 520-245-6929)
Issue: SMS MFA is vulnerable to:
- SIM swapping attacks
- SMS intercep tion
- Social engineering (attacker convinces carrier to port number)
- Less phishing-resistant than modern MFA methods
Recommendation: Upgrade to Microsoft Authenticator (push notifications or TOTP)
Benefits:
| Feature | SMS MFA | Microsoft Authenticator |
|---|---|---|
| Phishing Resistance | Low | High |
| SIM Swap Protection | No | Yes |
| Number Matching | No | Yes (context-aware) |
| Offline TOTP | No | Yes |
| Compliance | Basic | Strong (meets NIST AAL2) |
Implementation Steps:
-
Pilot User: Jacque Antar (jantar@dataforth.com)
- Current: Password + SMS
- Target: Password + Microsoft Authenticator (push/TOTP)
-
Enrollment Process:
- User downloads Microsoft Authenticator app (iOS/Android)
- Admin initiates MFA re-registration OR user self-enrolls via https://aka.ms/mfasetup
- User scans QR code to add Dataforth account
- Test push notification and TOTP code generation
- CRITICAL: Keep SMS as backup method during initial rollout (remove after 30 days if Authenticator stable)
-
Rollout Plan (if expanding beyond Jacque):
- Phase 1: IT admins (Dan Center, others)
- Phase 2: Executive team
- Phase 3: General users
- Timeline: 2-4 weeks per phase
Priority: [INFO] - Security hardening, not urgent breach response
Who Should Approve: Dan Center (IT Admin) + Dataforth management
Summary of Actions
| Item | Status | Next Step | Owner |
|---|---|---|---|
| IdentityRiskyUser Scope | [OK] Consented, but needs P2 license | Decide: Purchase P2 or document limitation | Dataforth IT |
| Dime Client App | [PENDING] Needs verification | Confirm with Dan Center if authorized app | Dan Center |
| Authenticator Upgrade | [RECOMMENDED] Optional hardening | Pilot with Jacque Antar, expand if successful | Dataforth IT |
Files Referenced
- Breach Check Report:
clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md - Session Log (initial investigation):
clients/dataforth/session-logs/2026-05-03-session.md
Contact for Questions
Arizona Computer Guru
- Analyst: Mike Swanson
- Email: mike@azcomputerguru.com
- Ticket: #109790034 (Syncro)
Dataforth IT Contact:
- Dan Center: dcenter@dataforth.com
Report Generated: 2026-05-03 by Mike Swanson (Mikes-MacBook-Air)