Mike Swanson
100a491ac6
Two session logs: - session-logs/2026-04-16-session.md: cross-cutting (multi-user, audit, infrastructure) - guru-rmm session log appended: MSI installer, Len's Auto Brokerage, Uranus, migration drift Gap fixes: GrepAI initialized + MCP server added, Ollama models pulling, settings.json created (bypassPermissions), MCP_SERVERS.md written. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3.5 KiB
3.5 KiB
name, description
| name | description |
|---|---|
| remediation-tool | M365 tenant investigation and remediation using the Claude-MSP-Access Graph API app (App ID fabb3421-8b34-484b-bc17-e46de9703418, known as "ComputerGuru - AI Remediation" in customer tenants). Auto-invoke when the user says "remediation tool", "365 remediation", "check <user>'s mailbox/box", "credential stuffing" against an M365 user, "breach check" on an M365 tenant, or needs M365 admin API work that client-credentials Graph + Exchange REST can perform. NOT for CIPP — this is the direct Graph API app. Also invoke when the user needs any of: inbox rule enumeration, mailbox forwarding check, delegate/SendAs audit, OAuth consent audit, sign-in log queries, risky user lookup, directory audit queries, B2B guest invite audit against M365. Triggers: "365 remediation", "remediation tool", "check <user> box/mailbox/account for breach", "credential stuff*", "who's getting attacked", "foreign sign-in", "inbox rule", "mailbox forward*", "oauth consent" (in MSP context), "tenant sweep", "risky user", "hidden rule", Exchange Online admin API, "adminapi/beta/{tenant}/InvokeCommand". |
365 Remediation Tool
Read-only by default. All remediation actions require explicit YES confirmation in chat (not a permission prompt).
Auto-Invocation Behavior
When triggered automatically (vs. via /remediation-tool), follow the same workflow described in .claude/commands/remediation-tool.md:
- Parse the user's intent into a subcommand (check/sweep/signins/consent-url/remediate).
- Resolve tenant ID from domain.
- Acquire tokens (cached).
- Run checks via scripts in
scripts/. - Interpret findings using
references/checklist.md. - Write report to
clients/{slug}/reports/YYYY-MM-DD-{action}.mdusingtemplates/breach-report.md. - Chat summary + delegate commit to Gitea agent.
Before calling any script, verify
- The SOPS vault is accessible:
test -f D:/vault/scripts/vault.sh(Windows) ortest -f ~/vault/scripts/vault.sh(other). jq,curl,bashare available.- For Exchange REST checks: confirm the target tenant has Exchange Administrator role assigned to the app's service principal (display name "ComputerGuru - AI Remediation"). If any Exchange REST call returns 403, emit the tenant-scoped Entra Roles link from
references/gotchas.md. - For Identity Protection checks: app manifest must include
IdentityRiskyUser.Read.Allor.ReadWrite.All, AND the tenant must have admin-consented after that permission was added. If 403, emit the consent URL.
Conventions
- Target identifiers: accept UPN, domain, or tenant GUID. Normalize to tenant GUID internally.
- Token cache:
/tmp/remediation-tool/{tenant-id}/{scope}.jwt. TTL 55 minutes. Check-mmin -55before reuse. - Raw JSON artifacts:
/tmp/remediation-tool/{tenant-id}/{check}/— keep so the user can re-analyze. - Reports:
clients/{slug}/reports/YYYY-MM-DD-{action}.md. Derive slug from domain (strip TLD, hyphenate). - UTC dates everywhere.
Scope boundaries
- Not a replacement for CIPP. Use CIPP for bulk baseline configuration, templates, standards alerting. Use this tool for focused investigation and point-in-time remediation.
- Not for creating/modifying Entra apps or Conditional Access policies. Those are sensitive enough to stay manual in the portal.
- Not for Graph permissions the app doesn't have. If a call 403s and the scope isn't in the app manifest, stop and tell the user — don't try to work around it.