Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only).

Syncro rule overhaul:
- Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225)
- Never make up labor items (existing product + real name; QuickBooks sync)
- Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner

/remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table).

Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| name | description | metadata |
|---|---|---|
| feedback-ca-programmatic-management | Conditional Access MAY be managed programmatically via the remediation-tool Tenant Admin app (overrides the old "CA stays manual in portal" boundary); strict report-only-first + break-glass-exclude discipline required | |
Conditional Access policies may be created/modified programmatically via the /remediation-tool Tenant Admin tier (709e6eed — carries Policy.ReadWrite.ConditionalAccess + the Conditional Access Administrator directory role). This overrides the prior scope boundary ("CA stays manual in the portal").
Why: Mike explicitly directed it 2026-05-27 (Quantum onboarding). His rationale: with a break-glass account excluded and policies in report-only, the blast radius is near zero, and he wants the capability for scale (templated CA baselines across tenants).
How to apply — mandatory discipline every time:
- Create/modify in report-only first — state: `enabledForReportingButNotEnforced`. Never create a policy directly enabled.
- Always exclude the tenant's break-glass account in `conditions.users.excludeUsers` (create the break-glass GA first if none exists).
- Verify impact in Entra sign-in logs (report-only logs what would happen) before enforcing.
- Get explicit user confirmation before flipping any policy to `enabled` on a tenant with real users.
- Entra app registrations still stay manual — only CA is in scope for programmatic management.
Endpoint: POST/PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with the tenant-admin token. Verified working on Quantum tenant 2fd0092b (CA001 MFA-all + CA002 block-legacy, report-only). See 365-remediation-tool-reference.
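Added example (not the remediation-tool's own code): a small Python helper that builds CA001/CA002-style policies in report-only state with the break-glass GA excluded, refuses to submit any body that is enabled or lacks the exclusion, and only then POSTs (create) or PATCHes (modify) to the endpoint above. The break-glass object id, token and policy id are caller-supplied placeholders; the Graph field names are the standard conditionalAccessPolicy schema.

```python
import json
import urllib.request
GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"

def _base(display_name, break_glass_id):
    # break_glass_id is the object id of the tenant's break-glass GA, supplied by the caller.
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [break_glass_id]},
            "applications": {"includeApplications": ["All"]},
        },
    }

def build_mfa_all(display_name, break_glass_id):  # CA001-style: require MFA on every sign-in
    p = _base(display_name, break_glass_id)
    p["conditions"]["clientAppTypes"] = ["all"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p

def build_block_legacy(display_name, break_glass_id):  # CA002-style: block legacy auth clients
    p = _base(display_name, break_glass_id)
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p

def check_guardrails(policy, break_glass_id):
    """Return the list of discipline violations; an empty list means safe to submit."""
    problems = []
    if policy.get("state") != REPORT_ONLY:
        problems.append("state must be report-only, never enabled, on create/modify")
    excluded = policy.get("conditions", {}).get("users", {}).get("excludeUsers", [])
    if break_glass_id not in excluded:
        problems.append("break-glass account missing from conditions.users.excludeUsers")
    return problems

def submit_policy(policy, token, break_glass_id, policy_id=None):
    """POST (create) or PATCH (modify) with the tenant-admin token; guardrails run first."""
    problems = check_guardrails(policy, break_glass_id)
    if problems:
        raise ValueError("refusing to submit: " + "; ".join(problems))
    url = GRAPH_CA if policy_id is None else f"{GRAPH_CA}/{policy_id}"
    req = urllib.request.Request(
        url, data=json.dumps(policy).encode(), method="POST" if policy_id is None else "PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # 201 on create, 204 on patch
        return resp.status
```

Flipping a verified policy to `enabled` is deliberately not a function here; that step stays a separate PATCH after the sign-in-log review and explicit confirmation.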