claudetools/wiki/clients/birth-biologic.md
Mike Swanson 1f15a6bc79 sync: auto-sync from GURU-5070 at 2026-06-29 11:05:52
2026-06-29 11:06:44 -07:00

type: client
name: birth-biologic
display_name: BirthBiologic
last_compiled: 2026-06-26
compiled_by: GURU-5070/claude-main
sources / backlinks:
  clients/birth-biologic/session-logs/2026-04-21-session.md
  clients/birth-biologic/session-logs/2026-06-02-session.md
  clients/birth-biologic/session-logs/2026-06/2026-06-26-mike-birthbio-mail-migration-and-datto-vm.md
  clients/birth-biologic/docs/migration/google-to-m365-scope.md
  projects/gururmm
aliases: birthbiologic

BirthBiologic

Profile

  • Company type: Biological/healthcare services (cord blood / donor services implied by site structure: Donor Services, Quality Department, Birth Biologic Activity Reports); Stilwell, KS
  • Contract type: Prepaid hour block
  • Key contacts:
    • Annise — primary client contact for migration work; no last name or email documented
    • Kristin Steen — ksteen@birthbiologic.com (known Syncro contact; workstation KSTEENBB2025)
    • sysadmin@birthbiologic.com — M365/Google shared admin account (ACG-managed); M365 Business Premium license assigned 2026-04-21; SharePoint admin role confirmed
  • Billing rate: (verify — check Syncro invoices)
  • Hours remaining (prepaid): 10.0 hrs as of 2026-06-26
  • Syncro customer ID: 17983014
  • Managed assets (Syncro): 13
  • Open tickets: 0 as of 2026-06-26
  • Historical ticket: #109277420 — Datto Workplace to SharePoint Migration; assigned Mike Swanson; contact Annise; closed/historical

Infrastructure

Servers & Services

Host | IP | Role | OS | Notes
BB-SERVER | (verify) | On-premise Windows server | Windows Server 2016 | GuruRMM agent 6c02baa7-0f1c-4990-b466-c9ab9eaefd3b installed 2026-04-21; Datto Workplace Server installed; custom Datto→SP migration script artifacts at C:\GuruMigration; state file shows 160 Supply Mgmt + 49 ITSvcs uploaded April 2026
ACG-DWP-X-BB | 172.16.3.45 | ACG-owned Datto/SPMT migration VM (Jupiter libvirt) | Windows Server 2019 build 17763 (libvirt domain label "Windows Server 2016") | Static IP /22, GW 172.16.0.1, DNS 172.16.0.1+1.1.1.1; virtio NIC 52:54:00:d4:8e:59 on br0 (vnet14); Datto Workplace Server (svc datto_workplace_server.default) + SPMT (under Administrator profile); source tree C:\Users\Public\Desktop\Datto Workplace Server Projects; GuruRMM agent a4524e85-8a07-45d0-91b1-51ce7e2ca74a enrolled 2026-06-26

Email & Identity

  • M365 tenant: birthbiologic.com / tenant ID 19a568e8-9e88-413b-9341-cbc224b39145
  • Target delivery domain (migration): birthbiologic.onmicrosoft.com
  • Accepted domains: birthbiologic.com (default), birthbiologic.onmicrosoft.com
  • MX (as of 2026-06-29): M365 (birthbiologic-com.mail.protection.outlook.com) — cutover done 2026-06-27 (Sat); live mail now on M365 (was Google Workspace through 06-26). Always verify MX live; do not trust the 06-26 migration-scope docs.
  • Mail groups / shared mailboxes (created/configured 2026-06-29):
    • medicalrecords@: distribution group, 14 members (12 core staff + medicaldirector@ + mmerritt@), RequireSenderAuthenticationEnabled=$false (external processors can email it). Functions as all-staff but is a distinct named group for time-sensitive processor outreach.
    • info@: shared mailbox; Full Access + Send As: Brandy Burgess, Julie Beck.
    • quality@: shared mailbox; Full Access + Send As: Brandy Burgess, Julie Beck, Mary Ster, Alicia Meneely, Kristin Steen, Vicki Fountain.
    • Other existing shared mailboxes: accounting@, operations@ (user mailbox).
  • DNS host: SiteGround (ns1/ns2.us92.siteground.us); Registrar: Name.com; www → GCP 35.215.115.203 (not in scope)
  • M365 licensing (all consumed as of 2026-06-26):
    • Business Premium (skuId cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46): 14/14
    • Exchange Online Plan 1 — EXCHANGESTANDARD (skuId 4b9405b0-7788-4568-add1-99614e613b69): 7/7
    • Active: 12 staff + sysadmin@ + operations@ on Business Premium; Dr. Chris Gillis (medicaldirector@) + Michael Merritt (mmerritt@) created 2026-06-26 with Exchange-only (passwords vaulted); 5 former employees (sabron, aboutte, araso, khoffman, pnelson) Exchange-only with sign-in disabled (future shared-mailbox targets, license reclaimable post-conversion)
    • Mindi address mismatch: mindim@ (Google) vs mmaher@ (M365) — mapped via CSV Username column + smtp:mindim@birthbiologic.com proxy added to her mailbox via Set-Mailbox
  • MFA status: (verify)
  • ACG remediation tool consent status (as of 2026-06-26 — FULLY ONBOARDED):
    • Security Investigator: consented (SP bf684a4b-…)
    • Tenant Admin: consented (app client_id 709e6eed-0711-4875-9c44-2d3518c47063; SP object 7a199b11-97fb-4e65-917d-f8d29a53ba49; consent redirect URI must be https://azcomputerguru.com, NOT https://rmm.azcomputerguru.com)
    • Exchange Operator: consented 2026-06-26 (SP bab4699b-32a3-4434-9cad-7a4a08cc4d9e; Exchange Administrator role)
    • User Manager: consented 2026-06-26 (SP 3347ebcc-…)
    • Defender Add-on: consented 2026-06-26 (SP 161b8f61-…)
  • Note: sysadmin@birthbiologic.com did not have a SharePoint/M365 license prior to 2026-04-21. For SharePoint app-only access, use Tenant Admin app with Sites.ReadWrite.All (no user license required for app-only).
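The licensing figures above and the stale-GUID gotcha under Patterns & Known Issues both come down to one rule: resolve the skuId from a live GET /subscribedSkus response and check free seats before calling assignLicense. The following is an added example (not from this wiki, the onboarding scripts or Microsoft). The response is constructed to match the documented tenant state (Business Premium 14/14, Exchange Online Plan 1 7/7); "SPB" is assumed as Microsoft's skuPartNumber for Business Premium, since the page only records the EXCHANGESTANDARD part number.

```python
"""Resolve a license skuId from a live /subscribedSkus response before assigning it.

Added example; not from this wiki page, the onboarding scripts or Microsoft.
The response below is constructed to match the tenant figures documented above
(Business Premium 14/14, Exchange Online Plan 1 7/7). "SPB" is assumed to be
Microsoft's skuPartNumber for Business Premium.
"""
import json

SAMPLE_SUBSCRIBED_SKUS = json.dumps({
    "value": [
        {
            "skuId": "cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46",
            "skuPartNumber": "SPB",  # assumed part number for Business Premium
            "consumedUnits": 14,
            "prepaidUnits": {"enabled": 14, "suspended": 0, "warning": 0},
        },
        {
            "skuId": "4b9405b0-7788-4568-add1-99614e613b69",
            "skuPartNumber": "EXCHANGESTANDARD",
            "consumedUnits": 7,
            "prepaidUnits": {"enabled": 7, "suspended": 0, "warning": 0},
        },
    ]
})

# The stale GUID the scope doc carried (see Patterns & Known Issues).
STALE_BP_SKU_ID = "cbdc14ab-d96c-4132-b7f4-1f3a3a819bb4"


class LicenseError(Exception):
    """Raised when a skuId cannot be resolved or has no seat left."""


def _skus(subscribed_skus_json):
    return json.loads(subscribed_skus_json)["value"]


def resolve_sku_id(subscribed_skus_json, sku_part_number):
    """Map a skuPartNumber to the tenant's live skuId; never trust a GUID from a doc."""
    for sku in _skus(subscribed_skus_json):
        if sku["skuPartNumber"] == sku_part_number:
            return sku["skuId"]
    raise LicenseError(f"{sku_part_number} is not subscribed in this tenant")


def sku_id_is_live(subscribed_skus_json, sku_id):
    """True only if the GUID appears in the live response (catches stale doc values)."""
    return any(sku["skuId"] == sku_id for sku in _skus(subscribed_skus_json))


def free_seats(subscribed_skus_json, sku_id):
    """enabled - consumed for the SKU; suspended/warning units are not assignable."""
    for sku in _skus(subscribed_skus_json):
        if sku["skuId"] == sku_id:
            return sku["prepaidUnits"]["enabled"] - sku["consumedUnits"]
    raise LicenseError(f"skuId {sku_id} not found in /subscribedSkus")


def assign_license_body(subscribed_skus_json, sku_part_number):
    """Build the body for POST /users/{id}/assignLicense, or refuse with a reason
    that says a seat must be reclaimed first (e.g. by converting a former
    employee's mailbox to shared)."""
    sku_id = resolve_sku_id(subscribed_skus_json, sku_part_number)
    seats = free_seats(subscribed_skus_json, sku_id)
    if seats <= 0:
        raise LicenseError(
            f"{sku_part_number} ({sku_id}) has no free seat; reclaim one before assigning"
        )
    return {
        "addLicenses": [{"skuId": sku_id, "disabledPlans": []}],
        "removeLicenses": [],
    }


if __name__ == "__main__":
    print(resolve_sku_id(SAMPLE_SUBSCRIBED_SKUS, "EXCHANGESTANDARD"))
    print("stale GUID live?", sku_id_is_live(SAMPLE_SUBSCRIBED_SKUS, STALE_BP_SKU_ID))
    try:
        assign_license_body(SAMPLE_SUBSCRIBED_SKUS, "SPB")
    except LicenseError as exc:
        print("refused:", exc)
```

With every seat consumed, assign_license_body refuses rather than letting Graph return a 400 after the fact; the refusal message names the SKU so the operator knows which reclaim (shared-mailbox conversion) unblocks it.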

Google Workspace (source tenant — migration in progress)

  • Super-admin: sysadmin@birthbiologic.com; password vaulted at clients/birth-biologic/google-workspace.sops.yaml (credentials.password)
  • Domain-wide delegation: acg-msp-access SA (acg-msp-access@acg-msp-access.iam.gserviceaccount.com); OAuth2 client ID 102231607889615995452; GCP project acg-msp-access (number 806899474449)
  • Required DWD scopes (5, exact, comma-separated, no spaces): https://mail.google.com/,https://www.googleapis.com/auth/calendar,https://www.google.com/m8/feeds/,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/contacts
  • GCP APIs enabled on acg-msp-access: Gmail, Calendar (calendar-json), People
  • Google roster (DWD pull, 2026-06-26): 20 accounts — 15 active, 5 suspended

Gmail Migration Status (as of 2026-06-26)

  • Method: Native MS "Migration from Google Workspace" via Exchange Operator REST InvokeCommand
  • Endpoint: BB-Gmail (type: Gmail; impersonation admin: sysadmin@birthbiologic.com)
  • Batch 1 (BB-Batch1): 14 live mailboxes, mail + calendar + contacts, TargetDeliveryDomain birthbiologic.onmicrosoft.com, AutoStart, NotificationEmails sysadmin@; Status: Syncing (created 2026-06-26)
  • Batch 2: Not started — 5 former employees; pending un-suspend in Google + free Workspace seats
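Two things trip this migration path, both recorded under Patterns & Known Issues: the DWD grant must contain exactly Microsoft's five scopes (Google rejects the token all-or-nothing), and byte-array cmdlet parameters must cross the InvokeCommand REST endpoint as base64 strings. The preflight below is an added example, not the runbook or any ACG script: check_dwd_scopes() diffs a grant string against the required set, and invoke_command_body() serialises the {"CmdletInput": ...} body. Cmdlet parameter names follow Microsoft's New-MigrationEndpoint / New-MigrationBatch documentation; the service-account key, the 3-of-5 grant and the CSV rows are constructed.

```python
"""Preflight for the Google Workspace -> M365 mail migration run via InvokeCommand.

Added example; not the runbook, the wiki's scripts or Microsoft code.
  * check_dwd_scopes(): exact, all-or-nothing comparison of a domain-wide
    delegation grant against Microsoft's 5-scope set.
  * invoke_command_body(): the {"CmdletInput": ...} JSON for
    POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand,
    with byte-array parameters base64-encoded.
The service-account key and CSV rows below are constructed.
"""
import base64
import json

REQUIRED_DWD_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/calendar",
    "https://www.google.com/m8/feeds/",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
    "https://www.googleapis.com/auth/contacts",
})

# Parameters Exchange expects as byte[]; they travel as base64 strings over REST.
BYTE_ARRAY_PARAMS = frozenset({"ServiceAccountKeyFileData", "CSVData"})


def check_dwd_scopes(granted):
    """Return the required scopes missing from a comma-separated DWD grant.

    Whitespace around entries is ignored, nothing else is normalised: Google
    matches scopes literally, so 'https://mail.google.com' (no trailing slash)
    is NOT 'https://mail.google.com/' and is reported as missing.
    """
    granted_set = {s.strip() for s in granted.split(",") if s.strip()}
    return sorted(REQUIRED_DWD_SCOPES - granted_set)


def invoke_command_body(cmdlet, params):
    """Serialise one cmdlet invocation for the InvokeCommand endpoint."""
    encoded = {}
    for name, value in params.items():
        if isinstance(value, (bytes, bytearray)):
            encoded[name] = base64.b64encode(bytes(value)).decode("ascii")
        elif name in BYTE_ARRAY_PARAMS:
            # A str here is the classic mistake: the cmdlet wants byte[].
            raise TypeError(f"{name} must be bytes, got {type(value).__name__}")
        else:
            encoded[name] = value
    return json.dumps({"CmdletInput": {"CmdletName": cmdlet, "Parameters": encoded}})


def decode_byte_param(body_json, name):
    """Recover a byte[] parameter from a serialised body (for logging/verification)."""
    return base64.b64decode(json.loads(body_json)["CmdletInput"]["Parameters"][name])


def gmail_endpoint_body(name, sa_key_json, impersonation_admin):
    return invoke_command_body("New-MigrationEndpoint", {
        "Name": name,
        "Gmail": True,
        "ServiceAccountKeyFileData": sa_key_json,
        "EmailAddress": impersonation_admin,
    })


def gmail_batch_body(name, endpoint, rows, target_delivery_domain, notify):
    """rows: (m365_address, google_address) pairs. The Username column is what
    maps an address mismatch such as mindim@ (Google) -> mmaher@ (M365)."""
    csv_lines = ["EmailAddress,Username"] + [f"{m365},{google}" for m365, google in rows]
    return invoke_command_body("New-MigrationBatch", {
        "Name": name,
        "SourceEndpoint": endpoint,
        "CSVData": "\n".join(csv_lines).encode("utf-8"),
        "TargetDeliveryDomain": target_delivery_domain,
        "AutoStart": True,
        "NotificationEmails": [notify],
    })


# Constructed: the 3-of-5 grant the tenant originally had (see Patterns).
ORIGINAL_GRANT = ("https://mail.google.com/,"
                  "https://www.googleapis.com/auth/calendar,"
                  "https://www.googleapis.com/auth/contacts")

# Constructed stand-in for the SA JSON key; the private key is a placeholder.
FAKE_SA_KEY = json.dumps({
    "type": "service_account",
    "client_email": "acg-msp-access@acg-msp-access.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}).encode("utf-8")

if __name__ == "__main__":
    print("missing scopes:", check_dwd_scopes(ORIGINAL_GRANT))
    print(gmail_endpoint_body("BB-Gmail", FAKE_SA_KEY, "sysadmin@birthbiologic.com")[:80], "...")
```

Run check_dwd_scopes() against the grant string copied out of Google Admin before creating the endpoint; an empty list is the only acceptable result, because a partial grant does not produce a partially working migration.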

File Storage

  • Pre-migration source: Datto Workplace (server on ACG-DWP-X-BB; original custom-script artifacts on BB-SERVER at C:\GuruMigration)
  • Post-migration target: Microsoft SharePoint (M365)
  • Migration tools: Custom PowerShell script (clients/birth-biologic/scripts/migrate-datto-to-sharepoint.ps1) + SPMT (on ACG-DWP-X-BB under Administrator profile)

SharePoint Site Map

Datto Folder | SharePoint Site | Size / Files | Status
Admin | birthbiologic.sharepoint.com/sites/Admin | 5.8 GB / 6,279 files | SPMT last ran 2026-04-29; completion UNCONFIRMED
Birth Biologic Activity Reports | birthbiologic.sharepoint.com/sites/Admin (subfolder) | 1 file | SPMT; SPMT preserves source folder name as subfolder; UNCONFIRMED
Donor Services | birthbiologic.sharepoint.com/sites/DonorServices | 109 GB / 56,826 files | SPMT last ran 2026-04-29; completion UNCONFIRMED
Quality Department | birthbiologic.sharepoint.com/sites/QualityDepartment | 28 GB / 3,714 files | SPMT last ran 2026-04-29; completion UNCONFIRMED
Supply Management | birthbiologic.sharepoint.com/sites/SupplyManagement | 33 MB / 160 files | 160/160 migrated via custom PS script 2026-04-21 — COMPLETE
ITSvcs | EXCLUDED | 52 files | ACG-owned folder; never client data

Site IDs are hardcoded in the $SITE_MAP hashtable in the migration script.
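The custom-script path above is where the two upload-related entries in Patterns & Known Issues came from: an interrupted chunked upload session leaves a partial item in SharePoint, and every later createUploadSession against that path returns 409 Conflict until the item is deleted. The following is an added example, not migrate-datto-to-sharepoint.ps1 (which is PowerShell) and not Graph SDK code. Graph calls go through a small transport object so the retry logic can run offline against the constructed FakeGraph; a real transport would issue POST .../drive/root:/{path}:/createUploadSession, PUT {uploadUrl} with a Content-Range header, and DELETE .../drive/root:/{path}. The 320 KiB chunk-size multiple is Graph's documented requirement.

```python
"""Chunked drive upload that recovers from the SharePoint 409 Conflict pattern.

Added example; not migrate-datto-to-sharepoint.ps1 and not Graph SDK code.
FakeGraph is a constructed stand-in for the drive endpoints so the logic runs
offline; a real transport maps the three methods to
  POST   .../drive/root:/{path}:/createUploadSession
  PUT    {uploadUrl}   with Content-Range: bytes start-end/total
  DELETE .../drive/root:/{path}
"""

CHUNK_UNIT = 320 * 1024  # Graph: chunk sizes must be a multiple of 320 KiB


class ConflictError(Exception):
    """createUploadSession returned 409: a partial item already occupies the path."""


class FakeGraph:
    """A path listed in partial_items behaves like the leftover of an interrupted
    session: every createUploadSession for it 409s until the item is deleted."""

    def __init__(self, partial_items=()):
        self.items = {p: b"<partial>" for p in partial_items}
        self.sessions = {}
        self.deleted = []

    def create_upload_session(self, path):
        if path in self.items:
            raise ConflictError(path)
        self.sessions[path] = bytearray()
        return path  # stands in for the session's uploadUrl

    def put_chunk(self, upload_url, content_range_header, data):
        start, end, total = parse_content_range(content_range_header)
        buf = self.sessions[upload_url]
        if start != len(buf) or len(data) != end - start + 1:
            raise ValueError(f"non-contiguous or mis-sized chunk: {content_range_header}")
        buf.extend(data)
        if end + 1 == total:  # final chunk: item is created and the session closes
            self.items[upload_url] = bytes(buf)
            del self.sessions[upload_url]
            return 201
        return 202

    def delete_item(self, path):
        self.items.pop(path, None)
        self.deleted.append(path)


def content_range(start, end, total):
    return f"bytes {start}-{end}/{total}"


def parse_content_range(header):
    span, total = header.split(" ", 1)[1].split("/")
    start, end = span.split("-")
    return int(start), int(end), int(total)


def upload_file(graph, path, data, chunk_size=10 * CHUNK_UNIT):
    """Upload data to path in chunk_size pieces; returns the final PUT status.

    On 409 the stale partial item is deleted and the session created once more.
    A second 409 propagates to the caller instead of looping: it means something
    other than a leftover fragment owns the path and a human should look.
    """
    if chunk_size % CHUNK_UNIT:
        raise ValueError("chunk_size must be a multiple of 320 KiB")
    if not data:
        raise ValueError("empty file: nothing to chunk")
    try:
        upload_url = graph.create_upload_session(path)
    except ConflictError:
        graph.delete_item(path)  # clear the partial item left by the interrupted session
        upload_url = graph.create_upload_session(path)
    total = len(data)
    status = None
    for start in range(0, total, chunk_size):
        end = min(start + chunk_size, total) - 1
        status = graph.put_chunk(upload_url, content_range(start, end, total), data[start:end + 1])
    return status


if __name__ == "__main__":
    g = FakeGraph(partial_items=["Supply Management/demo.bin"])
    print(upload_file(g, "Supply Management/demo.bin", bytes(1_000_000), chunk_size=CHUNK_UNIT))
    print("deleted before retry:", g.deleted)
```

Only one delete-and-retry is attempted on purpose: a 409 that survives the delete is a different problem (another client writing the same path, or a permissions issue) and should be surfaced rather than retried blindly.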

Network

  • ACG Jupiter (Datto VM host): LAN 172.16.0.0/22, GW pfSense 172.16.0.1; Jupiter at 172.16.3.20 (Unraid, virsh); guest-exec helper /root/gx.sh
  • ACG-DWP-X-BB: 172.16.3.45/22 static (was APIPA after ~2 months parked; pfSense DHCP not leasing that MAC; fixed 2026-06-26)
  • ISP / WAN (BirthBio site): (verify)
  • Firewall (BirthBio site): (verify)
  • VPN: (verify)

GuruRMM

  • Client name: BirthBiologic
  • Client ID: da526b38-e832-4159-ab13-a3d94e9897a2
  • Site name: Main Office
  • Site code: BRIGHT-PEAK-5980
  • Site ID: 3b20ef97-c764-4ef8-9154-79c3d5b486f8
  • Agent enrollment key: clients/birthbiologic/gururmm-site-main.sops.yaml (vault)
  • Install landing page: https://rmm.azcomputerguru.com/install/BRIGHT-PEAK-5980
  • MSI download: https://rmm.azcomputerguru.com/sites/3b20ef97-c764-4ef8-9154-79c3d5b486f8/installer
  • RMM one-liner (Windows): irm https://rmm.azcomputerguru.com/install/BRIGHT-PEAK-5980/windows | iex

Enrolled Agents

Agent | Host | OS | Agent ID | IP | Notes
BB-SERVER | BB-SERVER | Windows Server 2016 | 6c02baa7-0f1c-4990-b466-c9ab9eaefd3b | (verify) | Installed 2026-04-21; original Datto→SP command channel; Datto Workplace Server; custom migration script artifacts
KSTEENBB2025 | KSTEENBB2025 | Windows 11 | ee3c6aea-e9cc-4d2f-9e79-a38dd0eb129e | | Kristin Steen's workstation
EVO-X1 | EVO-X1 | Windows 11 | 9595f002-5cfe-4db6-b7aa-1df4a20e9f9b | | Vicki Fountain's workstation; SmartBadge fleet reference machine
BB-Office2 | BB-Office2 | Windows 11 | 48763401-4859-49f9-b64a-7a50d0148b23 | | Shared/office workstation
ACG-DWP-X-BB | ACG-DWP-X-BB | Windows Server 2019 | a4524e85-8a07-45d0-91b1-51ce7e2ca74a | 172.16.3.45 | ACG-owned; Jupiter libvirt VM; Datto Workplace Server + SPMT migration host; enrolled 2026-06-26 under BirthBiologic/Main Office

Access

  • GuruRMM: Dashboard → BirthBiologic → Main Office
  • M365 admin: sysadmin@birthbiologic.com
  • Google Workspace admin: sysadmin@birthbiologic.com (same account; password vaulted)
  • Vault paths:
    • clients/birthbiologic/gururmm-site-main.sops.yaml — GuruRMM site enrollment key
    • msp-tools/computerguru-tenant-admin.sops.yaml (credentials.credential) — Tenant Admin app secret
    • msp-tools/computerguru-exchange-operator.sops.yaml (credentials.client_secret) — Exchange Operator app secret
    • msp-tools/acg-msp-access-google-workspace.sops.yaml (credentials.credential) — Google SA JSON key (full)
    • clients/birth-biologic/google-workspace.sops.yaml (credentials.password) — Google Workspace super-admin password
    • clients/birth-biologic/m365-medicaldirector.sops.yaml — Dr. Chris Gillis M365 initial password (forceChangePasswordNextSignIn=true)
    • clients/birth-biologic/m365-mmerritt.sops.yaml — Michael Merritt M365 initial password (forceChangePasswordNextSignIn=true)
  • Tenant Admin app: client_id 709e6eed-0711-4875-9c44-2d3518c47063; consent redirect URI must be https://azcomputerguru.com (NOT https://rmm.azcomputerguru.com)
  • Exchange Operator SP: bab4699b-32a3-4434-9cad-7a4a08cc4d9e; Exchange Administrator role; drive via REST InvokeCommand (see Patterns)
  • Migration script: clients/birth-biologic/scripts/migrate-datto-to-sharepoint.ps1
  • Migration runbook: projects/msp-tools/runbooks/google-workspace-to-m365-migration.md (updated 2026-06-26 — exact 5-scope string, all-or-nothing gotcha, Contacts API retired/People API, GCP-owner requirement)

Patterns & Known Issues

  • Datto Workplace fleet standard = "Datto Workplace" v10.53.4 (installs to C:\Program Files\Datto\Workplace2\). EVO-X1 and BB-Office2 run this version only. Never run the older "Datto Workplace Desktop" v8.50.13 (folder …\Workplace Desktop\) alongside it — having both installed breaks the Excel SmartBadge add-in (see below). Note the confusing naming: despite "Desktop" sounding newer, v8 Desktop is the older product; plain "Datto Workplace" v10 is current.
  • SmartBadge Excel add-in failure from dual Datto Workplace installs: When both Workplace2 (v10) and Workplace Desktop (v8) are present, the _CC COM class {3C639243-95A2-400D-B4B4-4384DA7F61D3} gets a 64-bit InprocServer32 pointing at the wrong DLL (or only a 32-bit WOW64 entry), so 64-bit Excel can't load the shim and silently drops the SmartBadge ribbon tab. Excel then auto-disables the add-in (per-user LoadBehavior=2). Fix = align to fleet: remove Workplace Desktop v8 (Revo for a full leftover sweep), install Workplace v10.53.4, ensure only the _CC add-in (HKLM+WOW64, LoadBehavior=3) with the _CC CLSID → …\Workplace2\SmartBadge\DattoSmartBadgeShim_x64/x86.dll, and reset the user's LoadBehavior to 3 + clear Excel Resiliency. Reference machine: EVO-X1. Scripts: .claude/scripts/ksteen-smartbadge-verify.ps1, .claude/scripts/ksteen-smartbadge-fix.ps1.
  • Windows Server 2016 TLS: BB-SERVER defaults to TLS 1.0. PowerShell scripts must include [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 at the top or Graph API calls will fail.
  • GuruRMM command timeout on long-running processes: The RMM command channel times out on operations running longer than ~300 seconds. An 8 MB PDF upload at ~77 KB/s exceeded this limit during the migration. Workaround: base64-encode file on server, capture stdout, decode and upload locally.
  • SharePoint 409 Conflict on retry: If a chunked upload session is interrupted, a partial item remains in SharePoint. Subsequent upload sessions against the same path return 409 Conflict. Fix: DELETE the item before creating a new upload session.
  • SPMT requires sysadmin to be SharePoint admin: SPMT destination access requires the running account to have SharePoint admin rights. Confirm before scheduling future SPMT runs.
  • Syncro comment rendering: Use <br> for line breaks in Syncro comments. <ul>/<li> collapses into a single line in the Syncro renderer.
  • Syncro duplicate comments on #109277420: Two duplicate comments were noted in the session log. GUI deletion only (no API delete for comments). Verify status next time in ticket view.
  • ITSvcs folder exclusion: The ITSvcs folder on the Datto share is ACG-owned, not client data. Always exclude from any migration or client-facing file audit.
  • GuruRMM command body requirements: command_type field is required (use "powershell" for PS scripts). Missing field returns 422. JWT must include sub, role, orgs, exp, iat claims — any missing claim returns 401.
  • GuruRMM .stdout null handling in watch scripts: jq -r '.stdout' emits the literal 4-char string "null" when the API returns JSON null for stdout. Always use .stdout // empty (or .stdout // "") so that a null field becomes an empty string, not the word "null". Affects any script that greps command output for a sentinel line.
  • PS5.1 quirks on BB-SERVER: No Unicode box-drawing characters (parse error in PS5.1); no @{} + @{} hashtable merge (use foreach loop); use ${encodedPath} not $encodedPath: in URL strings (colon interpreted as drive reference).
  • Google→M365 migration requires exactly Microsoft's 5-scope DWD set: Google rejects the migration token all-or-nothing if any scope is missing (unauthorized_client: … not authorized for any of the scopes requested). The original DWD grant had only 3 of 5; missing were m8/feeds and gmail.settings.sharing. The m8/feeds scope is a still-valid alias for contacts auth, served by the People API; the standalone Contacts API was retired 2022 (not enableable in GCP, not needed). See exact 5-scope string in the Google Workspace section above.
  • Enabling GCP APIs in acg-msp-access requires ACG project owner identity: Running gcloud services enable as a client super-admin (sysadmin@birthbiologic.com) fails — that account has no rights to ACG's acg-msp-access GCP project. Must be authenticated as the ACG GCP project owner.
  • Exchange driven via REST InvokeCommand — EXO PS module not available: Exchange Operator app token (scope=https://outlook.office365.com/.default), endpoint POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand, body {"CmdletInput":{"CmdletName":"…","Parameters":{…}}}. EXO PowerShell module not installed; the app has no vaulted cert, so Connect-ExchangeOnline app-only auth is not available. Byte-array parameters (ServiceAccountKeyFileData, CSVData) must be passed as base64 strings.
  • vault.sh get-field requires the dotted field path for nested secrets: credentials.client_secret and credentials.credential work; a bare leaf name (client_secret) returns the literal 4-character string "null". Always specify the full dotted path.
  • Tenant's real Business Premium skuId is cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46: The scope doc had a stale GUID (cbdc14ab-d96c-4132-b7f4-1f3a3a819bb4). License assign 400'd until corrected. Pull skuId live from Graph /subscribedSkus before any license assignment.
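The .stdout null-handling entry above (and the 2026-06-02 false-positive DRIFT alert in History Highlights) is worth seeing end to end, because the same trap applies to any watch script that greps command output for a sentinel. The following is an added example, not check-ksteen-smartbadge.sh (a bash/jq script) or GuruRMM code: jq_raw() mimics what `jq -r '.stdout'` prints so the false positive can be reproduced, coerce_null() is the Python equivalent of the `.stdout // empty` fix, and classify() keeps INFRA-ERROR (the check could not run) distinct from DRIFT (the check ran and found divergence). The field names stdout / stderr / exit_code are those the page names; the overall JSON shape, the "RESULT: PASS" sentinel wording and the sample results are assumptions or constructed.

```python
"""Classify a GuruRMM command result for a drift watch without the "null" trap.

Added example; not check-ksteen-smartbadge.sh or GuruRMM code. Field names
stdout / stderr / exit_code are from the page; the JSON shape, the sentinel
line and the sample results below are constructed.
"""
import json

SENTINEL = "RESULT: PASS"  # assumed: the line the verify script prints when clean


def jq_raw(value):
    """What `jq -r` prints for a scalar: strings raw, JSON null as the word null."""
    if value is None:
        return "null"
    return value if isinstance(value, str) else json.dumps(value)


def coerce_null(value):
    """Equivalent of jq's `.stdout // empty`: null (or absent) becomes ""."""
    return "" if value is None else value


def classify(result_json, *, fixed=True):
    """Return (verdict, detail); verdict is PASS, DRIFT or INFRA-ERROR.

    INFRA-ERROR means the check could not run (non-zero exit, or no output at
    all) and must never be reported as configuration drift. fixed=False reads
    stdout the way the old script did, which reproduces the false positive.
    """
    r = json.loads(result_json)
    stdout = coerce_null(r.get("stdout")) if fixed else jq_raw(r.get("stdout"))
    stderr = coerce_null(r.get("stderr"))
    exit_code = r.get("exit_code")

    if exit_code not in (None, 0):
        return "INFRA-ERROR", f"exit_code={exit_code} stderr={stderr.strip()!r}"
    if not stdout.strip():
        return "INFRA-ERROR", "command returned no stdout (timeout or never executed)"
    if any(line.strip() == SENTINEL for line in stdout.splitlines()):
        return "PASS", "sentinel present"
    return "DRIFT", f"sentinel missing; first line: {stdout.splitlines()[0].strip()!r}"


# Constructed sample results (not captured from the RMM API).
RESULT_CLEAN = json.dumps({
    "stdout": "Workplace v10.53.4 present\n_CC add-in LoadBehavior=3\nRESULT: PASS\n",
    "stderr": "", "exit_code": 0,
})
# The 2026-06-02 shape: the API answered, but every field was JSON null.
RESULT_NO_OUTPUT = json.dumps({"stdout": None, "stderr": None, "exit_code": None})
RESULT_DRIFT = json.dumps({
    "stdout": "Workplace Desktop v8.50.13 present\nRESULT: DRIFT\n",
    "stderr": "", "exit_code": 0,
})
RESULT_FAILED = json.dumps({"stdout": "", "stderr": "Access is denied", "exit_code": 1})

if __name__ == "__main__":
    for name, sample in [("clean", RESULT_CLEAN), ("no-output", RESULT_NO_OUTPUT),
                         ("drift", RESULT_DRIFT), ("failed", RESULT_FAILED)]:
        print(f"{name:10} fixed={classify(sample)}  old={classify(sample, fixed=False)}")
```

The key line is the null-stdout case: with the old reading it comes back as DRIFT (the word "null" is non-empty and contains no sentinel), with the fix it is INFRA-ERROR, which is what should page the on-call rather than the client-facing drift alert.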

Active Work

  • Google → M365 mail migration (IN PROGRESS): BB-Batch1 auto-started 2026-06-26, Status: Syncing, 14 live mailboxes (mail + calendar + contacts). Pending:
    • Monitor BB-Batch1: Provisioning → Syncing → Synced
    • When Synced: flip MX in SiteGround DNS → M365; update SPF (include:spf.protection.outlook.com); enable/publish DKIM (2 CNAMEs); autodiscover CNAME → autodiscover.outlook.com; review DMARC; run final delta; complete batch
    • Batch 2 — 5 former employees → shared mailboxes: un-suspend each in Google (free Workspace seats by suspending migrated live users first), run Gmail migration batch (aboutte, araso, khoffman, pnelson, sabron — already EXO-licensed, sign-in disabled), convert to shared mailboxes (<=50 GB = free), reclaim 5 EXO licenses
    • Confirm Valerie VanEaton's status (active or departed since mid-May; if departed → former/shared track)
    • Confirm Michael Merritt's long-term licensing tier
    • Confirm operations@ fate post-cutover (retain BP or convert to shared)
  • Datto → SharePoint migration reconciliation (BLOCKED — awaiting ACG-DWP-X-BB Datto re-sync):
    • Supply Management complete (160/160 files, 2026-04-21)
    • 4 large SPMT folders (Admin 5.8 GB, Donor Services 109 GB, Quality 28 GB, Activity Reports) last SPMT run 2026-04-29; completion UNCONFIRMED — reconciliation pending Datto re-sync on ACG-DWP-X-BB
    • After re-sync: compare source vs each SharePoint site, determine what April SPMT run left incomplete, schedule completion run(s)
    • Notify Annise to test SharePoint access once confirmed complete; run delta sync (-DeltaOnly) post-confirmation
  • pfSense: add DHCP reservation for 172.16.3.45 (MAC 52:54:00:d4:8e:59) or confirm it is outside the DHCP pool

History Highlights

Date | Event
2026-06-26 | Mike (GURU-5070): Google→M365 mail migration initiated; BB-Batch1 live (14 mailboxes, Status: Syncing). Identified Datto/SPMT migration VM as Jupiter libvirt domain ACG-DWP-X-BB (actual WS2019 build 17763); had APIPA after ~2 months parked (pfSense not leasing MAC); fixed with static IP 172.16.3.45/22; GuruRMM agent enrolled (a4524e85-…); Datto Workplace Server reconnected + re-syncing. Confirmed April SPMT run (4 large folders) completion unconfirmed. Fully onboarded BirthBio M365 to ACG suite (Exchange Operator + User Manager + Defender Add-on consented via onboard365.sh provision). Provisioned Exchange-only mailboxes for Dr. Chris Gillis (medicaldirector@) and Michael Merritt (mmerritt@); license redistribution: Mei Mei + Valerie +BP, Savanna BP→EXO, 4 disabled formers +EXO. Created Gmail migration endpoint BB-Gmail; created + auto-started BB-Batch1 (14 mailboxes, TargetDeliveryDomain birthbiologic.onmicrosoft.com). Vaulted Google super-admin creds + new M365 user passwords.
2026-06-02 | Mike (BEAST/discord-bot): SMARTBADGE-WATCH fired a false-positive DRIFT alert. Root cause: jq -r '.stdout' emitting literal "null" when RMM API returned JSON null stdout. Live re-verify via RMM confirmed KSTEENBB2025 clean (RESULT: PASS). Fixed check-ksteen-smartbadge.sh (commit 551aaf2): .stdout // empty coercion, INFRA-ERROR vs DRIFT distinction, stderr/exit_code in diagnostics, poll window 80s→120s.
2026-05-29 | Mike: Corrected the SmartBadge fix — Kristin's machine had been left on the older Workplace Desktop v8 (diverged from fleet). Revo-removed v8, installed Workplace v10.53.4 (Workplace2), aligned SmartBadge _CC add-in/CLSID to EVO-X1, cleared her stuck per-user LoadBehavior=2. Verified working. Public tech notes + 1hr warranty on Syncro #32339. Stood up a 7-day daily verification (scheduled task on GURU-5070 + coord todo 4a5b09b3, expires 2026-06-05).
2026-05-28 | Mike: Initial Kristin Steen SmartBadge remediation (Syncro #32339) — diagnosed dual Workplace2/Workplace Desktop install; uninstalled the wrong one (Workplace2 v10), leaving v8 Desktop (corrected 2026-05-29).
2026-04-21 | Mike: New client onboarded to GuruRMM (client + site created, vault entry saved). Tenant Admin app consented. sysadmin@birthbiologic.com assigned M365 Business Premium. GuruRMM agent installed on BB-SERVER. Custom Datto→SharePoint migration script built. Supply Management (160 files) migrated via script. SPMT launched for 4 remaining folders. Syncro ticket #109277420 opened.