Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only). Syncro rule overhaul: - Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225) - Never make up labor items (existing product + real name; QuickBooks sync) - Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner /remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table). Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
5.8 KiB
5.8 KiB
name, description
| name | description |
|---|---|
| remediation-tool | M365 tenant investigation and remediation using the ComputerGuru tiered MSP app suite (5 apps: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on). Auto-invoke when the user says "remediation tool", "365 remediation", "check <user>'s mailbox/box", "credential stuffing" against an M365 user, "breach check" on an M365 tenant, or needs M365 admin API work that client-credentials Graph + Exchange REST can perform. NOT for CIPP — this is the direct Graph API app suite. Also invoke when the user needs any of: inbox rule enumeration, mailbox forwarding check, delegate/SendAs audit, OAuth consent audit, sign-in log queries, risky user lookup, directory audit queries, B2B guest invite audit against M365. Triggers: "365 remediation", "remediation tool", "check <user> box/mailbox/account for breach", "credential stuff*", "who's getting attacked", "foreign sign-in", "inbox rule", "mailbox forward*", "oauth consent" (in MSP context), "tenant sweep", "risky user", "hidden rule", Exchange Online admin API, "adminapi/beta/{tenant}/InvokeCommand". |
365 Remediation Tool
Read-only by default. All remediation actions require explicit YES confirmation in chat (not a permission prompt).
App Architecture (Tiered)
Five multi-tenant apps cover distinct privilege tiers. Use only what the task requires.
| Tier | App display name | App ID | Vault file | Scope |
|---|---|---|---|---|
investigator |
ComputerGuru Security Investigator | bfbc12a4-f0dd-4e12-b06d-997e7271e10c |
computerguru-security-investigator.sops.yaml |
Graph read-only |
investigator-exo |
ComputerGuru Security Investigator | bfbc12a4-f0dd-4e12-b06d-997e7271e10c |
computerguru-security-investigator.sops.yaml |
Exchange Online read |
exchange-op |
ComputerGuru Exchange Operator | b43e7342-5b4b-492f-890f-bb5a4f7f40e9 |
computerguru-exchange-operator.sops.yaml |
Exchange Online write |
user-manager |
ComputerGuru User Manager | 64fac46b-8b44-41ad-93ee-7da03927576c |
computerguru-user-manager.sops.yaml |
Graph user/group write |
tenant-admin |
ComputerGuru Tenant Admin | 709e6eed-0711-4875-9c44-2d3518c47063 |
computerguru-tenant-admin.sops.yaml |
Graph high-privilege |
defender |
ComputerGuru Defender Add-on | dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b |
computerguru-defender-addon.sops.yaml |
Defender ATP (MDE only) |
Default for breach checks: use investigator (Graph) + investigator-exo (Exchange read). Escalate to write tiers only when remediating.
Auto-Invocation Behavior
When triggered automatically (vs. via /remediation-tool), follow the same workflow in .claude/commands/remediation-tool.md:
- Parse the user's intent into a subcommand (check/sweep/signins/consent-url/remediate).
- Resolve tenant ID from domain.
- Acquire tokens via
get-token.sh <tenant> <tier>— use lowest-privilege tier needed. - Run checks via scripts in
scripts/. - Interpret findings using
references/checklist.md. - Write report to
clients/{slug}/reports/YYYY-MM-DD-{action}.mdusingtemplates/breach-report.md. - Chat summary + delegate commit to Gitea agent.
Before calling any script, verify
- The SOPS vault is accessible:
test -f D:/vault/scripts/vault.sh(Windows) ortest -f ~/vault/scripts/vault.sh(other). jq,curl,bashare available.- For Exchange REST checks: confirm the target tenant has Exchange Administrator role assigned to the Security Investigator SP (for reads) or Exchange Operator SP (for writes). If any Exchange REST call returns 403, emit the tenant-scoped Entra Roles link from
references/gotchas.md. - For Identity Protection checks:
IdentityRiskyUser.Read.Allis in the Security Investigator manifest AND the tenant has consented to that app. If 403, emit the per-app consent URL fromreferences/gotchas.md. - For Defender checks: confirm tenant has Microsoft Defender for Endpoint (MDE) license before using
defendertier — it returns AADSTS650052 otherwise.
Conventions
- Target identifiers: accept UPN, domain, or tenant GUID. Normalize to tenant GUID internally.
- Token tiers: minimum necessary privilege. Never use
tenant-adminfor a read-only check. - Token cache:
/tmp/remediation-tool/{tenant-id}/{tier}.jwt. TTL 55 minutes. Check-mmin -55before reuse. - Raw JSON artifacts:
/tmp/remediation-tool/{tenant-id}/{check}/— keep so the user can re-analyze. - Reports:
clients/{slug}/reports/YYYY-MM-DD-{action}.md. Derive slug from domain (strip TLD, hyphenate). - UTC dates everywhere.
Scope boundaries
- Not a replacement for CIPP. Use CIPP for bulk baseline configuration, templates, standards alerting. Use this tool for focused investigation and point-in-time remediation.
- Entra app registrations stay manual in the portal — don't create/modify the multi-tenant apps themselves via the tool.
- Conditional Access policies CAN be managed programmatically (Tenant Admin tier holds
Policy.ReadWrite.ConditionalAccess+ the Conditional Access Administrator role). MANDATORY discipline: (1) always create/modify in report-only (state: enabledForReportingButNotEnforced) first; (2) always exclude the tenant's break-glass account (conditions.users.excludeUsers); (3) verify impact in Entra sign-in logs before enforcing; (4) get explicit user confirmation before flipping any policy toenabledon a tenant with real users. (CA-manual boundary relaxed 2026-05-27 at Mike's direction — break-glass + report-only keep blast radius near zero.) - Not for Graph permissions the apps don't have. If a call 403s and the scope isn't in the relevant app's manifest, stop and tell the user — don't try to work around it.
- Defender tier requires MDE license. If the tenant doesn't have MDE, the token request succeeds but API calls return AADSTS650052. Check before using.