Files
claudetools/.claude/skills/remediation-tool/SKILL.md
Mike Swanson a42d657c55 docs(session)+rules: 2026-05-27 — Quantum M365 onboarding, IX autodiscover fix, Syncro emergency/labor/attribution rules
Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only).

Syncro rule overhaul:
- Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225)
- Never make up labor items (existing product + real name; QuickBooks sync)
- Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner

/remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table).

Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 14:57:55 -07:00

5.8 KiB

name, description
name description
remediation-tool M365 tenant investigation and remediation using the ComputerGuru tiered MSP app suite (5 apps: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on). Auto-invoke when the user says "remediation tool", "365 remediation", "check <user>'s mailbox/box", "credential stuffing" against an M365 user, "breach check" on an M365 tenant, or needs M365 admin API work that client-credentials Graph + Exchange REST can perform. NOT for CIPP — this is the direct Graph API app suite. Also invoke when the user needs any of: inbox rule enumeration, mailbox forwarding check, delegate/SendAs audit, OAuth consent audit, sign-in log queries, risky user lookup, directory audit queries, B2B guest invite audit against M365. Triggers: "365 remediation", "remediation tool", "check <user> box/mailbox/account for breach", "credential stuff*", "who's getting attacked", "foreign sign-in", "inbox rule", "mailbox forward*", "oauth consent" (in MSP context), "tenant sweep", "risky user", "hidden rule", Exchange Online admin API, "adminapi/beta/{tenant}/InvokeCommand".

365 Remediation Tool

Read-only by default. All remediation actions require explicit YES confirmation in chat (not a permission prompt).

App Architecture (Tiered)

Five multi-tenant apps cover distinct privilege tiers. Use only what the task requires.

Tier App display name App ID Vault file Scope
investigator ComputerGuru Security Investigator bfbc12a4-f0dd-4e12-b06d-997e7271e10c computerguru-security-investigator.sops.yaml Graph read-only
investigator-exo ComputerGuru Security Investigator bfbc12a4-f0dd-4e12-b06d-997e7271e10c computerguru-security-investigator.sops.yaml Exchange Online read
exchange-op ComputerGuru Exchange Operator b43e7342-5b4b-492f-890f-bb5a4f7f40e9 computerguru-exchange-operator.sops.yaml Exchange Online write
user-manager ComputerGuru User Manager 64fac46b-8b44-41ad-93ee-7da03927576c computerguru-user-manager.sops.yaml Graph user/group write
tenant-admin ComputerGuru Tenant Admin 709e6eed-0711-4875-9c44-2d3518c47063 computerguru-tenant-admin.sops.yaml Graph high-privilege
defender ComputerGuru Defender Add-on dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b computerguru-defender-addon.sops.yaml Defender ATP (MDE only)

Default for breach checks: use investigator (Graph) + investigator-exo (Exchange read). Escalate to write tiers only when remediating.

Auto-Invocation Behavior

When triggered automatically (vs. via /remediation-tool), follow the same workflow in .claude/commands/remediation-tool.md:

  1. Parse the user's intent into a subcommand (check/sweep/signins/consent-url/remediate).
  2. Resolve tenant ID from domain.
  3. Acquire tokens via get-token.sh <tenant> <tier> — use lowest-privilege tier needed.
  4. Run checks via scripts in scripts/.
  5. Interpret findings using references/checklist.md.
  6. Write report to clients/{slug}/reports/YYYY-MM-DD-{action}.md using templates/breach-report.md.
  7. Chat summary + delegate commit to Gitea agent.

Before calling any script, verify

  • The SOPS vault is accessible: test -f D:/vault/scripts/vault.sh (Windows) or test -f ~/vault/scripts/vault.sh (other).
  • jq, curl, bash are available.
  • For Exchange REST checks: confirm the target tenant has Exchange Administrator role assigned to the Security Investigator SP (for reads) or Exchange Operator SP (for writes). If any Exchange REST call returns 403, emit the tenant-scoped Entra Roles link from references/gotchas.md.
  • For Identity Protection checks: IdentityRiskyUser.Read.All is in the Security Investigator manifest AND the tenant has consented to that app. If 403, emit the per-app consent URL from references/gotchas.md.
  • For Defender checks: confirm tenant has Microsoft Defender for Endpoint (MDE) license before using defender tier — it returns AADSTS650052 otherwise.

Conventions

  • Target identifiers: accept UPN, domain, or tenant GUID. Normalize to tenant GUID internally.
  • Token tiers: minimum necessary privilege. Never use tenant-admin for a read-only check.
  • Token cache: /tmp/remediation-tool/{tenant-id}/{tier}.jwt. TTL 55 minutes. Check -mmin -55 before reuse.
  • Raw JSON artifacts: /tmp/remediation-tool/{tenant-id}/{check}/ — keep so the user can re-analyze.
  • Reports: clients/{slug}/reports/YYYY-MM-DD-{action}.md. Derive slug from domain (strip TLD, hyphenate).
  • UTC dates everywhere.

Scope boundaries

  • Not a replacement for CIPP. Use CIPP for bulk baseline configuration, templates, standards alerting. Use this tool for focused investigation and point-in-time remediation.
  • Entra app registrations stay manual in the portal — don't create/modify the multi-tenant apps themselves via the tool.
  • Conditional Access policies CAN be managed programmatically (Tenant Admin tier holds Policy.ReadWrite.ConditionalAccess + the Conditional Access Administrator role). MANDATORY discipline: (1) always create/modify in report-only (state: enabledForReportingButNotEnforced) first; (2) always exclude the tenant's break-glass account (conditions.users.excludeUsers); (3) verify impact in Entra sign-in logs before enforcing; (4) get explicit user confirmation before flipping any policy to enabled on a tenant with real users. (CA-manual boundary relaxed 2026-05-27 at Mike's direction — break-glass + report-only keep blast radius near zero.)
  • Not for Graph permissions the apps don't have. If a call 403s and the scope isn't in the relevant app's manifest, stop and tell the user — don't try to work around it.
  • Defender tier requires MDE license. If the tenant doesn't have MDE, the token request succeeds but API calls return AADSTS650052. Check before using.