claudetools/clients/sif-oidak/session-logs/2026-06-03-session.md
Mike Swanson ae1ec4517a sync: auto-sync from GURU-BEAST-ROG at 2026-06-03 15:02:21
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-03 15:02:21
2026-06-03 15:03:07 -07:00


Session Log — 2026-06-03

User

  • User: Mike Swanson (mike)
  • Machine: GURU-BEAST-ROG
  • Role: admin

Session Summary

Howard initiated this session via Discord requesting an Office license assignment for Joshua Albert at SifOidak. The first challenge was identifying the correct tenant — the vault only held on-premises laptop credentials for this client, and the client was not present in CIPP. After checking the Syncro customer record (primary contact: deanna.cruz@tonation-nsn.gov), the domain toua.net was tried first based on Howard's input, but that tenant had no delegated admin access. Mike clarified the correct tenant was sifoidak.onmicrosoft.com (tenant ID: 568eb763-3b95-4271-8443-530c74b1c6bb).

With the tenant identified, none of the ACG MSP apps had been consented there. The correct onboarding process requires the Tenant Admin app to be consented first via a single admin-consent URL, after which onboard-tenant.sh programmatically consents the remaining apps (Security Investigator, Exchange Operator, User Manager) and assigns all required directory roles. Mike mistakenly consented the User Manager app first before being directed to the Tenant Admin URL. After Tenant Admin consent was confirmed, onboard-tenant.sh ran successfully: all four apps consented, Exchange Administrator role assigned to Security Investigator and Exchange Operator SPs, Conditional Access Administrator assigned to Tenant Admin SP, and User Administrator + Authentication Administrator assigned to User Manager SP. Two Graph permission errors on Security Investigator were a replication timing artifact (SP was just created).

With the tenant onboarded, Joshua Albert (jalbert.sod@sifoidak.onmicrosoft.com) was found to already have an O365 Business license assigned. The tenant was at 10/10 capacity. Howard then requested a password reset for Joshua to the user-chosen value Albert#2015 (no forced change at next sign-in), which was completed via Graph API PATCH. Mike then requested creation of a new user Dwayne Ortega (Dortega.sod@sifoidak.onmicrosoft.com); the account was created, usage location set to US, and O365 Business license assigned — the tenant auto-expanded from 10 to 11 seats. Syncro ticket #32380 was created, assigned to Howard, with the initial comment emailed to the client.


Key Decisions

  • Tenant Admin consent first, not User Manager: The onboard-tenant.sh script requires Tenant Admin app consent first because it uses that token to programmatically create SPs and grant permissions for all other apps. Asking for User Manager consent separately was an unnecessary extra step and deviates from the intended single-consent onboarding process.
  • No forced password change for Joshua Albert: Howard explicitly stated the user picked the password, so forceChangePasswordNextSignIn was set to false.
  • Usage location set to US before license assignment: Graph API requires usageLocation to be set on a user before any license can be assigned. The PATCH returned 204 but the license call still failed once; a second attempt after confirming the property was set (via GET) succeeded.
  • Tenant seat auto-expansion accepted: Rather than blocking on the 10/10 capacity, the license assignment to Dortega succeeded and the tenant expanded to 11 seats automatically (Microsoft 365 subscription behavior). No manual seat purchase was needed in the moment.

Problems Encountered

  • CIPP DNS resolution failure (intermittent): Initial attempts to query CIPP's tenant list returned curl: (6) Could not resolve host: cippcanvb.azurewebsites.net. DNS resolved shortly after. Subsequent requests returned empty bodies due to Azure Functions cold-start timing. Worked around by retrying with longer timeout and piping directly to Python.
  • Wrong tenant tried first: toua.net was tried based on Howard's input before Mike clarified the correct domain was sifoidak.onmicrosoft.com.
  • User Manager consented before Tenant Admin: Mike consented User Manager first (from the URL provided), then needed a second consent click for Tenant Admin. The script handled the already-present User Manager SP gracefully ("SP already present").
  • License assignment failed with "invalid usage location": New user created without usageLocation. Set to US via PATCH (HTTP 204), then re-attempted license assignment — first retry still failed (likely replication lag), second attempt succeeded.
  • Two Graph permission errors on Security Investigator: grant_app_role failed for two roles immediately after SP creation with "Resource does not exist." Classic Graph replication delay. Roles will self-heal or can be backfilled by re-running onboard-tenant.sh.
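The usageLocation sequence from the Key Decisions and Problems lists above (set it, confirm it reads back with GET, then assign the license with a bounded retry on the replication-lag error), as an added Python example that is not the project's onboard-tenant.sh or any code from this session; the minimal `client` interface and `FakeGraph` are constructed assumptions so the flow runs offline.

```python
"""Added example, not the project's tooling: usageLocation -> GET check ->
assignLicense with bounded retry. `client` is any object whose
get/patch/post(path, json=None) return (status, body); FakeGraph is a
constructed stand-in for Microsoft Graph so this runs offline."""
import time

GRAPH = "https://graph.microsoft.com/v1.0"
O365_BUSINESS_SKU = "cdd28e44-67e3-425e-be4c-737fab2899d3"  # SKU id from the log


def set_location_and_license(client, user_id, sku_id=O365_BUSINESS_SKU,
                             usage_location="US", retries=3, delay=0.0):
    # Graph refuses assignLicense until usageLocation is set on the user.
    status, _ = client.patch(f"{GRAPH}/users/{user_id}",
                             json={"usageLocation": usage_location})
    if status != 204:
        raise RuntimeError(f"usageLocation PATCH failed: {status}")
    # A 204 only means the write was accepted; confirm it reads back.
    status, body = client.get(f"{GRAPH}/users/{user_id}?$select=usageLocation")
    if status != 200 or body.get("usageLocation") != usage_location:
        raise RuntimeError("usageLocation not readable after PATCH")
    payload = {"addLicenses": [{"skuId": sku_id}], "removeLicenses": []}
    for attempt in range(1, retries + 1):
        status, body = client.post(f"{GRAPH}/users/{user_id}/assignLicense",
                                   json=payload)
        if status == 200:
            return attempt  # how many assignLicense calls were needed
        msg = body.get("error", {}).get("message", "").lower()
        # Retry only the lag symptom seen in this session; anything else is final.
        if "usage location" not in msg or attempt == retries:
            raise RuntimeError(f"assignLicense failed: {status} {body}")
        time.sleep(delay)


class FakeGraph:
    """Constructed stand-in: the first `lag_calls` assignLicense requests still
    reject the user as if usageLocation had not replicated yet."""
    def __init__(self, lag_calls=1):
        self.lag_calls, self.location = lag_calls, None

    def patch(self, path, json=None):
        self.location = json["usageLocation"]
        return 204, {}

    def get(self, path, json=None):
        return 200, {"usageLocation": self.location}

    def post(self, path, json=None):
        if self.lag_calls > 0:
            self.lag_calls -= 1
            return 400, {"error": {"message": "Invalid usage location."}}
        return 200, {"assignedLicenses": json["addLicenses"]}
```

Against a real tenant, `delay` should be a few seconds and the user id is the GUID returned by the POST /users call, as in the Commands & Outputs section.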

Configuration Changes

  • Created clients/sif-oidak/session-logs/2026-06-03-session.md (this file)

Credentials & Secrets

  • Joshua Albert temp/user-chosen password: Albert#2015 — set by user, not vaulted
  • Dwayne Ortega temp password: Temp1234! — must change at next sign-in, not vaulted
  • Vault paths accessed:
    • msp-tools/cipp.sops.yaml — CIPP OAuth credentials (tenant list lookup)
    • msp-tools/computerguru-user-manager.sops.yaml — User Manager app (user/license ops)
    • msp-tools/computerguru-tenant-admin.sops.yaml — Tenant Admin app (onboarding)
    • msp-tools/syncro.sops.yaml — Syncro API key (ticket creation)
    • clients/sif-oidak/laptops.sops.yaml — context lookup only

Infrastructure & Servers

Resource                        Value
------------------------------  --------------------------------------------------
Tenant domain                   sifoidak.onmicrosoft.com
Tenant ID                       568eb763-3b95-4271-8443-530c74b1c6bb
Joshua Albert UPN               jalbert.sod@sifoidak.onmicrosoft.com
Joshua Albert user ID           55f77ce1-20fc-44b1-a7c7-2fa42b348b76
Dwayne Ortega UPN               Dortega.sod@sifoidak.onmicrosoft.com
Dwayne Ortega user ID           014c1df6-444b-4502-9239-15c3ff935887
License SKU                     O365_BUSINESS (cdd28e44-67e3-425e-be4c-737fab2899d3)
Tenant seats                    11/11 (auto-expanded from 10)
Tenant Admin SP OID             3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341
User Manager SP OID             011b990a-c787-4af1-b4d5-606a5461f2e5
Security Investigator SP OID    4b42e8e7-615d-4d67-8edf-a4166f1fd179
Exchange Operator SP OID        0d51ec52-0070-4073-98c6-2c8eb3caa8b5
Syncro customer ID              7694718

Commands & Outputs

# Onboard tenant
bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh sifoidak.onmicrosoft.com
# [SUCCESS] All directory roles assigned; 2 Graph permission errors on Sec Investigator (replication timing)

# Reset Joshua Albert password
PATCH https://graph.microsoft.com/v1.0/users/55f77ce1-20fc-44b1-a7c7-2fa42b348b76
{"passwordProfile":{"password":"Albert#2015","forceChangePasswordNextSignIn":false}}
# -> HTTP 204

# Create Dwayne Ortega
POST https://graph.microsoft.com/v1.0/users
# -> id: 014c1df6-444b-4502-9239-15c3ff935887

# Set usage location
PATCH https://graph.microsoft.com/v1.0/users/014c1df6...
{"usageLocation":"US"}
# -> HTTP 204

# Assign license
POST https://graph.microsoft.com/v1.0/users/014c1df6.../assignLicense
{"addLicenses":[{"skuId":"cdd28e44-67e3-425e-be4c-737fab2899d3"}],"removeLicenses":[]}
# -> HTTP 200, license confirmed, tenant expanded 10->11

Pending / Incomplete Tasks

  • Security Investigator — 2 missing Graph permissions: df021288 (User.Read.All) and b0afded3 (AuditLog.Read.All) failed to grant due to replication timing. Re-run onboard-tenant.sh sifoidak.onmicrosoft.com to backfill. Non-blocking for current user management tasks.
  • sifoidak.onmicrosoft.com not yet in CIPP: Tenant was onboarded into our MSP app suite but is not visible in CIPP. Consider adding it to CIPP for full MSP visibility (delegated admin relationship needed separately via Partner Center or GDAP).
  • Vault: No M365 admin credentials vaulted for this tenant. Consider adding clients/sif-oidak/m365-admin.sops.yaml if they share credentials with us.

Reference Information

  • Syncro Ticket: #32380 — https://computerguru.syncromsp.com/tickets/112127922
  • Syncro Customer: #7694718 — Sif-oidak District - Tohono O'odham Nation
  • Tenant Admin consent URL (for future re-consent): https://login.microsoftonline.com/sifoidak.onmicrosoft.com/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
  • Discord Thread: 1511832024971739306