claudetools/clients/glaztech/session-logs/2026-04-20-session.md
Mike Swanson 06c53ee324 Session log: glaztech DMARC override + syncro skill billing fix
- clients/glaztech/session-logs/2026-04-20-session.md: Exchange Online
  transport rule created to bypass DMARC for clearcutglass.com
- session-logs/2026-04-20-session.md: update with 12:55 work
- .claude/commands/syncro.md: fix billing workflow — comment endpoint
  silently drops time fields; use timer_entry endpoint instead

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 12:56:31 -07:00


Session Log — 2026-04-20 — Glaz-Tech Industries

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin

Session Summary

Set up Exchange Online DMARC bypass for inbound mail from clearcutglass.com → glaztech.com. Full remediation tool workflow: app consent, role assignment, transport rule creation via EXO REST API.

Work Performed

Problem

Inbound mail from clearcutglass.com was being rejected at glaztech.com due to DMARC failure. Client needed a temporary override while clearcutglass.com fixes their email authentication.

Solution

Created Exchange Online transport rule via EXO REST API (InvokeCommand) to set SCL = -1 for all mail from clearcutglass.com, bypassing DMARC/spam filtering.

Steps Taken

  1. App consent — Exchange Operator app (b43e7342-5b4b-492f-890f-bb5a4f7f40e9) was not yet consented in glaztech.com tenant. Provided the admin consent URL (https://login.microsoftonline.com/82931e3c-de7a-4f74-87f7-fe714be1f160/adminconsent?client_id=b43e7342-5b4b-492f-890f-bb5a4f7f40e9); the glaztech.com Global Admin completed consent.

  2. Role assignment — After consent, EXO REST API still returned 403 because the SP needed Exchange Administrator role in the tenant directory (consent alone is not sufficient for EXO cmdlets). Verified SP was already assigned via screenshot from Entra portal (ComputerGuru Exchange Operator already listed as Exchange Administrator member).

  3. Transport rule created — via POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand:

    • Rule name: TEMP - Allow DMARC fail from clearcutglass.com
    • Condition: SenderDomainIs = clearcutglass.com
    • Action: SetSCL = -1
    • State: Enabled, Enforce mode
    • Rule GUID: 6b702a5c-02ad-46e5-a2e1-7cb70284bd5c
    • Created: 2026-04-20 19:28 UTC
  4. Syncro ticket created — #32176 "Exchange Online - DMARC override for clearcutglass.com", status Resolved.

Follow-up Required

Once clearcutglass.com fixes their SPF/DMARC configuration, remove the transport rule:

  • Exchange Admin Center → Mail flow → Rules → delete "TEMP - Allow DMARC fail from clearcutglass.com"
  • Or via API: Remove-TransportRule -Identity "6b702a5c-02ad-46e5-a2e1-7cb70284bd5c"
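
Added example, not part of the original session log: the rule as created matches on sender domain alone and carries no end date, so the SCL -1 override stays in force until someone remembers to delete it. One way to time-box and narrow it, then list any SCL -1 overrides still in place, assuming an Exchange Online PowerShell session (Connect-ExchangeOnline); the 30-day window and the 203.0.113.0/24 range are placeholders, not values from the log.

```powershell
# Added example: assumes an existing Exchange Online PowerShell session
# (Connect-ExchangeOnline) with rights to manage transport rules.
$ruleId      = '6b702a5c-02ad-46e5-a2e1-7cb70284bd5c'  # rule GUID recorded in this log
$expiresOn   = (Get-Date).AddDays(30)                  # assumed review window
$senderRange = '203.0.113.0/24'  # PLACEHOLDER: replace with the sender's real outbound IPs

# 1. Time-box the override and restrict it to the sender's known mail servers,
#    so the rule stops acting on its own and no longer matches on domain alone.
Set-TransportRule -Identity $ruleId `
    -ExpiryDate $expiresOn `
    -SenderIpRanges $senderRange `
    -Comments 'Syncro #32176. Temporary DMARC override; remove once sender fixes SPF/DMARC.'

# 2. List every transport rule that forces SCL -1 and flag the ones to review.
$now = Get-Date
Get-TransportRule -ResultSize Unlimited |
    Where-Object { $_.SetSCL -eq -1 } |
    Select-Object Name, Guid, State, Mode, SenderDomainIs, SenderIpRanges, ExpiryDate, WhenChanged,
        @{ Name = 'Finding'; Expression = {
            if (-not $_.ExpiryDate) { 'no expiry date set' }
            elseif ([datetime]$_.ExpiryDate -lt $now) { 'expired, delete the rule' }
            elseif (-not $_.SenderIpRanges) { 'matches on sender domain only' }
            else { 'ok' }
        } } |
    Format-Table -AutoSize -Wrap
```

Running step 1 with the placeholder range unchanged would stop the rule from matching the sender's real mail, so substitute the confirmed IP ranges first.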

Tenant Info

  • Domain: glaztech.com
  • Tenant ID: 82931e3c-de7a-4f74-87f7-fe714be1f160
  • Syncro customer ID: 143932
  • Syncro ticket: #32176 (ID: 109216691)
  • Contact: Steve Eastman (Seastman@glaztech.com)

Credentials Used

  • Exchange Operator app: b43e7342-5b4b-492f-890f-bb5a4f7f40e9 / vault: msp-tools/computerguru-exchange-operator.sops.yaml

Issues Encountered

  • AADSTS7000229 on first token attempt — app not consented in tenant. Fixed via admin consent URL.
  • 403 after consent — SP needed Exchange Administrator role in Entra directory (separate from API consent). Already assigned per Entra portal.
  • curl null byte response — EXO REST API returns a compressed/binary response when no Accept header or --compressed flag is used. Fixed by writing payload to temp file and checking raw bytes.
  • PowerShell Graph module device code auth failure: "DeviceCodeCredential authentication failed: Object reference not set to an instance of an object" — known bug with Microsoft.Graph 2.36.1 + WAM on Windows. Workaround: not needed since role was already assigned.