claudetools/clients/dataforth/session-logs/2026-05-03-session.md
Mike Swanson 2e98f95c9f
Session log: Dataforth M365 security investigation - jantar@dataforth.com
Darkweb scan follow-up: ran 10-point breach check on jantar@dataforth.com (no IOCs),
revoked eM Client OAuth grant and app role assignment, disabled eM Client SP tenant-wide.
Syncro ticket #109790034 created, billed 1hr prepaid, resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 10:37:22 -07:00


Session Log: 2026-05-03

User

  • User: Mike Swanson (mike)
  • Machine: GURU-BEAST-ROG
  • Role: admin

Session Summary

A request was made to perform an M365 remediation check on jantar@dataforth.com following a darkweb scan indicating her credentials had been breached on a third-party site. The tenant ID for dataforth.com was resolved to 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584. Graph and Exchange tokens were acquired using certificate authentication. A full 10-point M365 breach check was executed, revealing no indicators of compromise. One disabled graymail inbox rule was identified, but no mailbox forwarding, delegates, or suspicious permissions were found. All sign-ins originated from a consistent IP address in Salt Lake City, and SMS MFA was configured.

An eM Client application with high-privilege IMAP/EWS scopes was found connected to the user account. The client confirmed eM Client is no longer in use at Dataforth. The OAuth grant and app role assignment were revoked for jantar@dataforth.com. A tenant sweep confirmed no other users had the app connected. The eM Client service principal was then disabled tenant-wide to prevent future re-authorization.

A breach check report was saved to the client reports directory. A Syncro ticket was created, billed against Dataforth's prepaid block (1hr), and marked Resolved.

Key Decisions

  • Checked tenant-wide for other eM Client users before disabling the SP — confirmed jantar was the only connected user, making the tenant-wide disable clean with no user impact.
  • Used user-manager tier for grant/role revocation (minimum necessary privilege) and escalated to tenant-admin only for the SP disable — kept to least-privilege throughout.
  • Billed against Dataforth's prepaid block (47.5 hrs available) rather than standard remote rate — appropriate for a security task under their managed agreement.
  • Contact set to Dan Center (IT admin) rather than Jacque Antar (end user) — ticket is an IT security action, not an end-user support request.

Problems Encountered

  • IdentityRiskyUser scope not consented: The Security Investigator app lacks IdentityRiskyUser.Read.All consent in the Dataforth tenant, causing a 403 on the risky user check. Risk detections came back 0 via an alternate endpoint. Not resolved this session — documented in the report with consent URL for follow-up.
  • Graph replication lag: reads issued immediately after the HTTP 204 on grant/SP deletions returned stale data. Re-queried after a 5-6 second delay each time; all changes verified.
  • eM Client SP not found by appId filter: GET /servicePrincipals?$filter=appId eq '...' returned empty under both investigator and tenant-admin tiers. Resolved by querying the SP directly by its object ID (sourced from the resourceId field in the app role assignment).

Breach Check: jantar@dataforth.com

Trigger: Darkweb scan report — credentials found in third-party breach
User: Jacque Antar | Object ID: daa60027-be31-47a5-87af-d728499a9cc4
Tenant: dataforth.com | 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
Verdict: No indicators of compromise

| Check | Result |
| --- | --- |
| Account status | Enabled, pw changed 2026-03-09 |
| Inbox rules (Graph) | 1 — "Move Graymail to folder", disabled. Clean. |
| Hidden inbox rules (Exchange) | None |
| Mailbox forwarding | None |
| Mailbox delegates | None |
| SendAs | None |
| OAuth grants | Apple Internet Accounts (EAS) + eM Client (IMAP/EWS) — eM Client revoked |
| Auth methods | Password + Phone SMS (+1 520-245-6929). No authenticator app. |
| Sign-ins (30d) | 8 — all from 67.206.163.122, Salt Lake City US, Windows 10. No foreign logins. |
| Directory audits (30d) | 3 system updates + 2 group adds by dcenter@dataforth.com. Routine. |
| Identity risk | 403 (scope not consented) / 0 risk detections |

Recommendations noted in report:

  • Upgrade MFA from SMS to Microsoft Authenticator
  • Confirm "Dime Client" app is authorized (7/8 sign-ins)
  • Consent IdentityRiskyUser scope for full risk signal visibility

Remediation Actions

1. eM Client OAuth Grant Revoked (jantar@dataforth.com)

  • Grant ID: CBzbJaD1bE-73ac4aJsVh1kfp75Wee1Bj5lF8xxKY0InAKbaMb6lR4ev1yhJmpzE
  • Scopes removed: IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid
  • Tier: user-manager | Result: HTTP 204 | Verified

2. eM Client App Role Assignment Revoked (jantar@dataforth.com)

  • Assignment ID: JwCm2jG-pUeHr9coSZqcxBZRSQMEXYFOsp2E7viR7Xo
  • Tier: user-manager | Result: HTTP 204 | Verified

3. eM Client Service Principal Disabled (tenant-wide)

  • SP Object ID: 25db1c08-f5a0-4f6c-bbdd-a738689b1587
  • SP appId: e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd
  • Change: accountEnabled: true → accountEnabled: false
  • Tier: tenant-admin | Result: HTTP 204 | Verified accountEnabled: false
  • Scope: Tenant-wide — no user in Dataforth tenant can authorize eM Client going forward
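The three remediation steps above, together with the two pitfalls from Problems Encountered (stale reads right after a 204, and locating the SP by the assignment's resourceId rather than an appId filter), as an added Python example that is not part of the session's own tooling. The Graph client is an in-memory stand-in with constructed placeholder IDs so the flow runs offline; against the real API the same calls are GET/DELETE on oauth2PermissionGrants and appRoleAssignments and a PATCH on the servicePrincipal.

```python
import copy
import time

# Constructed fixture; the IDs are placeholders, not the ones in the session log.
USER, EM_CLIENT_SP = "user-obj-id", "sp-emclient-obj-id"

class FakeGraph:
    """In-memory stand-in for the Graph calls used: writes apply at once, but the
    next `lag_reads` reads still serve the pre-write state (replication lag)."""
    def __init__(self, lag_reads=2):
        self.live = {
            "grants": {"g1": {"clientId": EM_CLIENT_SP, "principalId": USER,
                              "scope": "IMAP.AccessAsUser.All EWS.AccessAsUser.All"},
                       "g2": {"clientId": "sp-apple", "principalId": USER, "scope": "EAS.AccessAsUser.All"}},
            "assignments": {"a1": {"resourceId": EM_CLIENT_SP, "principalId": USER}},
            "sps": {EM_CLIENT_SP: {"displayName": "eM Client", "accountEnabled": True}}}
        self.lag_reads, self.stale, self.left = lag_reads, None, 0
    def read(self, coll):                    # GET: stale for a few reads after a write
        if self.left:
            self.left -= 1
            return copy.deepcopy(self.stale[coll])
        return copy.deepcopy(self.live[coll])
    def write(self, mutate):                 # DELETE/PATCH: snapshot, apply, HTTP 204
        self.stale, self.left = copy.deepcopy(self.live), self.lag_reads
        mutate(self.live)
        return 204

def apply_and_verify(graph, coll, mutate, check, tries=5, delay=0.0):
    """Write, then re-query until `check` sees it (use delay=5 against real Graph)."""
    graph.write(mutate)
    for _ in range(tries):
        if check(graph.read(coll)):
            return True
        time.sleep(delay)
    return False

def revoke_app_for_user(graph, user, sp_id, delay=0.0):
    """Revoke `user`'s grants and app role assignments for the SP object id `sp_id`
    (the assignment's resourceId), then disable the SP tenant-wide. Per-step results."""
    done = {}
    for coll, fld in (("grants", "clientId"), ("assignments", "resourceId")):
        for k in [k for k, v in graph.read(coll).items()
                  if v["principalId"] == user and v[fld] == sp_id]:
            done[f"{coll}/{k}"] = apply_and_verify(
                graph, coll, lambda live, c=coll, k=k: live[c].pop(k),
                lambda got, k=k: k not in got, delay=delay)
    done["sp_disabled"] = apply_and_verify(
        graph, "sps", lambda live: live["sps"][sp_id].update(accountEnabled=False),
        lambda got: got[sp_id]["accountEnabled"] is False, delay=delay)
    return done
```

Each step verifies with bounded re-queries rather than trusting the 204, so a lag longer than the retry budget shows up as a False result instead of a silently unverified change.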

Syncro Ticket

| Field | Value |
| --- | --- |
| Ticket # | #109790034 |
| Subject | M365 Security Investigation - jantar@dataforth.com |
| Customer | Dataforth Corp (id: 578095) |
| Contact | Dan Center (id: 2774091) |
| Assigned | Mike Swanson (1735) |
| Issue Type | Security |
| Status | Resolved |
| Invoice # | #1650179002 |
| Labor | Prepaid Project Labor (9269129), 1.0 hr @ $0.00 |
| Prepaid hrs | 47.5 → 46.5 hrs remaining |

Files Created / Modified

| File | Action |
| --- | --- |
| clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md | Created — full 10-point breach check report |
| clients/dataforth/session-logs/2026-05-03-session.md | Created — this file |

Raw Artifacts

Breach check JSON artifacts at (local, not committed):

/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/

Pending / Follow-Up

  • Consent IdentityRiskyUser.Read.All scope in Dataforth tenant for full Identity Protection visibility. Consent URL: https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
  • Confirm "Dime Client" app with Dataforth — verify it is an authorized internal application
  • Consider pushing Jacque Antar to Microsoft Authenticator (currently SMS-only MFA)