claudetools/clients/quantumwms/session-logs/2026-05-27-session.md
Mike Swanson a42d657c55 docs(session)+rules: 2026-05-27 — Quantum M365 onboarding, IX autodiscover fix, Syncro emergency/labor/attribution rules
Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only).

Syncro rule overhaul:
- Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225)
- Never make up labor items (existing product + real name; QuickBooks sync)
- Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner

/remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table).

Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 14:57:55 -07:00

# Session Log: 2026-05-27 — Quantum Wealth Management
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Worked Syncro ticket **#32323 "Mail migration planning"** (Quantum Wealth Management, customer_id 7088747). Sheila Peress forwarded an email to Mike; pulled it from Mike's M365 mailbox via Microsoft Graph. The email — **FW: Intermedia Concern [#SR-150626]** (2026-05-27) — forwarded a reply from **IFG Software Support** (softwaresupport@ifgsd.com) confirming that Intermedia runs a **fully cloud-hosted Exchange (HEX)** service, that **Microsoft is phasing out support for HEX accounts**, and that IFG is therefore **phasing out Intermedia and recommending offices migrate their email off it** (to Microsoft 365). Sheila's note: *"Please talk with Jen Curry. I guess you were onto something."*
Posted a **customer-visible, emailed** update to #32323 acknowledging the forwarded note, confirming that migrating to Microsoft 365 is the right move, and that Mike has **scheduled an online meeting with Jennifer (Jen) Curry to plan the migration from Intermedia to M365**. Set the ticket to **In Progress**. The intent of the update was to reassure Sheila that ACG is actively on the task.
## Key Decisions
- **Customer-visible + emailed update** (not internal) — Mike wanted Sheila to see ACG is on task.
- **Confirmed migration direction: Intermedia (HEX) → Microsoft 365** — validated by IFG's own guidance that Microsoft is dropping HEX support; this matches the concern Mike had already raised.
- **Jen Curry (IFG) is the migration coordinator** — Sheila explicitly directed us to her; Mike scheduled an online meeting with her.
## Configuration Changes
- No repo changes for this client. Syncro ticket update only.
## Credentials & Secrets
- No new client credentials. Mike's mailbox read via the shared Graph app (vault `msp-tools/claude-msp-access-graph-api.sops.yaml`) — see the root 2026-05-27 log for the `/mailbox` skill detail.
## Infrastructure & Servers
- **Email platform (current):** Intermedia — fully cloud-hosted Exchange (HEX). Being migrated to **Microsoft 365**.
- **Contacts:** Sheila Peress (sheila@quantumwms.com — Licensed Insurance Associate / Admin Assistant to John Velez); John Velez (john@quantumwms.com — Financial Advisor; primary on the Datto account). Office: 14025 N Speckled Burro Lane, Marana AZ 85658; 520.445.8004.
- **IFG** (broker-dealer / software support): softwaresupport@ifgsd.com. **Jennifer "Jen" Curry** — migration coordinator at IFG. "Jarod" also referenced at IFG. IFG support ref **SR-150626**.
## Commands & Outputs
- Mailbox read: Graph `GET /users/mike@azcomputerguru.com/messages?$search="from:sheila@quantumwms.com"` (app fabb3421, ACG tenant) → found FW: Intermedia Concern [#SR-150626], 2026-05-27 13:55.
- Ticket update: `POST /tickets/111056440/comment` (hidden false, do_not_email false) → comment id `413437310` (emailed to Sheila). Bot alert posted.
- Status: `PUT /tickets/111056440` `{"status":"In Progress"}` → In Progress. Bot alert posted.
## Pending / Incomplete Tasks
- **Online meeting with Jen Curry (IFG)** — Mike scheduled it; discuss/plan the Intermedia → M365 migration. Then scope and execute the mailbox migration.
- **John Velez consent** (carried) — the M365/migration work likely needs John Velez's sign-off (he's primary). Confirm before cutover.
- Keep #32323 updated as the plan and timing firm up.
## Reference Information
- Ticket: #32323 (id 111056440), customer_id 7088747 — https://computerguru.syncromsp.com/tickets/111056440 — comment id 413437310.
- Source email: Sheila Peress (sheila@quantumwms.com), "FW: Intermedia Concern [#SR-150626]", 2026-05-27 13:55, forwarding IFG Software Support (softwaresupport@ifgsd.com).
- Wiki: wiki/clients/quantumwms.md.
---
## Update: 14:49 PT — M365 migration: tenant onboarded, security baseline started
### Session Summary
Major progress on the Intermedia -> M365 migration (#32323). Jen Curry (IFG) called back and **approved + strongly encouraged** the move; emailed Sheila the update, set up appointments (Wed 5/27 2:00 PM with Sheila for licensing + PST backup kickoff; Thu 5/28 1:00 PM with Jen to finalize DNS for archival + sent-mail encryption), created a PST-backup TODO, and created an empty **"365 Services" recurring invoice template** (schedule 509862, Monthly, next run 2026-06-01) for Pax8 to populate.
Resolved the tenant question. Pax8 reported `quantumwms.com` "attached to a tenant" — discovery found a dormant **GoDaddy-provisioned tenant** (`ddf3d2c9...`, `netorg18235235.onmicrosoft.com`, brand "quantumwms.com") that had the domain parked but unverified. Mike chose to **spin up a fresh tenant** (only 2 users; cleaner than a GoDaddy takeover). Pax8 provisioned **new tenant `2fd0092b-e9b7-474c-ad73-301f34dd6b64`** ("Quantum Wealth Management", `quantumwms.onmicrosoft.com`); `quantumwms.com` verified + primary there; `john@`/`sheila@` licensed (Business Premium); `sysadmin@` is the ACG admin (GA). The GoDaddy tenant was bypassed.
Onboarded ACG management access: Pax8 **GDAP approved** (relationship "Default_Ariz_Quantum Weal_704149625747913", 180 days), then ran `onboard-tenant.sh` against `2fd0092b` — only the **Tenant Admin** app needed a manual consent click; the script programmatically consented the rest (Security Investigator, Exchange Operator, User Manager, Defender) and assigned directory roles. Verified with a live Graph read. (Hit a wrong-tenant snag first: I'd pointed consent at the GoDaddy `ddf3d2c9` and `sysadmin@` bounced — re-discovery showed the domain had since verified into the new `2fd0092b`.)
Started the **security baseline** (Mike chose Conditional Access over Security Defaults — Business Premium includes Entra P1). Set John's initial password. Created a **break-glass GA** (`breakglass@quantumwms.onmicrosoft.com`, excluded from CA). Created **CA001 (MFA all) + CA002 (block legacy) in report-only** programmatically (Mike relaxed the "CA stays manual" rule given break-glass + report-only = near-zero blast radius). Emailed Sheila for the office Comcast **static IP** (for a trusted-location CA policy). Enforcement deferred until after tomorrow's mail cutover (Security Defaults covers MFA in the interim).
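The domain-to-tenant discovery described above (openid-configuration plus `getuserrealm`, which first reported `quantumwms.com` unverified and later resolved it to `2fd0092b`) as an added Python example. This is not the session's discovery tooling; the sample response bodies are constructed, and the probe address, the `discover`/`discover_live` names and the verdict strings are this example's own assumptions. The tenant GUID and domain are the ones this log records.

```python
"""Resolve which Entra ID tenant a custom domain is verified in, and whether
its realm is Managed, Federated or Unknown.

Added example, not the session's own discovery tooling. It parses the two
unauthenticated Microsoft endpoints the log names:
  GET https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration
  GET https://login.microsoftonline.com/getuserrealm.srf?login={user}@{domain}&json=1
The sample bodies below are constructed (not captured output); their shapes
follow the public endpoints and the GUID/domain values are the ones this log
records for quantumwms.com.
"""
import json
import re
from typing import Optional
from urllib.error import HTTPError
from urllib.request import urlopen

LOGIN = "https://login.microsoftonline.com"
# issuer looks like https://login.microsoftonline.com/<tenant-guid>/v2.0
ISSUER_RE = re.compile(rf"^{re.escape(LOGIN)}/([0-9a-f-]{{36}})/v2\.0$")

# --- constructed sample responses (assumed shapes, values from this log) ---
OPENID_NOT_FOUND = json.dumps({  # HTTP 400: domain not verified in any tenant
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'quantumwms.com' not found.",
})
OPENID_VERIFIED = json.dumps({  # HTTP 200 once the domain verified into the new tenant
    "issuer": f"{LOGIN}/2fd0092b-e9b7-474c-ad73-301f34dd6b64/v2.0",
    "token_endpoint": f"{LOGIN}/2fd0092b-e9b7-474c-ad73-301f34dd6b64/oauth2/v2.0/token",
})
REALM_UNKNOWN = json.dumps({"State": 4, "UserState": 1, "Login": "probe@quantumwms.com",
                            "NameSpaceType": "Unknown"})
REALM_MANAGED = json.dumps({"State": 4, "UserState": 1, "Login": "probe@quantumwms.com",
                            "NameSpaceType": "Managed", "DomainName": "quantumwms.com",
                            "FederationBrandName": "Quantum Wealth Management",
                            "CloudInstanceName": "microsoftonline.com"})


def tenant_from_openid_config(body: str) -> Optional[str]:
    """Tenant GUID from an openid-configuration document, or None when Entra
    answers with an error body (domain parked/unverified, as with the GoDaddy tenant)."""
    doc = json.loads(body)
    if "error" in doc:
        return None
    m = ISSUER_RE.match(doc.get("issuer", ""))
    return m.group(1) if m else None


def classify_realm(body: str) -> dict:
    """NameSpaceType (Managed/Federated/Unknown) plus brand and federation URL."""
    doc = json.loads(body)
    return {
        "namespace": doc.get("NameSpaceType", "Unknown"),
        "brand": doc.get("FederationBrandName"),
        "federation_url": doc.get("AuthURL"),  # only present for Federated realms
    }


def discover(domain: str, openid_body: str, realm_body: str) -> dict:
    """Combine both answers into one verdict (pure function; works offline)."""
    tenant = tenant_from_openid_config(openid_body)
    realm = classify_realm(realm_body)
    if tenant is None:
        verdict = "domain not verified in any tenant (parked or unused)"
    elif realm["namespace"] == "Federated":
        verdict = f"federated tenant {tenant}; auth handled at {realm['federation_url']}"
    elif realm["namespace"] == "Managed":
        verdict = f"managed tenant {tenant}"
    else:
        verdict = f"tenant {tenant} found but realm reports {realm['namespace']}"
    return {"domain": domain, "tenant_id": tenant, **realm, "verdict": verdict}


def _get(url: str) -> str:
    try:
        with urlopen(url, timeout=10) as r:
            return r.read().decode()
    except HTTPError as e:  # Entra returns 400 + JSON error for unknown tenants
        return e.read().decode()


def discover_live(domain: str, probe_user: str = "probe") -> dict:
    """Network version of discover(); not exercised offline."""
    openid = _get(f"{LOGIN}/{domain}/v2.0/.well-known/openid-configuration")
    realm = _get(f"{LOGIN}/getuserrealm.srf?login={probe_user}@{domain}&json=1")
    return discover(domain, openid, realm)


if __name__ == "__main__":
    print(discover("quantumwms.com", OPENID_NOT_FOUND, REALM_UNKNOWN)["verdict"])
    print(discover("quantumwms.com", OPENID_VERIFIED, REALM_MANAGED)["verdict"])
```

Re-running `discover_live` after each DNS change is the cheap way to avoid the wrong-tenant consent snag recorded above: the verdict changes from "not verified" to "managed tenant 2fd0092b-..." only once the TXT record has been picked up, and the GUID it returns is the one to point consent and `onboard-tenant.sh` at.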
### Key Decisions
- **Fresh tenant, not GoDaddy takeover** — only 2 users; the GoDaddy tenant (`ddf3d2c9`) is a Managed tenant (no DNS takeover possible) and dormant, so a clean new tenant (`2fd0092b`) was simpler. The domain wasn't verified in GoDaddy's, so the new tenant claimed it.
- **Conditional Access over Security Defaults** — they pay for Business Premium (P1); CA is granular + break-glass-excludable + audit-friendly for a compliance-sensitive financial firm.
- **CA created in report-only, programmatically** — Mike opted to enable programmatic CA writes; safe here (break-glass excluded + report-only enforces nothing). Enforce after the mail cutover so block-legacy is observed against real mail traffic.
- **Single GA + break-glass** — `sysadmin@` (daily) + `breakglass@` (emergency, CA-excluded, password-never-expires) to prevent lockout before enforcing CA.
### Configuration Changes
- Syncro #32323: appointments `5598140927` (Wed 2PM Sheila) + `5598140928` (Thu 1PM Jen); recurring schedule **509862** ("365 Services", empty); comments for migration updates.
- M365 tenant `2fd0092b`: full ComputerGuru app suite consented + directory roles; CA001 `22cd5d4b` + CA002 `52db2b88` (report-only); break-glass GA created; John password set.
### Credentials & Secrets
- **M365 tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management", `quantumwms.onmicrosoft.com`, `quantumwms.com` primary). Old GoDaddy tenant `ddf3d2c9-b76c-40d9-a216-9f11a1a26f97` (`netorg18235235.onmicrosoft.com`) — dormant, bypassed.
- **john@quantumwms.com** — initial password set 2026-05-27 by Mike: `SheilaDeena1952#` (forceChange=false; John MFA-enrolls at first sign-in). Licensed Business Premium.
- **sysadmin@quantumwms.com** — ACG admin, Global Admin (id `003cacd2-dc29-4fb6-9da4-756927c91e16`).
- **breakglass@quantumwms.onmicrosoft.com** — emergency GA (id `ad4a7a5c-a030-4e6f-bcd6-a0e7c7630f99`), cloud-only, password-never-expires, excluded from all CA. Password VAULTED at `clients/quantumwms/m365-breakglass.sops.yaml` (vault commit f08f339).
- **GDAP:** Pax8 US, relationship "Default_Ariz_Quantum Weal_704149625747913", Approved, 180 days.
### Infrastructure & Servers
- Email today: Intermedia HEX (`*.exch090.serverdata.net`), migrating to M365 tenant `2fd0092b`. License SKU: **SPB** (Business Premium) ×2.
- CA policies (report-only): CA001 Require MFA all users (`22cd5d4b-5e6a-4fbe-ad50-e57555b12d8d`), CA002 Block legacy auth (`52db2b88-55bf-4e7d-b060-ea4b14a253e2`), both exclude break-glass. Security Defaults still ON (interim).
### Commands & Outputs
- Onboard: `bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh 2fd0092b-...` → [SUCCESS] (re-ran once to clear Graph replication-lag perm errors).
- Tenant discovery: `getuserrealm`/`openid-config` for quantumwms.com → first "Unknown"/not-found (GoDaddy parked), later Managed → `2fd0092b`.
- CA create: `POST /identity/conditionalAccess/policies` (tenant-admin token, `state: enabledForReportingButNotEnforced`).
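Added example of the programmatic Conditional Access pattern used in this session (create in report-only, exclude break-glass, confirm before enforce, then flip to enabled and drop Security Defaults). This is not the remediation-tool code: the policy bodies follow the Graph `conditionalAccessPolicy` schema, the break-glass object id and policy names are the ones recorded in this log, and the `lint_policy`/`create_request`/`enforce_request`/`enforcement_plan` helpers and the request-tuple shape are this example's own assumptions.

```python
"""Guardrails for programmatic Conditional Access (CA) writes via Microsoft Graph.

Added example, not the session's remediation-tool code. Builds CA001 (MFA all
users) and CA002 (block legacy auth) as report-only policies in the Graph
conditionalAccessPolicy schema, and refuses to emit a create or an enforce
request unless the break-glass account is excluded and the policy state is
what the procedure expects. Requests are returned as (method, url, body)
tuples so they can be checked before any token is used.
"""
from typing import Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"          # assumed base URL for the calls
REPORT_ONLY = "enabledForReportingButNotEnforced"
BREAKGLASS_ID = "ad4a7a5c-a030-4e6f-bcd6-a0e7c7630f99"  # break-glass GA id from this log

Request = Tuple[str, str, dict]  # (HTTP method, URL, JSON body)


def _base_policy(name: str, breakglass_ids: List[str]) -> dict:
    return {
        "displayName": name,
        "state": REPORT_ONLY,  # always created report-only; enforcing is a separate step
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(breakglass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def ca001_mfa_all(breakglass_ids: List[str]) -> dict:
    p = _base_policy("CA001 Require MFA all users", breakglass_ids)
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def ca002_block_legacy(breakglass_ids: List[str]) -> dict:
    p = _base_policy("CA002 Block legacy auth", breakglass_ids)
    # Legacy/basic-auth clients surface as exchangeActiveSync and "other"
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def lint_policy(policy: dict, breakglass_ids: List[str]) -> List[str]:
    """Reasons this policy must not be written/enforced (empty list = OK)."""
    problems = []
    conds = policy.get("conditions", {})
    users = conds.get("users", {})
    excluded = set(users.get("excludeUsers", []))
    missing = [b for b in breakglass_ids if b not in excluded]
    if missing:
        problems.append(f"break-glass not excluded: {missing}")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if ("block" in controls and "All" in users.get("includeUsers", [])
            and conds.get("clientAppTypes") == ["all"]):
        problems.append("blocks all users on all client apps: would lock out everyone")
    if not controls and "sessionControls" not in policy:
        problems.append("policy has no grant or session control")
    return problems


def create_request(policy: dict, breakglass_ids: List[str]) -> Request:
    """POST a new policy only if it lints clean and starts in report-only."""
    problems = lint_policy(policy, breakglass_ids)
    if policy.get("state") != REPORT_ONLY:
        problems.append(f"new policies must start report-only, got {policy.get('state')}")
    if problems:
        raise ValueError("; ".join(problems))
    return ("POST", f"{GRAPH}/identity/conditionalAccess/policies", policy)


def enforce_request(policy_id: str, current: dict, breakglass_ids: List[str],
                    confirmed: bool) -> Request:
    """PATCH state=enabled only after lint passes, the live policy is currently
    report-only (i.e. it has been observed), and an operator confirmed."""
    problems = lint_policy(current, breakglass_ids)
    if current.get("state") != REPORT_ONLY:
        problems.append(f"expected report-only before enforcing, got {current.get('state')}")
    if not confirmed:
        problems.append("operator confirmation required before enforcing")
    if problems:
        raise ValueError("; ".join(problems))
    return ("PATCH", f"{GRAPH}/identity/conditionalAccess/policies/{policy_id}",
            {"state": "enabled"})


def enforcement_plan(policies: Dict[str, dict], breakglass_ids: List[str],
                     confirmed: bool) -> List[Request]:
    """Cutover order from this log's CA-enforcement todo: Security Defaults off,
    then every CA policy to enabled. Every enforce step is linted before the
    first request is returned, so a bad policy aborts the whole plan."""
    plan: List[Request] = [enforce_request(pid, pol, breakglass_ids, confirmed)
                           for pid, pol in policies.items()]
    off = ("PATCH", f"{GRAPH}/policies/identitySecurityDefaultsEnforcementPolicy",
           {"isEnabled": False})
    return [off] + plan


if __name__ == "__main__":
    bg = [BREAKGLASS_ID]
    for req in enforcement_plan({"22cd5d4b-5e6a-4fbe-ad50-e57555b12d8d": ca001_mfa_all(bg),
                                 "52db2b88-55bf-4e7d-b060-ea4b14a253e2": ca002_block_legacy(bg)},
                                bg, confirmed=True):
        print(req[0], req[1], req[2])
```

The important property is that `enforce_request` takes the *live* policy (fetched with `GET /identity/conditionalAccess/policies/{id}` just before the cutover), not the body that was posted: if someone edited the exclusion list in the portal between report-only and enforcement, the lint catches it at the moment it matters. Run the Security Defaults PATCH and the two CA PATCHes back to back so the MFA gap between them stays seconds long.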
### Pending / Incomplete Tasks
- **Thu 5/28 1:00 PM:** Jen Curry (IFG) — finalize DNS (archival + sent-mail encryption), then mail cutover ~1 PM.
- **PST backups** of John + Sheila mailboxes before cutover (todo `d3623023`) — Intermedia has no server-side export.
- **CA enforcement** (todo `6be618e1`): after mail cutover, disable Security Defaults + flip CA001/CA002 to enabled; add office static-IP named-location policy once Sheila sends the Comcast IP (requested).
- **Defender for Business** onboarding (BP-included, app consented).
- John Velez consent / Sheila's static IP reply.
### Reference Information
- Tenant `2fd0092b`; GoDaddy `ddf3d2c9`. GDAP "Default_Ariz_Quantum Weal_704149625747913" (Pax8). CA001 `22cd5d4b`, CA002 `52db2b88`. Schedule `509862`. Appts `5598140927`/`5598140928`. Todos `d3623023` (PST), `6be618e1` (CA baseline), `06c16144` is RMM (unrelated). Break-glass id `ad4a7a5c`. Memory: `project_quantum_godaddy_m365_tenant.md`.