claudetools/session-logs/2026-04-21-session.md

Session Log: 2026-04-21

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin

Session Summary

This session completed the M365 multi-tenant onboarding initiative. The goal was to onboard all 41 CIPP-managed partner tenants to the ComputerGuru app suite (Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on) with minimal customer interaction — customers click one URL (Tenant Admin consent), then the onboard-tenant.sh script handles all remaining programmatic consent and role assignments automatically.

Accomplishments

  1. Tenant Admin manifest fix (from previous session): Added AppRoleAssignment.ReadWrite.All (GUID: 06b708a9-e830-4db3-a914-8e69da51d44f) to Tenant Admin app. This was required for the script to programmatically grant appRoleAssignments to other SPs in customer tenants. Fixed via Management app PATCH.

  2. Re-onboarded martylryan.com and grabblaw.com: These two were consented before the manifest fix. Both needed Tenant Admin re-consent (done by Mike), then script re-run. Both now fully onboarded with all apps and directory roles.

    • martylryan.com: All 4 apps + Exchange Admin + User Admin + Auth Admin assigned
    • grabblaw.com: 3 apps (no MDE) + Exchange Admin + User Admin + Auth Admin assigned; Defender skipped (no MDE license)
  3. Cascades Tucson GoDaddy admin account (from previous session):

    • Found disabled account admin@NETORGFT4257522.onmicrosoft.com
    • Renamed UPN to admin@cascadestucson.com (domain was verified default)
    • Enabled account and reset its password (the value is kept only in the SOPS vault below, not in this log)
    • Vaulted at D:/vault/clients/cascades-tucson/m365-admin.sops.yaml
  4. Batch tenant sweep: Ran onboard-tenant.sh against all 40 pending tenants. 17 were already fully consented and onboarded successfully. 23 still need initial Tenant Admin consent.

  5. tenant-consent.html: Updated to show only remaining pending tenants. 19 tenants now marked done (including martylryan + grabblaw post re-consent). 22 still pending.
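
The manifest fix in accomplishment 1, as an added example rather than the project's own Management-app code: a shell function that builds the body for PATCH /applications/{object-id} so that a permission is added to requiredResourceAccess exactly once, preserving whatever is already declared for Graph and for other resources. It uses the Graph resource ID and the two permission GUIDs listed under Key GUIDs; the application JSON, the function names and the second resource/permission used in the demo are constructed for this example, and jq is assumed.

```shell
#!/usr/bin/env bash
# Added example, not the project's Management-app code: build the body for
#   PATCH https://graph.microsoft.com/v1.0/applications/{object-id}
# that adds one application permission (type "Role") to requiredResourceAccess
# without duplicating it or clobbering permissions declared for other resources.
# Assumes jq. SAMPLE_APP below is constructed for this example.
set -eu

GRAPH_RESOURCE="00000003-0000-0000-c000-000000000000"      # Microsoft Graph
APPROLE_RW_ALL="06b708a9-e830-4db3-a914-8e69da51d44f"      # AppRoleAssignment.ReadWrite.All
APPLICATION_RW_ALL="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"  # Application.ReadWrite.All

# $1 = current application object JSON (GET /applications/{id})
# $2 = resourceAppId, $3 = permission (app role) id
# Prints a compact JSON PATCH body containing only requiredResourceAccess.
add_required_permission() {
  printf '%s' "$1" | jq -c --arg res "$2" --arg perm "$3" '
    (.requiredResourceAccess // []) as $rra
    | {requiredResourceAccess:
        (if any($rra[]; .resourceAppId == $res) then
           # resource already declared: append the role only if it is absent
           $rra | map(if .resourceAppId == $res
                         and (any(.resourceAccess[]?; .id == $perm) | not)
                      then .resourceAccess += [{id: $perm, type: "Role"}]
                      else . end)
         else
           # first permission for this resource: add a new entry
           $rra + [{resourceAppId: $res, resourceAccess: [{id: $perm, type: "Role"}]}]
         end)}'
}

# Number of permissions declared for one resource (used to confirm the merge is idempotent).
count_permissions() {   # $1 = JSON with requiredResourceAccess, $2 = resourceAppId
  printf '%s' "$1" | jq -r --arg res "$2" \
    '[.requiredResourceAccess[] | select(.resourceAppId == $res) | .resourceAccess[]] | length'
}

# Constructed sample: the app already declares Application.ReadWrite.All on Graph.
SAMPLE_APP='{"id":"00000000-0000-0000-0000-000000000001","requiredResourceAccess":[{"resourceAppId":"'"$GRAPH_RESOURCE"'","resourceAccess":[{"id":"'"$APPLICATION_RW_ALL"'","type":"Role"}]}]}'

if [ "${1:-}" = "demo" ]; then
  body=$(add_required_permission "$SAMPLE_APP" "$GRAPH_RESOURCE" "$APPROLE_RW_ALL")
  echo "$body"
  # Real call (token for the Management app; APP_OBJECT_ID is the Tenant Admin app's object id):
  # curl -sS -X PATCH -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  #   -d "$body" "https://graph.microsoft.com/v1.0/applications/$APP_OBJECT_ID"
fi
```

Declaring the permission in the manifest does not grant it: every customer tenant has to consent to the updated Tenant Admin app again, which is why martylryan.com and grabblaw.com (consented before the fix) needed a fresh Tenant Admin consent before the script could succeed.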

Files Modified This Session

  • .claude/skills/remediation-tool/scripts/onboard-tenant.sh: major rewrite; programmatic consent for all 4 non-admin apps after Tenant Admin consent
  • .claude/skills/remediation-tool/references/tenants.md: NEW; full 41-tenant list with display names, domains, tenant IDs, onboarding status, consent URLs
  • .claude/skills/remediation-tool/references/tenant-consent.html: NEW and updated; dark-theme HTML page with clickable consent links; 19 tenants marked done
  • .claude/skills/remediation-tool/references/gotchas.md: updated; Grabblaw and martylryan marked fully onboarded with dates
  • D:/vault/clients/cascades-tucson/m365-admin.sops.yaml: NEW; SOPS-encrypted admin credentials for Cascades Tucson

Credentials

Cascades Tucson M365 Admin


onboard-tenant.sh Architecture

Flow

  1. Resolve domain → tenant GUID (openid-configuration)
  2. Acquire Tenant Admin token (client_credentials) to verify consent
  3. Locate resource SPs in tenant: Microsoft Graph, Exchange Online, Defender ATP
  4. For each app (Security Investigator, Exchange Operator, User Manager, Defender Add-on):
    • Create SP if missing (POST /servicePrincipals) — sleep 5 after creation for replication
    • Grant all appRoleAssignments idempotently
  5. Assign directory roles (Exchange Admin to Sec Inv SP; User Admin + Auth Admin to User Mgr SP)
  6. Print status table

Key GUIDs

Permission resource app IDs:

  • Microsoft Graph: 00000003-0000-0000-c000-000000000000
  • Exchange Online: 00000002-0000-0ff1-ce00-000000000000
  • Defender ATP: fc780465-2017-40d4-a0c5-307022471b92

App IDs:

  • Security Investigator: bfbc12a4-f0dd-4e12-b06d-997e7271e10c
  • Exchange Operator: b43e7342-5b4b-492f-890f-bb5a4f7f40e9
  • User Manager: 64fac46b-8b44-41ad-93ee-7da03927576c
  • Tenant Admin: 709e6eed-0711-4875-9c44-2d3518c47063
  • Defender Add-on: dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b

Tenant Admin manifest permissions required:

  • AppRoleAssignment.ReadWrite.All: 06b708a9-e830-4db3-a914-8e69da51d44f
  • Application.ReadWrite.All: 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9
  • Directory.ReadWrite.All: 19dbc75e-c2e2-444c-a770-ec69d8559fc7

These are application permissions with tenant-wide write scope. Application.ReadWrite.All lets the holder add credentials to any app registration and AppRoleAssignment.ReadWrite.All lets it grant any SP further app roles, so the Tenant Admin app's own client credential is effectively a key to every consented tenant and has to be protected as such.

Bugs Fixed During Development

  1. stdout/stderr pollution in create_sp_if_missing: Human-readable status lines were going to stdout, corrupting sp_oid=$(create_sp_if_missing ...). Fix: all status echoes changed to >&2.
  2. Graph replication delay: Newly created SPs need ~5s before appRoleAssignments can be granted. Fix: sleep 5 after successful SP creation.
  3. jq null iterator: [.value[] | select(...)] threw on fresh SPs with null appRoleAssignments. Fix: [.value[]? | select(...)].
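
The flow above and the three fixes, as an added example that is not the project's onboard-tenant.sh: step 1 (domain to tenant GUID) and steps 4a/4b (find-or-create SP, idempotent appRoleAssignment grants), with the stderr discipline, replication wait and null-safe jq iterator from the bug list. GRAPH_GET, GRAPH_POST, missing_app_roles, grant_missing_roles and onboard_app are names chosen here (only create_sp_if_missing is named on the page); the token acquisition of step 2 and the directory-role assignment of step 5 are omitted; jq is assumed, and the test data is constructed in the documented shape of the Graph responses.

```shell
#!/usr/bin/env bash
# Added example, not the project's onboard-tenant.sh: the onboarding steps that can be
# exercised without a tenant. Graph calls go through GRAPH_GET / GRAPH_POST so they can be
# stubbed; the defaults wrap curl with $GRAPH_TOKEN (a client_credentials token for the
# Tenant Admin app; acquisition not shown). Assumes jq.
set -eu

GRAPH="https://graph.microsoft.com/v1.0"
GRAPH_GET()  { curl -sS -H "Authorization: Bearer ${GRAPH_TOKEN:?}" "$GRAPH$1"; }
GRAPH_POST() { curl -sS -H "Authorization: Bearer ${GRAPH_TOKEN:?}" \
                    -H 'Content-Type: application/json' -d "$2" "$GRAPH$1"; }

# Step 1: domain -> tenant GUID. Reads on stdin the JSON body of
#   https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration
# whose issuer is https://login.microsoftonline.com/<tenant-id>/v2.0.
tenant_id_from_openid() {
  jq -r '.issuer | split("/") | .[3]'
}

# Which required app roles are not yet assigned to this SP for this resource.
# `.value[]?` instead of `.value[]` is bug 3: a freshly created SP can come back with
# "value": null, and the plain iterator aborts jq on null.
# $1 = JSON of GET /servicePrincipals/{id}/appRoleAssignments, $2 = resource SP object id,
# $3.. = required appRoleIds. Prints one missing role id per line.
missing_app_roles() {
  local existing="$1" resource="$2" have role
  shift 2
  have=$(printf '%s' "$existing" |
         jq -r --arg r "$resource" '.value[]? | select(.resourceId == $r) | .appRoleId')
  for role in "$@"; do
    printf '%s\n' "$have" | grep -qx "$role" || printf '%s\n' "$role"
  done
}

# Step 4a: find or create the SP for an app ID and print ONLY its object id on stdout.
# Bug 1: every status line goes to stderr, otherwise oid=$(create_sp_if_missing ...)
# captures the chatter along with the id. Bug 2: wait for replication after a create.
create_sp_if_missing() {
  local app_id="$1" oid
  oid=$(GRAPH_GET "/servicePrincipals?\$filter=appId%20eq%20'$app_id'" | jq -r '.value[0].id // empty')
  if [ -n "$oid" ]; then
    echo "SP for $app_id exists: $oid" >&2
  else
    oid=$(GRAPH_POST "/servicePrincipals" "{\"appId\":\"$app_id\"}" | jq -r '.id')
    echo "Created SP $oid for $app_id; waiting ${SP_REPLICATION_WAIT:-5}s for replication" >&2
    sleep "${SP_REPLICATION_WAIT:-5}"
  fi
  printf '%s\n' "$oid"
}

# Step 4b: grant only the assignments that are missing, so re-runs are idempotent.
# $1 = SP object id, $2 = resource SP object id, $3.. = role ids. Prints the number granted.
grant_missing_roles() {
  local sp="$1" resource="$2" existing granted role
  shift 2
  existing=$(GRAPH_GET "/servicePrincipals/$sp/appRoleAssignments")
  granted=0
  for role in $(missing_app_roles "$existing" "$resource" "$@"); do
    GRAPH_POST "/servicePrincipals/$sp/appRoleAssignments" \
      "{\"principalId\":\"$sp\",\"resourceId\":\"$resource\",\"appRoleId\":\"$role\"}" >/dev/null
    echo "granted $role to $sp on $resource" >&2
    granted=$((granted + 1))
  done
  printf '%s\n' "$granted"
}

# Steps 4a+4b for one app, e.g. onboard_app "$SEC_INV_APP_ID" "$GRAPH_SP_OID" <role-id>...
# Prints the number of new assignments on stdout.
onboard_app() {
  local app_id="$1" resource="$2" sp_oid n
  shift 2
  sp_oid=$(create_sp_if_missing "$app_id")
  n=$(grant_missing_roles "$sp_oid" "$resource" "$@")
  echo "$app_id: sp=$sp_oid new_assignments=$n" >&2
  printf '%s\n' "$n"
}
```

Routing Graph through the two wrapper functions lets a dry run replace them with stubs; the real script only needs GRAPH_TOKEN set to the Tenant Admin client_credentials token. Because missing_app_roles diffs against the assignments already present, re-running after a partial failure re-posts only what is still absent, which is the behaviour the batch sweep relies on.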

Onboarding Status (as of 2026-04-21)

Done (19 tenants)

andysmobilefuel.com, tedards.net, cascadestucson.com, cclac.net, cobaltfinearts.com, dataforth.com, glaztech.com, heieck.org, jemaenterprises.com, mvan.onmicrosoft.com, bestmassageintucson.com, rednourlaw.com, reliantpump.services, ridgetopgroup.com, safesitellc.com, sonorangreenllc.com, valleywideplastering.com, martylryan.com, grabblaw.com

Pending Tenant Admin consent

Brian Kahn (briankahn.onmicrosoft.com), cuadro.design, Curtis Plumbing (cparizona.onmicrosoft.com), cwconcretellc.com, Feline Ltd (felineltd.onmicrosoft.com), ICE INC (iceinc.us.com), Instrumental Music (instrumentalmusic.onmicrosoft.com), JR Kennedy (jrkco.com), Khalsa Montessori (khalsamontessorischools.onmicrosoft.com), Kittle Design (kittlearizona.com), LeeAnn Parkinson (lamaddux.com), Patient Care Advocates (pcatucson.com), Putt Land Surveying (puttsurveying.com), Rincon Vista Vet (rinconvistavet.onmicrosoft.com), Russo Law (rrs-law.com), SANDTEKO (SANDTEKOMACHINERY.com), Shave Kevin (az2son.com), Starr Pass Realty (starrpass.com), The Dumpster Guys (dumpsterguys.onmicrosoft.com), The Prairie Schooner (theprairieschooner.onmicrosoft.com), Tucson Golden Corral (tucsongoldencorral.onmicrosoft.com), Tucson Mountain Motors (tucsonmountainmotors.com), Von's Carstar (vonscarstar.com)

Not in CIPP (needs investigation)


Pending / Next Steps

  1. 22 tenants need initial Tenant Admin consent — use tenant-consent.html to send links or open directly; after each consent, run onboard-tenant.sh <domain>
  2. Len's Auto Brokerage — check if in CIPP, add if not, then onboard
  3. Brian Kahn — needs Brian Kahn's own Global Admin to click consent URL (not admin@lensautobrokerage.onmicrosoft.com)
  4. tenant-consent.html GUID entries: three entries show a tenant GUID instead of a domain (f5f86b40, dfee2224, and the cparizona/felineltd-style tenants that only have onmicrosoft.com domains); verify that the display names in tenants.md match before sending those links

Reference

  • Consent HTML: D:/claudetools/.claude/skills/remediation-tool/references/tenant-consent.html
  • Tenant list: D:/claudetools/.claude/skills/remediation-tool/references/tenants.md
  • Onboarding script: D:/claudetools/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
  • Gotchas: D:/claudetools/.claude/skills/remediation-tool/references/gotchas.md
  • Cascades vault: D:/vault/clients/cascades-tucson/m365-admin.sops.yaml