8.9 KiB
Session Log — 2026-06-01 — Client work review, QWM M365, GDAP docs
User
- User: Howard Enos (howard)
- Machine: Howard-Home
- Role: tech
Session Summary
Reviewed outstanding client work across the books (excluding Cascades) by pulling the coord API todos + component states, then drilled into Quantum Wealth Management (QWM) M365. Performed a read-only Graph review of the live QWM tenant 2fd0092b using the ComputerGuru Security Investigator app. Found the wiki article was stale (still described the abandoned GoDaddy/johnvelez 8f7eaff4 tenant) and corrected it. Confirmed the 2026-06-03 license-lapse deadline objective is MET: both John and Sheila are Business Premium licensed and activated Office (signed into Microsoft Office + Authentication Broker from the Tucson office 5/27). The broader Intermedia->M365 migration remains in progress.
The significant QWM finding: john@quantumwms.com is under an active distributed password-spray — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + Amsterdam NL malicious-flagged IP + Praha CZ password guess), 0 successful malicious logins (account NOT breached). Risk is real because John is not MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (CA001 require-MFA, CA003 block-non-US) are still report-only. Saved a full report, updated the wiki + coord, closed the deadline todo, and filed urgent security + migration-remainder todos. Mike is taking over QWM.
Ran a status pass on the remaining client items, then live-verified three: Deere Park WiFi quote (Syncro #32279 — still New, quote never sent, overdue), Len's Auto Brokerage + Sombra Residential GuruRMM deployments (live API), and Birth Biologic Datto SmartBadge (live RMM dispatch — PASS). Recorded all findings as coord components. Filed a todo for a new finding: Sombra's Server2013 (Win Server 2012/R2, EOL) GuruRMM agent has been offline since 2026-05-14 (~18 days), unmonitored.
Investigated whether documented rules exist for onboarding a client to a Granular admin relationship (GDAP). Found ACG runs two delegated-admin models: (1) the ComputerGuru app-consent suite, well documented in the remediation-tool skill (gotchas.md, tenants.md, onboard-tenant.sh); (2) true Pax8/Partner-Center GDAP, which has NO requirements doc — only a group-membership script and scattered session-log mentions. The wiki has no onboarding article (wiki/patterns/ is empty). While reading the GDAP script, found a plaintext ClientSecret committed in the repo and flagged it as a security todo.
Key Decisions
- Treated the live tenant
2fd0092bas authoritative and rewrote the stale QWM wiki (was pointing at the abandoned johnvelez8f7eaff4tenant). - Closed the 6/03 license-lapse todo (
46bda3ec) because its named objective (license + Office activation before lapse) is verified met; created a migration-remainder todo (72060fc8) to preserve the personal-domain + GoDaddy-cancellation steps so nothing was lost. Left the stale johnvelez-tenant todo37f2196copen but flagged for cleanup (it's Mike's). - Filed the QWM password-spray finding as its own urgent todo (
bf09d843) rather than un-parking the existing security-baseline todo, because the active attack + no-MFA + report-only-CA combination is new and time-sensitive. - Recorded all live-check results as coord components (the live-status tracker the team reads) rather than only in chat. Used hyphenated client project keys (e.g.
clients-lens-auto-brokerage) — the slash form 404s on the component PUT endpoint. - Made NO tenant changes anywhere (QWM and others) — all read-only per the request.
Problems Encountered
- Coord component PUT returned
Not Foundwith the slashed keyclients/quantumwms/m365; resolved by using the hyphenated keyclients-quantumwms/m365(matches how existing client components are stored). - Graph
auditLogs/signIns$filteronuserPrincipalName/statusreturned empty silently, and$top=999returned an emptyvalue; resolved by pulling unfiltered at$top=200and filtering client-side with jq. - Coord todo POST initially failed validation (missing
created_by_user/created_by_machine); resolved by adding both required fields. - Briefly suspected a sync collision because the rebase diffstat showed the QWM report + wiki under "incoming"; verified it was just the pre-rebase comparison direction — Mike's same-day commits were for Jupiter/GURU-KALI/EZ Fast Auto Glass, zero QWM overlap. Files intact after rebase.
Configuration Changes
Created:
clients/quantumwms/reports/2026-06-01-m365-review.md— full read-only M365 review (committed earlier this session, commit847d634).
Modified:
wiki/clients/quantumwms.md— corrected tenant to2fd0092b, rewrote users/CA section, added Current Status + security block, updated Open Items (committed847d634).
Coord API (server-side, not repo):
- Component
clients-quantumwms/m365= active (created) - Component
clients-lens-auto-brokerage/gururmm-deployment= pending (verified 0 agents) - Component
clients-sombra-residential/gururmm= degraded (Server2013 offline) - Component
clients-birth-biologic/datto-smartbadge= active (created, PASS verified) - Component
clients-deere-park/wifi-quote= pending (created) - Todo
46bda3ec-> done (QWM 6/03 lapse) - Todos created:
bf09d843(QWM security/spray),72060fc8(QWM migration remainder),7221c025(Sombra Server2013 offline, ->howard),10536f07(exposed secret, ->mike)
Credentials & Secrets
- EXPOSED (flagged, not yet remediated): plaintext
ClientSecretfor appfabb3421-8b34-484b-bc17-e46de9703418(deprecated ComputerGuru AI Remediation app) in ACG partner tenantce61461e-81a0-4c84-bb4a-7b354a9a356d, committed atclients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1line 9 (and in git history). Tracked in todo10536f07— rotate + remove + confirm app retirement. - QWM read performed with ComputerGuru Security Investigator app
bfbc12a4-f0dd-4e12-b06d-997e7271e10c(cert auth, read-only). No new secrets created. - QWM break-glass remains vaulted at
clients/quantumwms/m365-breakglass.sops.yaml.
Infrastructure & Servers
- QWM M365 tenant (current):
2fd0092b-e9b7-474c-ad73-301f34dd6b64("Quantum Wealth Management",quantumwms.comprimary,quantumwms.onmicrosoft.cominitial). Users: john@/sheila@ (Business Premium, not MFA-registered), sysadmin@ (Mike, GA, MFA), breakglass@ (GA, CA-excluded). CA001/CA002/CA003 all report-only; Security Defaults ON. Abandoned tenants:8f7eaff4(johnvelez/NETORGFT2570783),ddf3d2c9(dormant GoDaddy netorg18235235). - GuruRMM: API
http://172.16.3.30:3001. Len's Auto Brokerage clientbc76984f, site "Main" codeUPPER-STAR-2820— 0 agents. Sombra Residential client4143369f: Server2013 (agent5383e9c1, build 9200, OFFLINE last_seen 2026-05-14) + DESKTOP-UQRN4K3 (Win11, online). Birth Biologic KSTEENBB2025 agentee3c6aea(online, verify PASS). - Syncro #32279 "Onsite - Install Office (and new quote for wifi)", customer Deere Park Development (id 7088463), internal id 110305905, status New. DPA Inc tenant
11de2fe0-4fa4-4b28-a430-40bc20c86fc2.
Commands & Outputs
- Graph token:
bash get-token.sh 2fd0092b-... investigator(cert auth). - Sign-in pull (filter quirk workaround):
GET /v1.0/auditLogs/signIns?$top=200then jq client-side. John: 102 events, 4 success (all Tucson 69.254.197.173, 5/27), 98 failures (94x err 50053 malicious-IP block, 4x err 50126 bad password). Foreign: Amsterdam NL192.42.116.61(50053), Praha CZ130.193.15.79(50126). - Component PUT pattern:
PUT /api/coord/components/clients-<slug>/<component>(hyphenated key).
Pending / Incomplete Tasks
- QWM (Mike owns now): security todo
bf09d843(reset John pw, MFA registration, enforce CA001+CA003); migration remainder72060fc8; PST backupsd3623023; close stale37f2196c. - Len's Auto Brokerage GuruRMM deployment — NEXT TASK this session. Site
UPPER-STAR-2820exists, 0 agents. Need site-specific MSI from dashboard, then execute GPO rollout to ~10 endpoints. Prep inclients/lens-auto-brokerage/docs/. - Sombra Server2013 offline — todo
7221c025(investigate power/service/connectivity; EOL box dark). - Deere Park — build + send updated UniFi quote to Richard Glabman, attach to #32279.
- Exposed secret — todo
10536f07. - Doc gap: no GDAP/onboarding rules doc; offered to draft
wiki/patterns/m365-client-onboarding.md.
Reference Information
- QWM report:
clients/quantumwms/reports/2026-06-01-m365-review.md. Prior commit847d634. - Onboarding docs:
.claude/skills/remediation-tool/references/{gotchas.md,tenants.md},scripts/onboard-tenant.sh. GDAP groups:clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1(13 M365 GDAP groups + AdminAgents in tenant ce61461e). - Coord API:
http://172.16.3.30:8001/api/coord. Todos this session: 46bda3ec(done), bf09d843, 72060fc8, 7221c025, 10536f07. - Syncro #32279: https://computerguru.syncromsp.com/tickets/110305905