Howard Enos
6608c05674
Cloud-only M365 user created, SPB license assigned, SSPR group added, CA/MFA audit, Syncro billing for tickets #109316879 and #110120097. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
9.4 KiB
Cascades of Tucson — Alma Montt Account Completion and Syncro Billing
Date: 2026-05-19 Syncro tickets: #109316879 (New user Alma Montt — Resolved), #110120097 (New workstation Alma Montt — Resolved)
User
- User: Howard Enos (howard)
- Machine: HOWARD-HOME
- Role: tech
Session Summary
Session resumed from 2026-05-18 where Alma Montt's AD account had been created in OU=Administrative but never propagated to M365 via Entra Connect. Graph API confirmed she was absent from the Cascades tenant after an overnight wait. Root cause identified: Entra Connect on CS-SERVER is scoped to sync only the Caregivers OU (and likely other care-staff OUs); OU=Administrative is outside the sync boundary and will never produce a cloud object via the normal sync path.
Alma Montt was created as a cloud-only M365 user directly via Graph API using the user-manager app (64fac46b-8b44-41ad-93ee-7da03927576c). Account created at Alma.Montt@cascadestucson.com, SPB license (cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46) assigned, and Exchange Online mailbox provisioning initiated. Alma was added to SG-SSPR-Eligible (ID: d6044864-a0ef-4c30-ba37-cdba7074437e) to match Shelby Trozzi and Meredith's group membership for self-service password reset.
Howard reported Alma was not being prompted to set up Microsoft Authenticator after logging in onsite. CA policy audit via Graph confirmed the "Require multifactor authentication for all users" policy (ID: 7e87a1c7-4836-49df-8769-c4cccadd9dbe) excludes AllTrusted named locations. Since Alma logged in from the Cascades network (a trusted location), the CA policy did not fire and no MFA registration prompt was shown. She is not in the SG-Caregivers-Pilot bypass group — she will be prompted for MFA setup automatically when signing in from outside the network. For immediate onsite setup, she was directed to https://aka.ms/mysecurityinfo to register the Authenticator app manually.
Syncro billing completed for both tickets. Ticket #109316879 received a resolution comment documenting the M365 account creation, license assignment, SSPR group addition, and MFA registration guidance, with 0.5 hours remote labor. Ticket #110120097 received a resolution comment documenting the onsite visit: Windows 11 Pro upgrade, domain join, and Alma's domain user account configuration on the machine, with 1.0 hour onsite labor. Both tickets marked Resolved. Cascades prepay balance decreased from 39.5 to 37.5 hours.
Also resolved a carryover from 2026-05-18: the sync.sh script had failed with "Not in a git working tree" because the candidate path list in sync.sh does not include C:/claudetools (only D:/claudetools variants). The four files from that session were committed and pushed directly via git commands, bypassing sync.sh.
Key Decisions
- Alma as cloud-only M365 user —
OU=Administrativeis outside Entra Connect sync scope. Creating via Graph directly rather than moving her to a synced OU avoids disrupting the AD org structure and is cleaner for an admin-class user who doesn't need the same caregiver CA policies. - MFA not prompting onsite — The "Require MFA for all users" CA policy excludes
AllTrustedlocations. This is by design for onsite workers; Alma will be prompted on first external login. Directed tohttps://aka.ms/mysecurityinfofor immediate manual setup rather than modifying the CA policy or creating a registration-only policy. - SG-SSPR-Eligible group — Howard confirmed Alma should be in the same group as Shelby Trozzi and Meredith. Both were in SG-SSPR-Eligible; Alma added to match.
- charge_timer_entry: timer ID in body — The
POST /tickets/{id}/charge_timer_entry/{timer_id}path (ID in URL) returns 404. Correct form isPOST /tickets/{id}/charge_timer_entrywithtimer_entry_idin the JSON body.
Problems Encountered
- sync.sh "Not in a git working tree" (carryover from 2026-05-18) — sync.sh searches a hardcoded candidate list for the repo root;
C:/claudetoolsis not in it. Fixed by runninggit add,git commit,git pull --rebase,git pushdirectly. The candidate list in.claude/scripts/sync.sh(lines 26-31) should be updated to includeC:/claudetools. - Alma not in M365 after overnight Entra sync — Entra Connect scope does not include
OU=Administrative. Fixed by creating her as a cloud-only user directly via Graph API. - charge_timer_entry 404 with timer ID in URL —
POST /tickets/{id}/charge_timer_entry/{timer_id}returns 404. Fixed: passtimer_entry_idin the request body instead.POST /tickets/{id}/charge_timer_entrywith{"timer_entry_id": N, ...}. - product_id override not respected on charge_timer_entry — Ticket #109316879 should have been Remote Business (1190473, $150/hr) but the charge response showed product_id 26118 (Onsite, $175/hr) — the timer's default. The body
product_idfield was ignored. No financial impact since Cascades is prepaid (hours deducted by quantity, not rate). Reported for future awareness.
Configuration Changes
No files created or modified this session (all changes were API calls to M365/Graph and Syncro).
Credentials & Secrets
Alma Montt M365 / domain credentials:
- UPN:
Alma.Montt@cascadestucson.com - AD SamAccountName:
Alma.Montt - Temp password:
Cascades2026! - Must change at first login: yes (AD account); yes (M365 cloud account —
forceChangePasswordNextSignIn: true)
Graph API — user-manager app (used this session):
- App ID:
64fac46b-8b44-41ad-93ee-7da03927576c - Vault:
msp-tools/computerguru-user-manager.sops.yaml
Graph API — security investigator (used for read/audit):
- App ID:
bfbc12a4-f0dd-4e12-b06d-997e7271e10c - Vault:
msp-tools/computerguru-security-investigator.sops.yaml
Infrastructure & Servers
| Resource | Detail |
|---|---|
| Cascades tenant ID | 207fa277-e9d8-4eb7-ada1-1064d2221498 |
| Alma Montt M365 user ID | b2fb546e-687a-4647-b286-9c8edd3d989f |
| SPB SKU ID | cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46 |
| SG-SSPR-Eligible group ID | d6044864-a0ef-4c30-ba37-cdba7074437e |
| SG-Caregivers-Pilot group ID | 0674f0bc-6ff4-49c7-802d-2abf591ba371 (CA bypass — not relevant to Alma) |
| CA policy: Require MFA all users | 7e87a1c7-4836-49df-8769-c4cccadd9dbe — excludes AllTrusted locations |
| CS-SERVER agent ID | 6766e973-e703-47c1-be56-76950290f87c |
| Entra Connect sync scope | Caregivers OU only (Administrative OU excluded) |
Commands & Outputs
Create cloud-only M365 user:
POST https://graph.microsoft.com/v1.0/users
{
"accountEnabled": true,
"displayName": "Alma Montt",
"givenName": "Alma",
"surname": "Montt",
"mailNickname": "Alma.Montt",
"userPrincipalName": "Alma.Montt@cascadestucson.com",
"passwordProfile": {"forceChangePasswordNextSignIn": true, "password": "Cascades2026!"},
"usageLocation": "US"
}
# Response: id = b2fb546e-687a-4647-b286-9c8edd3d989f
Assign SPB license:
POST https://graph.microsoft.com/v1.0/users/b2fb546e-687a-4647-b286-9c8edd3d989f/assignLicense
{"addLicenses": [{"skuId": "cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46"}], "removeLicenses": []}
Add to SG-SSPR-Eligible:
POST https://graph.microsoft.com/v1.0/groups/d6044864-a0ef-4c30-ba37-cdba7074437e/members/$ref
{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/b2fb546e-687a-4647-b286-9c8edd3d989f"}
# HTTP 204
Correct charge_timer_entry pattern (Syncro):
# WRONG — 404:
POST /tickets/{id}/charge_timer_entry/{timer_id}
# CORRECT:
POST /tickets/{id}/charge_timer_entry
{"timer_entry_id": 39315669, "product_id": 1190473, "price_retail": 150.0, "quantity": 0.5}
Syncro billing summary:
| Ticket | Comment ID | Timer ID | Line Item ID | Product | Qty | Status |
|---|---|---|---|---|---|---|
| #109316879 | 411802954 | 39315669 | 42503459 | 26118 (Onsite — product override not respected) | 0.5 hr | Resolved |
| #110120097 | 411803311 | 39315735 | 42503478 | 26118 (Onsite Business) | 1.0 hr | Resolved |
Cascades prepay balance: 39.5 → 38.5 → 37.5 hrs (deducted 0.5 + 1.0)
Pending / Incomplete Tasks
| Item | Status | Notes |
|---|---|---|
| Alma Montt — MFA Authenticator setup | Pending | Directed to https://aka.ms/mysecurityinfo; needs to complete on her phone |
| Alma Montt — credentials delivery to Meredith | Pending | UPN: Alma.Montt@cascadestucson.com / pw: Cascades2026! |
| n.castro — M365 block sign-in | Pending (from 2026-05-18) | Run Update-MgUser -UserId n.castro@cascadestucson.com -AccountEnabled:$false |
| Shontiel.Nunn old account | On hold (from 2026-05-18) | Keep until Howard confirms not in use on a machine |
| k.flores, g.williford, m.kariuki | On hold (from 2026-05-18) | Employment status unconfirmed |
| SG-MedTech / SG-CCG groups | Deferred (from 2026-05-18) | Create when ALIS licensing tiers confirmed |
| sync.sh — add C:/claudetools to candidate list | Deferred | Lines 26-31 of .claude/scripts/sync.sh |
Reference Information
- Syncro ticket #109316879: https://computerguru.syncromsp.com/tickets/109316879 (Resolved)
- Syncro ticket #110120097: https://computerguru.syncromsp.com/tickets/110120097 (Resolved)
- MFA self-registration: https://aka.ms/mysecurityinfo
- Prior session log:
clients/cascades-tucson/session-logs/2026-05-18-howard-caregiver-reconciliation-and-new-accounts.md - AD structure reference:
clients/cascades-tucson/docs/servers/active-directory.md - Cascades CONTEXT.md:
clients/cascades-tucson/CONTEXT.md