Cloud-only M365 user created, SPB license assigned, SSPR group added, CA/MFA audit, Syncro billing for tickets #109316879 and #110120097. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
158 lines
9.4 KiB
Markdown
# Cascades of Tucson — Alma Montt Account Completion and Syncro Billing

**Date:** 2026-05-19

**Syncro tickets:** #109316879 (New user Alma Montt — Resolved), #110120097 (New workstation Alma Montt — Resolved)

## User

- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME
- **Role:** tech

---

## Session Summary
Session resumed from 2026-05-18 where Alma Montt's AD account had been created in `OU=Administrative` but never propagated to M365 via Entra Connect. Graph API confirmed she was absent from the Cascades tenant after an overnight wait. Root cause identified: Entra Connect on CS-SERVER is scoped to sync only the Caregivers OU (and likely other care-staff OUs); `OU=Administrative` is outside the sync boundary and will never produce a cloud object via the normal sync path.
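
The root cause above is a scoping mismatch that can be checked before waiting a sync cycle. The following is an added example (not the MSP's own tooling) that decides, from an object's AD distinguished name, whether Entra Connect will ever sync it; the `DC=` labels and the synced-OU list are constructed assumptions, and the real scope must be read from the connector configuration on CS-SERVER.

```python
"""Pre-flight check: will an AD object reach Entra ID via Entra Connect?
Added example; the DC labels and SYNCED_OUS are constructed assumptions."""
import re

# Constructed: OUs the Entra Connect connector is scoped to (from its config).
SYNCED_OUS = ["OU=Caregivers,DC=cascadestucson,DC=local"]

# Split a DN on commas that are not escaped with a backslash.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def dn_components(dn: str) -> list[str]:
    """Normalise a DN into lower-cased 'attr=value' RDNs, left to right."""
    parts = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts


def in_sync_scope(dn: str, synced_ous=SYNCED_OUS) -> bool:
    """True if the object sits at or below any synced OU.

    Compares RDN lists as a suffix, so 'OU=Caregivers,OU=Archive,DC=...' or an
    OU named 'Caregivers\\,Old' does not match by accident the way a plain
    substring test would.
    """
    obj = dn_components(dn)
    for ou in synced_ous:
        suffix = dn_components(ou)
        if len(obj) >= len(suffix) and obj[-len(suffix):] == suffix:
            return True
    return False


def provisioning_path(dn: str, synced_ous=SYNCED_OUS) -> str:
    """Which path produces the M365 object for a new hire placed at this DN."""
    if in_sync_scope(dn, synced_ous):
        return "entra-connect"   # wait for the next delta sync
    return "cloud-only"          # create directly via Graph, as done for Alma


if __name__ == "__main__":
    for dn in ("CN=Alma Montt,OU=Administrative,DC=cascadestucson,DC=local",
               "CN=Sample Aide,OU=Caregivers,DC=cascadestucson,DC=local"):
        print(dn, "->", provisioning_path(dn))
```
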
Alma Montt was created as a cloud-only M365 user directly via Graph API using the user-manager app (`64fac46b-8b44-41ad-93ee-7da03927576c`). Account created at `Alma.Montt@cascadestucson.com`, SPB license (`cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`) assigned, and Exchange Online mailbox provisioning initiated. Alma was added to `SG-SSPR-Eligible` (ID: `d6044864-a0ef-4c30-ba37-cdba7074437e`) to match Shelby Trozzi and Meredith's group membership for self-service password reset.
Howard reported Alma was not being prompted to set up Microsoft Authenticator after logging in onsite. CA policy audit via Graph confirmed the "Require multifactor authentication for all users" policy (ID: `7e87a1c7-4836-49df-8769-c4cccadd9dbe`) excludes `AllTrusted` named locations. Since Alma logged in from the Cascades network (a trusted location), the CA policy did not fire and no MFA registration prompt was shown. She is not in the SG-Caregivers-Pilot bypass group — she will be prompted for MFA setup automatically when signing in from outside the network. For immediate onsite setup, she was directed to `https://aka.ms/mysecurityinfo` to register the Authenticator app manually.
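
To make the "why did no MFA prompt appear" reasoning reproducible, here is an added example (not the MSP's tooling) that replays the user and location scoping of the CA policy for one sign-in. The policy object is a constructed cut-down of the Graph `conditionalAccessPolicy` shape built from this audit's findings; the exclusion of SG-Caregivers-Pilot via `excludeGroups` is an assumption, and named-location IDs other than `AllTrusted` are not resolved.

```python
"""Replay CA policy scoping for a single sign-in. Added example; POLICY is a
constructed subset of the Graph conditionalAccessPolicy resource."""

POLICY = {  # constructed from the audit findings for policy 7e87a1c7-...
    "id": "7e87a1c7-4836-49df-8769-c4cccadd9dbe",
    "displayName": "Require multifactor authentication for all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            # assumption: the caregiver pilot bypass group is excluded here
            "excludeGroups": ["0674f0bc-6ff4-49c7-802d-2abf591ba371"],
        },
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

ALMA = "b2fb546e-687a-4647-b286-9c8edd3d989f"   # Alma Montt M365 user ID


def policy_applies(policy: dict, user_id: str, group_ids: set[str],
                   location_trusted: bool) -> bool:
    """True if the policy's user and location conditions match this sign-in."""
    if policy.get("state") != "enabled":
        return False
    users = policy["conditions"]["users"]
    include = users.get("includeUsers", [])
    if "All" not in include and user_id not in include:
        return False
    if user_id in users.get("excludeUsers", []):
        return False
    if group_ids & set(users.get("excludeGroups", [])):
        return False
    excluded = policy["conditions"].get("locations", {}).get("excludeLocations", [])
    if location_trusted and "AllTrusted" in excluded:
        return False   # the branch an onsite (trusted-network) sign-in takes
    return True


def mfa_required(policy: dict, user_id: str, group_ids: set[str],
                 location_trusted: bool) -> bool:
    """True if this sign-in would be challenged for MFA by the policy."""
    return (policy_applies(policy, user_id, group_ids, location_trusted)
            and "mfa" in policy["grantControls"].get("builtInControls", []))


if __name__ == "__main__":
    print("onsite :", mfa_required(POLICY, ALMA, set(), True))    # no prompt
    print("offsite:", mfa_required(POLICY, ALMA, set(), False))   # prompt
```
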
Syncro billing completed for both tickets. Ticket #109316879 received a resolution comment documenting the M365 account creation, license assignment, SSPR group addition, and MFA registration guidance, with 0.5 hours remote labor. Ticket #110120097 received a resolution comment documenting the onsite visit: Windows 11 Pro upgrade, domain join, and Alma's domain user account configuration on the machine, with 1.0 hour onsite labor. Both tickets marked Resolved. Cascades prepay balance decreased from 39.5 to 37.5 hours.
Also resolved a carryover from 2026-05-18: the sync.sh script had failed with "Not in a git working tree" because the candidate path list in sync.sh does not include `C:/claudetools` (only `D:/claudetools` variants). The four files from that session were committed and pushed directly via git commands, bypassing sync.sh.

---

## Key Decisions

- **Alma as cloud-only M365 user** — `OU=Administrative` is outside Entra Connect sync scope. Creating via Graph directly rather than moving her to a synced OU avoids disrupting the AD org structure and is cleaner for an admin-class user who doesn't need the same caregiver CA policies.
- **MFA not prompting onsite** — The "Require MFA for all users" CA policy excludes `AllTrusted` locations. This is by design for onsite workers; Alma will be prompted on first external login. Directed to `https://aka.ms/mysecurityinfo` for immediate manual setup rather than modifying the CA policy or creating a registration-only policy.
- **SG-SSPR-Eligible group** — Howard confirmed Alma should be in the same group as Shelby Trozzi and Meredith. Both were in SG-SSPR-Eligible; Alma added to match.
- **charge_timer_entry: timer ID in body** — The `POST /tickets/{id}/charge_timer_entry/{timer_id}` path (ID in URL) returns 404. Correct form is `POST /tickets/{id}/charge_timer_entry` with `timer_entry_id` in the JSON body.

---

## Problems Encountered

- **sync.sh "Not in a git working tree" (carryover from 2026-05-18)** — sync.sh searches a hardcoded candidate list for the repo root; `C:/claudetools` is not in it. Fixed by running `git add`, `git commit`, `git pull --rebase`, `git push` directly. The candidate list in `.claude/scripts/sync.sh` (lines 26-31) should be updated to include `C:/claudetools`.
- **Alma not in M365 after overnight Entra sync** — Entra Connect scope does not include `OU=Administrative`. Fixed by creating her as a cloud-only user directly via Graph API.
- **charge_timer_entry 404 with timer ID in URL** — `POST /tickets/{id}/charge_timer_entry/{timer_id}` returns 404. Fixed: pass `timer_entry_id` in the request body instead. `POST /tickets/{id}/charge_timer_entry` with `{"timer_entry_id": N, ...}`.
- **product_id override not respected on charge_timer_entry** — Ticket #109316879 should have been Remote Business (1190473, $150/hr) but the charge response showed product_id 26118 (Onsite, $175/hr) — the timer's default. The body `product_id` field was ignored. No financial impact since Cascades is prepaid (hours deducted by quantity, not rate). Reported for future awareness.

---

## Configuration Changes

No files created or modified this session (all changes were API calls to M365/Graph and Syncro).

---

## Credentials & Secrets

**Alma Montt M365 / domain credentials:**

- UPN: `Alma.Montt@cascadestucson.com`
- AD SamAccountName: `Alma.Montt`
- Temp password: `Cascades2026!`
- Must change at first login: yes (AD account); yes (M365 cloud account — `forceChangePasswordNextSignIn: true`)

**Graph API — user-manager app (used this session):**

- App ID: `64fac46b-8b44-41ad-93ee-7da03927576c`
- Vault: `msp-tools/computerguru-user-manager.sops.yaml`

**Graph API — security investigator (used for read/audit):**

- App ID: `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
- Vault: `msp-tools/computerguru-security-investigator.sops.yaml`

---

## Infrastructure & Servers

| Resource | Detail |
|---|---|
| Cascades tenant ID | `207fa277-e9d8-4eb7-ada1-1064d2221498` |
| Alma Montt M365 user ID | `b2fb546e-687a-4647-b286-9c8edd3d989f` |
| SPB SKU ID | `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46` |
| SG-SSPR-Eligible group ID | `d6044864-a0ef-4c30-ba37-cdba7074437e` |
| SG-Caregivers-Pilot group ID | `0674f0bc-6ff4-49c7-802d-2abf591ba371` (CA bypass — not relevant to Alma) |
| CA policy: Require MFA all users | `7e87a1c7-4836-49df-8769-c4cccadd9dbe` — excludes AllTrusted locations |
| CS-SERVER agent ID | `6766e973-e703-47c1-be56-76950290f87c` |
| Entra Connect sync scope | Caregivers OU only (Administrative OU excluded) |

---

## Commands & Outputs

**Create cloud-only M365 user:**

```bash
POST https://graph.microsoft.com/v1.0/users
{
  "accountEnabled": true,
  "displayName": "Alma Montt",
  "givenName": "Alma",
  "surname": "Montt",
  "mailNickname": "Alma.Montt",
  "userPrincipalName": "Alma.Montt@cascadestucson.com",
  "passwordProfile": {"forceChangePasswordNextSignIn": true, "password": "Cascades2026!"},
  "usageLocation": "US"
}
# Response: id = b2fb546e-687a-4647-b286-9c8edd3d989f
```

**Assign SPB license:**

```bash
POST https://graph.microsoft.com/v1.0/users/b2fb546e-687a-4647-b286-9c8edd3d989f/assignLicense
{"addLicenses": [{"skuId": "cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46"}], "removeLicenses": []}
```

**Add to SG-SSPR-Eligible:**

```bash
POST https://graph.microsoft.com/v1.0/groups/d6044864-a0ef-4c30-ba37-cdba7074437e/members/$ref
{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/b2fb546e-687a-4647-b286-9c8edd3d989f"}
# HTTP 204
```

**Correct charge_timer_entry pattern (Syncro):**

```bash
# WRONG — 404:
POST /tickets/{id}/charge_timer_entry/{timer_id}

# CORRECT:
POST /tickets/{id}/charge_timer_entry
{"timer_entry_id": 39315669, "product_id": 1190473, "price_retail": 150.0, "quantity": 0.5}
```

**Syncro billing summary:**

| Ticket | Comment ID | Timer ID | Line Item ID | Product | Qty | Status |
|---|---|---|---|---|---|---|
| #109316879 | 411802954 | 39315669 | 42503459 | 26118 (Onsite — product override not respected) | 0.5 hr | Resolved |
| #110120097 | 411803311 | 39315735 | 42503478 | 26118 (Onsite Business) | 1.0 hr | Resolved |

**Cascades prepay balance:** 39.5 → 38.5 → 37.5 hrs (deducted 0.5 + 1.0)

---

## Pending / Incomplete Tasks

| Item | Status | Notes |
|---|---|---|
| Alma Montt — MFA Authenticator setup | Pending | Directed to https://aka.ms/mysecurityinfo; needs to complete on her phone |
| Alma Montt — credentials delivery to Meredith | Pending | UPN: Alma.Montt@cascadestucson.com / pw: Cascades2026! |
| n.castro — M365 block sign-in | Pending (from 2026-05-18) | Run `Update-MgUser -UserId n.castro@cascadestucson.com -AccountEnabled:$false` |
| Shontiel.Nunn old account | On hold (from 2026-05-18) | Keep until Howard confirms not in use on a machine |
| k.flores, g.williford, m.kariuki | On hold (from 2026-05-18) | Employment status unconfirmed |
| SG-MedTech / SG-CCG groups | Deferred (from 2026-05-18) | Create when ALIS licensing tiers confirmed |
| sync.sh — add C:/claudetools to candidate list | Deferred | Lines 26-31 of `.claude/scripts/sync.sh` |

---

## Reference Information

- Syncro ticket #109316879: https://computerguru.syncromsp.com/tickets/109316879 (Resolved)
- Syncro ticket #110120097: https://computerguru.syncromsp.com/tickets/110120097 (Resolved)
- MFA self-registration: https://aka.ms/mysecurityinfo
- Prior session log: `clients/cascades-tucson/session-logs/2026-05-18-howard-caregiver-reconciliation-and-new-accounts.md`
- AD structure reference: `clients/cascades-tucson/docs/servers/active-directory.md`
- Cascades CONTEXT.md: `clients/cascades-tucson/CONTEXT.md`