Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only).

Syncro rule overhaul:
- Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225)
- Never make up labor items (existing product + real name; QuickBooks sync)
- Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner

/remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table).

Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
20 lines
1.8 KiB
Markdown
---
name: feedback-ca-programmatic-management
description: Conditional Access MAY be managed programmatically via the remediation-tool Tenant Admin app (overrides the old "CA stays manual in portal" boundary); strict report-only-first + break-glass-exclude discipline required
metadata:
  type: feedback
---

Conditional Access policies **may be created/modified programmatically** via the `/remediation-tool` **Tenant Admin tier** (`709e6eed` — carries `Policy.ReadWrite.ConditionalAccess` + the Conditional Access Administrator directory role). This **overrides** the prior scope boundary ("CA stays manual in the portal").

**Why:** Mike explicitly directed it 2026-05-27 (Quantum onboarding). His rationale: with a **break-glass account excluded** and policies in **report-only**, the blast radius is near zero, and he wants the capability for scale (templated CA baselines across tenants).

**How to apply — mandatory discipline every time:**

1. Create/modify in **report-only first** — `state: "enabledForReportingButNotEnforced"`. Never create a policy directly `enabled`.
2. Always **exclude the tenant's break-glass account** (by object ID) in `conditions.users.excludeUsers` (create the break-glass GA first if none exists).
3. **Verify impact** in Entra sign-in logs before enforcing: report-only logs what *would* have happened, so filter the sign-ins for the policy name with result `reportOnlyFailure` and review every user it would have blocked.
4. Get **explicit user confirmation before flipping any policy to `enabled`** on a tenant with real users.
5. Entra **app registrations** still stay manual — only CA is in scope for programmatic management.

Endpoint: `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` to create, `PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{id}` to modify (the policy id goes in the URL; a PATCH to the collection URL fails, and a successful PATCH returns 204 with an empty body), both with the tenant-admin token. Verified working on Quantum tenant 2fd0092b (CA001 MFA-all + CA002 block-legacy, report-only). See [[365-remediation-tool-reference]].
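The five steps and the endpoint above, as one added Python example. This is not code from the page or from `/remediation-tool` (whose implementation this note does not show); it is written to enforce the discipline in code rather than rely on memory. The break-glass object id, the token, the function names and the sample sign-in records are this example's own assumptions and constructed data; the Graph URLs, the policy fields, the `enabledForReportingButNotEnforced` state and the `reportOnlyFailure` sign-in result value are the public Microsoft Graph v1.0 schema.

```python
from __future__ import annotations

import json
import urllib.request
from typing import Any, Iterable

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = {"enabled", "disabled", REPORT_ONLY}


def _base_policy(display_name: str, break_glass_ids: Iterable[str]) -> dict[str, Any]:
    """Steps 1 and 2 baked in: report-only state, break-glass excluded, all users and apps."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def mfa_all_policy(break_glass_ids: Iterable[str]) -> dict[str, Any]:
    p = _base_policy("CA001 - Require MFA for all users", break_glass_ids)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def block_legacy_auth_policy(break_glass_ids: Iterable[str]) -> dict[str, Any]:
    p = _base_policy("CA002 - Block legacy authentication", break_glass_ids)
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]  # legacy protocols only
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def policy_violations(policy: dict[str, Any], break_glass_ids: Iterable[str],
                      confirmed_enable: bool = False) -> list[str]:
    """List every breach of the discipline; an empty list means the policy may be sent."""
    problems: list[str] = []
    bg = list(break_glass_ids)
    if not bg:
        problems.append("no break-glass object id supplied; create the break-glass GA first")
    state = policy.get("state")
    if state not in VALID_STATES:
        problems.append(f"unknown state {state!r}")
    elif state == "enabled" and not confirmed_enable:  # step 4: enabling needs explicit sign-off
        problems.append("state is 'enabled' without explicit confirmation; use report-only first")
    excluded = set(policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    missing = [i for i in bg if i not in excluded]
    if missing:
        problems.append("break-glass not excluded: " + ", ".join(missing))
    return problems


def graph_request(policy: dict[str, Any], token: str,
                  policy_id: str | None = None) -> urllib.request.Request:
    """POST to the collection creates; PATCH to /policies/{id} modifies (id in the URL)."""
    url = GRAPH_CA if policy_id is None else f"{GRAPH_CA}/{policy_id}"
    return urllib.request.Request(
        url, data=json.dumps(policy).encode(), method="POST" if policy_id is None else "PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def push_policy(policy, token, break_glass_ids, policy_id=None, confirmed_enable=False):
    """Validate, then send; raises instead of sending a policy that breaks the discipline."""
    problems = policy_violations(policy, break_glass_ids, confirmed_enable)
    if problems:
        raise ValueError("refusing to send policy: " + "; ".join(problems))
    with urllib.request.urlopen(graph_request(policy, token, policy_id)) as resp:
        body = resp.read()  # a successful PATCH returns 204 with an empty body
        return json.loads(body) if body else {}


def report_only_failures(sign_ins: Iterable[dict[str, Any]], policy_name: str) -> dict[str, int]:
    """Step 3: per-user count of sign-ins the named report-only policy would have blocked."""
    hits: dict[str, int] = {}
    for s in sign_ins:
        for applied in s.get("appliedConditionalAccessPolicies", []):
            if applied.get("displayName") == policy_name and applied.get("result") == "reportOnlyFailure":
                hits[s["userPrincipalName"]] = hits.get(s["userPrincipalName"], 0) + 1
    return hits


# Constructed sample records in the shape of GET /auditLogs/signIns (not real tenant data).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "jane@example.com", "appliedConditionalAccessPolicies": [
        {"displayName": "CA001 - Require MFA for all users", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "scanner@example.com", "appliedConditionalAccessPolicies": [
        {"displayName": "CA002 - Block legacy authentication", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "scanner@example.com", "appliedConditionalAccessPolicies": [
        {"displayName": "CA002 - Block legacy authentication", "result": "reportOnlyFailure"}]},
]

if __name__ == "__main__":
    BG = ["11111111-2222-3333-4444-555555555555"]  # placeholder break-glass object id
    for p in (mfa_all_policy(BG), block_legacy_auth_policy(BG)):
        print(p["displayName"], "violations:", policy_violations(p, BG))
    print(report_only_failures(SAMPLE_SIGN_INS, "CA002 - Block legacy authentication"))
```

`push_policy` is the only function that touches the network, and it cannot be reached with an `enabled` state unless the caller passes `confirmed_enable=True`, which is where the step 4 sign-off belongs; `report_only_failures` gives the step 3 answer (who the policy would have blocked) from the sign-in records, so the `scanner@example.com` account in the constructed sample is the one to investigate before CA002 is enforced.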