When user says "365 remediation tool" or "remediation tool", they ALWAYS mean the Claude-MSP-Access Graph API application (App ID: fabb3421-8b34-484b-bc17-e46de9703418). This is NOT CIPP.
Why: User explicitly clarified this after I incorrectly navigated to CIPP. The remediation tool is direct Graph API access using client credentials flow against customer tenants.
How to apply: Authenticate directly against Graph API with the app's client secret from the SOPS vault (msp-tools/claude-msp-access-graph-api.sops.yaml), get the tenant ID from OpenID discovery for the target domain, and call Graph API endpoints directly. No browser or UI is needed.
Directory Role Requirements (discovered 2026-04-01)
Graph API permissions alone are NOT sufficient for privileged operations. The service principal also needs Entra directory roles assigned per-tenant:
| Operation | Required Directory Role |
|---|---|
| Password reset | User Administrator |
| Exchange transport rules, mailbox permissions | Exchange Administrator |
Roles assigned so far:
- Valleywide Plastering (5c53ae9f...): User Administrator
- Dataforth (7dfa3ce8...): User Administrator, Exchange Administrator
For new tenants: After admin consent, manually assign the roles in the Entra portal under Roles and administrators. The app cannot assign directory roles to itself.
Exchange Online REST API
For Exchange cmdlets (Get-TransportRule, Add-MailboxPermission, etc.), request a token for scope https://outlook.office365.com/.default and POST to https://outlook.office365.com/adminapi/beta/$TENANT_ID/InvokeCommand with a JSON body of the form {"CmdletInput":{"CmdletName":"...", "Parameters":{...}}}.
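The procedure above (tenant ID from OpenID discovery, client-credentials token, then a Graph or Exchange Online REST call) as one end-to-end script. This is an added example written for this note, not the remediation tool's own code. The HTTP transport is injectable so the flow can be exercised offline against a constructed fake of the login and Exchange endpoints; the tenant GUID, client ID and secret values in the fake are constructed, and the `Get-TransportRule` reply it returns is made up. The real secret is meant to come from `sops -d` on the vault file named in the note and is never logged.

```python
"""Client-credentials access to a customer tenant plus an Exchange Online
InvokeCommand call. Added example; the fake transport and its values are
constructed so the script runs offline."""
import json
import re
import urllib.parse
import urllib.request

LOGIN_HOST = "https://login.microsoftonline.com"
GRAPH_HOST = "https://graph.microsoft.com"
EXO_HOST = "https://outlook.office365.com"
GRAPH_SCOPE = f"{GRAPH_HOST}/.default"
EXO_SCOPE = f"{EXO_HOST}/.default"

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def openid_config_url(domain: str) -> str:
    """OpenID discovery document for a customer's verified domain (no tenant ID needed yet)."""
    return f"{LOGIN_HOST}/{domain}/.well-known/openid-configuration"


def tenant_id_from_openid(config: dict) -> str:
    """Take the tenant GUID from the 'issuer' field, which has the shape
    https://login.microsoftonline.com/<tenant-guid>/v2.0. Anything that is not a
    GUID is rejected rather than interpolated into the token and InvokeCommand URLs."""
    path = urllib.parse.urlparse(config["issuer"]).path.strip("/")
    tenant = path.split("/")[0]
    if not GUID_RE.match(tenant):
        raise ValueError(f"unexpected issuer in discovery document: {config['issuer']!r}")
    return tenant


def token_request(tenant_id: str, client_id: str, client_secret: str, scope: str):
    """Client-credentials token request (url, form-encoded body) for one resource scope."""
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # loaded from the SOPS vault; never print or log it
        "scope": scope,
    }).encode()
    return url, body


def invoke_command_request(tenant_id: str, cmdlet: str, params: dict):
    """Exchange Online REST InvokeCommand request (url, JSON body) for one cmdlet."""
    url = f"{EXO_HOST}/adminapi/beta/{tenant_id}/InvokeCommand"
    body = json.dumps({"CmdletInput": {"CmdletName": cmdlet, "Parameters": params}}).encode()
    return url, body


def urllib_transport(req: urllib.request.Request) -> bytes:
    """Real transport: send the request and return the raw response body."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def http_json(method, url, body=None, headers=None, transport=urllib_transport):
    """Send one request through `transport` and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    return json.loads(transport(req).decode())


def get_token(tenant_id, client_id, client_secret, scope, transport=urllib_transport):
    """Fetch a bearer token for `scope`; refuse anything that is not a Bearer token."""
    url, body = token_request(tenant_id, client_id, client_secret, scope)
    reply = http_json("POST", url, body, {"Content-Type": "application/x-www-form-urlencoded"}, transport)
    if reply.get("token_type") != "Bearer" or "access_token" not in reply:
        raise RuntimeError("token endpoint did not return a bearer token")
    return reply["access_token"]


def list_transport_rules(domain, client_id, client_secret, transport=urllib_transport):
    """The note's procedure end to end: resolve tenant, get an EXO token, run Get-TransportRule.
    A 403 here despite granted application permissions usually means the Exchange
    Administrator directory role has not been assigned in that tenant (see the table above)."""
    config = http_json("GET", openid_config_url(domain), transport=transport)
    tenant_id = tenant_id_from_openid(config)
    token = get_token(tenant_id, client_id, client_secret, EXO_SCOPE, transport)
    url, body = invoke_command_request(tenant_id, "Get-TransportRule", {})
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return tenant_id, http_json("POST", url, body, headers, transport)


# Constructed offline stand-in for login.microsoftonline.com and outlook.office365.com.
FAKE_TENANT = "00000000-0000-0000-0000-00000000abcd"  # constructed, not a real tenant


def fake_transport(req: urllib.request.Request) -> bytes:
    url = req.full_url
    if url.endswith("/.well-known/openid-configuration"):
        return json.dumps({"issuer": f"{LOGIN_HOST}/{FAKE_TENANT}/v2.0"}).encode()
    if url.endswith("/oauth2/v2.0/token"):
        form = urllib.parse.parse_qs(req.data.decode())
        assert form["grant_type"] == ["client_credentials"] and form["scope"] == [EXO_SCOPE]
        return json.dumps({"token_type": "Bearer", "access_token": "fake-token", "expires_in": 3599}).encode()
    if url.endswith("/InvokeCommand"):
        assert req.get_header("Authorization") == "Bearer fake-token"
        sent = json.loads(req.data.decode())
        return json.dumps({"value": [{"Name": "constructed rule", "Cmdlet": sent["CmdletInput"]["CmdletName"]}]}).encode()
    raise RuntimeError(f"unexpected request to {url}")


if __name__ == "__main__":
    tenant, reply = list_transport_rules("contoso.example", "constructed-client-id", "constructed-secret", fake_transport)
    print(tenant, [rule["Name"] for rule in reply["value"]])
```

To run it for real, replace `fake_transport` with the default `urllib_transport`, pass the App ID from the note as `client_id`, and feed the secret in from `sops -d` rather than a literal. Swapping `EXO_SCOPE` for `GRAPH_SCOPE` and the InvokeCommand URL for a Graph endpoint gives the Graph variant of the same flow.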