Files
claudetools/clients/kittle/reports/2026-07-02-p2-security-scan.md
Winter Williams ac23f17e23 sync: auto-sync from GURU-BEAST-ROG at 2026-07-02 10:55:41
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-02 10:55:41
2026-07-02 10:57:33 -07:00

3.0 KiB

Kittle Design & Construction — P2 Security Scan

Date: 2026-07-02 (UTC) | Tenant: kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0) Requested by: Mike (via Discord) | Executed by: ClaudeTools Discord Bot Scope: Identity Protection (Entra ID P2) data + 30-day tenant sweep, read-only, investigator tier

Identity Protection (P2)

  • Risk detections (30d): NONE
  • Risky users: 5 accounts with prior risk history, ALL currently riskLevel=none / riskState=remediated:
    • wrex@ (remediated 2026-06-08), Ken@ (2026-06-09), Marco@ (2026-06-15), alexis@ (2026-04-24), scott@ (2025-07-18)
  • No active risky sign-ins.

Sign-in activity (30d)

  • Ken@kittlearizona.com: 140 failed foreign sign-in attempts from 140 unique IPs (AU, DE, GB), 2026-06-11 → 2026-06-18. Pattern = distributed password spray. All failed; zero successful non-US sign-ins tenant-wide. CA non-US block is holding.
  • No other accounts targeted from abroad.

Conditional Access (all enabled)

  • ACG - Require MFA for all users
  • ACG - Block legacy authentication
  • ACG - Block non-US sign-ins
  • ACG - Block known attacker IPs
  • Note: no risk-BASED CA policy exists — P2 risk signals are informational only, not enforced.

MFA registration

  • All 15 internal users MFA-registered and capable.
  • Weakest methods: admin@ and scott@ are SMS-only (mobilePhone); sysadmin@ includes email as a method. Recommend Authenticator app or passkey for these.
  • Several users already on passkeys (Accounting, Hayden, Joshua, Neal). Good posture.

Items needing human review

  1. Guest invite created TODAY 2026-07-02 17:02 UTC by Accounting@ for external user darlenecabrera87@gmail.com — verify this was intentional.
  2. Ken@ remains a spray target (also had prior incident — see vault clients/kittle/m365-ken-schagel-incident). Consider risk-based CA or passkey for Ken.
  3. admin@/scott@ SMS-only MFA.
  4. Consider a report-only risk-based CA policy to actually use the P2 licensing they pay for.
  • License moves: wrex@ BP removed (disabled acct); alexis@ + Ken@ moved E3 -> Business Premium. BP now 12/12. Josh.B@ + Tyrele@ still on lapsed E3 (0 purchased / 2 consumed).

Raw JSON: /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/sweep/ (BEAST)

Addendum — CA hardening deployed (report-only), 2026-07-02

Four new policies created via tenant-admin tier, all enabledForReportingButNotEnforced, all excluding break-glass sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756):

  1. ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
  2. ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
  3. ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
  4. ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7

Next: review report-only impact in sign-in logs after ~5-7 days; flip to enabled only with explicit confirmation from Mike.