3.0 KiB
3.0 KiB
Kittle Design & Construction — P2 Security Scan
Date: 2026-07-02 (UTC) | Tenant: kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0) Requested by: Mike (via Discord) | Executed by: ClaudeTools Discord Bot Scope: Identity Protection (Entra ID P2) data + 30-day tenant sweep, read-only, investigator tier
Identity Protection (P2)
- Risk detections (30d): NONE
- Risky users: 5 accounts with prior risk history, ALL currently
riskLevel=none / riskState=remediated:- wrex@ (remediated 2026-06-08), Ken@ (2026-06-09), Marco@ (2026-06-15), alexis@ (2026-04-24), scott@ (2025-07-18)
- No active risky sign-ins.
Sign-in activity (30d)
- Ken@kittlearizona.com: 140 failed foreign sign-in attempts from 140 unique IPs (AU, DE, GB), 2026-06-11 → 2026-06-18. Pattern = distributed password spray. All failed; zero successful non-US sign-ins tenant-wide. CA non-US block is holding.
- No other accounts targeted from abroad.
Conditional Access (all enabled)
- ACG - Require MFA for all users
- ACG - Block legacy authentication
- ACG - Block non-US sign-ins
- ACG - Block known attacker IPs
- Note: no risk-BASED CA policy exists — P2 risk signals are informational only, not enforced.
MFA registration
- All 15 internal users MFA-registered and capable.
- Weakest methods: admin@ and scott@ are SMS-only (mobilePhone); sysadmin@ includes email as a method. Recommend Authenticator app or passkey for these.
- Several users already on passkeys (Accounting, Hayden, Joshua, Neal). Good posture.
Items needing human review
- Guest invite created TODAY 2026-07-02 17:02 UTC by Accounting@ for external user
darlenecabrera87@gmail.com— verify this was intentional. - Ken@ remains a spray target (also had prior incident — see vault clients/kittle/m365-ken-schagel-incident). Consider risk-based CA or passkey for Ken.
- admin@/scott@ SMS-only MFA.
- Consider a report-only risk-based CA policy to actually use the P2 licensing they pay for.
Related changes same session
- License moves: wrex@ BP removed (disabled acct); alexis@ + Ken@ moved E3 -> Business Premium. BP now 12/12. Josh.B@ + Tyrele@ still on lapsed E3 (0 purchased / 2 consumed).
Raw JSON: /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/sweep/ (BEAST)
Addendum — CA hardening deployed (report-only), 2026-07-02
Four new policies created via tenant-admin tier, all enabledForReportingButNotEnforced,
all excluding break-glass sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756):
- ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
- ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
- ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
- ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7
Next: review report-only impact in sign-in logs after ~5-7 days; flip to enabled only with explicit confirmation from Mike.