10 KiB
Session Log: 2026-05-01
User
- User: Mike Swanson (mike)
- Machine: GURU-BEAST-ROG
- Role: admin
Session Summary
Investigated M365 license inventories for BG Builders and Kittle Arizona, identifying license usage, assignment status, and subscription expiration dates. Corrected earlier misinterpretation of CSP billing channel detection limitations, clarifying that Graph API does not reliably detect CSP through resellers like Pax8 — it only surfaces DAP/GDAP delegated admin relationships, not billing channel. Both clients' license procurement channels remain unconfirmed via API and require verification in Pax8 portal or Partner Center.
Conducted a 10-point breach check on an internal user account (wwilliams@azcomputerguru.com), revealing an active credential spray attack with 50 failed non-US login attempts in 30 days from Vultr IPv6 infrastructure. All attempts failed due to Smart Lockout and wrong password codes. Password was last set in 2017 and MFA is configured only via email (personal Gmail) and phone — no Authenticator app. Attempted automated password reset, which was blocked by Entra's protection on privileged accounts (User Administrator role). Reset requires manual action in Admin Center.
Investigated Joel Lohr's (azlohr@comcast.net) email delivery issue to Dataforth recipients ghaubner@dataforth.com and jantar@dataforth.com. Exchange Operator app was already consented in the Dataforth tenant. No per-mailbox blocks or transport rules were found. The blocking is occurring at the EOP spam policy level. Whitelist attempt via the EXO REST API failed because the relevant cmdlets (Set-MailboxJunkEmailConfiguration, Set-HostedContentFilterPolicy) are not REST-enabled. Provided PowerShell commands for manual resolution.
Key Decisions
- Corrected confident "direct from Microsoft" claim after user pushed back — Graph
/contractsonly shows DAP/GDAP, not billing channel. CSP via Pax8 cannot be confirmed or denied via API from the customer tenant side. - Escalated wwilliams password reset from user-manager to tenant-admin tier on 403, confirmed the issue is an Entra hard protection on privileged accounts — not an app permission gap.
- Chose to provide PowerShell commands for Dataforth whitelist rather than attempting further REST workarounds — the cmdlets are not REST-enabled and the path was exhausted.
Problems Encountered
- Graph API CSP detection:
/contracts,partnerTenantType,offerId, andownerTenantIdall returned null for both BG Builders and Kittle, leading to incorrect initial claim of "direct from Microsoft." Corrected after user challenged it. CSP billing relationships are not visible from the customer tenant side via Graph. - wwilliams password reset blocked: user-manager returned 403, tenant-admin also 403. Root cause: Entra blocks app-only tokens from resetting passwords of accounts with privileged directory roles (User Administrator). Must be done via delegated auth (human Global Admin).
- Dataforth EXO access: Security Investigator returned 401 for EXO endpoints (app not consented for Exchange in Dataforth tenant). Exchange Operator was consented (200 OK for /Mailbox), but HostedContentFilterPolicy, MailboxJunkEmailConfiguration, and MessageTraceV2 are not exposed via the EXO REST API. Whitelist could not be completed via API.
Clients Worked
BG Builders (bgbuildersllc.com)
- Tenant ID: ededa4fb-f6eb-4398-851d-5eb3e11fab27
- CIPP Name: sonorangreenllc.com
License Inventory:
| SKU | Assigned | Total | Expires | Status |
|---|---|---|---|---|
| M365 Business Premium (SPB) | 7 | 14 | 2026-12-25 | Enabled |
| Exchange Online Plan 1 | 4 | 4 | 2027-04-21 | Enabled |
User-License Mapping (Business Premium):
- Balynda Western — balynda@bgbuildersllc.com
- Barry Walling — barry@bgbuildersllc.com
- Barry Walling — Barry@sonorangreenllc.com (second account, same person)
- Chad Bradford — chad@bgbuildersllc.com
- Lesley Roth — lesley@bgbuildersllc.com (account shows Enabled: true — verify, was disabled March 2026)
- Site Operations — operations@bgbuildersllc.com
- Shelly Dooley — Shelly@bgbuildersllc.com
User-License Mapping (Exchange Online Plan 1):
- Accounting — Accounting@sonorangreenllc.com
- Accounts Payable — accountspayable@sonorangreenllc.com
- admin — admin@bgbuildersllc.com
- Projects — projects@bgbuildersllc.com
Flags:
- Lesley Roth shows
accountEnabled: truevia Graph — was set to False per March 2026 session. May have been re-enabled. Needs verification. - Barry has two licensed accounts (bgbuildersllc.com + sonorangreenllc.com) — 2 of 14 seats on one person.
- CSP/reseller status: indeterminate via Graph. Pax8 portal must be checked directly.
Kittle Arizona (kittlearizona.com)
- Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
- Display Name: Kittle Design & Construction
License Inventory:
| SKU | Assigned | Total | Expires | Status |
|---|---|---|---|---|
| M365 Business Premium | 12 | 12 | 2026-05-31 | Enabled |
| Office 365 E3 (no Teams) | 4 | 4 | 2026-05-31 | Enabled |
[WARNING] Both subscriptions expire 2026-05-31 — 30 days from today. All 16 licenses consumed, no buffer.
Flags:
- E3 (no Teams) SKU suggests they migrated away from Teams or use a third-party calling platform.
- CSP/reseller status: indeterminate via Graph. Client believes some are through Pax8 — verify in Pax8 portal.
azcomputerguru.com (Our Tenant) — wwilliams Breach Check
- Tenant ID: ce61461e-81a0-4c84-bb4a-7b354a9a356d
- Target UPN: wwilliams@azcomputerguru.com
Breach Check Results:
| Check | Result |
|---|---|
| Account enabled | true |
| Password last changed | 2017-09-29 (nearly 9 years) |
| Forwarding | None |
| Inbox rules | 69 — all legitimate server notification sorters (Datto, cPanel, IX Server, etc.) |
| OAuth grants | 1 — openid/profile/email only (low risk) |
| Risky user score | Forbidden (no P2 license) |
| Successful foreign logins | Zero |
Active Spray Attack:
| Country | Attempts (30d) | App | Error Codes |
|---|---|---|---|
| Luxembourg | 27 | Microsoft Azure CLI | 50053 (Smart Lockout), 50126 (bad pw) |
| Germany | 11 | AAD PowerShell | 50053 |
| Japan | 8 | AAD PowerShell | 50053 |
| Russia / Korea / India / China | 1 each | AAD PowerShell | 50053 |
All IPs from Vultr IPv6 range 2605:6400: — automated spray tooling cycling addresses.
Auth Methods:
- Password (set 2017)
- Email MFA: azcomputerguru2@gmail.com
- Phone MFA: +1 415-497-2335
- No Microsoft Authenticator app, no FIDO2
Directory Roles:
- User Administrator
- AdminAgents (CSP delegated admin across customer tenants)
Password Reset Status: NOT completed. Graph app-only tokens cannot reset passwords of accounts with privileged directory roles. Must be done manually:
https://admin.microsoft.com > Users > Active users > W Williams > Reset password
Temporary password generated this session (unused): ACG-l1x73DfqY9!78
Recommended Actions:
- Reset password immediately (9-year-old password + active spray)
- Add Microsoft Authenticator with number matching
- Remove email MFA from personal Gmail
- Consider Conditional Access blocking non-US interactive sign-ins for admin accounts
Dataforth — Joel Lohr Email Delivery Issue
- Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
- Issue: Joel Lohr (azlohr@comcast.net) emails not reaching ghaubner@dataforth.com or jantar@dataforth.com
- Reported: April 27, 2026
Investigation Results:
| Check | Result |
|---|---|
| ghaubner blocked senders | None (null) |
| jantar blocked senders | None (null) |
| Transport rules | None found |
| Message trace | Not accessible via EXO REST API |
| HostedContentFilterPolicy | Not REST-enabled |
| EOP tenant block list | Not accessible via REST |
Root Cause: EOP spam scoring (likely Comcast outbound IP/sender reputation). No explicit hard block configured.
Whitelist Status: NOT completed. EXO REST API does not expose the required cmdlets. PowerShell required:
Connect-ExchangeOnline -AppId b43e7342-5b4b-492f-890f-bb5a4f7f40e9 `
-Organization dataforth.com
Set-MailboxJunkEmailConfiguration ghaubner@dataforth.com `
-TrustedSendersAndDomains @{Add="azlohr@comcast.net"}
Set-MailboxJunkEmailConfiguration jantar@dataforth.com `
-TrustedSendersAndDomains @{Add="azlohr@comcast.net"}
# Optional: tenant-wide allow
Set-HostedContentFilterPolicy -Identity Default `
-AllowedSenders @{Add="azlohr@comcast.net"}
Note: Exchange Operator app (b43e7342) is consented in Dataforth tenant. Security Investigator EXO is NOT consented (401). Connect-ExchangeOnline with app credentials requires certificate — check vault for Exchange Operator cert.
Pending Tasks
- wwilliams password reset — manual via Admin Center. Urgency: HIGH (active spray, 9-year-old password)
- wwilliams MFA upgrade — add Microsoft Authenticator, remove Gmail email method
- BG Builders CSP check — verify bgbuildersllc.com in Pax8 portal
- Kittle Arizona CSP check — verify kittlearizona.com in Pax8 portal
- Kittle renewal alert — both subscriptions expire 2026-05-31, all seats consumed
- Lesley Roth account status — verify if re-enabled since March 2026 disable
- Dataforth whitelist — Joel Lohr (azlohr@comcast.net) needs manual PowerShell or Admin Center whitelist for ghaubner and jantar
- Security Investigator EXO consent for Dataforth — get Dataforth admin to consent at:
https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
API / Tool Notes
- CSP detection via Graph:
/contractsendpoint only shows DAP/GDAP admin relationships, not billing channel.offerId,ownerTenantId,partnerTenantTypeare also unreliable for CSP detection from the customer tenant side. Always verify CSP in Pax8 portal or Partner Center. - Privileged account password reset: Entra blocks
User.ReadWrite.Alland all app-only permissions from resetting passwords of accounts with any privileged directory role. Delegated auth required. - EXO REST API limitations:
HostedContentFilterPolicy,MailboxJunkEmailConfiguration,MessageTraceV2,TransportRule— not all available via the REST API exposed atoutlook.office365.com/adminapi/beta. Use PowerShell EXO module for these.