claudetools/.claude/messages/for-mike.md
Howard Enos a3b9ab9f41 sync: auto-sync from ACG-TECH03L at 2026-04-19 13:16:07
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-19 13:16:07
2026-04-19 13:16:10 -07:00

Note for Mike

From Howard, 2026-04-19 - FOLLOW-UP (update after your approval)

You approved it (thank you), and you/I clicked the admin-consent URL on Cascades. Microsoft redirected to login.microsoftonline.com/common/wrongplace (their standard "consent succeeded but no app redirect configured" landing page).

But it didn't actually grant the scope. I re-ran the risky-user check and still got Forbidden. I decoded the JWT and confirmed the IdentityRiskyUser.Read.All role is not in the token's roles array.

Why: the scope isn't in the app manifest yet. Tenant-side consent can only grant permissions the app has declared it wants. The fix has to happen on OUR side, at the app registration in our home Azure tenant:

  1. Azure Portal > Entra ID > App Registrations > ComputerGuru - AI Remediation (App ID fabb3421-8b34-484b-bc17-e46de9703418)
  2. API Permissions > Add a permission > Microsoft Graph > Application permissions
  3. Add IdentityRiskyUser.Read.All
  4. Grant admin consent in our home tenant (or skip — customer tenants will each re-consent)
  5. For each customer tenant we want it on, re-run the admin consent URL: https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418

For Cascades that URL is:

https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418

(Same URL — just needs to be clicked AGAIN after the manifest is updated, because now it'll include the new permission in the consent prompt.)

Let me know when the manifest is updated and I'll re-test.
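The two checks described in the note above (reading the `roles` claim of the app-only token to see which application permissions it actually carries, and rebuilding the tenant admin-consent URL once the manifest declares the new permission), as an added Python example that is not part of Howard's note or of the ComputerGuru app. The tenant and client IDs in it are constructed placeholders, and the sample token is built unsigned purely to exercise the parser.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder identifiers (not a real tenant or app registration).
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-0000000000aa"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_roles(token: str) -> list[str]:
    """Return the `roles` claim of an app-only Microsoft Graph token.

    App-only tokens list granted application permissions in `roles`. The payload
    is read without verifying the signature: this inspects a token the caller
    already obtained from the token endpoint, it does not authenticate anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return list(claims.get("roles", []))


def missing_roles(token: str, required: list[str]) -> list[str]:
    """Required application permissions that are absent from the token."""
    granted = set(jwt_roles(token))
    return [role for role in required if role not in granted]


def admin_consent_url(tenant_id: str, client_id: str) -> str:
    """Tenant-wide admin-consent URL for an app, as used in the note above."""
    return (f"https://login.microsoftonline.com/{tenant_id}/adminconsent?"
            + urlencode({"client_id": client_id}))


def make_sample_token(roles: list[str]) -> str:
    """Constructed, unsigned token shaped like a Graph app-only token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"aud": "https://graph.microsoft.com", "roles": roles}).encode())
    return f"{header}.{payload}."  # empty signature segment
```

Run `missing_roles(token, ["IdentityRiskyUser.Read.All"])` against a freshly issued token after each consent click; an empty list is the signal that the grant actually landed, a non-empty one reproduces the Forbidden described above.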


From Howard, 2026-04-19 (original ask)

Cascades of Tucson - M365 Remediation App - Identity Protection scope

During today's phishing investigation on Cascades of Tucson (crystal.rodriguez, et al.), the 10-point breach check returned Forbidden on /identityProtection/riskyUsers and /identityProtection/riskDetections because Claude-MSP-Access (ComputerGuru - AI Remediation, App ID fabb3421-8b34-484b-bc17-e46de9703418) lacks admin consent for IdentityRiskyUser.Read.All on the Cascades tenant.

Asking before I grant: should I go ahead and give this consent, or do you want to hold off?

What the scope does

  • Read-only. Reads Entra ID Identity Protection signals: risky-user state (low/medium/high), and the underlying risk detections (impossible travel, anonymous IP, leaked credentials, malware-linked IP, etc.).
  • No write capability - not ReadWrite.All, just Read.All. The app cannot reset risk state, dismiss detections, or modify anything in Identity Protection.
  • Tenant-scoped. Consent applies only to the Cascades tenant; doesn't affect other clients.

Why I want it

  • Closes a visibility gap in our standard breach-check workflow. Today I had to tell the report "this check skipped" for risky-user signals.
  • Saves us from logging into the Defender / Entra portal manually during IR to cross-check.
  • Cascades has Defender P1+ (based on targeted-user protection already configured), so risk data exists to read.

Why you might say no

  • Every additional scope on the app = larger blast radius if the app's client secret/cert leaks.
  • Scope is persistent until revoked via the portal.
  • Identity Protection data can include sensitive info (IPs, geo, device hints). If our audit logging is weak, reading it leaves tracks we should be aware of.

My lean

Allow it. The scope is read-only, the app is narrowly controlled (only us), and we already have Mail.Read, User.Read.All, Exchange Admin, etc. — which are materially more sensitive than this. The inconsistency of "we can read full mailbox contents but not risky-user flags" doesn't match a risk-based model.

If you say yes, consent URL is:

https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418

Takes ~30 seconds. Sign in as a GA on Cascades' tenant (sysadmin@ works), review the permission, click Accept.

Full investigation report: clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md

  • Howard