azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a8abe4a14b194e484b17a086fee09a2aa9a4e88d
claudetools/clients/rednour/session-logs/2026-06-02-session.md
Mike Swanson c52faa24a8 sync: auto-sync from GURU-5070 at 2026-06-02 07:33:26 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 07:33:26
2026-06-02 07:33:31 -07:00

9.4 KiB
Raw Blame History

User

  • User: Mike Swanson (mike)
  • Machine: GURU-5070
  • Role: admin

Session Summary

Resolved a follow-up to last week's Rednour Law mailbox rename (Emma -> Carla). Carrie Rednour (tenant Global Admin) texted Mike that inbound mail from Carla still displayed under the old name "Emma - Rednour Law" and asked if it could be fixed. Mike pulled up the issue and Claude investigated via the remediation tool against the rednourlaw.com tenant (4a4ca18a-f516-478b-99da-2e0722c5dc18).

First verified the server side was actually correct: Carla's Azure AD displayName (Graph) and her Exchange mailbox DisplayName (Get-Mailbox via Exchange REST) were both "Carla Skinner". An initial wrong hypothesis — that "Emma - Rednour Law" was never a server value because the other mailboxes follow a "First Last" naming convention — was corrected by Mike and confirmed against the 2026-05-31 audit report, which showed the mailbox's pre-rename displayName had in fact been literally "Emma - Rednour Law". That reframed the problem as a stale client-side artifact on Carrie's end.

Graph apps in the suite have no Contacts.Read permission (confirmed 403 on a Graph contacts call, and no Contacts/Mail roles in the user-manager or tenant-admin tokens), so Claude read Carrie's contacts over EWS using the Exchange Operator SP's full_access_as_app role with ExchangeImpersonation of crednour@rednourlaw.com. Her default Contacts folder (237 items) had no Emma/Carla entry, but a deep sweep of all contact folders found the culprit in her Quick Contacts folder (IPF.Contact.MOC.QuickContacts): a pinned contact "Emma - Rednour Law" mapped to emma@rednourlaw.com. Because emma@ is still a live proxy alias on Carla's mailbox (deliberately retained last session), Outlook resolved Carla's new mail to that old pin and rendered its name. With Mike's go-ahead (he chose "delete the pin"), the contact was removed via EWS DeleteItem (MoveToDeletedItems, recoverable) and the removal verified.

Mike then asked to check the other mailboxes. The same EWS contact-folder sweep ran against Nick Pafford, the receptionist mailbox, and Carla's own mailbox — all clean, no stale Emma/Carla entries. The issue was isolated entirely to Carrie. Closed out by writing a follow-up report to clients/rednour/reports/, posting an internal (hidden) documentation comment to Syncro #32343, and posting the mandatory #bot-alerts notification. No time was billed (Mike did not specify minutes/labor type).

Key Decisions

  • Delete the pin rather than rename it or hand it to Carrie. Mike chose deletion via EWS; Carla's mail now falls back to the GAL ("Carla Skinner"). Carrie can re-pin from the GAL if she wants the favorite back.
  • Used EWS, not Graph, to read/modify Carrie's contacts. No app in the suite holds Contacts.Read/ReadWrite on Graph; the Exchange apps' full_access_as_app reaches personal contact folders via EWS impersonation. Per skill scope rules, did not attempt to add a Graph scope to work around it.
  • Left the emma@ alias in place. It's the enabling factor for the shadowing, but mail to emma@ still reaches Carla and it was retained by design last session. Removing it would break delivery to emma@ and only mask the contact issue rather than fix it.
  • No time billed on the follow-up. Mike's standing rule: never assume minutes/labor type. Added a documentation comment only; flagged that time can be added to #32343 on request.
  • Internal/hidden Syncro comment, not customer-visible. Mike is communicating with Carrie directly over text; the ticket note is for the technical record.

Problems Encountered

  • Wrong initial assertion that "Emma - Rednour Law" was never a server value. Based on the other mailboxes' "First Last" convention. Mike corrected it; confirmed against the 2026-05-31 audit report that the pre-rename displayName was exactly that string. Lesson: check the prior session's recorded before-state, don't infer from sibling-object conventions.
  • Security Investigator EXO token 401'd on the InvokeCommand read even though the token had aud=outlook.office365.com and full_access_as_app. Switched to the Exchange Operator SP token (proven on this tenant last session), which returned HTTP 200.
  • py wrote itemid file to the wrong /tmp. open('/tmp/emma-itemid.txt') in Windows Python resolves to C:\tmp, not the msys /tmp that bash reads — so the delete step initially got an empty ItemId. Fixed by piping the ItemId/ChangeKey through stdout (read IID CK < <(py -c ...)) and copying EWS responses to a repo-relative file both interpreters agree on before parsing.
  • EWS "Id is malformed" when a folder's GUID-style DisplayName was passed as a FolderId. Several MOC contact folders have no friendly name (DisplayName is a GUID); used the real base64 EWS FolderId from FindFolder instead.

Configuration Changes

ClaudeTools repo (committed this session):

  • clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md — new follow-up report documenting diagnosis, fix, and the all-mailbox sweep.
  • clients/rednour/session-logs/2026-06-02-session.md — this log.
  • wiki/clients/rednour.md + wiki/index.md — seeded/updated in Phase 3 (if synthesis ran).

rednourlaw.com tenant (mailbox data):

  • Deleted the "Emma - Rednour Law" -> emma@rednourlaw.com contact from Carrie Rednour's (crednour@) Quick Contacts folder (IPF.Contact.MOC.QuickContacts) via EWS DeleteItem (MoveToDeletedItems — recoverable from her Deleted Items).

Syncro:

  • Internal/hidden comment 416427937 on ticket #32343 (id 111409967). No line item, no invoice.

Credentials & Secrets

No new credentials created or discovered this session. Tokens used were app-only client-credentials flows for the existing ComputerGuru MSP SPs (cached under /tmp/remediation-tool/<tenant>/):

  • Exchange Operator SP b43e7342-5b4b-492f-890f-bb5a4f7f40e9 (full_access_as_app, aud https://outlook.office365.com) — used for EWS reads + the contact delete.
  • Security Investigator SP bfbc12a4-f0dd-4e12-b06d-997e7271e10c — Graph read (displayName); its EXO token 401'd for InvokeCommand.

Infrastructure & Servers

  • Tenant: rednourlaw.com = 4a4ca18a-f516-478b-99da-2e0722c5dc18
  • EWS endpoint: https://outlook.office365.com/EWS/Exchange.asmx (SOAP; ExchangeImpersonation via <t:ConnectingSID><t:SmtpAddress> header)
  • Exchange REST InvokeCommand: https://outlook.office365.com/adminapi/beta/<tenant>/InvokeCommand
  • Mailboxes (5 recipients): carla@ (Carla Skinner, was Emma; obj 93074d1a-6db2-4794-8f7d-c84a619e4494), crednour@ (Carrie Rednour, Global Admin, obj a0fc8517-1c2a-4d72-b774-c0d5c929167a), npafford@ (Nick Pafford, alias nick@), receptionist@, + system DiscoverySearchMailbox.
  • Carla proxyAddresses: SMTP:carla@, smtp:emma@, smtp:dgarcia@, smtp:alee@, smtp:dgarcia@rednourlaw.onmicrosoft.com.

Commands & Outputs

# Tokens
bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant> investigator      # Graph read
bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant> exchange-op       # EXO/EWS (worked)

# Graph: Carla displayName -> "Carla Skinner"
curl -H "Authorization: Bearer $GTOK" \
  "https://graph.microsoft.com/v1.0/users/93074d1a-...?$select=displayName,proxyAddresses"

# Exchange: Get-Mailbox carla -> DisplayName "Carla Skinner" (HTTP 200 with exchange-op token;
#           investigator-exo token 401'd)
POST .../adminapi/beta/<tenant>/InvokeCommand  {"CmdletInput":{"CmdletName":"Get-Mailbox",...}}

# EWS: enumerate contact folders (FindFolder Deep, msgfolderroot) then FindItem per folder.
# Hit: folder IPF.Contact.MOC.QuickContacts -> contact "Emma - Rednour Law" / emma@rednourlaw.com
# EWS DeleteItem DeleteType="MoveToDeletedItems" -> ResponseClass="Success" / NoError
# Verify: folder TotalItemsInView 2 -> 1; "Emma - Rednour Law" no longer present

# Sweep other boxes (npafford@, receptionist@, carla@): contact folders enumerated, 0 matches
# Counts: Carrie 237 contacts / Nick 0 / receptionist 34 / Carla 40

# Syncro internal comment
POST /tickets/111409967/comment  (hidden:true, do_not_email:true) -> comment.id 416427937
bash .claude/scripts/post-bot-alert.sh "[SYNCRO] Mike commented #32343 ..."  # message_id 1511375413711212665

Pending / Incomplete Tasks

  • Billing on #32343: no time logged for this follow-up. Add minutes + labor type if Mike wants it billed. The earlier 0.5h remote line from 2026-05-31 still sits on the (Resolved) ticket pending final close-out.
  • Shared-drive access for Nick Pafford (#32343) — still deferred from the 2026-05-31 session.
  • emma@ alias remains on Carla's mailbox by design; revisit only if the firm wants emma@ decommissioned.
  • If Carrie still sees the old name after sync, a one-time Outlook restart (cached mode) forces the contact change down.

Reference Information

  • Syncro: Customer Rednour Law id 1224246; Ticket #32343 id 111409967 (Resolved); comment 416427937. URL: https://computerguru.syncromsp.com/tickets/111409967
  • Report: clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md
  • Prior session: session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md and clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md
  • Stale-pin folder class: IPF.Contact.MOC.QuickContacts (Outlook/Skype pinned favorites) — resolves sender display names ahead of the GAL.
Reference in New Issue View Git Blame Copy Permalink