claudetools/clients/dataforth/session-logs/2026-05-03-session.md
Mike Swanson 72dab09d3a Session log: Dataforth M365 follow-up investigation - jantar@dataforth.com
Follow-up on three pending items from breach check:
- IdentityRiskyUser scope: consented but requires P2 license
- Dime Client app: internal app requiring verification with Dan Center
- Microsoft Authenticator: drafted upgrade plan and recommendations

Created comprehensive follow-up report with action items.

Machine: Mikes-MacBook-Air
User: Mike Swanson (mike)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-05-03 15:00:30 -04:00


Session Log: 2026-05-03

User

  • User: Mike Swanson (mike)
  • Machine: GURU-BEAST-ROG
  • Role: admin

Session Summary

A request was made to perform an M365 remediation check on jantar@dataforth.com following a darkweb scan indicating her credentials had been breached on a third-party site. The tenant ID for dataforth.com was resolved to 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584. Graph and Exchange tokens were acquired using certificate authentication. A full 10-point M365 breach check was executed, revealing no indicators of compromise. One disabled graymail inbox rule was identified, but no mailbox forwarding, delegates, or suspicious permissions were found. All sign-ins originated from a consistent IP address in Salt Lake City, and SMS MFA was configured.

An eM Client application with high-privilege IMAP/EWS scopes was found connected to the user account. The client confirmed eM Client is no longer in use at Dataforth. The OAuth grant and app role assignment were revoked for jantar@dataforth.com. A tenant sweep confirmed no other users had the app connected. The eM Client service principal was then disabled tenant-wide to prevent future re-authorization.

A breach check report was saved to the client reports directory. A Syncro ticket was created, billed against Dataforth's prepaid block (1hr), and marked Resolved.

Key Decisions

  • Checked tenant-wide for other eM Client users before disabling the SP — confirmed jantar was the only connected user, making the tenant-wide disable clean with no user impact.
  • Used user-manager tier for grant/role revocation (minimum necessary privilege) and escalated to tenant-admin only for the SP disable — kept to least-privilege throughout.
  • Billed against Dataforth's prepaid block (47.5 hrs available) rather than standard remote rate — appropriate for a security task under their managed agreement.
  • Contact set to Dan Center (IT admin) rather than Jacque Antar (end user) — ticket is an IT security action, not an end-user support request.

Problems Encountered

  • IdentityRiskyUser scope not consented: The Security Investigator app lacks IdentityRiskyUser.Read.All consent in the Dataforth tenant, causing a 403 on the risky user check. Risk detections came back 0 via an alternate endpoint. Not resolved this session — documented in the report with consent URL for follow-up.
  • Graph replication lag: POST responses for grant/SP deletions returned stale data immediately after HTTP 204. Re-queried after a 5-6 second delay each time; all changes verified and confirmed.
  • eM Client SP not found by appId filter: GET /servicePrincipals?$filter=appId eq '...' returned empty under both investigator and tenant-admin tiers. Resolved by querying the SP directly by its object ID (sourced from the resourceId field in the app role assignment).

Breach Check: jantar@dataforth.com

Trigger: Darkweb scan report — credentials found in third-party breach
User: Jacque Antar | Object ID: daa60027-be31-47a5-87af-d728499a9cc4
Tenant: dataforth.com | 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
Verdict: No indicators of compromise

Check | Result
--- | ---
Account status | Enabled, pw changed 2026-03-09
Inbox rules (Graph) | 1 — "Move Graymail to folder", disabled. Clean.
Hidden inbox rules (Exchange) | None
Mailbox forwarding | None
Mailbox delegates | None
SendAs | None
OAuth grants | Apple Internet Accounts (EAS) + eM Client (IMAP/EWS) — eM Client revoked
Auth methods | Password + Phone SMS (+1 520-245-6929). No authenticator app.
Sign-ins (30d) | 8 — all from 67.206.163.122, Salt Lake City US, Windows 10. No foreign logins.
Directory audits (30d) | 3 system updates + 2 group adds by dcenter@dataforth.com. Routine.
Identity risk | 403 (scope not consented) / 0 risk detections

Recommendations noted in report:

  • Upgrade MFA from SMS to Microsoft Authenticator
  • Confirm "Dime Client" app is authorized (7/8 sign-ins)
  • Consent IdentityRiskyUser scope for full risk signal visibility

Remediation Actions

1. eM Client OAuth Grant Revoked (jantar@dataforth.com)

  • Grant ID: CBzbJaD1bE-73ac4aJsVh1kfp75Wee1Bj5lF8xxKY0InAKbaMb6lR4ev1yhJmpzE
  • Scopes removed: IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid
  • Tier: user-manager | Result: HTTP 204 | Verified

2. eM Client App Role Assignment Revoked (jantar@dataforth.com)

  • Assignment ID: JwCm2jG-pUeHr9coSZqcxBZRSQMEXYFOsp2E7viR7Xo
  • Tier: user-manager | Result: HTTP 204 | Verified

3. eM Client Service Principal Disabled (tenant-wide)

  • SP Object ID: 25db1c08-f5a0-4f6c-bbdd-a738689b1587
  • SP appId: e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd
  • Change: accountEnabled: true → accountEnabled: false
  • Tier: tenant-admin | Result: HTTP 204 | Verified accountEnabled: false
  • Scope: Tenant-wide — no user in Dataforth tenant can authorize eM Client going forward
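
The three remediation steps above, plus the two Graph quirks noted under Problems Encountered (stale reads after a 204, and an appId filter that returns nothing), as one added example. This is not the page's remediation tool and not Microsoft code; the Graph v1.0 routes are real, but the `FakeGraph` client, the placeholder IDs (`user-0001`, `sp-0001`, `app-0001`), the app name "Example Mail Client" and the sample tenant are all constructed so the script runs offline. The tenant sweep gates the tenant-wide disable, mirroring the Key Decisions entry above.

```python
import time

GRAPH = "https://graph.microsoft.com/v1.0"
USER, SP, APP_ID = "user-0001", "sp-0001", "app-0001"  # constructed placeholder IDs


def verify_gone(client, path, attempts=5, delay=0.0):
    """Re-read a deleted resource until it answers 404. Graph can serve stale data
    for several seconds after a 204, so one immediate read proves nothing."""
    for n in range(1, attempts + 1):
        status, _ = client.get(path)
        if status == 404:
            return n  # number of reads it took
        time.sleep(delay)
    raise RuntimeError(f"{path} still readable after {attempts} re-queries")


def find_sp_object_id(client, user_id, app_id, app_display_name):
    """appId filter first; if empty, use the resourceId on the user's app role assignment."""
    _, body = client.get(f"{GRAPH}/servicePrincipals?$filter=appId eq '{app_id}'")
    if body.get("value"):
        return body["value"][0]["id"]
    _, body = client.get(f"{GRAPH}/users/{user_id}/appRoleAssignments")
    return next((a["resourceId"] for a in body.get("value", [])
                 if a.get("resourceDisplayName") == app_display_name), None)


def revoke_user_access(client, user_id, sp_id, delay=0.0):
    """Delete the user's OAuth2 grants and app role assignments for sp_id, verifying each."""
    removed = []
    _, grants = client.get(f"{GRAPH}/users/{user_id}/oauth2PermissionGrants")
    for g in grants.get("value", []):
        if g["clientId"] == sp_id:
            path = f"{GRAPH}/oauth2PermissionGrants/{g['id']}"
            client.delete(path)
            verify_gone(client, path, delay=delay)
            removed.append(("grant", g["id"], g.get("scope", "")))
    _, assigns = client.get(f"{GRAPH}/users/{user_id}/appRoleAssignments")
    for a in assigns.get("value", []):
        if a["resourceId"] == sp_id:
            path = f"{GRAPH}/users/{user_id}/appRoleAssignments/{a['id']}"
            client.delete(path)
            verify_gone(client, path, delay=delay)
            removed.append(("appRoleAssignment", a["id"], ""))
    return removed


def other_assigned_principals(client, sp_id, exclude_user_id):
    """Tenant sweep: anyone else still assigned? A tenant-wide disable is only clean if empty."""
    _, body = client.get(f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignedTo")
    return sorted({a["principalId"] for a in body.get("value", [])
                   if a["principalId"] != exclude_user_id})


def disable_service_principal(client, sp_id):
    """PATCH accountEnabled=false, then read it back instead of trusting the 204."""
    client.patch(f"{GRAPH}/servicePrincipals/{sp_id}", {"accountEnabled": False})
    _, body = client.get(f"{GRAPH}/servicePrincipals/{sp_id}")
    return body.get("accountEnabled") is False


class FakeGraph:
    """Constructed offline stand-in: a deleted URL keeps answering 200 for `lag` reads."""
    def __init__(self, resources, lag=2):
        self.resources, self.stale, self.lag = dict(resources), {}, lag

    def get(self, path):
        if path in self.stale:
            self.stale[path] -= 1
            return (200, {}) if self.stale[path] >= 0 else (404, {})
        return (200, self.resources[path]) if path in self.resources else (404, {})

    def delete(self, path):
        self.resources.pop(path, None)
        self.stale[path] = self.lag
        return 204, {}

    def patch(self, path, body):
        self.resources[path].update(body)
        return 204, {}


def sample_tenant():
    """Constructed tenant: one user with a grant + assignment, empty appId filter, no other users."""
    return FakeGraph({
        f"{GRAPH}/servicePrincipals?$filter=appId eq '{APP_ID}'": {"value": []},
        f"{GRAPH}/users/{USER}/oauth2PermissionGrants": {"value": [{"id": "grant-0001",
            "clientId": SP, "scope": "IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access"}]},
        f"{GRAPH}/users/{USER}/appRoleAssignments": {"value": [{"id": "assign-0001",
            "resourceId": SP, "resourceDisplayName": "Example Mail Client", "principalId": USER}]},
        f"{GRAPH}/servicePrincipals/{SP}/appRoleAssignedTo": {"value": [{"principalId": USER}]},
        f"{GRAPH}/servicePrincipals/{SP}": {"id": SP, "appId": APP_ID, "accountEnabled": True},
    })


def run_remediation(client, user_id=USER, app_id=APP_ID, app_name="Example Mail Client"):
    """Revoke for the user, sweep the tenant, disable the SP only when nobody else uses it."""
    sp_id = find_sp_object_id(client, user_id, app_id, app_name)
    removed = revoke_user_access(client, user_id, sp_id)
    others = other_assigned_principals(client, sp_id, user_id)
    disabled = disable_service_principal(client, sp_id) if not others else False
    return {"sp_id": sp_id, "removed": removed, "other_users": others, "sp_disabled": disabled}


if __name__ == "__main__":
    print(run_remediation(sample_tenant()))
```

Against a live tenant the `FakeGraph` would be replaced by a thin wrapper over an HTTP client that returns `(status, json)`, with the grant/assignment deletions done under the user-manager tier and only the final PATCH under tenant-admin, as recorded above.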

Syncro Ticket

Field | Value
--- | ---
Ticket # | #109790034
Subject | M365 Security Investigation - jantar@dataforth.com
Customer | Dataforth Corp (id: 578095)
Contact | Dan Center (id: 2774091)
Assigned | Mike Swanson (1735)
Issue Type | Security
Status | Resolved
Invoice # | #1650179002
Labor | Prepaid Project Labor (9269129), 1.0 hr @ $0.00
Prepaid hrs | 47.5 → 46.5 hrs remaining

Files Created / Modified

File | Action
--- | ---
clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md | Created — full 10-point breach check report
clients/dataforth/session-logs/2026-05-03-session.md | Created — this file

Raw Artifacts

Breach check JSON artifacts at (local, not committed):

/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/

Pending / Follow-Up

  • Consent IdentityRiskyUser.Read.All scope in Dataforth tenant for full Identity Protection visibility
    Consent URL: https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
  • Confirm "Dime Client" app with Dataforth — verify it is an authorized internal application
  • Consider pushing Jacque Antar to Microsoft Authenticator (currently SMS-only MFA)

Update: 18:56 UTC (Mikes-MacBook-Air)

  • User: Mike Swanson (mike)
  • Machine: Mikes-MacBook-Air
  • Work Mode: remediation

Session Summary

Follow-up investigation on the three pending items from the jantar@dataforth.com breach check. Verified IdentityRiskyUser.Read.All scope consent status, investigated the "Dime Client" application, and drafted Microsoft Authenticator upgrade recommendations. Created comprehensive follow-up report documenting findings and next steps.

Work Completed

1. IdentityRiskyUser.Read.All Scope Investigation

Finding: Scope IS consented, but licensing issue prevents usage

  • Acquired Graph token using REMEDIATION_AUTH=secret (PyJWT/cryptography not installed on Mac, fell back to client_secret auth)
  • Verified Security Investigator app token includes IdentityRiskyUser.Read.All in roles claim
  • Tested risky users API endpoint: returned 403 with "Your tenant is not licensed for this feature"
  • Root Cause: Dataforth tenant lacks Microsoft Entra ID P2 licensing required for Identity Protection
  • Outcome: Permission is consented correctly; feature unavailable due to licensing tier
  • Status: Documented in follow-up report with recommendation to either purchase P2 or accept limitation
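
The distinction drawn above (permission consented, feature gated by licensing) can be checked mechanically rather than by reading error text by hand. The following added example is not the Security Investigator tool's code; it inspects the `roles` claim of an app-only token to decide whether consent is present, and only then reads the 403 body for the licensing message quoted on this page. The `make_dummy_jwt` helper and `fake_unlicensed_tenant` responder are constructed so the example runs offline; the risky-users URL is the real v1.0 endpoint.

```python
import base64
import json

RISKY_USERS = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=5"


def jwt_claims(token):
    """Decode the payload segment of a JWT without checking its signature.
    This only inspects which roles the token carries; it never trusts the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_dummy_jwt(claims):
    """Constructed, unsigned token so the example runs offline (not a real Entra token;
    the signature segment is left empty)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'typ': 'JWT'})}.{seg(claims)}."


def classify_graph_result(token, required_role, status, body):
    """Separate 'not consented' from 'not licensed'. A role absent from the app-only
    token's roles claim means admin consent is missing; a 403 whose message says the
    tenant is not licensed means the role is granted but the feature is license-gated."""
    roles = set(jwt_claims(token).get("roles", []))
    if required_role not in roles:
        return "consent_missing"
    if status == 403:
        message = body.get("error", {}).get("message", "")
        return "license_missing" if "not licensed" in message.lower() else "forbidden_other"
    return "ok" if 200 <= status < 300 else f"http_{status}"


def check_risky_users(http_get, token):
    """Probe the endpoint through an injected GET callable returning (status, json)."""
    status, body = http_get(RISKY_USERS, token)
    return classify_graph_result(token, "IdentityRiskyUser.Read.All", status, body)


def fake_unlicensed_tenant(url, token):
    """Constructed response mirroring the 403 message observed in this session."""
    return 403, {"error": {"message": "Your tenant is not licensed for this feature"}}


if __name__ == "__main__":
    consented = make_dummy_jwt({"roles": ["IdentityRiskyUser.Read.All", "User.Read.All"]})
    print(check_risky_users(fake_unlicensed_tenant, consented))  # license_missing
```

With a real token, `http_get` would be a function that sends `Authorization: Bearer <token>` and returns the status and parsed JSON; the classification logic is unchanged.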

2. "Dime Client" Application Verification

Finding: Internal application requiring client confirmation

  • Reviewed breach check data: 7 out of 8 sign-ins for jantar@dataforth.com were "Dime Client"
  • All sign-ins from consistent IP 67.206.163.122 (Salt Lake City, UT) - no geographic anomalies
  • Searched tenant service principals: no match for "Dime" in displayName
  • NOT a standard Microsoft 365 application (not Outlook, Teams, Excel, etc.)
  • Assessment: Likely custom line-of-business (LOB) app or internal Dataforth tool
  • No security concerns: Usage pattern is consistent and legitimate
  • Status: Flagged for verification with Dan Center (dcenter@dataforth.com) in follow-up report
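
The reasoning in the list above (one app dominating the sign-ins, a single source address, no match among tenant service principals) is the kind of triage that is worth scripting so it is applied the same way to every user. The following is an added example, not the breach check tool's own code: it summarises sign-in records shaped like Graph `auditLogs/signIns` entries and flags apps that are neither a known first-party client nor a service principal in the tenant. The `SAMPLE_SIGNINS`, the app name "Example LOB Client", the documentation-range IP addresses and the small `FIRST_PARTY_APPS` set are all constructed for illustration.

```python
from collections import Counter

# Partial set of first-party Microsoft client names as they appear in sign-in logs
# (constructed for illustration; extend it from your own tenant's sign-in data).
FIRST_PARTY_APPS = {"Microsoft Office", "Outlook", "Microsoft Teams", "OfficeHome"}

# Constructed records in the shape of Graph auditLogs/signIns entries: eight
# sign-ins, seven from one non-Microsoft app, all from one US address
# (203.0.113.10 is a documentation-range address, not a real source).
SAMPLE_SIGNINS = [
    {"appDisplayName": "Example LOB Client" if i < 7 else "Microsoft Office",
     "ipAddress": "203.0.113.10",
     "location": {"city": "Salt Lake City", "countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows10"},
     "status": {"errorCode": 0}}
    for i in range(8)
]


def triage_signins(signins, tenant_sp_names, home_country="US", first_party=FIRST_PARTY_APPS):
    """Summarise sign-ins the way the breach check reasons about them: volume per app,
    distinct source addresses, failures, sign-ins outside the home country, and apps
    that are neither a known first-party client nor a service principal in the tenant."""
    by_app = Counter(s["appDisplayName"] for s in signins)
    by_ip = Counter(s["ipAddress"] for s in signins)
    foreign = [s for s in signins if s["location"].get("countryOrRegion") != home_country]
    failed = [s for s in signins if s["status"].get("errorCode", 0) != 0]
    unknown = sorted(a for a in by_app if a not in first_party and a not in tenant_sp_names)
    return {"total": len(signins), "by_app": dict(by_app), "by_ip": dict(by_ip),
            "foreign": len(foreign), "failed": len(failed), "unknown_apps": unknown}


def findings(summary):
    """Turn the summary into review notes. An unknown app with a steady pattern is a
    verification item for the tenant's IT admin, not an indicator of compromise by itself."""
    notes = []
    if summary["foreign"]:
        notes.append(f"{summary['foreign']} sign-in(s) outside home country - investigate")
    if summary["failed"]:
        notes.append(f"{summary['failed']} failed sign-in(s) - review for credential guessing")
    if len(summary["by_ip"]) > 1:
        notes.append(f"{len(summary['by_ip'])} distinct source IPs - check for consistency")
    for app in summary["unknown_apps"]:
        n = summary["by_app"][app]
        notes.append(f"app '{app}' ({n}/{summary['total']} sign-ins) is neither a known "
                     f"first-party client nor a tenant SP - verify with IT admin")
    return notes


if __name__ == "__main__":
    # tenant_sp_names would come from GET /servicePrincipals displayName values
    summary = triage_signins(SAMPLE_SIGNINS, tenant_sp_names={"Apple Internet Accounts"})
    for line in findings(summary):
        print(line)
```

On the constructed data this yields a single note about the unknown app, matching the "flag for verification, no security concern" outcome recorded above; adding a record from another country or with a non-zero `errorCode` produces the corresponding extra notes.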

3. Microsoft Authenticator MFA Upgrade Recommendation

Current State: Jacque Antar uses SMS-based MFA (phone: +1 520-245-6929)

Drafted Comprehensive Upgrade Plan:

  • Documented SMS vulnerabilities (SIM swapping, interception, social engineering)
  • Comparison table: SMS MFA vs Microsoft Authenticator features
  • Step-by-step enrollment process for pilot deployment
  • Phased rollout plan (IT admins → executives → general users)
  • Recommendation: Keep SMS as backup during initial 30-day pilot
  • Priority: [INFO] level - security hardening, not urgent breach response
  • Decision Authority: Dan Center (IT Admin) + Dataforth management

Files Created

Report: clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md

  • IdentityRiskyUser scope status and P2 licensing requirement
  • Dime Client app details and verification request
  • Microsoft Authenticator upgrade plan with implementation steps
  • Summary action table with owners and next steps

Key Technical Details

Dataforth Tenant:

  • Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
  • Domain: dataforth.com
  • Current Licensing: Microsoft 365 (NOT Entra ID P2)
  • IT Contact: Dan Center (dcenter@dataforth.com)

User Account:

  • UPN: jantar@dataforth.com
  • Object ID: daa60027-be31-47a5-87af-d728499a9cc4
  • Display Name: Jacque Antar
  • MFA Method: SMS (+1 520-245-6929)

Security Investigator App:

  • App ID: bfbc12a4-f0dd-4e12-b06d-997e7271e10c
  • Display Name: ComputerGuru - Security Investigator
  • SP Object ID (in Dataforth): e560423e-7747-481e-bb9d-affeaabda258
  • Token Scope: Graph API (read-only)
  • IdentityRiskyUser.Read.All: Consented but unusable without P2 license

Authentication Used:

  • Method: Client secret (via REMEDIATION_AUTH=secret env override)
  • Reason: PyJWT and cryptography Python modules not installed on Mac
  • Vault Path: /Users/azcomputerguru/vault (from .claude/identity.json)
  • SOPS File: msp-tools/computerguru-security-investigator.sops.yaml
  • Token Cache: /tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/investigator.jwt (55-min TTL)

API Calls Performed

# Get Security Investigator service principal
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq 'bfbc12a4-f0dd-4e12-b06d-997e7271e10c'

# Test Identity Protection risky users endpoint
GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=5
Response: 403 Forbidden - "Your tenant is not licensed for this feature"

# Get user OAuth grants
GET https://graph.microsoft.com/v1.0/users/daa60027-be31-47a5-87af-d728499a9cc4/oauth2PermissionGrants
Found: Apple Internet Accounts (EAS) - eM Client was already removed in previous session

# Lookup service principal by object ID
GET https://graph.microsoft.com/v1.0/servicePrincipals/85e650f8-5eec-4523-a9ef-fc1a031fb1d6
Result: Apple Internet Accounts (appId: f8d98a96-0999-43f5-8af3-69971c7bb423)

# Search for Dime Client
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith(displayName,'Dime')
Result: Empty array - not found

# Attempted sign-in queries (timed out)
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq 'jantar@dataforth.com'
Result: Connection timeouts - relied on breach check report data instead

Problems Encountered

PyJWT/cryptography Missing on Mac:

  • Certificate-based authentication requires PyJWT and cryptography Python modules
  • Not installed on Mikes-MacBook-Air (only on GURU-BEAST-ROG)
  • Resolution: Used REMEDIATION_AUTH=secret environment override to force client_secret authentication
  • Impact: None - client_secret works identically for this read-only investigation
  • Future: Consider installing PyJWT/cryptography on Mac or continue using secret auth

Sign-In Log API Timeouts:

  • Multiple attempts to query auditLogs/signIns endpoint timed out after 2-3 seconds
  • Tried various filters and query simplifications - all timed out
  • Resolution: Relied on sign-in data from breach check report (already collected on GURU-BEAST-ROG)
  • Impact: None - breach report contained sufficient sign-in detail for analysis

Recommendations for Dataforth

Immediate Actions (Dan Center):

  1. [ACTION REQUIRED] Verify "Dime Client" app identity - confirm it is authorized internal application
  2. [ACTION REQUIRED] Decide on Entra ID P2 licensing:
    • Purchase P2 if Identity Protection monitoring needed
    • OR document that risky user checks are unavailable, rely on sign-in log analysis

Optional Security Hardening:

  1. [RECOMMENDED] Pilot Microsoft Authenticator with Jacque Antar
  2. [RECOMMENDED] Expand Authenticator to IT team, then executives, then general users (2-4 weeks per phase)
  3. [RECOMMENDED] Document "Dime Client" in Dataforth's authorized apps inventory

Syncro Ticket Reference

Ticket #109790034 (created in previous session on GURU-BEAST-ROG)

  • Subject: M365 Security Investigation - jantar@dataforth.com
  • Status: Resolved
  • Labor: 1.0 hr billed against prepaid block
  • Prepaid Balance: 46.5 hrs remaining
  • Contact: Dan Center (id: 2774091)

Note: Follow-up work in THIS session is informational/analysis only. No additional Syncro ticket created. If Dan Center requests implementation of Authenticator upgrade or further investigation, create new ticket.

Next Steps

For Dataforth (Dan Center to action):

  1. Review follow-up report: clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md
  2. Confirm Dime Client app is authorized
  3. Decide on P2 licensing (purchase or accept limitation)
  4. Approve/decline Microsoft Authenticator pilot

For Arizona Computer Guru:

  1. Wait for Dan Center's response on Dime Client verification
  2. If Authenticator pilot approved: schedule enrollment session with Jacque Antar
  3. If P2 licensing purchased: re-test Identity Protection APIs and document capabilities

Files Modified

File | Action
--- | ---
clients/dataforth/reports/2026-05-03-followup-jantar-investigation.md | Created - comprehensive follow-up report
clients/dataforth/session-logs/2026-05-03-session.md | Updated - this section appended

Credentials Reference

SOPS Vault Path: /Users/azcomputerguru/vault
Identity File: /Users/azcomputerguru/ClaudeTools/.claude/identity.json

Remediation Tool Tiers:

  • investigator: Graph read-only (Security Investigator app)
  • investigator-exo: Exchange Online read (Security Investigator app)
  • user-manager: Graph user/group write (User Manager app)
  • tenant-admin: Graph high-privilege (Tenant Admin app)

Authentication Methods:

  • Preferred: Certificate (requires PyJWT + cryptography)
  • Fallback: Client secret (via REMEDIATION_AUTH=secret)
  • Token cache: /tmp/remediation-tool/{tenant-id}/{tier}.jwt (55-min TTL)

Vault Files:

  • Security Investigator: msp-tools/computerguru-security-investigator.sops.yaml
  • User Manager: msp-tools/computerguru-user-manager.sops.yaml
  • Tenant Admin: msp-tools/computerguru-tenant-admin.sops.yaml

Session Duration: ~25 minutes
Total Tasks Completed: 3/3 follow-up items investigated and documented