Note for Mike
From Howard, 2026-04-19
Cascades of Tucson - M365 Remediation App - Identity Protection scope
During today's phishing investigation on Cascades of Tucson (crystal.rodriguez, et al.), the 10-point breach check returned Forbidden on /identityProtection/riskyUsers and /identityProtection/riskDetections because Claude-MSP-Access (ComputerGuru - AI Remediation, App ID fabb3421-8b34-484b-bc17-e46de9703418) lacks admin consent for IdentityRiskyUser.Read.All on the Cascades tenant.
Asking before I grant: should I go ahead and give this consent, or do you want to hold off?
What the scope does
- Read-only. Reads Entra ID Identity Protection signals: risky-user state (low/medium/high), and the underlying risk detections (impossible travel, anonymous IP, leaked credentials, malware-linked IP, etc.).
- No write capability - not ReadWrite.All, just Read.All. The app cannot reset risk state, dismiss detections, or modify anything in Identity Protection.
- Tenant-scoped. Consent applies only to the Cascades tenant; doesn't affect other clients.
Why I want it
- Closes a visibility gap in our standard breach-check workflow. Today I had to tell the report "this check skipped" for risky-user signals.
- Saves us from logging into the Defender / Entra portal manually during IR to cross-check.
- Cascades has Defender P1+ (based on targeted-user protection already configured), so risk data exists to read.
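As an added illustration (not code from the remediation app itself) of how a breach-check step can enforce the read-only scope and degrade to "skipped" instead of failing when consent is missing: `token_roles` reads the granted application permissions from an app-only Graph token's `roles` claim, `scope_ok` refuses to run if the ReadWrite variant is present, and `risky_users_check` turns the 403 into a skipped result. The transport (`GraphGet`), the unsigned sample token and the canned responses are constructed stand-ins, not real tenant data.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "IdentityRiskyUser.Read.All"    # application permission the note asks for
WRITE_ROLE = "IdentityRiskyUser.ReadWrite.All"  # variant the note explicitly does not want
GraphGet = Callable[[str], tuple[int, dict]]    # hypothetical transport: path -> (status, JSON)

@dataclass
class CheckResult:
    name: str
    status: str          # "ok" | "skipped" | "error"
    detail: str
    findings: list = field(default_factory=list)

def token_roles(jwt: str) -> set[str]:
    """App-only Graph tokens list granted application permissions in the 'roles' claim."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)         # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def scope_ok(roles: set[str]) -> tuple[bool, str]:
    """Pre-flight: require the read role; refuse to run if the write variant was granted."""
    if WRITE_ROLE in roles:
        return False, f"{WRITE_ROLE} granted; expected read-only {REQUIRED_ROLE}"
    if REQUIRED_ROLE not in roles:
        return False, f"{REQUIRED_ROLE} not granted (admin consent missing)"
    return True, "read-only scope present"

def risky_users_check(get: GraphGet) -> CheckResult:
    """Breach-check step: list at-risk users, degrading to 'skipped' on a missing scope."""
    status, body = get(f"{GRAPH}/identityProtection/riskyUsers")
    if status == 403:                             # Graph reports Authorization_RequestDenied
        code = body.get("error", {}).get("code", "Forbidden")
        return CheckResult("risky_users", "skipped", f"{code}: app lacks {REQUIRED_ROLE}")
    if status != 200:
        return CheckResult("risky_users", "error", f"HTTP {status}")
    hits = [{"upn": u.get("userPrincipalName"), "riskLevel": u.get("riskLevel")}
            for u in body.get("value", [])
            if u.get("riskState") in ("atRisk", "confirmedCompromised")]
    return CheckResult("risky_users", "ok", f"{len(hits)} at-risk user(s)", hits)

# Constructed offline stand-ins (not real tenant data): an unsigned token and canned responses.
def fake_token(roles): return "hdr." + base64.urlsafe_b64encode(json.dumps({"roles": roles}).encode()).decode().rstrip("=") + ".sig"
DENIED = {"error": {"code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation."}}
OK = {"value": [{"userPrincipalName": "a@example.invalid", "riskLevel": "high", "riskState": "atRisk"},
                {"userPrincipalName": "b@example.invalid", "riskLevel": "low", "riskState": "remediated"}]}
def fake_get(status, body): return lambda path: (status, body)
```

In the real app, `get` would wrap an authenticated request and `token_roles` would be fed the actual access token, so the check can report "consent missing" before the call rather than after a 403.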
Why you might say no
- Every additional scope on the app = larger blast radius if the app's client secret/cert leaks.
- Scope is persistent until revoked via the portal.
- Identity Protection data can include sensitive info (IPs, geo, device hints). If our audit logging is weak, reading it leaves tracks we should be aware of.
My lean
Allow it. The scope is read-only, the app is narrowly controlled (only us), and we already have Mail.Read, User.Read.All, Exchange Admin, etc. — which are materially more sensitive than this. The inconsistency of "we can read full mailbox contents but not risky-user flags" doesn't match a risk-based model.
If you say yes, consent URL is:
https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418
Takes ~30 seconds. Sign in as a GA on Cascades' tenant (sysadmin@ works), review the permission, click Accept.
Full investigation report: clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md
- Howard