claudetools/clients/quantumwms/session-logs/2026-05-27-session.md
Mike Swanson a42d657c55 docs(session)+rules: 2026-05-27 — Quantum M365 onboarding, IX autodiscover fix, Syncro emergency/labor/attribution rules
Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only).

Syncro rule overhaul:
- Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225)
- Never make up labor items (existing product + real name; QuickBooks sync)
- Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner

/remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table).

Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 14:57:55 -07:00


Session Log: 2026-05-27 — Quantum Wealth Management

User

  • User: Mike Swanson (mike)
  • Machine: GURU-5070
  • Role: admin

Session Summary

Worked Syncro ticket #32323 "Mail migration planning" (Quantum Wealth Management, customer_id 7088747). Sheila Peress forwarded an email to Mike; pulled it from Mike's M365 mailbox via Microsoft Graph. The email — FW: Intermedia Concern [#SR-150626] (2026-05-27) — forwarded a reply from IFG Software Support (softwaresupport@ifgsd.com) confirming that Intermedia runs a fully cloud-hosted Exchange (HEX) service, that Microsoft is phasing out support for HEX accounts, and that IFG is therefore phasing out Intermedia and recommending offices migrate their email off it (to Microsoft 365). Sheila's note: "Please talk with Jen Curry. I guess you were onto something."

Posted a customer-visible, emailed update to #32323 acknowledging the forwarded note, confirming that migrating to Microsoft 365 is the right move, and that Mike has scheduled an online meeting with Jennifer (Jen) Curry to plan the migration from Intermedia to M365. Set the ticket to In Progress. The intent of the update was to reassure Sheila that ACG is actively on the task.

Key Decisions

  • Customer-visible + emailed update (not internal) — Mike wanted Sheila to see ACG is on task.
  • Confirmed migration direction: Intermedia (HEX) → Microsoft 365 — validated by IFG's own guidance that Microsoft is dropping HEX support; this matches the concern Mike had already raised.
  • Jen Curry (IFG) is the migration coordinator — Sheila explicitly directed us to her; Mike scheduled an online meeting with her.

Configuration Changes

  • No repo changes for this client. Syncro ticket update only.

Credentials & Secrets

  • No new client credentials. Mike's mailbox read via the shared Graph app (vault msp-tools/claude-msp-access-graph-api.sops.yaml) — see the root 2026-05-27 log for the /mailbox skill detail.

Infrastructure & Servers

  • Email platform (current): Intermedia — fully cloud-hosted Exchange (HEX). Being migrated to Microsoft 365.
  • Contacts: Sheila Peress (sheila@quantumwms.com — Licensed Insurance Associate / Admin Assistant to John Velez); John Velez (john@quantumwms.com — Financial Advisor; primary on the Datto account). Office: 14025 N Speckled Burro Lane, Marana AZ 85658; 520.445.8004.
  • IFG (broker-dealer / software support): softwaresupport@ifgsd.com. Jennifer "Jen" Curry — migration coordinator at IFG. "Jarod" also referenced at IFG. IFG support ref SR-150626.

Commands & Outputs

  • Mailbox read: Graph GET /users/mike@azcomputerguru.com/messages?$search="from:sheila@quantumwms.com" (app fabb3421, ACG tenant) → found FW: Intermedia Concern [#SR-150626], 2026-05-27 13:55.
  • Ticket update: POST /tickets/111056440/comment (hidden false, do_not_email false) → comment id 413437310 (emailed to Sheila). Bot alert posted.
  • Status: PUT /tickets/111056440 {"status":"In Progress"} → In Progress. Bot alert posted.

Pending / Incomplete Tasks

  • Online meeting with Jen Curry (IFG) — Mike scheduled it; discuss/plan the Intermedia → M365 migration. Then scope and execute the mailbox migration.
  • John Velez consent (carried) — the M365/migration work likely needs John Velez's sign-off (he's primary). Confirm before cutover.
  • Keep #32323 updated as the plan and timing firm up.

Reference Information


Update: 14:49 PT — M365 migration: tenant onboarded, security baseline started

Session Summary

Major progress on the Intermedia -> M365 migration (#32323). Jen Curry (IFG) called back and approved + strongly encouraged the move; emailed Sheila the update, set up appointments (Wed 5/27 2:00 PM with Sheila for licensing + PST backup kickoff; Thu 5/28 1:00 PM with Jen to finalize DNS for archival + sent-mail encryption), created a PST-backup TODO, and created an empty "365 Services" recurring invoice template (schedule 509862, Monthly, next run 2026-06-01) for Pax8 to populate.

Resolved the tenant question. Pax8 reported quantumwms.com "attached to a tenant" — discovery found a dormant GoDaddy-provisioned tenant (ddf3d2c9..., netorg18235235.onmicrosoft.com, brand "quantumwms.com") that had the domain parked but unverified. Mike chose to spin up a fresh tenant (only 2 users; cleaner than a GoDaddy takeover). Pax8 provisioned new tenant 2fd0092b-e9b7-474c-ad73-301f34dd6b64 ("Quantum Wealth Management", quantumwms.onmicrosoft.com); quantumwms.com verified + primary there; john@/sheila@ licensed (Business Premium); sysadmin@ is the ACG admin (GA). The GoDaddy tenant was bypassed.

Onboarded ACG management access: Pax8 GDAP approved (relationship "Default_Ariz_Quantum Weal_704149625747913", 180 days), then ran onboard-tenant.sh against 2fd0092b — only the Tenant Admin app needed a manual consent click; the script programmatically consented the rest (Security Investigator, Exchange Operator, User Manager, Defender) and assigned directory roles. Verified with a live Graph read. (Hit a wrong-tenant snag first: I'd pointed consent at the GoDaddy ddf3d2c9 and sysadmin@ bounced — re-discovery showed the domain had since verified into the new 2fd0092b.)

Started the security baseline (Mike chose Conditional Access over Security Defaults — Business Premium includes Entra P1). Set John's initial password. Created a break-glass GA (breakglass@quantumwms.onmicrosoft.com, excluded from CA). Created CA001 (MFA all) + CA002 (block legacy) in report-only programmatically (Mike relaxed the "CA stays manual" rule given break-glass + report-only = near-zero blast radius). Emailed Sheila for the office Comcast static IP (for a trusted-location CA policy). Enforcement deferred until after tomorrow's mail cutover (Security Defaults covers MFA in the interim).

Key Decisions

  • Fresh tenant, not GoDaddy takeover — only 2 users; the GoDaddy tenant (ddf3d2c9) is a Managed tenant (no DNS takeover possible) and dormant, so a clean new tenant (2fd0092b) was simpler. The domain wasn't verified in GoDaddy's, so the new tenant claimed it.
  • Conditional Access over Security Defaults — they pay for Business Premium (P1); CA is granular + break-glass-excludable + audit-friendly for a compliance-sensitive financial firm.
  • CA created in report-only, programmatically — Mike opted to enable programmatic CA writes; safe here (break-glass excluded + report-only enforces nothing). Enforce after the mail cutover so block-legacy is observed against real mail traffic.
  • Single GA + break-glass: sysadmin@ (daily) + breakglass@ (emergency, CA-excluded, password-never-expires) to prevent lockout before enforcing CA.
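The report-only / break-glass-excluded / confirm-before-enforce pattern from the decisions above, as an added example (this is not the page's onboard-tenant.sh nor any ACG script). It builds the two policy bodies in the shape Graph's POST /identity/conditionalAccess/policies expects, runs a lockout check against them, and only flips the state to enforced when the check passes and a caller has explicitly confirmed. The break-glass object id and policy names are placeholders, not the real values from the log; nothing here talks to the network.

```python
"""Build Conditional Access policy bodies for Graph, report-only first, and refuse
to enforce a policy that could lock the tenant out. Added example; ids are placeholders."""
import copy
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph conditionalAccessPolicy.state values
ENFORCED = "enabled"

# Client app types that carry normal (modern) sign-ins; a "block" that hits any of
# these is an all-user block, not a legacy-auth block.
MODERN_CLIENT_APPS = {"all", "browser", "mobileAppsAndDesktopClients"}

# Placeholder break-glass object id (constructed; the real one lives in the vault).
BREAKGLASS_ID = "11111111-2222-3333-4444-555555555555"


def require_mfa_all_users(breakglass_id, display_name="CA001 Require MFA all users"):
    """All users, all apps, grant requires MFA; break-glass excluded; report-only."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [breakglass_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth(breakglass_id, display_name="CA002 Block legacy auth"):
    """Block only legacy protocols (EAS + 'other' = basic auth); break-glass excluded."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [breakglass_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lockout_risks(policy, breakglass_id):
    """Reasons this policy is unsafe to enforce; an empty list means it passed."""
    problems = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    if "All" in users.get("includeUsers", []) and breakglass_id not in users.get("excludeUsers", []):
        problems.append("break-glass account is not excluded from an all-users policy")
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    client_apps = set(conditions.get("clientAppTypes", []))
    if "block" in controls and (client_apps & MODERN_CLIENT_APPS or not client_apps):
        problems.append("block control reaches modern client apps (would block every sign-in)")
    return problems


def prepare_for_enforcement(policy, breakglass_id, confirmed):
    """Return an enforced copy of the policy, or raise. The original stays report-only."""
    problems = lockout_risks(policy, breakglass_id)
    if problems:
        raise ValueError("refusing to enforce: " + "; ".join(problems))
    if not confirmed:
        raise PermissionError("enforcement requires explicit confirmation")
    enforced = copy.deepcopy(policy)
    enforced["state"] = ENFORCED
    return enforced


def graph_create_request(policy):
    """Method, path and JSON body for the create call (sent by the caller, not here)."""
    return ("POST", "/identity/conditionalAccess/policies", json.dumps(policy))


def raises(exc_type, fn, *args, **kwargs):
    """Small helper so callers can check that a guard actually fires."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    for build in (require_mfa_all_users, block_legacy_auth):
        policy = build(BREAKGLASS_ID)
        method, path, body = graph_create_request(policy)
        print(method, path, policy["displayName"], "->", lockout_risks(policy, BREAKGLASS_ID) or "ok")
```

The sequence the log follows maps onto these calls: create with the body from `graph_create_request` (state report-only), watch the sign-in report, then call `prepare_for_enforcement(..., confirmed=True)` and PATCH the returned body; disabling Security Defaults is a separate step that belongs after the enforce.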

Configuration Changes

  • Syncro #32323: appointments 5598140927 (Wed 2PM Sheila) + 5598140928 (Thu 1PM Jen); recurring schedule 509862 ("365 Services", empty); comments for migration updates.
  • M365 tenant 2fd0092b: full ComputerGuru app suite consented + directory roles; CA001 22cd5d4b + CA002 52db2b88 (report-only); break-glass GA created; John password set.

Credentials & Secrets

  • M365 tenant: 2fd0092b-e9b7-474c-ad73-301f34dd6b64 ("Quantum Wealth Management", quantumwms.onmicrosoft.com, quantumwms.com primary). Old GoDaddy tenant ddf3d2c9-b76c-40d9-a216-9f11a1a26f97 (netorg18235235.onmicrosoft.com) — dormant, bypassed.
  • john@quantumwms.com — initial password set 2026-05-27 by Mike: SheilaDeena1952# (forceChange=false; John MFA-enrolls at first sign-in). Licensed Business Premium.
  • sysadmin@quantumwms.com — ACG admin, Global Admin (id 003cacd2-dc29-4fb6-9da4-756927c91e16).
  • breakglass@quantumwms.onmicrosoft.com — emergency GA (id ad4a7a5c-a030-4e6f-bcd6-a0e7c7630f99), cloud-only, password-never-expires, excluded from all CA. Password VAULTED at clients/quantumwms/m365-breakglass.sops.yaml (vault commit f08f339).
  • GDAP: Pax8 US, relationship "Default_Ariz_Quantum Weal_704149625747913", Approved, 180 days.

Infrastructure & Servers

  • Email today: Intermedia HEX (*.exch090.serverdata.net), migrating to M365 tenant 2fd0092b. License SKU: SPB (Business Premium) ×2.
  • CA policies (report-only): CA001 Require MFA all users (22cd5d4b-5e6a-4fbe-ad50-e57555b12d8d), CA002 Block legacy auth (52db2b88-55bf-4e7d-b060-ea4b14a253e2), both exclude break-glass. Security Defaults still ON (interim).

Commands & Outputs

  • Onboard: bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh 2fd0092b-... → [SUCCESS] (re-ran once to clear Graph replication-lag perm errors).
  • Tenant discovery: getuserrealm/openid-config for quantumwms.com → first "Unknown"/not-found (GoDaddy parked), later Managed → 2fd0092b.
  • CA create: POST /identity/conditionalAccess/policies (tenant-admin token, state: enabledForReportingButNotEnforced).
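The wrong-tenant snag from the onboarding paragraph (consent pointed at the dormant GoDaddy tenant while the domain had since verified into the new one) is the kind of thing the discovery step should catch before any consent or role assignment is attempted. Below is an added example, not part of the log or of any ACG tooling, that parses the two public responses the log names (getuserrealm and the openid-configuration document) and refuses to proceed unless the domain is Managed and resolves to the tenant id the operator expects. The JSON bodies are constructed samples in the shape those endpoints return, and every tenant id is a placeholder.

```python
"""Check that a customer domain resolves to the expected Entra tenant before consenting.
Added example; the sample responses and tenant ids below are constructed placeholders."""
import json
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def discovery_urls(domain, probe_login):
    """The two unauthenticated endpoints the log's discovery step reads (no request is made here)."""
    return {
        "userrealm": f"https://login.microsoftonline.com/getuserrealm.srf?login={probe_login}&json=1",
        "openid": f"https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration",
    }


def namespace_type(userrealm_body):
    """'Managed', 'Federated' or 'Unknown' (unverified / parked domain)."""
    return json.loads(userrealm_body).get("NameSpaceType", "Unknown")


def tenant_id_from_openid(openid_body):
    """The tenant id is the GUID path segment of the issuer URL, e.g. .../<tid>/v2.0."""
    issuer = json.loads(openid_body).get("issuer", "")
    for segment in urlparse(issuer).path.split("/"):
        if GUID.match(segment):
            return segment.lower()
    return None


def verify_tenant(expected_tenant_id, userrealm_body, openid_body):
    """(ok, detail): ok only when the domain is Managed AND resolves to the expected tenant."""
    ns = namespace_type(userrealm_body)
    if ns != "Managed":
        return False, f"domain namespace is {ns}, not Managed (unverified or parked)"
    tid = tenant_id_from_openid(openid_body)
    if tid is None:
        return False, "openid-configuration issuer carries no tenant id"
    if tid != expected_tenant_id.lower():
        return False, f"domain resolves to tenant {tid}, expected {expected_tenant_id}"
    return True, tid


# Constructed samples (placeholder tenant ids; shapes follow the real endpoints).
NEW_TID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
STALE_TID = "ffffffff-0000-1111-2222-333333333333"

REALM_UNKNOWN = json.dumps({"State": 4, "UserState": 1, "Login": "sysadmin@example.test",
                            "NameSpaceType": "Unknown"})
REALM_MANAGED = json.dumps({"State": 4, "UserState": 1, "Login": "sysadmin@example.test",
                            "NameSpaceType": "Managed", "DomainName": "example.test",
                            "FederationBrandName": "Example Co"})
OPENID_NEW = json.dumps({"issuer": f"https://login.microsoftonline.com/{NEW_TID}/v2.0",
                         "token_endpoint": f"https://login.microsoftonline.com/{NEW_TID}/oauth2/v2.0/token"})
OPENID_STALE = json.dumps({"issuer": f"https://login.microsoftonline.com/{STALE_TID}/v2.0"})


if __name__ == "__main__":
    print(discovery_urls("example.test", "sysadmin@example.test"))
    print("before verification:", verify_tenant(NEW_TID, REALM_UNKNOWN, OPENID_STALE))
    print("stale tenant id:    ", verify_tenant(NEW_TID, REALM_MANAGED, OPENID_STALE))
    print("after verification: ", verify_tenant(NEW_TID, REALM_MANAGED, OPENID_NEW))
```

Run the check immediately before each consent or role-assignment call rather than once at the start of the session; in the log the answer changed mid-session as the domain verified into the new tenant, and a cached early result is exactly what produced the bounce.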

Pending / Incomplete Tasks

  • Thu 5/28 1:00 PM: Jen Curry (IFG) — finalize DNS (archival + sent-mail encryption), then mail cutover ~1 PM.
  • PST backups of John + Sheila mailboxes before cutover (todo d3623023) — Intermedia has no server-side export.
  • CA enforcement (todo 6be618e1): after mail cutover, disable Security Defaults + flip CA001/CA002 to enabled; add office static-IP named-location policy once Sheila sends the Comcast IP (requested).
  • Defender for Business onboarding (BP-included, app consented).
  • John Velez consent / Sheila's static IP reply.

Reference Information

  • Tenant 2fd0092b; GoDaddy ddf3d2c9. GDAP "Default_Ariz_Quantum Weal_704149625747913" (Pax8). CA001 22cd5d4b, CA002 52db2b88. Schedule 509862. Appts 5598140927/5598140928. Todos d3623023 (PST), 6be618e1 (CA baseline), 06c16144 is RMM (unrelated). Break-glass id ad4a7a5c. Memory: project_quantum_godaddy_m365_tenant.md.