31 lines
1.8 KiB
Markdown
31 lines
1.8 KiB
Markdown
---
|
|
name: 365 Remediation Tool Reference
|
|
description: "365 remediation tool" always means the Claude-MSP-Access Graph API app (fabb3421-8b34-484b-bc17-e46de9703418), not CIPP
|
|
type: feedback
|
|
---
|
|
|
|
When user says "365 remediation tool" or "remediation tool", they ALWAYS mean the Claude-MSP-Access Graph API application (App ID: fabb3421-8b34-484b-bc17-e46de9703418). This is NOT CIPP.
|
|
|
|
**Why:** User explicitly clarified this after I incorrectly navigated to CIPP. The remediation tool is direct Graph API access using client credentials flow against customer tenants.
|
|
|
|
**How to apply:** Authenticate directly via Graph API using the app's client secret from SOPS vault (`msp-tools/claude-msp-access-graph-api.sops.yaml`), get tenant ID from OpenID discovery for the target domain, and query Graph API endpoints directly. No browser/UI needed.
|
|
|
|
### Directory Role Requirements (discovered 2026-04-01)
|
|
|
|
Graph API permissions alone are NOT sufficient for privileged operations. The service principal also needs Entra directory roles assigned per-tenant:
|
|
|
|
| Operation | Required Directory Role |
|
|
|-----------|----------------------|
|
|
| Password reset | User Administrator |
|
|
| Exchange transport rules, mailbox permissions | Exchange Administrator |
|
|
|
|
**Roles assigned so far:**
|
|
- Valleywide Plastering (5c53ae9f...): User Administrator
|
|
- Dataforth (7dfa3ce8...): User Administrator, Exchange Administrator
|
|
|
|
**For new tenants:** After admin consent, manually assign roles via Entra portal > Roles and administrators. The app cannot self-assign directory roles.
|
|
|
|
### Exchange Online REST API
|
|
|
|
For Exchange cmdlets (Get-TransportRule, Add-MailboxPermission, etc.), use scope `https://outlook.office365.com/.default` and POST to `https://outlook.office365.com/adminapi/beta/$TENANT_ID/InvokeCommand` with `{"CmdletInput":{"CmdletName":"...", "Parameters":{...}}}`.
|