# /onboard365 — Single-consent M365 tenant onboarding

Onboard a customer Microsoft 365 tenant to the ComputerGuru remediation app suite with **one**
customer admin-consent click. Thin entry point to the `onboard365` skill.

## Usage

```
/onboard365 <domain|tenant-id>    Smart: print the consent link if not yet consented,
                                  or provision the whole suite if it is.
/onboard365 link <domain>         Just generate the single Tenant Admin consent URL.
/onboard365 status <domain>       Dry-run: show current consent / role state.
/onboard365 provision <domain>    After the customer consents: provision all apps + roles.
```

## What it does

The customer Global Admin consents once to **ComputerGuru Tenant Admin**. Using that grant,
`onboard-tenant.sh` (reused from the `remediation-tool` skill) then creates the service
principals for Security Investigator, Exchange Operator, User Manager, and (if MDE-licensed)
Defender Add-on, grants all their Graph/EXO/Defender permissions, and assigns the required
Entra directory roles — no further customer clicks.

## Implementation

1. Read the full playbook in `.claude/skills/onboard365/SKILL.md`.
2. Run `bash .claude/skills/onboard365/scripts/onboard365.sh <subcommand> <domain>`
   (the script auto-locates the reused remediation-tool scripts and the vault).
3. Confirm the target tenant with the user before generating a link, and again before
   `provision` (high-privilege, customer-facing).
4. After a clean provision, **record it**: set the tenant's `Onboarded` column to `YES` in the
   REPO copy of `remediation-tool/references/tenants.md` and note the onboarding in the client
   wiki. (See SKILL.md → Recording.)

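One way to implement the step 3 confirmation and the `link` URL, shown as an added example that is not the skill's own code. It assumes the Microsoft identity platform v2.0 admin-consent endpoint; `CLIENT_ID`, `REDIRECT_URI` and every function name are placeholders.

```shell
# Added example; function names, CLIENT_ID and REDIRECT_URI are placeholders,
# not values from the onboard365 skill.
CLIENT_ID="00000000-0000-0000-0000-000000000000"
REDIRECT_URI="https://example.invalid/consent/callback"
SCOPE="https://graph.microsoft.com/.default"

# Accept only a DNS name or a tenant GUID, so nothing typed by the operator
# can add path or query components to the consent URL.
valid_tenant() {
  case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eiq \
    -e '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
    -e '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# Percent-encode everything outside the RFC 3986 unreserved set (ASCII input).
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Build the v2.0 admin-consent URL; $2 is a per-request state nonce that the
# redirect handler should compare before trusting the callback.
consent_url() {
  valid_tenant "$1" || { echo "refusing tenant: $1" >&2; return 1; }
  printf 'https://login.microsoftonline.com/%s/v2.0/adminconsent?client_id=%s&scope=%s&redirect_uri=%s&state=%s\n' \
    "$1" "$CLIENT_ID" "$(urlencode "$SCOPE")" "$(urlencode "$REDIRECT_URI")" "$(urlencode "$2")"
}

# Step 3 gate: the operator must retype the exact tenant before any link or
# provision action runs; anything else aborts.
confirm_tenant() {
  printf 'Retype the tenant to continue (%s): ' "$1" >&2
  IFS= read -r answer || return 1
  [ "$answer" = "$1" ]
}

# 128-bit random state value, hex-encoded.
new_state() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }
```

A caller would chain them, for example `confirm_tenant "$t" && consent_url "$t" "$(new_state)"`, and store the state so the redirect handler can check it.
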
This is the front door; once a tenant is onboarded, breach checks and remediation are handled by the
`remediation-tool` skill.