claudetools/.claude/commands/onboard365.md
Mike Swanson 15d582845f sync: auto-sync from GURU-5070 at 2026-06-10 16:02:59
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-10 16:02:59
2026-06-10 16:03:13 -07:00


# /onboard365 — Single-consent M365 tenant onboarding

Onboard a customer Microsoft 365 tenant to the ComputerGuru remediation app suite with **one**
customer admin-consent click. Thin entry point to the `onboard365` skill.

## Usage

```
/onboard365 <domain|tenant-id>    Smart: print the consent link if not yet consented,
                                  or provision the whole suite if it is.
/onboard365 link <domain>         Just generate the single Tenant Admin consent URL.
/onboard365 status <domain>       Dry-run: show current consent / role state.
/onboard365 provision <domain>    After the customer consents: provision all apps + roles.
```

## What it does

The customer Global Admin consents once to **ComputerGuru Tenant Admin**. Using that grant,
`onboard-tenant.sh` (reused from the `remediation-tool` skill) then creates the service
principals for Security Investigator, Exchange Operator, User Manager, and (if MDE-licensed)
Defender Add-on, grants all their Graph/EXO/Defender permissions, and assigns the required
Entra directory roles — no further customer clicks.
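
The `link` step and the tenant confirmation, as an added example (not the project's `onboard365.sh`): it builds a tenant-bound admin-consent URL on the Microsoft identity platform's `/adminconsent` endpoint and, going one step past what this page covers, checks the redirect that comes back. `CLIENT_ID`, `REDIRECT_URI` and every function name here are assumptions.

```shell
#!/bin/sh
# Added example, not the project's script. CLIENT_ID and REDIRECT_URI are placeholders.
LC_ALL=C; export LC_ALL
CLIENT_ID="00000000-0000-0000-0000-000000000000"
REDIRECT_URI="https://onboard.example.invalid/consent"

# Accept only a tenant GUID or DNS domain. "common"/"organizations" fail on purpose,
# so the link is always bound to the one tenant the operator confirmed.
valid_tenant() {
  case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq \
    -e '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    -e '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

urlencode() {  # percent-encode an ASCII string
  ue_in=$1 ue_out=
  while [ -n "$ue_in" ]; do
    ue_c=${ue_in%"${ue_in#?}"}; ue_in=${ue_in#?}
    case $ue_c in
      [A-Za-z0-9._~-]) ue_out=$ue_out$ue_c ;;
      *) ue_out=$ue_out$(printf '%%%02X' "'$ue_c") ;;
    esac
  done
  printf '%s' "$ue_out"
}

new_state() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }  # 128-bit nonce, hex

consent_url() {  # $1 = tenant, $2 = state nonce
  valid_tenant "$1" || { echo "refusing: not a tenant GUID or domain" >&2; return 1; }
  printf 'https://login.microsoftonline.com/%s/adminconsent?client_id=%s&redirect_uri=%s&state=%s\n' \
    "$1" "$CLIENT_ID" "$(urlencode "$REDIRECT_URI")" "$(urlencode "$2")"
}

qparam() {  # $1 = query string, $2 = name; prints the first matching raw value
  printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Accept the redirect only if consent succeeded for the expected tenant and our own nonce.
check_callback() {  # $1 = callback query, $2 = expected state, $3 = expected tenant GUID
  [ -z "$(qparam "$1" error)" ] || return 1
  [ "$(qparam "$1" admin_consent)" = "True" ] || return 1
  [ "$(qparam "$1" state)" = "$2" ] || return 1
  cb_got=$(qparam "$1" tenant | tr 'A-F' 'a-f')
  [ "$cb_got" = "$(printf '%s' "$3" | tr 'A-F' 'a-f')" ]
}
# Constructed run: prints the link for a sample domain.
consent_url "contoso.onmicrosoft.com" "$(new_state)"
```

Comparing the returned `tenant` against the GUID recorded at confirmation time is what stops a consent granted in a different tenant from being provisioned as the intended customer.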

## Implementation

1. Read the full playbook in `.claude/skills/onboard365/SKILL.md`.
2. Run `bash .claude/skills/onboard365/scripts/onboard365.sh <subcommand> <domain>`
   (the script auto-locates the reused remediation-tool scripts and the vault).
3. Confirm the target tenant with the user before generating a link, and again before
   `provision` (high-privilege, customer-facing).
4. After a clean provision, **record it**: set the tenant's `Onboarded` column to `YES` in the
   REPO copy of `remediation-tool/references/tenants.md` and note the onboarding in the client
   wiki. (See SKILL.md → Recording.)

This is the front door; once a tenant is onboarded, breach checks and remediation are handled by
the `remediation-tool` skill.