claudetools/clients/mvan-inc/reports/2026-04-21-risky-signins.md
Mike Swanson db4e3c25a5 Session log: GuruRMM MSI build fix + DESIGN.md + BirthBiologic onboarding
- Fixed MSI build on Pluto (missing WixToolset.Util.wixext in install.rs)
- Created docs/DESIGN.md in gururmm repo (per-component design guide)
- Saved BirthBiologic GuruRMM site credentials to vault
- Added birth-biologic and mvan-inc client session logs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 12:02:23 -07:00


Risky Sign-In Investigation — MVAN Inc

Date: 2026-04-21 UTC
Tenant: mvaninc.com (5affaf1e-de89-416b-a655-1b2cf615d5b1)
Requested by: Mike Swanson
Scope: Identity Protection risky users review


Summary

Three in-scope accounts have active or recent risk events. Two are already remediated. One (alisha.p@mvaninc.com) remains atRisk with no action taken. The most concerning event is our own sysadmin@mvaninc.com (Global Admin) being flagged and remediated by password reset 4 days ago (2026-04-17); what triggered it could not be determined with the permissions currently granted to the investigator app. A fourth record, j.bradford@modernstile.com, is still atRisk at medium, but the detection dates from 2020-12-25 and is treated as stale (see Historical / Other).


Active Risks

alisha.p@mvaninc.com — LOW / atRisk (OPEN)

  • Display name: Alisha Park
  • Risk level: Low
  • Risk state: atRisk (no remediation performed)
  • Risk first detected: 2025-12-01
  • Last password change: 2025-11-13 (before the risk event; no password reset has occurred since detection, so the risk has been open for over four months)
  • Admin roles: None
  • Recommendation: force a secure password reset, which clears the risk state, or dismiss the risk with a documented justification if it is a confirmed false positive

Recently Remediated (past 90 days)

sysadmin@mvaninc.com — REMEDIATED 2026-04-17 [PRIORITY]

  • Display name: Computer Guru (our managed service account)
  • Risk state: Remediated via userPerformedSecuredPasswordReset
  • Remediation date: 2026-04-17T17:33:21Z (4 days ago)
  • Admin roles: Global Administrator, Intune Administrator, Cloud Device Administrator
  • Last password change: 2026-04-17T17:33:21Z (matches remediation)
  • Notes: This is a high-privilege account. riskDetail userPerformedSecuredPasswordReset says only that a self-service secure password reset cleared the risk; it does not say what raised the risk or who was in control of the account at the time. Without AuditLog.Read.All the sign-in log and risk detections could not be pulled. Follow up: identify the detection type, who initiated the reset (directory audit log), and whether any sessions were active before 17:33Z on 2026-04-17.

mitch.v@mvaninc.com — REMEDIATED 2026-04-07

  • Display name: Mitch VanDeveer (client's primary admin)
  • Risk state: Remediated via userPerformedSecuredPasswordReset
  • Remediation date: 2026-04-07T13:12:55Z (~2 weeks ago)
  • Admin roles: Global Administrator, Windows 365 Administrator
  • Last password change: 2026-04-07T13:12:55Z (matches remediation)

Historical / Other

| Account | Risk State | Level | Detail | Last Updated |
|---|---|---|---|---|
| mitch@mvan.onmicrosoft.com | remediated | none | passwordReset | 2025-10-24 |
| june.b@mvaninc.com | remediated | none | passwordReset | 2026-01-27 |
| j.bradford@modernstile.com | atRisk | medium | none | 2020-12-25 (stale, different domain) |
| june@jemaenterprises.com | dismissed | none | | 2022-04-26 |

Global Admin Inventory (6 accounts — excessive)

| Account | Notes |
|---|---|
| mitch.v@mvaninc.com | Client owner |
| admin@mvan.onmicrosoft.com | Break-glass / legacy |
| mitch@mvan.onmicrosoft.com | Alternate admin account |
| june.b@mvaninc.com | Non-admin user with GA role |
| sysadmin@mvaninc.com | Our managed service account |
| ryan@mvan.onmicrosoft.com | Unknown |

Six Global Administrators is excessive for a tenant this size. Recommend reducing to 2 or 3 (one of them a break-glass account), assigning least-privilege roles such as Intune Administrator or User Administrator for day-to-day tasks, and confirming MFA is enforced on whatever remains.
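The triage applied in the Active Risks, Recently Remediated and Global Admin sections above, as an added worked example (this is not the investigator tooling the report was produced with). It takes the shape of a Graph `GET /identityProtection/riskyUsers` response, the users' `lastPasswordChangeDateTime`, and the Global Administrator member list, and classifies each risky user: open risk with no reset since detection, open but stale, recently remediated on a privileged account (needs a look at the sign-ins before the reset), and so on. All data in the block is constructed to mirror the report's figures; the 90-day "recent" and 365-day "stale" thresholds are assumptions.

```python
# Added example (not the report's tooling): triage Microsoft Graph
# /identityProtection/riskyUsers output against password-change dates and
# Global Administrator membership. All data below is constructed to mirror
# the report; field names follow the Graph riskyUser resource.
from datetime import datetime, timedelta, timezone

REPORT_TIME = datetime(2026, 4, 21, 12, 0, tzinfo=timezone.utc)

# Constructed: trimmed GET /identityProtection/riskyUsers response.
RISKY_USERS = [
    {"userPrincipalName": "alisha.p@mvaninc.com", "riskLevel": "low",
     "riskState": "atRisk", "riskDetail": "none",
     "riskLastUpdatedDateTime": "2025-12-01T00:00:00Z"},
    {"userPrincipalName": "sysadmin@mvaninc.com", "riskLevel": "none",
     "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordReset",
     "riskLastUpdatedDateTime": "2026-04-17T17:33:21Z"},
    {"userPrincipalName": "mitch.v@mvaninc.com", "riskLevel": "none",
     "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordReset",
     "riskLastUpdatedDateTime": "2026-04-07T13:12:55Z"},
    {"userPrincipalName": "j.bradford@modernstile.com", "riskLevel": "medium",
     "riskState": "atRisk", "riskDetail": "none",
     "riskLastUpdatedDateTime": "2020-12-25T00:00:00Z"},
]
# Constructed: lastPasswordChangeDateTime per user (GET /users?$select=...).
PASSWORD_CHANGED = {
    "alisha.p@mvaninc.com": "2025-11-13T00:00:00Z",
    "sysadmin@mvaninc.com": "2026-04-17T17:33:21Z",
    "mitch.v@mvaninc.com": "2026-04-07T13:12:55Z",
}
# Constructed: members of the Global Administrator directory role.
GLOBAL_ADMINS = {
    "mitch.v@mvaninc.com", "admin@mvan.onmicrosoft.com", "mitch@mvan.onmicrosoft.com",
    "june.b@mvaninc.com", "sysadmin@mvaninc.com", "ryan@mvan.onmicrosoft.com",
}

OPEN_STATES = {"atRisk", "confirmedCompromised"}
RANK = {"OPEN": 0, "REMEDIATED-RECENT": 1, "OPEN-STALE": 2, "REMEDIATED": 3}


def parse_ts(value):
    """Graph returns ISO-8601 with a trailing Z; make it an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(risky_users, password_changed, privileged, now=REPORT_TIME,
           recent_days=90, stale_days=365):
    """Classify each risky user and state the next action, most urgent first."""
    findings = []
    for u in risky_users:
        upn = u["userPrincipalName"]
        risk_at = parse_ts(u["riskLastUpdatedDateTime"])
        # A missing/null change date is treated as "never changed".
        pw_at = parse_ts(password_changed.get(upn) or "1970-01-01T00:00:00Z")
        age = now - risk_at
        f = {"upn": upn, "riskLevel": u["riskLevel"], "riskDetail": u["riskDetail"],
             "privileged": upn in privileged, "age_days": age.days,
             "reset_after_detection": pw_at >= risk_at}
        if u["riskState"] in OPEN_STATES:
            if age > timedelta(days=stale_days):
                f["status"], f["action"] = "OPEN-STALE", "dismiss or confirm; detection is stale"
            elif f["reset_after_detection"]:
                # Password changed but risk still open: the change was not a
                # secure (MFA-verified) reset, so it did not clear the risk.
                f["status"], f["action"] = "OPEN", "secure reset or admin dismiss; plain change did not clear risk"
            else:
                f["status"], f["action"] = "OPEN", "force secure password reset, or dismiss with justification"
        elif u["riskState"] == "remediated":
            recent = age <= timedelta(days=recent_days)
            f["status"] = "REMEDIATED-RECENT" if recent else "REMEDIATED"
            f["action"] = ("review sign-ins and audit log before remediation time"
                           if recent and f["privileged"] else "none")
        else:  # dismissed, confirmedSafe, none
            f["status"], f["action"] = u["riskState"].upper(), "none"
        findings.append(f)
    findings.sort(key=lambda f: (RANK.get(f["status"], 9), not f["privileged"], f["age_days"]))
    return findings


def global_admin_review(global_admins, findings, max_allowed=3):
    """Head count against a ceiling, plus GAs that appear in the risk list at all."""
    return {"count": len(global_admins), "excessive": len(global_admins) > max_allowed,
            "with_risk_history": sorted(f["upn"] for f in findings if f["privileged"])}


if __name__ == "__main__":
    results = triage(RISKY_USERS, PASSWORD_CHANGED, GLOBAL_ADMINS)
    for f in results:
        flag = "[PRIV]" if f["privileged"] else ""
        print(f'{f["status"]:18} {f["upn"]:30} {flag:6} {f["action"]}')
    print(global_admin_review(GLOBAL_ADMINS, results))
```

Run as-is it lists alisha.p first (open, no reset since detection), then the two recently remediated Global Admins ordered by recency, then the stale 2020 record. Pointing it at real output means replacing the three constructed inputs with the corresponding Graph responses; the classification logic does not change.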


Recommendations

  1. [URGENT] Investigate what triggered the risk on sysadmin@mvaninc.com: review Entra ID > Identity Protection > Risk detections, and the sign-in log for 2026-04-17 and the preceding days, in the portal, since the investigator app cannot query them. Confirm no unauthorized access occurred before the 17:33Z reset and identify who initiated the reset.
  2. [ACTION REQUIRED] Remediate alisha.p@mvaninc.com: force a secure password reset, or dismiss the risk with documented justification if it is a confirmed false positive. The risk has been open since 2025-12-01.
  3. [ADVISORY] Review MFA registration status for all 6 Global Admins and confirm MFA is actually enforced for them by a Conditional Access policy; a registered method on its own enforces nothing.
  4. [ADVISORY] Reduce Global Admin count. june.b@mvaninc.com and ryan@mvan.onmicrosoft.com should be reviewed for necessity; ryan@mvan.onmicrosoft.com has no known owner.
  5. [MISSING VISIBILITY] Add AuditLog.Read.All and IdentityRiskEvent.Read.All to the Security Investigator app registration's API permissions (requiredResourceAccess in the manifest) and grant admin consent, so sign-in logs, directory audits and risk detections can be queried in future investigations. Application-permission access to /auditLogs/signIns also requires Directory.Read.All.

Tool Limitations This Run

  • AuditLog.Read.All not granted to the investigator app: could not pull sign-in logs (/auditLogs/signIns) or directory audits, so no IP addresses, geolocations or reset-initiator details
  • IdentityRiskEvent.Read.All not granted: could not pull /identityProtection/riskDetections, so detection types and timestamps are unknown
  • /identityProtection/riskyUsers (IdentityRiskyUser.Read.All) was available and is the source of every risk state above
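The permission gap described in recommendation 5 and the limitations above, as an added preflight check (not part of the report's tooling): decode the app-only token's `roles` claim, report which investigation endpoints will 403 with the current grants, and build the `requiredResourceAccess` entry for whatever is missing. The per-endpoint permission map follows the Graph permissions reference; the token and the appRoles ID table in the block are constructed, and real permission IDs must come from the Microsoft Graph service principal's `appRoles` (appId `00000003-0000-0000-c000-000000000000`). The `roles` claim only contains permissions an admin has consented to, so this check also catches "added to the manifest but never consented".

```python
# Added example (not the report's tooling): preflight the investigator app's
# Graph permissions before an investigation and build the manifest entry for
# whatever is missing. Token and appRoles below are constructed; real
# permission IDs come from the Microsoft Graph service principal.
import base64
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource

# Application permissions each investigation endpoint needs.
REQUIRED = {
    "/identityProtection/riskyUsers": {"IdentityRiskyUser.Read.All"},
    "/identityProtection/riskDetections": {"IdentityRiskEvent.Read.All"},
    "/auditLogs/signIns": {"AuditLog.Read.All", "Directory.Read.All"},
    "/auditLogs/directoryAudits": {"AuditLog.Read.All"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(access_token: str) -> set:
    """Read the `roles` claim of an app-only token. The signature is NOT
    verified: this is a local capability check on a token we just obtained,
    not an authentication decision."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def blocked_endpoints(granted: set) -> dict:
    """Endpoints that will be refused with the current grants, and why."""
    return {ep: sorted(need - granted) for ep, need in REQUIRED.items() if need - granted}


def manifest_patch(missing, graph_app_roles: dict) -> dict:
    """requiredResourceAccess entry to merge into the app registration.
    graph_app_roles maps permission value -> id, taken from the appRoles of
    GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'. Adding the
    entry does nothing until an admin grants consent."""
    unknown = sorted(set(missing) - set(graph_app_roles))
    if unknown:
        raise KeyError(f"not a Graph application permission: {unknown}")
    return {"resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": graph_app_roles[n], "type": "Role"} for n in sorted(missing)]}


def fake_token(roles) -> str:
    """Constructed, unsigned token carrying only the claims this check reads."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"aud": GRAPH_APP_ID, "roles": sorted(roles)}).encode())
    return f"{header}.{body}."


# Constructed appRoles subset with placeholder IDs; the real ones are
# published by the Graph service principal and differ from these.
FAKE_GRAPH_APP_ROLES = {
    "AuditLog.Read.All": "00000000-0000-4000-8000-000000000001",
    "Directory.Read.All": "00000000-0000-4000-8000-000000000002",
    "IdentityRiskEvent.Read.All": "00000000-0000-4000-8000-000000000003",
    "IdentityRiskyUser.Read.All": "00000000-0000-4000-8000-000000000004",
}


def preflight(access_token: str, graph_app_roles: dict) -> dict:
    granted = token_roles(access_token)
    blocked = blocked_endpoints(granted)
    missing = set().union(*blocked.values())
    return {"granted": sorted(granted), "blocked": blocked,
            "patch": manifest_patch(missing, graph_app_roles) if missing else None}


if __name__ == "__main__":
    # Grants matching this run: risky users and directory reads worked,
    # sign-in logs and risk detections did not.
    tok = fake_token({"IdentityRiskyUser.Read.All", "Directory.Read.All"})
    print(json.dumps(preflight(tok, FAKE_GRAPH_APP_ROLES), indent=2))
```

With the constructed grants the preflight reports riskDetections, signIns and directoryAudits as blocked and emits a patch for AuditLog.Read.All and IdentityRiskEvent.Read.All; after the manifest change and consent, a fresh token's `roles` claim should make the same call return no blocked endpoints.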