claudetools/clients/glaztech/session-logs/2026-04-21-session.md
Mike Swanson 48f1b4b612 Session log: GlazTech — clearcutglass.com transport rule removal + M365 security review
- Removed DMARC bypass transport rule for clearcutglass.com from GlazTech Exchange Online
- Reviewed clearcutglass.com DNS post Team Logic IT changes; flagged SPF softfail (~all)
- Communicated findings to client and IT vendor (Jordan Fox / Team Logic IT)
- M365 tenant review: removed external Global Admin (tomakkglass.com guest)
- Identified no MFA enforcement (Security Defaults disabled, no CA, no P1)
- Created Syncro ticket #32186 for MFA implementation project
- Documented MFA rollout plan and service account audit requirements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 17:56:24 -07:00


Session Log: 2026-04-21

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin

Session Summary

Two distinct work items for GlazTech this session:

  1. clearcutglass.com DMARC — Team Logic IT (Jordan Fox) made DNS changes to clearcutglass.com to fix a DMARC rejection issue affecting email to GlazTech. Verified DNS, removed the temporary Exchange transport rule bypass we had set, communicated findings and recommendations to client and IT vendor.

  2. M365 Security Review — Routine check of GlazTech's 365 tenant surfaced no MFA enforcement, an external Global Admin from tomakkglass.com (Team Logic IT), and several service accounts that need to be audited before MFA rollout. External GA removed. New ticket created for MFA implementation project. Client-facing and internal comments posted.


Client: GlazTech

  • Syncro Customer ID: 143932
  • M365 Tenant ID: 82931e3c-de7a-4f74-87f7-fe714be1f160
  • M365 Tenant Domain: glaztech.com / glaztechindustries.onmicrosoft.com
  • Steve Eastman: seastman@glaztech.com — GlazTech internal IT, ~200 users, 9 locations. Desktop-level tech, guides technical direction. We implement.

Work Item 1: clearcutglass.com DMARC Transport Rule

Background

Corena Spottsville (clearcutglass.com) emails to seastman@glaztech.com and zulema@glaztech.com were being rejected with DMARC p=reject. We had set a temporary transport rule in GlazTech's Exchange Online to bypass DMARC filtering for clearcutglass.com. Team Logic IT (Jordan Fox, jfox@tlit60302.com) made DNS changes to fix clearcutglass.com's DMARC alignment.

DNS Review (clearcutglass.com)

SPF:   v=spf1 include:mailgun.org include:spf.protection.outlook.com ~all
DMARC: v=DMARC1;p=reject;rua=mailto:teamlogicit@clearcutglass.com;...
MX:    clearcutglass.com.1.0001.arsmtp.com (pri 10) — AppRiver inbound filter

Finding: SPF ends in ~all (softfail) rather than -all (hardfail). This does not change the DMARC outcome: DMARC counts only an aligned SPF pass as a pass, so mail from a host the record does not authorize fails the SPF test under either qualifier, and with p=reject it is rejected unless an aligned DKIM signature passes. The ~all/-all distinction only matters to receivers that act on SPF by itself. Recommended Team Logic IT change to -all and confirm DKIM signing is enabled in M365 for clearcutglass.com, since an aligned DKIM signature is what keeps DMARC passing when SPF does not (forwarded mail, or a relay whose envelope sender is on another domain).
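The DMARC evaluation behind the finding above, written out as an added illustration (it is not code from the session log or from either vendor). It encodes the RFC 7489 rule that only an aligned SPF pass or an aligned DKIM pass yields a DMARC pass, so ~all and -all give the same DMARC verdict for an unauthorized host. Two simplifications are assumptions: the organizational domain is taken as the last two labels (real receivers use the Public Suffix List), and SPF is reduced to a host_authorized flag plus the terminal all qualifier, so include: records are not resolved. The DMARC record is the one from the DNS review minus its truncated tail.

```python
"""DMARC disposition from SPF/DKIM results and identifier alignment.

Added illustration for the clearcutglass.com finding; not code from the session
log. Assumptions: organizational domain = last two labels; SPF is reduced to
"was the host matched by an earlier mechanism?" plus the terminal 'all' qualifier.
"""
from typing import Dict, Optional, Tuple

# Records as reviewed in the log (DMARC record without its truncated tail).
SPF_RECORD = "v=spf1 include:mailgun.org include:spf.protection.outlook.com ~all"
DMARC_RECORD = "v=DMARC1;p=reject;rua=mailto:teamlogicit@clearcutglass.com"

ALL_QUALIFIERS = {"+all": "pass", "all": "pass", "-all": "fail",
                  "~all": "softfail", "?all": "neutral"}


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs equality, relaxed ('r') needs
    the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def spf_result(record: str, host_authorized: bool) -> str:
    """SPF result for one sending host. host_authorized says whether an earlier
    mechanism (ip4/include/...) matched; otherwise the 'all' qualifier decides."""
    if host_authorized:
        return "pass"
    for term in record.split():
        if term.endswith("all"):
            return ALL_QUALIFIERS.get(term, "neutral")
    return "neutral"  # no 'all' term: the record makes no statement


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value;tag=value' into a dict (values may contain ':' or '=')."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_disposition(dmarc_record: str, from_domain: str,
                      spf: str, envelope_from: str,
                      dkim: str, dkim_d: Optional[str]) -> str:
    """Return pass / none / quarantine / reject for a message whose RFC5322.From
    domain is from_domain. Only an aligned SPF *pass* or an aligned DKIM *pass*
    counts; softfail, fail, neutral and none are all DMARC failures."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf == "pass" and aligned(envelope_from, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim == "pass" and dkim_d is not None
               and aligned(dkim_d, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    return policy if policy in ("quarantine", "reject") else "none"


def compare_qualifiers(record: str = SPF_RECORD,
                       dmarc: str = DMARC_RECORD) -> Dict[str, Tuple[str, str]]:
    """Same unauthorized host, same missing DKIM, record ending ~all vs -all:
    the SPF result differs, the DMARC disposition does not."""
    out: Dict[str, Tuple[str, str]] = {}
    for label, rec in (("~all", record), ("-all", record.replace("~all", "-all"))):
        spf = spf_result(rec, host_authorized=False)
        out[label] = (spf, dmarc_disposition(dmarc, "clearcutglass.com", spf,
                                             "clearcutglass.com", "none", None))
    return out


if __name__ == "__main__":
    for qual, (spf, verdict) in compare_qualifiers().items():
        print(f"{qual}: SPF={spf:<8} DMARC={verdict}")
    # Envelope sender on a third-party domain (a relay's bounce address) with no
    # DKIM: SPF passes but DMARC still rejects; an aligned DKIM signature fixes it.
    print(dmarc_disposition(DMARC_RECORD, "clearcutglass.com", "pass", "mailgun.org", "none", None))
    print(dmarc_disposition(DMARC_RECORD, "clearcutglass.com", "pass", "mailgun.org", "pass", "clearcutglass.com"))
```

Running it prints reject for both qualifiers in the unauthorized-host case, which is the point made to Team Logic IT: hardening to -all is good hygiene for non-DMARC receivers, but it is the DKIM signing check that determines whether Corena's mail survives p=reject when it leaves via a path SPF does not cover.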

Transport Rule Removal

Rule name: TEMP - Allow DMARC fail from clearcutglass.com

  • Matched sender domain: clearcutglass.com
  • Set SCL: -1 (bypass spam filtering so clearcutglass.com mail is delivered even while it fails DMARC; while the rule is in place anything spoofing clearcutglass.com gets the same bypass, which is why it was temporary)

Removed via EXO cmdlet invocation (TENANT is the tenant GUID listed above; EXO_TOKEN is the bearer token for the EXO admin API):

curl -X POST "https://outlook.office365.com/adminapi/beta/${TENANT}/InvokeCommand" \
  -H "Authorization: Bearer ${EXO_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"CmdletInput": {"CmdletName": "Remove-TransportRule", "Parameters": {"Identity": "TEMP - Allow DMARC fail from clearcutglass.com", "Confirm": false}}}'

Verified via Get-TransportRule — no rules remain in tenant.

Syncro

  • Ticket #32176 (ID: 109216691) — "Exchange Online - DMARC override for clearcutglass.com" — Status: Invoiced
  • Comment posted: "Update - Rule Removed + DNS Review" (ID: 406843369)

Communication

Email sent to seastman@glaztech.com, zulema@glaztech.com, CC: jfox@tlit60302.com advising:

  • Transport rule removed on our end
  • SPF ~all finding and recommendation to harden to -all
  • Request test email to confirm clean delivery

Work Item 2: M365 Security Review

Remediation Tool Access

  • App used: ComputerGuru Security Investigator (investigator tier) + ComputerGuru Exchange Operator (exchange-op) + ComputerGuru Tenant Admin (tenant-admin)
  • Token location: /tmp/remediation-tool/82931e3c-de7a-4f74-87f7-fe714be1f160/{tier}.jwt

Findings

[DONE] External Global Admin removed

  • glaztechadmin_tomakkglass.com#EXT#@glaztechindustries.onmicrosoft.com (Glaztech Admin, object ID: 517a22b0-cf46-4b60-8d8d-893fb9bc4698) had Global Administrator rights
  • tomakkglass.com = Team Logic IT's domain
  • Removed via DELETE /directoryRoles/{roleId}/members/{userId}/$ref using tenant-admin token
  • GA Role ID: 67ea6bf1-dc3c-418f-b151-817936d65a52
  • Verified: only admin@glaztechindustries.onmicrosoft.com (ACG admin) remains as GA
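The check behind this finding, as an added example (not the remediation tool's own code): walk the tenant's directory roles, flag any member that is a guest, carries the #EXT# UPN marker, or has a UPN on a domain the tenant has not verified, and build the Graph DELETE .../$ref call that removes the membership. It also carries the guard a practitioner wants before pressing delete: never remove a member if that would leave the role with no internal member. The role and member lists below are constructed to mirror the log (shape of GET /directoryRoles and GET /directoryRoles/{id}/members); the internal admin's object ID is made up, no network call is made, and the Global Administrator roleTemplateId is the well-known constant.

```python
"""Find external principals holding directory roles and plan their removal via
Microsoft Graph, with a lockout guard.

Added example; not the remediation tool's code. SAMPLE_ROLES / SAMPLE_MEMBERS are
constructed responses (GET /directoryRoles, GET /directoryRoles/{id}/members).
"""
from typing import Dict, List, Set, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
USER_TYPE = "#microsoft.graph.user"
# Well-known roleTemplateId of Global Administrator (identical in every tenant).
GA_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Domains verified in the GlazTech tenant (from the log).
VERIFIED_DOMAINS = {"glaztech.com", "glaztechindustries.onmicrosoft.com"}

GA_ROLE_ID = "67ea6bf1-dc3c-418f-b151-817936d65a52"

# Constructed: GET /directoryRoles -> value[]
SAMPLE_ROLES = [
    {"id": GA_ROLE_ID, "displayName": "Global Administrator",
     "roleTemplateId": GA_TEMPLATE_ID},
]

# Constructed: GET /directoryRoles/{id}/members -> value[], keyed by role id
SAMPLE_MEMBERS = {
    GA_ROLE_ID: [
        {"@odata.type": USER_TYPE,
         "id": "0c1b4b1e-0000-4000-8000-000000000001",   # constructed object ID
         "userPrincipalName": "admin@glaztechindustries.onmicrosoft.com",
         "userType": "Member"},
        {"@odata.type": USER_TYPE,
         "id": "517a22b0-cf46-4b60-8d8d-893fb9bc4698",
         "userPrincipalName": "glaztechadmin_tomakkglass.com#EXT#@glaztechindustries.onmicrosoft.com",
         "displayName": "Glaztech Admin",
         "userType": "Guest"},
    ],
}


def is_external(member: dict, verified_domains: Set[str]) -> bool:
    """A user is external if Entra marks it Guest, its UPN carries the #EXT#
    marker, or its UPN domain is not one the tenant has verified. Non-user
    members (groups, service principals) are not classified here."""
    if member.get("@odata.type") != USER_TYPE:
        return False
    upn = member.get("userPrincipalName", "")
    if member.get("userType") == "Guest" or "#EXT#" in upn:
        return True
    return upn.rsplit("@", 1)[-1].lower() not in verified_domains


def external_role_members(roles: List[dict], members_by_role: Dict[str, List[dict]],
                          verified_domains: Set[str]) -> List[dict]:
    """One finding per (role, external member), with the DELETE URL that
    removes the membership: DELETE /directoryRoles/{roleId}/members/{userId}/$ref."""
    findings = []
    for role in roles:
        for m in members_by_role.get(role["id"], []):
            if is_external(m, verified_domains):
                findings.append({
                    "role": role["displayName"],
                    "roleId": role["id"],
                    "userId": m["id"],
                    "upn": m.get("userPrincipalName", ""),
                    "delete_url": f"{GRAPH}/directoryRoles/{role['id']}/members/{m['id']}/$ref",
                })
    return findings


def plan_removals(findings: List[dict], members_by_role: Dict[str, List[dict]],
                  verified_domains: Set[str]) -> Tuple[List[dict], List[dict]]:
    """Lockout guard: approve a removal only if the role keeps at least one
    internal *user* afterwards (never strip the last Global Administrator)."""
    approved, blocked = [], []
    for f in findings:
        survivors = [m for m in members_by_role.get(f["roleId"], [])
                     if m["id"] != f["userId"]
                     and m.get("@odata.type") == USER_TYPE
                     and not is_external(m, verified_domains)]
        (approved if survivors else blocked).append(f)
    return approved, blocked


if __name__ == "__main__":
    found = external_role_members(SAMPLE_ROLES, SAMPLE_MEMBERS, VERIFIED_DOMAINS)
    ok, held = plan_removals(found, SAMPLE_MEMBERS, VERIFIED_DOMAINS)
    for f in ok:
        print("DELETE", f["delete_url"], "#", f["upn"])
    for f in held:
        print("BLOCKED (would empty role):", f["role"], f["upn"])
```

Against the constructed data this yields exactly one DELETE, for the tomakkglass.com guest in the GA role, and the guard lets it through because the internal admin account remains. Re-run after the removal with the fresh member list to get the "only one GA remains" verification recorded above; extending the sample to every role from GET /directoryRoles covers the other privileged roles the tool did not enumerate this session.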

[CRITICAL] Security Defaults: DISABLED

  • No Entra ID P1 license — no Conditional Access policies
  • No MFA enforcement of any kind on the tenant
  • ~160 users signing in with password only

[INFO] No Conditional Access policies — tenant is on basic M365 licensing

[INFO] No Identity Protection — requires P1, not licensed

[INFO] Mailbox forwarding — internal only, low risk

  • Payroll@glaztech.com → carmen@glaztech.com (DeliverToMailboxAndForward: true)
  • TUCCSR@glaztech.com → bryce@glaztech.com (DeliverToMailboxAndForward: true)

[PENDING] Unlicensed enabled accounts — awaiting Steve confirmation

  • Chauntelle@glaztech.com
  • Denouser1@glaztech.com (Den OUser1)
  • Gti-FaxFinder@glaztech.com

[PENDING] Service accounts to audit before MFA rollout

[INFO] 38 OAuth consent grants — not audited this session

MFA Rollout Plan (Internal)

Phase 1 — Communication (Week 1)

  • All-user notice: MFA is being enabled, install Microsoft Authenticator
  • Set enforcement date ~2 weeks out

Phase 2 — Enable Security Defaults (Week 2)

  • Free tier, no P1 required
  • 14-day grace period for users to register before enforcement
  • Cannot exclude specific accounts: any service account that signs in interactively with only a password will be forced into MFA registration, so those accounts must be moved to a different authentication method first, or the tenant must use per-user MFA or Conditional Access, which can exclude them

Phase 3 — Follow-up (Week 3+)

  • Identify non-registered users, assist stragglers

Phase 4 — Conditional Access (Future, requires Entra P1)

  • Location-based policies (trusted office IPs skip the MFA prompt; keep MFA required for admin roles regardless of location)
  • Service account exclusions
  • Per-group policies for executives vs. general staff
  • Requires Entra ID P1 — included in M365 Business Premium (~$22/user/mo)
  • Recommendation: upgrade ~20-25 key accounts (execs, finance, HR, IT, admins) to Business Premium rather than full org

Licensing options presented to Steve:

  1. Security Defaults — free, no exclusions possible
  2. Per-user MFA — free, legacy, can exclude service accounts
  3. Conditional Access (P1/Business Premium) — recommended long-term

Syncro

  • Ticket #32186 (ID: 109276671) — "M365 Security Review - MFA Implementation & Account Audit" — Status: In Progress, assigned Mike (1735)
  • Comment 1 (client): "M365 Account Review - Questions for Steve" — unlicensed accounts, forwarding confirmation, MFA heads-up, CA location question (ID: 406845279)
  • Comment 2 (client): "Service Account Review + MFA Licensing Options" — service account audit request, 3 licensing options explained (ID: 406846347)
  • Comment 3 (internal/hidden): Full findings + MFA rollout plan (ID: 406845343)

Tone Correction (feedback saved to memory)

Comments to Steve were written too much like first-visit intake ("can you tell us about your setup"). ACG has managed GlazTech for ~15 years. Steve is their internal IT guy who guides direction, we implement. Future comments should lead with what we know, state findings and actions, and ask only one targeted specific question when genuinely needed. Not open-ended discovery.

Also: ALL Syncro comments require a preview and explicit confirmation before posting. No exceptions.


Pending / Next Steps

  1. Steve reply needed — service account auth methods, unlicensed account disposition, licensing preference (Security Defaults vs. per-user MFA vs. CA/P1)
  2. MFA rollout — pending Steve's input. Do not enable Security Defaults until service accounts are confirmed safe.
  3. clearcutglass.com — await test email from Jordan Fox / Corena confirming clean delivery after transport rule removal
  4. OAuth consent grants — 38 grants not audited; worth reviewing in a future session
  5. GlazTech ticket #32186 — no billing yet, waiting on Steve response to scope the MFA work

Files Modified

  • D:\claudetools\clients\glaztech\session-logs\2026-04-21-session.md — this file
  • C:\Users\guru\.claude\projects\D--claudetools\memory\feedback_client_tone.md — new memory: expert partner tone with clients
  • C:\Users\guru\.claude\projects\D--claudetools\memory\feedback_syncro_billing.md — updated: always preview ALL comments before posting
  • C:\Users\guru\.claude\projects\D--claudetools\memory\MEMORY.md — updated index