claudetools/.claude/memory/feedback_365_remediation_tool.md
Mike Swanson 100a491ac6 Session log: multi-user setup, audit + gap fixes, Howard onboarding package
Two session logs:
- session-logs/2026-04-16-session.md: cross-cutting (multi-user, audit, infrastructure)
- guru-rmm session log appended: MSI installer, Len's Auto Brokerage, Uranus, migration drift

Gap fixes: GrepAI initialized + MCP server added, Ollama models pulling,
settings.json created (bypassPermissions), MCP_SERVERS.md written.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:56:26 -07:00
---
name: 365 Remediation Tool Reference
description: '"365 remediation tool" always means the Claude-MSP-Access Graph API app (fabb3421-8b34-484b-bc17-e46de9703418), not CIPP'
type: feedback
---

When user says "365 remediation tool" or "remediation tool", they ALWAYS mean the Claude-MSP-Access Graph API application (App ID: fabb3421-8b34-484b-bc17-e46de9703418). This is NOT CIPP.

Why: User explicitly clarified this after I incorrectly navigated to CIPP. The remediation tool is direct Graph API access using client credentials flow against customer tenants.

How to apply: Authenticate directly via Graph API using the app's client secret from SOPS vault (msp-tools/claude-msp-access-graph-api.sops.yaml), get tenant ID from OpenID discovery for the target domain, and query Graph API endpoints directly. No browser/UI needed.

Preferred invocation: use the /remediation-tool skill (.claude/skills/remediation-tool/, also surfaces as a /remediation-tool command). It wraps tenant resolution, token caching, the 10-point user breach check, and tenant-wide sweep. Remediation actions are gated behind explicit YES confirmation. Reference docs at references/gotchas.md, references/graph-endpoints.md, references/checklist.md.

## Directory Role Requirements (discovered 2026-04-01)

Graph API permissions alone are NOT sufficient for privileged operations. The service principal also needs Entra directory roles assigned per-tenant:

| Operation | Required Directory Role |
|---|---|
| Password reset | User Administrator |
| Exchange transport rules, mailbox permissions | Exchange Administrator |

Roles assigned so far:

- Valleywide Plastering (5c53ae9f...): User Administrator
- Dataforth (7dfa3ce8...): User Administrator, Exchange Administrator

For new tenants: After admin consent, manually assign roles via Entra portal > Roles and administrators. The app cannot self-assign directory roles.

## Exchange Online REST API

For Exchange cmdlets (Get-TransportRule, Add-MailboxPermission, etc.), use scope https://outlook.office365.com/.default and POST to https://outlook.office365.com/adminapi/beta/$TENANT_ID/InvokeCommand with {"CmdletInput":{"CmdletName":"...", "Parameters":{...}}}.
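The flow described in "How to apply" and in the Exchange section above, as an added example (not the skill's own code): tenant resolution from the OpenID discovery document, the client-credentials token request with a Graph or Exchange scope, and the InvokeCommand body, with a read-only check so that non-Get cmdlets cannot be sent without the explicit YES the note requires. The client ID and secret are placeholders; the HTTP calls need real credentials, while the pure helpers run offline.

```python
import json
import re
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
EXO = "https://outlook.office365.com"
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

def tenant_id_from_discovery(doc: dict) -> str:
    """The discovery document's issuer is {LOGIN}/<tenant-guid>/v2.0;
    the GUID in it is the tenant ID for the domain that was queried."""
    m = GUID.search(doc.get("issuer", ""))
    if not m:
        raise ValueError(f"no tenant GUID in issuer: {doc.get('issuer')!r}")
    return m.group(0)

def resolve_tenant(domain: str) -> str:
    """Fetch the discovery document for a customer domain (network call)."""
    url = f"{LOGIN}/{domain}/v2.0/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=15) as r:
        return tenant_id_from_discovery(json.load(r))

def token_request(tenant: str, client_id: str, secret: str, scope: str):
    """Client-credentials token request; the scope picks Graph
    (https://graph.microsoft.com/.default) or Exchange (https://outlook.office365.com/.default)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
        "client_id": client_id, "client_secret": secret, "scope": scope})
    return f"{LOGIN}/{tenant}/oauth2/v2.0/token", body.encode()

def invoke_command_body(cmdlet: str, **params) -> dict:
    """Payload shape the adminapi InvokeCommand endpoint expects."""
    return {"CmdletInput": {"CmdletName": cmdlet, "Parameters": params}}

def requires_confirmation(cmdlet: str) -> bool:
    """Get-* cmdlets only read; anything else changes the tenant."""
    return not cmdlet.lower().startswith("get-")

def exchange_invoke(tenant: str, token: str, cmdlet: str, confirmed=False, **params):
    """POST the cmdlet to Exchange Online; refuse remediation actions
    unless the caller has recorded an explicit YES (checked before any I/O)."""
    if requires_confirmation(cmdlet) and not confirmed:
        raise PermissionError(f"{cmdlet} changes the tenant; explicit YES required")
    req = urllib.request.Request(
        f"{EXO}/adminapi/beta/{tenant}/InvokeCommand",
        data=json.dumps(invoke_command_body(cmdlet, **params)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)
```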