claudetools/.claude/commands/onboard365.md
Mike Swanson 63f427a95f sync: auto-sync from GURU-5070 at 2026-06-10 16:02:59
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-10 16:02:59
2026-06-10 16:03:13 -07:00

/onboard365 — Single-consent M365 tenant onboarding

Onboard a customer Microsoft 365 tenant to the ComputerGuru remediation app suite with one customer admin-consent click. Thin entry point to the onboard365 skill.

Usage

/onboard365 <domain|tenant-id>            Smart: print the consent link if not yet consented,
                                          or provision the whole suite if it is.
/onboard365 link <domain>                 Just generate the single Tenant Admin consent URL.
/onboard365 status <domain>               Dry-run: show current consent / role state.
/onboard365 provision <domain>            After the customer consents: provision all apps + roles.

What it does

The customer Global Admin consents once to ComputerGuru Tenant Admin. Using that grant, onboard-tenant.sh (reused from the remediation-tool skill) then creates the service principals for Security Investigator, Exchange Operator, User Manager, and (if MDE-licensed) Defender Add-on, grants all their Graph/EXO/Defender permissions, and assigns the required Entra directory roles — no further customer clicks.

Implementation

  1. Read the full playbook in .claude/skills/onboard365/SKILL.md.
  2. Run bash .claude/skills/onboard365/scripts/onboard365.sh <subcommand> <domain> (the script auto-locates the reused remediation-tool scripts and the vault).
  3. Confirm the target tenant with the user before generating a link, and again before running provision (both are high-privilege, customer-facing actions).
  4. After a clean provision, record it: set the tenant's Onboarded column to YES in the REPO copy of remediation-tool/references/tenants.md and note the onboarding in the client wiki. (See SKILL.md → Recording.)

This is the front door; once a tenant is onboarded, breach checks and remediation are handled by the remediation-tool skill.
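
The link subcommand and the confirmation in step 3 both depend on the <domain|tenant-id> argument being what the operator thinks it is. The sketch below is an added example, not the project's onboard365.sh (which is not shown on this page): it validates the argument and builds a link against the Microsoft identity platform admin-consent endpoint. CLIENT_ID, REDIRECT_URI, the sample tenant and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's onboard365.sh. Placeholders (assumptions):
CLIENT_ID="00000000-0000-0000-0000-000000000000"     # placeholder app (client) ID
REDIRECT_URI="https://example.invalid/consent-done"  # placeholder redirect URI

# Print "guid" or "domain" for a well-formed tenant identifier, else return 1.
tenant_kind() {
  # Allowlist first: rejects '/', '?', '#', whitespace and embedded newlines,
  # which would otherwise change the path or query of the generated link.
  case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  t=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if printf '%s\n' "$t" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
    echo guid
  elif printf '%s\n' "$t" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'; then
    echo domain
  else
    return 1
  fi
}

# Percent-encode everything outside the RFC 3986 unreserved set (ASCII input).
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Random state value, so the redirect can be matched to the link that was sent.
new_state() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# consent_url <domain|tenant-id> <state>: print the admin-consent link.
consent_url() {
  tenant_kind "$1" >/dev/null || { echo "refusing tenant id: $1" >&2; return 1; }
  printf 'https://login.microsoftonline.com/%s/adminconsent' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  printf '?client_id=%s&redirect_uri=%s&state=%s\n' \
    "$CLIENT_ID" "$(urlencode "$REDIRECT_URI")" "$(urlencode "$2")"
}

consent_url "contoso.example" "$(new_state)"   # constructed sample tenant
```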