O365 Business — already assigned prior to 2026-06-03
Password policy
PasswordNeverExpires was TRUE; cleared 2026-05-28 (was prerequisite for must-change flag; not restored)
2026-05-28 — AD password reset: Password reset to Temp1234! via Set-ADAccountPassword on SIF-SERVER using GuruRMM remote PowerShell. Must-change flag initially applied then reversed per Mike's revised requirement. PasswordNeverExpires was cleared and NOT restored — improved security posture.
2026-06-03 — M365 password reset: Password reset to user-chosen value Albert#2015 via Graph API PATCH. forceChangePasswordNextSignIn: false (Howard explicitly stated user chose the password).
New user Dwayne Ortega (Dortega.sod@sifoidak.onmicrosoft.com) created 2026-06-03. Usage location set to US before license assignment (Graph rejects assignLicense for a user with no usageLocation). License assignment triggered auto-expansion from 10 to 11 seats.
Confirmed AD cmdlets available: Get-ADUser, Set-ADAccountPassword, Set-ADUser
Execution context: NT AUTHORITY\SYSTEM (via GuruRMM remote PowerShell)
Password complexity: Standard AD complexity (upper, lower, digit, special char required — Temp1234! meets requirements)
jalbert PasswordNeverExpires: Was $true prior to 2026-05-28; cleared and not restored
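The 2026-06-03 Graph sequence (usage location before license, license assignment, password PATCH) and the seat-count check suggested in the Patterns section, as one added PowerShell example. This is not code from the original notes or from the ACG onboarding tooling; the notes only say "Graph API PATCH", so Invoke-RestMethod is assumed here. Also assumed: $env:GRAPH_TOKEN holds an app-only token for the ACG User Manager SP, $env:NEW_USER_PW holds the new user's initial password (neither is a recorded value), and the SKU part number O365_BUSINESS stands in for whatever "O365 Business" resolves to in this tenant.

```powershell
# Added example, not the original notes' code. Order matters: usageLocation must be
# set before assignLicense, and the seat position is read before and after so that an
# auto-expansion (10 -> 11 on 2026-06-03) is noticed at the console, not on the bill.
$Token = $env:GRAPH_TOKEN                          # assumption: supplied by the calling job
if (-not $Token) { throw "GRAPH_TOKEN not supplied" }
$Headers = @{ Authorization = "Bearer $Token"; "Content-Type" = "application/json" }
$Graph   = "https://graph.microsoft.com/v1.0"
$Upn     = "Dortega.sod@sifoidak.onmicrosoft.com"
$SkuPart = "O365_BUSINESS"                         # assumption: confirm via /subscribedSkus

function Invoke-Graph($Method, $Path, $Body) {
    $params = @{ Method = $Method; Uri = "$Graph$Path"; Headers = $Headers }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5) }
    Invoke-RestMethod @params
}

function Get-Sku($PartNumber) {
    $sku = (Invoke-Graph GET "/subscribedSkus").value | Where-Object skuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU $PartNumber not present in this tenant" }
    $sku
}

# 1. Seat position before touching anything.
$before = Get-Sku $SkuPart
$free   = $before.prepaidUnits.enabled - $before.consumedUnits
Write-Host "$SkuPart seats: $($before.consumedUnits)/$($before.prepaidUnits.enabled) used, $free free"
if ($free -le 0) {
    Write-Warning "No free seat: assignment will fail or auto-expand the subscription (billing impact)."
}

# 2. Create the user. Placeholder details; password comes from the job, never from notes.
if (-not $env:NEW_USER_PW) { throw "NEW_USER_PW not supplied" }
Invoke-Graph POST "/users" @{
    accountEnabled    = $true
    displayName       = "Dwayne Ortega"
    mailNickname      = "Dortega.sod"
    userPrincipalName = $Upn
    passwordProfile   = @{ password = $env:NEW_USER_PW; forceChangePasswordNextSignIn = $true }
} | Out-Null

# 3. usageLocation first; assignLicense is rejected while it is unset.
Invoke-Graph PATCH "/users/$Upn" @{ usageLocation = "US" } | Out-Null

# 4. Assign the license. removeLicenses must be present even when empty.
Invoke-Graph POST "/users/$Upn/assignLicense" @{
    addLicenses    = @(@{ skuId = $before.skuId })
    removeLicenses = @()
} | Out-Null

# 5. Re-read the SKU: did we consume a free seat or did the tenant grow?
$after = Get-Sku $SkuPart
if ($after.prepaidUnits.enabled -gt $before.prepaidUnits.enabled) {
    Write-Warning "Subscription auto-expanded $($before.prepaidUnits.enabled) -> $($after.prepaidUnits.enabled) seats; confirm billing with the client."
}
```

For an existing user whose password was chosen by the user (the jalbert case on 2026-06-03), the same PATCH shape applies with `passwordProfile = @{ password = ...; forceChangePasswordNextSignIn = $false }`; keep `$true` whenever ACG picked the value.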
AD Management Notes
Set-ADUser -PasswordNeverExpires $false -ChangePasswordAtLogon $true fails in a single call: ChangePasswordAtLogon cannot be set to $true on an account whose PasswordNeverExpires is still $true, and AD evaluates both flags together. Use two sequential calls, clearing PasswordNeverExpires first.
Set-ADUser -ChangePasswordAtLogon $true may still fail when run immediately after clearing PasswordNeverExpires in the same GuruRMM command string (cause not confirmed; possibly replication delay if the two writes reach different DCs). net user <user> /logonpasswordchg:yes /domain, which goes to the PDC emulator rather than through ADWS, proved more reliable.
Single quotes inside the double-quoted JSON strings of a GuruRMM command payload cause PowerShell parse errors. For AD verification use DirectorySearcher with a double-quoted ADSI path (double quotes escape cleanly as \" in JSON).
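The three notes above as one added PowerShell script (not code from the original notes): the two-call flag change, the net user fallback, and a DirectorySearcher check that contains no single quotes and so can be embedded in a GuruRMM JSON payload. Assumptions: -Server pins both writes to SIF-SERVER so the second call cannot land on a DC that has not yet replicated the first; the temporary password arrives in $env:TEMP_PW set by the RMM job (a placeholder, not a recorded value); it runs as SYSTEM with the ActiveDirectory module present, as on 2026-05-28.

```powershell
# Added example, not the original notes' code. Pins both Set-ADUser writes to one DC,
# falls back to net user when ADWS rejects the must-change flag, and verifies the
# result with [adsisearcher] so the whole script is double-quote-only.
param(
    [string]$User   = "jalbert",
    [string]$Server = "SIF-SERVER"   # assumption: pin to the DC GuruRMM runs on
)
Import-Module ActiveDirectory -ErrorAction Stop

if (-not $env:TEMP_PW) { throw "TEMP_PW not supplied by the RMM job" }
$NewPw = ConvertTo-SecureString $env:TEMP_PW -AsPlainText -Force
Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPw -Server $Server

# Call 1: clear DONT_EXPIRE_PASSWD. ChangePasswordAtLogon cannot be $true while
# PasswordNeverExpires is $true, so this must finish before call 2 is issued.
Set-ADUser -Identity $User -PasswordNeverExpires $false -Server $Server -ErrorAction Stop

# Call 2: force a change at next logon (pwdLastSet = 0). If ADWS still rejects it,
# fall back to net user, which goes to the PDC emulator instead of ADWS.
try {
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true -Server $Server -ErrorAction Stop
} catch {
    Write-Warning "Set-ADUser -ChangePasswordAtLogon failed: $($_.Exception.Message); using net user"
    net user $User /logonpasswordchg:yes /domain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user fallback failed with exit code $LASTEXITCODE" }
}

# Verification. [adsisearcher] takes the LDAP filter directly, so no ADSI path
# with single quotes is needed; only the double quotes need \" escaping in JSON.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$User))"
$searcher.PropertiesToLoad.AddRange([string[]]@("userAccountControl", "pwdLastSet"))
$entry = $searcher.FindOne()
if (-not $entry) { throw "$User not found in the domain" }

$DONT_EXPIRE_PASSWD = 0x10000                       # userAccountControl bit for PasswordNeverExpires
$uac        = [int]$entry.Properties["useraccountcontrol"][0]
$pwdLastSet = [int64]$entry.Properties["pwdlastset"][0]   # 0 means must change at next logon

[pscustomobject]@{
    User                 = $User
    PasswordNeverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWD)
    MustChangeAtLogon    = ($pwdLastSet -eq 0)
}
```

To reverse the must-change flag afterwards, as was done on 2026-05-28 at Mike's direction, run `Set-ADUser -Identity $User -ChangePasswordAtLogon $false -Server $Server` and re-run the verification; PasswordNeverExpires stays cleared unless deliberately set back to $true.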
Syncro
Customer ID: 7694718
Customer name: Sif-oidak District - Tohono O'odham Nation
Billing rate: $150/hr remote
Tickets
Ticket   Date         Summary                                                                  Status
#32341   2026-05-28   jalbert domain password reset via GuruRMM                                Invoiced ($75.00, 0.5h)
#32380   2026-06-03   M365 onboarding, Joshua Albert license/password, Dwayne Ortega new user
On-prem credentials: clients/sif-oidak/laptops.sops.yaml (local admin and standard user creds for Sif-Laptop554/555)
M365 admin credentials: NOT vaulted — no shared admin credentials recorded for this tenant
Patterns / Notes
Tenant identification was non-obvious: Initial attempt used toua.net (Tohono O'odham Nation parent org) before Mike confirmed the correct tenant is sifoidak.onmicrosoft.com. Always use the client's specific subdomain, not the tribal parent. The Syncro primary contact (deanna.cruz@tonation-nsn.gov) uses the parent org domain — that does not indicate the correct M365 tenant.
ACG MSP app onboarding order matters: Tenant Admin must be consented first. onboard-tenant.sh then handles all other app SPs and role assignments. Do not skip directly to User Manager or Exchange Operator.
Seat auto-expansion accepted without manual purchase: Microsoft 365 auto-expanded from 10 to 11 seats when Dortega's license was assigned. No manual action required in the moment, but billing implications should be verified with client if they have a fixed-seat contract.
Graph permission replication timing: Two Security Investigator Graph permissions failed immediately after SP creation — standard replication lag. Re-run onboard-tenant.sh sifoidak.onmicrosoft.com to backfill. Non-blocking for user management operations.
SIF-SERVER2 role unknown: Not investigated. Do not assume it is just a member server — it may be a secondary DC. Verify role before any domain-level operations that assume a single DC.
PasswordNeverExpires cleared on jalbert: Pre-2026-05-28 state was PasswordNeverExpires = $true. This was cleared as a prerequisite for must-change and was not restored at Mike's direction. If this account is a service account or has special policy exemption, re-enabling may be needed — confirm at next contact.
Client not yet in CIPP: Tenant is onboarded into ACG MSP apps but has no GDAP / Partner Center delegated admin relationship. For full MSP visibility and CIPP inclusion, a Partner Center delegated admin request is needed.
Add clients/sif-oidak/m365-admin.sops.yaml if client shares admin credentials with ACG
Clarify SIF-SERVER2 role (secondary DC or member server?)
Determine if jalbert's PasswordNeverExpires should be restored (was cleared 2026-05-28)
Consider GDAP / Partner Center delegated admin relationship to get tenant into CIPP
History
2026-05-28 — jalbert AD password reset (GuruRMM)
Howard requested a remote password reset for domain user jalbert (Joshua Albert) on SIF-SERVER. ACG used GuruRMM remote PowerShell (no RDP). SIF-SERVER confirmed online (agent def9fdbb), execution context NT AUTHORITY\SYSTEM. Password reset to Temp1234! via Set-ADAccountPassword. Must-change flag applied then reversed per Mike's direction. PasswordNeverExpires cleared and not restored. Syncro ticket #32341 created, 0.5h billed at $150/hr ($75.00), invoice #1650451827.
2026-06-03 — M365 tenant onboarding + user provisioning
Howard initiated via Discord requesting an O365 license for Joshua Albert. Tenant sifoidak.onmicrosoft.com was not in CIPP and had no ACG MSP app consent. Tenant identified by Mike after toua.net was tried first (wrong). Onboarded via admin consent + onboard-tenant.sh: Tenant Admin, User Manager, Security Investigator, and Exchange Operator all consented; directory roles assigned. Joshua Albert found to already have O365 Business license. Password reset to user-chosen value Albert#2015. New user Dwayne Ortega created (Dortega.sod@sifoidak.onmicrosoft.com), usage location set to US, O365 Business license assigned — tenant auto-expanded 10 → 11 seats. Syncro ticket #32380 created, assigned to Howard.