A Major Incident is an Incident-class TaskerTask (created with the ITIL Incident profile, §12by) that gets promoted with extra coordination fields: bridge URL, incident commander, subscribers, affected CIs, chronological status updates, and an auto-created post-incident review on resolve.
Lifecycle
- Incident exists as a normal Tasker task. Created via catalog, intake portal, MCP, or web UI.
- Promote to Major Incident: set bridge URL, incident commander, subscribers, affected CIs. Priority is forced to Critical. CMDB lookup rolls up max criticality of affected CIs. Initial status update posted + broadcast.
- Status updates posted during incident. Each one is logged chronologically and broadcast to subscribers via Graph or SMTP. Optional task status transition with each update (e.g. Investigating → Contained → Recovering).
- Subscribe / unsubscribe stakeholders dynamically as scope expands or contracts.
- Resolve: final RESOLVED broadcast, auto-created Post-Incident Review (PIR) task assigned to commander with 14-day due date and pre-filled checklist.
Declaring a major incident
POST /api/tasker/tasks/:id/declare-major (Admin). Required: existing TaskerTask id. Optional: bridgeUrl (Teams/Zoom/phone), incidentCommander (defaults to caller's email), subscribers[] (max 50, validated email format), affectedCiIds[] (up to 100, CMDB lookup rolls up names + max criticality), initialNote (first status update text).
Side effects: forces priority to Critical, sets isMajorIncident=true, denormalizes affected CI names and max criticality onto the task, posts the initial update, broadcasts to subscribers.
Status updates during the incident
POST /api/tasker/tasks/:id/major/status-update (Auditor+). Body: text (≤5000 chars), optional status (new task status, e.g. "Contained"), optional notify (default true).
Each update gets a unique id, timestamp, author, and is appended to the statusUpdates[] log. Broadcast email goes out to all subscribers unless notify=false (use false for internal-only notes).
Managing subscribers
POST /api/tasker/tasks/:id/major/subscribe (Auditor+). Body: emails[], action (add / remove). Email format validated. Subscribers receive every status update via email until removed.
Pattern: add affected user groups when scope expands. Remove people who no longer need updates (e.g. business stakeholder who left for the day).
Resolving + the post-incident review
POST /api/tasker/tasks/:id/major/resolve (Admin). Body: resolutionSummary (≤5000 chars), optional rootCauseCode (short label like "config-drift" / "vendor-outage" / "expired-cert"), optional skipPostIncidentReview (only for trivial false alarms).
What happens:
- Final RESOLVED status update posted with the summary, broadcast to subscribers.
- Task status set to Resolved;
resolvedMajorAt,resolvedAttimestamps stamped. - If
!skipPostIncidentReview: a new TaskerTask is auto-created - title "Post-Incident Review: {original}", assigned to the incident commander (or caller if no commander), 14-day due date, category "post-incident-review", priority High. - PIR task description includes timeline anchors (declared at, resolved at, duration), affected CIs, root cause code, and a pre-filled 8-item checklist (timeline reconstruction, RCA, detection time, response time, communication effectiveness, action items, lessons learned, stakeholder briefing).
- The PIR task id is stored on the original incident as
postIncidentReviewTaskIdfor navigation.
Active incidents dashboard
GET /api/major-incidents/active (Viewer+) returns all currently-active MIs (isMajorIncident=true AND resolvedMajorAt is null) with elapsed time, subscriber/update counts, last status update snippet, max affected criticality. Use to populate war-room dashboards or check end-of-day whether any MIs are still open.
Email broadcast
Subscribers receive HTML emails for declared / update / resolved events. Color-coded headers (red declared / blue update / green resolved). Includes bridge link, commander, current status, posted timestamp, link to the task.
Delivery: Graph email config preferred → SMTP fallback. Per-recipient failure non-fatal - log + continue. Silent skip if neither configured (no error to caller, log only). Configure in Settings → System → Email Delivery.
On-call rotations
On-call rotations define who answers the page when a major incident is declared. A rotation is an ordered list of members plus a shift length and a start-date anchor; "who is on-call right now" is computed deterministically from the anchor, the rotation length, the member count, and the current time - there are no per-shift rows to maintain, so the schedule is self-correcting and never drifts. Requires an Ops product license and the on-call module.
What a rotation gives you:
- Current responder. Each rotation is enriched on read with
currentOnCall(the member whose shift covers now),currentIndex, andnextHandoffAt(the next boundary timestamp). - Hand-offs. Shifts flip every
rotationLengthDaysathandoffTime(HH:MM UTC, default 09:00), walking the member list in order and wrapping back to the first member. No manual rotation editing per week. - Escalation contact. An optional
escalationEmailper rotation is the next person to raise to if the primary responder doesn't engage. - Multiple rotations. Run separate rotations per team (e.g. platform, network, security) and read them all at once.
Endpoints:
GET /api/oncall(Auditor+) - list all rotation definitions, each enriched with the current on-call member and next handoff.GET /api/oncall/current(Auditor+) - flat "who's on-call right now" across every active rotation:onCallEmail,onCallName,nextHandoffAt,escalationEmail.POST /api/oncall(Admin) - create or update a rotation. Body:name(required),members[](1-100, each withemail+ optionalname),rotationLengthDays(1-365, default 7),startDate(YYYY-MM-DD anchor, defaults to today), optionalhandoffTime,escalationEmail,teamId,description,active.DELETE /api/oncall/:id(Admin) - remove a rotation.
How paging ties into major-incident response: before (or right after) declaring a major incident, call GET /api/oncall/current to identify the responder on shift, then use their email as the incidentCommander and/or add them and the rotation's escalationEmail to subscribers[] so they receive every status broadcast. As the incident runs across a hand-off boundary, re-check nextHandoffAt and subscribe the incoming responder so coverage carries over without a gap.
MCP tools (5, HTTP + stdio parity)
list_active_major_incidents(Viewer+)declare_major_incident(Admin)post_major_incident_update(Auditor+)subscribe_major_incident(Auditor+)resolve_major_incident(Admin) - passskip_post_incident_review: trueonly for trivial false alarms
CMDB integration
When declaring, pass affectedCiIds[] from your CMDB. The handler looks up each CI's name (denormalized to affectedCiNames[] on the task) and computes the max criticality across all affected CIs (stored as maxAffectedCriticality). Use get_ci_impact from the CMDB tool set BEFORE declaring to estimate blast radius and decide who to subscribe.
Pitfalls
- Major Incident is fields-on-TaskerTask, not a separate entity. Don't try to query a MajorIncidents container - it doesn't exist. Query TaskerTasks WHERE
isMajorIncident=true. - Email delivery is best-effort. If subscribers don't receive emails, check Graph/SMTP config in Settings → System. Per-recipient failures are logged but don't block the API response.
- StatusUpdates[] is uncapped. No 500-entry cap (yet). For very long-running incidents (multi-day), the doc could approach the 2MB Cosmos limit. Future enhancement: cap at last 500 entries.
- PIR task creation is non-fatal. If PIR creation fails (Cosmos transient), the resolve still succeeds. Log shows the warning; manually create the PIR if needed.
- Don't use Major Incident for routine ticket escalation. Major Incident is for incidents with org-wide impact, multiple affected systems, or executive visibility. Routine "this is important" tickets should just have
priority=High.
Related guides
- CMDB / Configuration Items - affected CI list comes from CMDB
- TaskerProfiles - ITIL Incident profile is the underlying task type
- CAB workflow - emergency changes during MI go through the CAB emergency path