diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-12-howard-shared-mailboxes-grievances-surveys.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-12-howard-shared-mailboxes-grievances-surveys.md new file mode 100644 index 0000000..662b7f7 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-12-howard-shared-mailboxes-grievances-surveys.md 
@@ -0,0 +1,75 @@ +# Cascades of Tucson — Shared Mailboxes (Grievances + Surveys) + Delegation + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Created two new shared mailboxes in the Cascades of Tucson M365 tenant (cascadestucson.com): `grievances@cascadestucson.com` and `Surveys@cascadestucson.com`. Both were delegated to Meredith Kuhn (`meredith.kuhn@cascadestucson.com`) and Ashley Jensen (`ashley.jensen@cascadestucson.com`) with Full Access (auto-mapping enabled) and Send As, so each delegate can read the mailboxes from within Outlook and send mail that originates from the shared address. + +Work was done via Exchange Online PowerShell using app-only authentication (ComputerGuru Exchange Operator MSP app, cert-based). The `ExchangeOnlineManagement` PowerShell module was not present on this machine — it was installed from PSGallery (v3.10.0) after trusting the repository. An EXO-scoped access token was acquired with the remediation-tool `get-token.sh` script (tier `exchange-op`, cert assertion) and passed to `Connect-ExchangeOnline -AccessToken`, bypassing the missing-cert-in-store and interactive-MFA constraints noted in the client wiki. + +Preconditions were verified before any write: both delegate UserMailboxes exist, and both target addresses (`grievances@`, `Surveys@`) were free. After creation, all eight permission grants (2 mailboxes x 2 users x [FullAccess + SendAs]) were applied and then re-verified with `Get-MailboxPermission` / `Get-RecipientPermission`. The `Surveys` mailbox emitted the standard new-mailbox replication notice ("available for logon in approximately 15 minutes") — this did not affect permission application. + +Billing for 0.5h Remote was requested. A Syncro ticket-create + bill preview was produced (new ticket, since no existing ticket fit the shared-mailbox work) and is **awaiting user confirmation** — no Syncro write has been performed. 
The `/save` was invoked before that confirmation, so billing remains pending. + +## Key Decisions + +- **Send As (not Send on Behalf):** User chose Send As so outbound mail appears strictly from the shared address with no trace of the individual sender — standard for role mailboxes. +- **Full Access with auto-mapping:** delegates' Outlook auto-surfaces the mailboxes; no manual account-add needed. +- **Shared mailboxes, cloud-only:** no license consumed (shared mailboxes are free under 50GB); they do not require an on-prem AD object and are unaffected by Entra Connect sync. +- **App-only EXO via access token:** used the cert-based `get-token.sh` flow rather than interactive sign-in, consistent with the client's documented EXO MSP-app auth note. +- **New Syncro ticket for billing:** none of Cascades' open tickets map to shared-mailbox creation, so a dedicated ticket is the right home for the 0.5h. + +## Problems Encountered + +- **`ExchangeOnlineManagement` module missing:** `Install-Module` first failed in NonInteractive mode (untrusted PSGallery prompt). Resolved by setting TLS 1.2, bootstrapping the NuGet provider, and `Set-PSRepository -Name PSGallery -InstallationPolicy Trusted`, then re-running the install — succeeded at v3.10.0. +- **`get-token.sh` could not find vault_path:** the skill resolves identity from the user-global `~/.claude/identity.json` (which lacks `vault_path`), not the repo `.claude/identity.json`. Resolved by passing `VAULT_ROOT_ENV=D:/vault` (read from the repo identity file). +- **Vault field name:** `client_secret` lives under `credentials.client_secret` (dot notation), not a top-level field; the initial flat lookup returned `null`. Cert auth was used in the end regardless. + +## Configuration Changes + +- **M365 tenant cascadestucson.com (live):** + - Created shared mailbox `grievances@cascadestucson.com` (alias `Grievances`, DisplayName "Grievances"). 
+ - Created shared mailbox `Surveys@cascadestucson.com` (alias `Surveys`, DisplayName "Surveys"). + - Granted FullAccess (InheritanceType All, AutoMapping $true) on both to `meredith.kuhn@` and `ashley.jensen@`. + - Granted SendAs on both to `meredith.kuhn@` and `ashley.jensen@`. +- **This machine (Howard-Home):** installed PowerShell module `ExchangeOnlineManagement` 3.10.0 (CurrentUser scope); set PSGallery InstallationPolicy = Trusted. +- No repo files modified beyond this session log. + +## Credentials & Secrets + +- No new credentials created. EXO auth used the existing **ComputerGuru Exchange Operator** MSP app (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`), cert-based, vault `msp-tools/computerguru-exchange-operator.sops.yaml` (cert thumbprint `A615823DE1CAF15229027DEC075AFE32B900D82C`, cert expires 2028-04-30). +- Transient EXO access token cached at `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/exchange-op.jwt` (55-min TTL) and staged to `%TEMP%\exo.jwt` for the PowerShell session — ephemeral, not a secret to retain. + +## Infrastructure & Servers + +- **Tenant:** cascadestucson.com — Tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498` +- **Exchange Operator app:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` (home tenant ce61461e-81a0-4c84-bb4a-7b354a9a356d) +- **New shared mailboxes:** `grievances@cascadestucson.com`, `Surveys@cascadestucson.com` (both SharedMailbox) +- **Delegates:** `meredith.kuhn@cascadestucson.com` (Meredith Kuhn), `ashley.jensen@cascadestucson.com` (Ashley Jensen) +- **Syncro customer:** Cascades of Tucson, ID 20149445; prepay block 56.25h (live pull 2026-06-12) + +## Commands & Outputs + +- Token: `VAULT_ROOT_ENV="D:/vault" bash .../remediation-tool/scripts/get-token.sh 207fa277-e9d8-4eb7-ada1-1064d2221498 exchange-op` -> `auth=cert`, 2219-byte JWT. +- Connect: `Connect-ExchangeOnline -AccessToken $token -Organization 'cascadestucson.com' -ShowBanner:$false` -> CONNECTED. 
+- Create: `New-Mailbox -Shared -Name -DisplayName -PrimarySmtpAddress ` — both created (Surveys threw the benign "available for logon in ~15 minutes" replication notice). +- Permissions: `Add-MailboxPermission -AccessRights FullAccess -InheritanceType All -AutoMapping $true` and `Add-RecipientPermission -AccessRights SendAs` — all 8 succeeded. +- Verify: `Get-MailboxPermission` / `Get-RecipientPermission` confirmed both delegates hold FullAccess + SendAs on both mailboxes. +- Module install (after fix): `Set-PSRepository -Name PSGallery -InstallationPolicy Trusted` then `Install-Module ExchangeOnlineManagement -Scope CurrentUser` -> INSTALLED 3.10.0. + +## Pending / Incomplete Tasks + +- **Billing NOT yet executed (awaiting confirmation):** create Syncro ticket for Cascades (20149445), subject "M365 - Create shared mailboxes Grievances + Surveys, delegate to Meredith & Ashley (Remote)", Issue Type Email, tech Howard (1750), no contact (Cascades rule). Bill 0.5h Remote (product 1190473, $150/hr) — prepaid, invoice nets $0.00, block 56.25 -> 55.75. Then invoice, mark Invoiced, post #bot-alerts. +- Outlook auto-mapping for delegates may take up to ~1h to surface; immediately usable via OWA. + +## Reference Information + +- Client wiki: `wiki/clients/cascades-tucson.md` +- EXO MSP-app auth note (cert-not-in-store -> access-token flow): see client wiki "Email & Identity" / "EXO / Message Trace" sections. +- Remediation skill scripts: `C:\Users\Howard\.claude\skills\remediation-tool\scripts\` (`get-token.sh` tier `exchange-op`). +- Vault root on this machine: `D:/vault` (from `.claude/identity.json` `vault_path`). +- Syncro remote labor product: 1190473 ("Labor - Remote Business", $150.00).
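Review bot: the Credentials & Secrets section describes the EXO access token staged to `%TEMP%\exo.jwt` as "ephemeral, not a secret to retain", but nothing in the log records that file being deleted or `Disconnect-ExchangeOnline` being run at the end of the session; the Commands & Outputs list stops at the module install. A bearer token carrying the Exchange Operator app's rights over the cascadestucson.com tenant sitting in a temp directory is worth cleaning up even with a 55-minute TTL, so add a line under Configuration Changes (Howard-Home) or Pending stating whether `%TEMP%\exo.jwt` and the `/tmp/remediation-tool/.../exchange-op.jwt` cache were removed. In the same Configuration Changes list, `Set-PSRepository -Name PSGallery -InstallationPolicy Trusted` is recorded as a persistent machine change; that setting suppresses the untrusted-repository prompt for every future `Install-Module` on this machine, not only this one, so either revert it to `Untrusted` after the install or note explicitly that it was left in place on purpose.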