azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Cascades: Exchange REST API propagation status - 28 min elapsed

Browse Source 
HTTP 401 'invalid_token' still persisting despite correct role assignments.
All Graph API verifications pass - this is Exchange cache propagation delay.

Verified working:
- Exchange Administrator role assigned to Security Investigator SP
- Office 365 Exchange Online app role: dc890d15-9560-4a4c-9b7f-a736ec74ec40
- Token acquisition for investigator-exo tier

Timeline:
- 09:05 AM: Role assigned
- 09:33 AM: Still propagating (28 min elapsed)
- 10:00 AM: Recommended retry (55 min)
- 10:30 AM: Escalation point (85 min)

Blocking: Britney Thompson litigation hold verification for HIPAA compliance.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-08 10:34:58 -04:00
parent 9aab0dc35a
commit 8807b1f168
1 changed files with 160 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
clients/cascades-tucson/reports/2026-05-07-exchange-api-propagation-status.md Normal file
View File

@@ -0,0 +1,160 @@
# Exchange REST API Propagation Status - Cascades Tucson
**Date:** 2026-05-07
**Time:** 09:33 AM MST
**Tenant:** Cascades of Tucson (207fa277-e9d8-4eb7-ada1-1064d2221498)
---
## Current Status: PROPAGATION IN PROGRESS
Exchange REST API is still returning HTTP 401 with "invalid_token" error, despite all required permissions and roles being correctly assigned. This is a known Exchange Online propagation delay.
---
## Verification Completed
**[OK] Graph API confirms all assignments are correct:**
1. **Security Investigator SP** (c64ee5c1-a607-46cb-81b8-42de3de98d48)
- Exchange Administrator directory role: ASSIGNED ✓
- Office 365 Exchange Online app role: ASSIGNED ✓
- App role ID: dc890d15-9560-4a4c-9b7f-a736ec74ec40 (full_access_as_app) ✓
2. **Token acquisition:** WORKING ✓
- investigator-exo tier token: ACQUIRED ✓
- Scope: https://outlook.office365.com/.default ✓
3. **Exchange REST API access:** HTTP 401 (propagation delay) ⏳
---
## Error Details
**HTTP Response:**
```
HTTP/2 401
WWW-Authenticate: Bearer client_id="ec156f81-f23a-47bd-b16f-9fb2c66420f9",
token_types="app_asserted_user_v1 service_asserted_app_v1",
authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
error="invalid_token"
```
**Analysis:**
- Error "invalid_token" indicates Exchange Online hasn't recognized the new permissions yet
- This is NOT a configuration error (all Graph API checks pass)
- Typical propagation time: 15-60 minutes from role assignment
- Role was assigned: ~09:05 AM MST
- Current time: 09:33 AM MST (28 minutes elapsed)
---
## What's Happening
Exchange Online maintains its own permission cache separate from Entra ID (Graph API). When a new service principal is assigned the Exchange Administrator role:
1. **Immediate:** Graph API recognizes the assignment (verified ✓)
2. **Delayed (15-60 min):** Exchange REST API propagates the permission
3. **Common:** First attempts return HTTP 401 until cache refreshes
This is normal behavior for first-time app onboarding to a tenant.
---
## Next Steps
### Option 1: Wait and Retry (Recommended)
**Retry after:** 10:00 AM MST (27 minutes from now)
```bash
# Clear token cache
rm -f /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/investigator-exo.jwt
# Get fresh token
TOKEN=$(REMEDIATION_AUTH=secret bash scripts/get-token.sh 207fa277-e9d8-4eb7-ada1-1064d2221498 investigator-exo 2>/dev/null)
# Test Exchange REST API
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
"https://outlook.office365.com/adminapi/beta/207fa277-e9d8-4eb7-ada1-1064d2221498/InvokeCommand" \
-d '{"CmdletInput":{"CmdletName":"Get-Mailbox","Parameters":{"Identity":"Britney.Thompson@cascadestucson.com"}}}'
```
If still 401 after 10:00 AM, wait until 10:30 AM and try again.
### Option 2: Manual Portal Verification (If still failing after 1 hour)
If Exchange REST API still returns 401 after 10:30 AM MST:
1. **Check Entra portal:**
- https://entra.microsoft.com → Roles and administrators → Exchange Administrator
- Verify "ComputerGuru - Security Investigator" is listed as a member
2. **Check Conditional Access:**
- Entra → Protection → Conditional Access
- Look for policies that might block service principal sign-ins
- Review "Service provider users" exclusions
3. **Check Exchange Online license:**
- Verify tenant has active Exchange Online licenses
- Admin center → Billing → Licenses
---
## Blocking Issue
**Britney Thompson litigation hold verification** cannot proceed until Exchange REST API access works.
**HIPAA Compliance Risk:**
Per Howard's 2026-05-06 note, this check must complete before Wave 1 caregiver rollout (§164.308(a)(3)(ii)(C) + §164.316(b)(2) requirement).
**Impact:**
- Cannot verify if litigation hold is enabled
- Cannot check mailbox forwarding rules
- Cannot audit inbox rules or delegate permissions
- All Exchange-based compliance checks blocked
---
## Timeline
| Time | Event |
|------|-------|
| 09:05 AM MST | App onboarding completed, Exchange Administrator role assigned |
| 09:07 AM MST | First test: HTTP 401 (expected) |
| 09:15 AM MST | Second test: HTTP 401 (still propagating) |
| 09:33 AM MST | Third test: HTTP 401 (28 min elapsed, still within normal window) |
| **10:00 AM MST** | **Recommended retry time (55 min elapsed)** |
| **10:30 AM MST** | **Escalation point if still failing (85 min elapsed)** |
---
## Workaround Options (If Urgent)
If litigation hold verification is urgent and cannot wait for propagation:
1. **Manual Exchange Online PowerShell:**
```powershell
Connect-ExchangeOnline -UserPrincipalName admin@cascadestucson.com
Get-Mailbox -Identity Britney.Thompson@cascadestucson.com |
Select DisplayName, LitigationHoldEnabled, LitigationHoldDate, InPlaceHolds
```
2. **Exchange Admin Center:**
- https://admin.exchange.microsoft.com
- Recipients → Mailboxes
- Search: Britney Thompson
- Properties → Mailbox features → Litigation hold
3. **Purview Compliance Center:**
- https://compliance.microsoft.com
- Data lifecycle management → Retention
- Check if Britney's mailbox has retention policies applied
---
**Status:** Waiting for Exchange REST API propagation (normal delay).
**Next action:** Retry after 10:00 AM MST.
**Escalation:** If still failing after 10:30 AM MST, investigate manually via portal.