diff --git a/clients/cascades-tucson/reports/2026-05-07-exchange-api-propagation-status.md b/clients/cascades-tucson/reports/2026-05-07-exchange-api-propagation-status.md new file mode 100644 index 0000000..091e9f0 --- /dev/null +++ b/clients/cascades-tucson/reports/2026-05-07-exchange-api-propagation-status.md @@ -0,0 +1,160 @@ +# Exchange REST API Propagation Status - Cascades Tucson + +**Date:** 2026-05-07 +**Time:** 09:33 AM MST +**Tenant:** Cascades of Tucson (207fa277-e9d8-4eb7-ada1-1064d2221498) + +--- + +## Current Status: PROPAGATION IN PROGRESS + +Exchange REST API is still returning HTTP 401 with "invalid_token" error, despite all required permissions and roles being correctly assigned. This is a known Exchange Online propagation delay. + +--- + +## Verification Completed + +**[OK] Graph API confirms all assignments are correct:** + +1. **Security Investigator SP** (c64ee5c1-a607-46cb-81b8-42de3de98d48) + - Exchange Administrator directory role: ASSIGNED ✓ + - Office 365 Exchange Online app role: ASSIGNED ✓ + - App role ID: dc890d15-9560-4a4c-9b7f-a736ec74ec40 (full_access_as_app) ✓ + +2. **Token acquisition:** WORKING ✓ + - investigator-exo tier token: ACQUIRED ✓ + - Scope: https://outlook.office365.com/.default ✓ + +3. **Exchange REST API access:** HTTP 401 (propagation delay) ⏳ + +--- + +## Error Details + +**HTTP Response:** +``` +HTTP/2 401 +WWW-Authenticate: Bearer client_id="ec156f81-f23a-47bd-b16f-9fb2c66420f9", + token_types="app_asserted_user_v1 service_asserted_app_v1", + authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", + error="invalid_token" +``` + +**Analysis:** +- Error "invalid_token" indicates Exchange Online hasn't recognized the new permissions yet +- This is NOT a configuration error (all Graph API checks pass) +- Typical propagation time: 15-60 minutes from role assignment +- Role was assigned: ~09:05 AM MST +- Current time: 09:33 AM MST (28 minutes elapsed) + +--- + +## What's Happening + +Exchange Online maintains its own permission cache separate from Entra ID (Graph API). When a new service principal is assigned the Exchange Administrator role: + +1. **Immediate:** Graph API recognizes the assignment (verified ✓) +2. **Delayed (15-60 min):** Exchange REST API propagates the permission +3. **Common:** First attempts return HTTP 401 until cache refreshes + +This is normal behavior for first-time app onboarding to a tenant. + +--- + +## Next Steps + +### Option 1: Wait and Retry (Recommended) + +**Retry after:** 10:00 AM MST (27 minutes from now) + +```bash +# Clear token cache +rm -f /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/investigator-exo.jwt + +# Get fresh token +TOKEN=$(REMEDIATION_AUTH=secret bash scripts/get-token.sh 207fa277-e9d8-4eb7-ada1-1064d2221498 investigator-exo 2>/dev/null) + +# Test Exchange REST API +curl -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + "https://outlook.office365.com/adminapi/beta/207fa277-e9d8-4eb7-ada1-1064d2221498/InvokeCommand" \ + -d '{"CmdletInput":{"CmdletName":"Get-Mailbox","Parameters":{"Identity":"Britney.Thompson@cascadestucson.com"}}}' +``` + +If still 401 after 10:00 AM, wait until 10:30 AM and try again. + +### Option 2: Manual Portal Verification (If still failing after 1 hour) + +If Exchange REST API still returns 401 after 10:30 AM MST: + +1. **Check Entra portal:** + - https://entra.microsoft.com → Roles and administrators → Exchange Administrator + - Verify "ComputerGuru - Security Investigator" is listed as a member + +2. **Check Conditional Access:** + - Entra → Protection → Conditional Access + - Look for policies that might block service principal sign-ins + - Review "Service provider users" exclusions + +3. **Check Exchange Online license:** + - Verify tenant has active Exchange Online licenses + - Admin center → Billing → Licenses + +--- + +## Blocking Issue + +**Britney Thompson litigation hold verification** cannot proceed until Exchange REST API access works. + +**HIPAA Compliance Risk:** +Per Howard's 2026-05-06 note, this check must complete before Wave 1 caregiver rollout (§164.308(a)(3)(ii)(C) + §164.316(b)(2) requirement). + +**Impact:** +- Cannot verify if litigation hold is enabled +- Cannot check mailbox forwarding rules +- Cannot audit inbox rules or delegate permissions +- All Exchange-based compliance checks blocked + +--- + +## Timeline + +| Time | Event | +|------|-------| +| 09:05 AM MST | App onboarding completed, Exchange Administrator role assigned | +| 09:07 AM MST | First test: HTTP 401 (expected) | +| 09:15 AM MST | Second test: HTTP 401 (still propagating) | +| 09:33 AM MST | Third test: HTTP 401 (28 min elapsed, still within normal window) | +| **10:00 AM MST** | **Recommended retry time (55 min elapsed)** | +| **10:30 AM MST** | **Escalation point if still failing (85 min elapsed)** | + +--- + +## Workaround Options (If Urgent) + +If litigation hold verification is urgent and cannot wait for propagation: + +1. **Manual Exchange Online PowerShell:** + ```powershell + Connect-ExchangeOnline -UserPrincipalName admin@cascadestucson.com + Get-Mailbox -Identity Britney.Thompson@cascadestucson.com | + Select DisplayName, LitigationHoldEnabled, LitigationHoldDate, InPlaceHolds + ``` + +2. **Exchange Admin Center:** + - https://admin.exchange.microsoft.com + - Recipients → Mailboxes + - Search: Britney Thompson + - Properties → Mailbox features → Litigation hold + +3. **Purview Compliance Center:** + - https://compliance.microsoft.com + - Data lifecycle management → Retention + - Check if Britney's mailbox has retention policies applied + +--- + +**Status:** Waiting for Exchange REST API propagation (normal delay). +**Next action:** Retry after 10:00 AM MST. +**Escalation:** If still failing after 10:30 AM MST, investigate manually via portal.