sync: auto-sync from GURU-5070 at 2026-06-29 15:30:34
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-29 15:30:34
@@ -0,0 +1,73 @@
# BirthBiologic — "Quality Department" (old site) archival plan
> **STATUS: COMPLETED 2026-06-29.** Old `Quality Department` group/site soft-deleted via Graph
> (User Manager app — the Tenant Admin app 403s on group DELETE; it only has group *membership*
> write, not Group.ReadWrite.All). Group restorable ~30 days, site recycle ~93 days. Pre-delete
> safety delta confirmed 0 recent old-site edits unaccounted for in QSD. QSD verified to fully
> mirror the Datto source (0 Datto files missing). Group id `f24b2e10-2d73-49d7-ab06-fe63065301d1`,
> deletedDateTime 2026-06-29T22:23:15Z.
Prepared 2026-06-29. Goal: retire the duplicate **Quality Department** site once content and access
are fully consolidated into the canonical **Quality Systems Department** site.
## Why there are two sites
- **Quality Department** (`/sites/QualityDepartment`) — the ORIGINAL, created 2026-04-20 as the first
migration landing target (OneDrive-sync target on ACG-DWP-X-BB). Group email `QualityDepartment@birthbiologic.com`.
- **Quality Systems Department** (`/sites/QualitySystemsDepartment`) — the CANONICAL site, created
2026-06-02 to use the department's real name. Group email `QualitySystemsDepartment@birthbiologic.com`.
This was a rename-by-recreate (new site stood up instead of renaming the old). Content was migrated
old -> new on 2026-06-26, but the old site remained in active use afterward.
## Verification (2026-06-29)
- **Content parity:** 0 name-orphans. OLD = 4,743 files, NEW = 4,740+ (new has the migrated set plus
files added directly to it). Every file present in OLD exists by path in NEW.
- **Post-migration edits in OLD (after the 6/26 copy):** only 2 files.
- `Donor Placement Log - ported over 6.29.26.xlsx` (Julie Beck, 6/29 15:18) — **already superseded in
NEW** (NEW copy modified 6/29 20:45). No action needed.
- `Processor Contact Information/Processor Contact Information.In Process 5.16.24. updated Surgenex
8.21.24.xlsx` (Alicia Meneely, 6/29 15:54, 20 KB) — was FORKED vs NEW copy (6/27 00:55, 64 KB).
**RESOLVED 2026-06-29:** old-site version copied into QSD alongside its counterpart as
`...Surgenex 8.21.24 (old QualityDepartment copy 6.29.26).xlsx` (20 KB). Both versions now coexist
in QSD/Processor Contact Information/ for the Quality team to merge. No data lost on archival.
- **Group footprint:** old group `QualityDepartment@` has proxy addresses `QualityDepartment@birthbiologic.com`
+ `QualityDepartment@birthbiologic.onmicrosoft.com`. It is **not** nested in any other group (memberOf empty).
- **Active use:** users (Alicia Meneely, Julie Beck) were still editing in the OLD site on 6/29 — cutover
to the new site has not fully landed. This must be addressed or new divergence will keep appearing.
## Blockers to resolve before deletion
1. **Resolve the forked file** `Processor Contact Information...Surgenex 8.21.24.xlsx` (old 20 KB vs new
64 KB). Decide which is authoritative; copy the winner into NEW.
2. **Stop users editing the old site.** Repoint any OneDrive sync still aimed at `Quality Department` on
ACG-DWP-X-BB to `Quality Systems Department`, and tell Quality staff to use the new site. Without this,
files keep landing in the soon-to-be-deleted site.
3. **Confirm the `QualityDepartment@` address is unused** — no mail flow / transport rules, no shared
links, not referenced in any process doc. (memberOf already confirmed empty.)
## Archival steps (run after blockers cleared) — Mike, as SharePoint Admin
The tenant-admin app cannot manage site lock/deletion (returns "Unsupported app only token"), so these
run via PnP PowerShell or the SharePoint admin center.
```powershell
# 1) Lock the old site read-only (stops further divergence; immediately signals the cutover)
Connect-PnPOnline -Url https://birthbiologic-admin.sharepoint.com -Interactive
Set-PnPTenantSite -Url https://birthbiologic.sharepoint.com/sites/QualityDepartment -LockState ReadOnly
# 2) After a grace period (e.g. 2 weeks) with no issues, delete the group-connected site.
# Because it is group-connected, removing the M365 group tears down the connected site too.
# Recoverable: group soft-delete ~30 days; site recycle bin ~93 days.
Remove-PnPMicrosoft365Group -Identity f24b2e10-2d73-49d7-ab06-fe63065301d1 # QualityDepartment@ group id
```
## Reference
- Old site id/group id: group `f24b2e10-2d73-49d7-ab06-fe63065301d1`
- Old drive total: ~29.1 GB / 4,743 files
- Orphan diff tool: `scratchpad/bb_quality_diff.py`; full (now-empty) orphan list: `quality-orphaned-files.txt`
- Access state (2026-06-29): sysadmin@ is owner+member on Quality Systems Department (granted today);
was owner on Quality Department.
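Review bot: the plan and its STATUS banner now contradict each other. The banner at the top records the group as soft-deleted on 2026-06-29, yet "Blockers to resolve before deletion" still lists items 2 and 3 (repoint the OneDrive sync on ACG-DWP-X-BB; confirm `QualityDepartment@` has no mail flow, transport rules or shared links) as open, and "Archival steps" still prescribes a read-only lock plus a ~2-week grace period before `Remove-PnPMicrosoft365Group`. Record under each blocker whether it was cleared or deliberately skipped, and mark the PnP steps as superseded by the Graph deletion, naming the app and permission that actually performed the DELETE (the banner says the Tenant Admin app 403'd and the User Manager app was used), so the file stands as an accurate audit record. With the group gone, any OneDrive client still syncing `/sites/QualityDepartment` will now error rather than keep writing to the old site, so the cutover blocker 2 was meant to force happens by itself; the only safety net is the restore window (~30 days for the group, ~93 days for the site recycle bin), so also note the date by which a restore must be requested.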
@@ -29,10 +29,19 @@
| Delete SMS auth method (`+1 602-228-3396`) | HTTP 204 |
| Delete Microsoft Authenticator (iPhone 14 Plus) | HTTP 204 |
| Revoke all sign-in sessions | `value: true` |
| Block sign-in (`accountEnabled=false`) | HTTP 204 — verified false |
| Remove User Administrator directory role | HTTP 204 — role now has zero members; user has no roles |
| Verify auth methods | Only `passwordAuthenticationMethod` remains (no MFA) |
New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. Account left
**enabled** with license + mailbox retained for handoff (not disabled per Mike's scope).
Account is **cloud-only** (`onPremisesSyncEnabled: null`) — the on-prem AD account is a separate
identity. New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. License +
mailbox retained for handoff (account disabled, not deleted).
**Billing:** Syncro **#32487** (Emergency offboarding) — 1.0 hr emergency remote billed as `26184`
@ qty 1.5 (prepaid premium); invoice $0.00, block 15.5 → 14.0 hrs.
**Rose access:** could not verify delegate/SendAs — EXO read returns HTTP 401 (Security Investigator
SP lacks Exchange Admin role on this tenant). Earlier breach check showed no foreign delegates.
## [CRITICAL] Cleanup required — human Global Admin action
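Review bot: this hunk leaves two contradictory statements of the account state. The results table records `accountEnabled=false` (HTTP 204, verified false) and removal of the User Administrator role, and the later paragraph says "account disabled, not deleted", but the paragraph directly after the table still says the account was left **enabled**, "not disabled per Mike's scope". That paragraph reads as stale text that should have gone when the block-sign-in step was carried out; drop it, and keep only one copy of the vault-path sentence (`clients/valleywide/teresa-m365-offboarded` appears twice). The "Rose access" item should also say plainly that delegate/SendAs verification is still outstanding after the HTTP 401, rather than leaving the earlier "no foreign delegates" check to stand in for it.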
@@ -47,12 +56,19 @@ PAA is now on our SP in the VWP tenant and must be removed by a human Global Adm
This is a script design flaw (logged to errorlog) — likely also left standing PAA on
**birthbiologic.com** (the 2026-06-08 reset). Worth a fleet sweep.
## Still open (Mike's decision / separate access)
## Still open
- **Block sign-in / remove User Administrator role** — not done (scope was sessions+pw+MFA).
Recommended for a clean offboard.
- **On-prem AD `VWP.US`** — disable her personal user; the **`VWP\Payroll`** account she used on
the XP Orders VM is likely *shared* — confirm before disabling.
- **On-prem AD `VWP.US`** — disable her personal user. **BLOCKED on VPN** (no route to
192.168.0.25; needs VWP OpenVPN connected). The **`VWP\Payroll`** account she used on the XP
Orders VM is likely *shared* — confirm before disabling.
- Shared mailboxes `payroll@` / `orders@` — rotate / remove her access if delegated.
- VPN (OpenVPN on UDM), RDP/RemoteApp to VWP-QBS, QuickBooks login.
- Optional: convert her mailbox to shared or set a manager delegate for handoff.
## Handoff (done 2026-06-29)
Granted **`payroll@valleywideplastering.com` FullAccess** on `teresa@` (InheritanceType All,
AutoMapping on) via Exchange Operator — Teresa's mailbox auto-mounts in the payroll Outlook
profile. FullAccess only; no Send-As/Send-on-Behalf. Verified (not inherited, Deny: False).
Documented on Syncro #32487 (public + emailed comment). Note: the **Exchange Operator** SP
IS consented + Exchange-Admin-roled on VWP — the earlier 401 was the *Security Investigator*
SP (different app); gotchas tenant table is stale on VWP.
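Review bot: the "Still open" section now carries a duplicated heading (`## Still open (Mike's decision / separate access)` immediately followed by `## Still open`) and the on-prem AD `VWP.US` bullet twice, once without and once with the "BLOCKED on VPN (no route to 192.168.0.25)" detail; keep one heading and the more detailed bullet. The first bullet, "Block sign-in / remove User Administrator role — not done", also contradicts the results table earlier in the file, which records both as completed with HTTP 204; remove it or reword it to what actually remains. The handoff paragraph says the gotchas tenant table is stale for VWP (the Exchange Operator SP is consented and Exchange-Admin-roled), so correcting that table belongs in the open-items list as well.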