sync: auto-sync from GURU-5070 at 2026-06-29 15:30:34

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-29 15:30:34
2026-06-29 15:31:29 -07:00
parent a88a360450
commit 9a6e1157a7
9 changed files with 275 additions and 1014 deletions

View File

@@ -0,0 +1,73 @@
# BirthBiologic — "Quality Department" (old site) archival plan
> **STATUS: COMPLETED 2026-06-29.** Old `Quality Department` group/site soft-deleted via Graph
> (User Manager app — the Tenant Admin app 403s on group DELETE; it only has group *membership*
> write, not Group.ReadWrite.All). Group restorable ~30 days, site recycle ~93 days. Pre-delete
> safety delta confirmed 0 recent old-site edits unaccounted for in QSD. QSD verified to fully
> mirror the Datto source (0 Datto files missing). Group id `f24b2e10-2d73-49d7-ab06-fe63065301d1`,
> deletedDateTime 2026-06-29T22:23:15Z.
Prepared 2026-06-29. Goal: retire the duplicate **Quality Department** site once content and access
are fully consolidated into the canonical **Quality Systems Department** site.
## Why there are two sites
- **Quality Department** (`/sites/QualityDepartment`) — the ORIGINAL, created 2026-04-20 as the first
migration landing target (OneDrive-sync target on ACG-DWP-X-BB). Group email `QualityDepartment@birthbiologic.com`.
- **Quality Systems Department** (`/sites/QualitySystemsDepartment`) — the CANONICAL site, created
2026-06-02 to use the department's real name. Group email `QualitySystemsDepartment@birthbiologic.com`.
This was a rename-by-recreate (new site stood up instead of renaming the old). Content was migrated
old -> new on 2026-06-26, but the old site remained in active use afterward.
## Verification (2026-06-29)
- **Content parity:** 0 name-orphans. OLD = 4,743 files, NEW = 4,740+ (new has the migrated set plus
files added directly to it). Every file present in OLD exists by path in NEW.
- **Post-migration edits in OLD (after the 6/26 copy):** only 2 files.
- `Donor Placement Log - ported over 6.29.26.xlsx` (Julie Beck, 6/29 15:18) — **already superseded in
NEW** (NEW copy modified 6/29 20:45). No action needed.
- `Processor Contact Information/Processor Contact Information.In Process 5.16.24. updated Surgenex
8.21.24.xlsx` (Alicia Meneely, 6/29 15:54, 20 KB) — was FORKED vs NEW copy (6/27 00:55, 64 KB).
**RESOLVED 2026-06-29:** old-site version copied into QSD alongside its counterpart as
`...Surgenex 8.21.24 (old QualityDepartment copy 6.29.26).xlsx` (20 KB). Both versions now coexist
in QSD/Processor Contact Information/ for the Quality team to merge. No data lost on archival.
- **Group footprint:** old group `QualityDepartment@` has proxy addresses `QualityDepartment@birthbiologic.com`
+ `QualityDepartment@birthbiologic.onmicrosoft.com`. It is **not** nested in any other group (memberOf empty).
- **Active use:** users (Alicia Meneely, Julie Beck) were still editing in the OLD site on 6/29 — cutover
to the new site has not fully landed. This must be addressed or new divergence will keep appearing.
## Blockers to resolve before deletion
1. **Resolve the forked file** `Processor Contact Information...Surgenex 8.21.24.xlsx` (old 20 KB vs new
64 KB). Decide which is authoritative; copy the winner into NEW.
2. **Stop users editing the old site.** Repoint any OneDrive sync still aimed at `Quality Department` on
ACG-DWP-X-BB to `Quality Systems Department`, and tell Quality staff to use the new site. Without this,
files keep landing in the soon-to-be-deleted site.
3. **Confirm the `QualityDepartment@` address is unused** — no mail flow / transport rules, no shared
links, not referenced in any process doc. (memberOf already confirmed empty.)
## Archival steps (run after blockers cleared) — Mike, as SharePoint Admin
The tenant-admin app cannot manage site lock/deletion (returns "Unsupported app only token"), so these
run via PnP PowerShell or the SharePoint admin center.
```powershell
# 1) Lock the old site read-only (stops further divergence; immediately signals the cutover)
Connect-PnPOnline -Url https://birthbiologic-admin.sharepoint.com -Interactive
Set-PnPTenantSite -Url https://birthbiologic.sharepoint.com/sites/QualityDepartment -LockState ReadOnly
# 2) After a grace period (e.g. 2 weeks) with no issues, delete the group-connected site.
# Because it is group-connected, removing the M365 group tears down the connected site too.
# Recoverable: group soft-delete ~30 days; site recycle bin ~93 days.
Remove-PnPMicrosoft365Group -Identity f24b2e10-2d73-49d7-ab06-fe63065301d1 # QualityDepartment@ group id
```
## Reference
- Old site id/group id: group `f24b2e10-2d73-49d7-ab06-fe63065301d1`
- Old drive total: ~29.1 GB / 4,743 files
- Orphan diff tool: `scratchpad/bb_quality_diff.py`; full (now-empty) orphan list: `quality-orphaned-files.txt`
- Access state (2026-06-29): sysadmin@ is owner+member on Quality Systems Department (granted today);
was owner on Quality Department.
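Review bot: the STATUS banner at the top of this file contradicts the body below it. "Blockers to resolve before deletion" still reads as open work, yet the banner records the group as soft-deleted the same day: blocker 1 is stale (the Verification section already records it as RESOLVED by copying both versions into QSD rather than picking a winner), and blockers 2 and 3 have no recorded closure at all, with no line stating that the OneDrive sync on ACG-DWP-X-BB was repointed to `Quality Systems Department` or that transport rules and shared links to `QualityDepartment@` were checked. The "Archival steps" section likewise prescribes a ReadOnly lock and a two-week grace period before `Remove-PnPMicrosoft365Group`, but the banner shows deletion on 2026-06-29 with no lock step. Either record how each blocker was closed and state that the grace period was deliberately skipped (with the ~30-day group restore window as the fallback), or mark those sections as superseded; as written, a reader cannot tell whether the steps were done or skipped. Two smaller points: "NEW = 4,740+" cannot be right if every one of OLD's 4,743 files exists by path in NEW (NEW must be at least 4,743), and "0 name-orphans" is a path check, not a content check, as the Surgenex file shows (same path, 20 KB vs 64 KB), so the parity claim should say "by path" rather than implying the contents match.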

View File

@@ -29,10 +29,19 @@
| Delete SMS auth method (`+1 602-228-3396`) | HTTP 204 |
| Delete Microsoft Authenticator (iPhone 14 Plus) | HTTP 204 |
| Revoke all sign-in sessions | `value: true` |
| Block sign-in (`accountEnabled=false`) | HTTP 204 — verified false |
| Remove User Administrator directory role | HTTP 204 — role now has zero members; user has no roles |
| Verify auth methods | Only `passwordAuthenticationMethod` remains (no MFA) |
New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. Account left
**enabled** with license + mailbox retained for handoff (not disabled per Mike's scope).
Account is **cloud-only** (`onPremisesSyncEnabled: null`) — the on-prem AD account is a separate
identity. New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. License +
mailbox retained for handoff (account disabled, not deleted).
**Billing:** Syncro **#32487** (Emergency offboarding) — 1.0 hr emergency remote billed as `26184`
@ qty 1.5 (prepaid premium); invoice $0.00, block 15.5 → 14.0 hrs.
**Rose access:** could not verify delegate/SendAs — EXO read returns HTTP 401 (Security Investigator
SP lacks Exchange Admin role on this tenant). Earlier breach check showed no foreign delegates.
## [CRITICAL] Cleanup required — human Global Admin action
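Review bot: the two paragraphs starting "New password stored in vault" disagree with each other and with the table above them: the first says the account was left **enabled** (not disabled per Mike's scope), the second says "account disabled, not deleted", and the table row records `accountEnabled=false` as HTTP 204 and verified. Only one paragraph should survive this hunk and it must agree with the table row; the vault path `clients/valleywide/teresa-m365-offboarded` is also stated twice. The "Rose access" line leaves the delegate/SendAs check unresolved on the strength of a 401 from the Security Investigator SP, but the Handoff section added later in this same file says the Exchange Operator SP is consented and Exchange-Admin-roled on VWP, so the check can be rerun with that app and the result recorded here instead of "could not verify". Minor: the billing line bills 1.0 hr as `26184` @ qty 1.5 and the block moves 15.5 → 14.0, which is consistent, but one clause saying why 1.0 hr is billed at qty 1.5 would make the deduction read as intentional rather than as a typo.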
@@ -47,12 +56,19 @@ PAA is now on our SP in the VWP tenant and must be removed by a human Global Adm
This is a script design flaw (logged to errorlog) — likely also left standing PAA on
**birthbiologic.com** (the 2026-06-08 reset). Worth a fleet sweep.
## Still open (Mike's decision / separate access)
## Still open
- **Block sign-in / remove User Administrator role** — not done (scope was sessions+pw+MFA).
Recommended for a clean offboard.
- **On-prem AD `VWP.US`** — disable her personal user; the **`VWP\Payroll`** account she used on
the XP Orders VM is likely *shared* — confirm before disabling.
- **On-prem AD `VWP.US`** — disable her personal user. **BLOCKED on VPN** (no route to
192.168.0.25; needs VWP OpenVPN connected). The **`VWP\Payroll`** account she used on the XP
Orders VM is likely *shared* — confirm before disabling.
- Shared mailboxes `payroll@` / `orders@` — rotate / remove her access if delegated.
- VPN (OpenVPN on UDM), RDP/RemoteApp to VWP-QBS, QuickBooks login.
- Optional: convert her mailbox to shared or set a manager delegate for handoff.
## Handoff (done 2026-06-29)
Granted **`payroll@valleywideplastering.com` FullAccess** on `teresa@` (InheritanceType All,
AutoMapping on) via Exchange Operator — Teresa's mailbox auto-mounts in the payroll Outlook
profile. FullAccess only; no Send-As/Send-on-Behalf. Verified (not inherited, Deny: False).
Documented on Syncro #32487 (public + emailed comment). Note: the **Exchange Operator** SP
IS consented + Exchange-Admin-roled on VWP — the earlier 401 was the *Security Investigator*
SP (different app); gotchas tenant table is stale on VWP.
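Review bot: the "Still open" list still carries "Block sign-in / remove User Administrator role — not done", which the table earlier in this file contradicts (`accountEnabled=false` HTTP 204, verified false; User Administrator role now has zero members); if that bullet survives the hunk it should be dropped, and the two `## Still open` headings should collapse to one. The on-prem AD `VWP.US` bullet appears twice, once without and once with the VPN-blocked note (no route to 192.168.0.25); keep only the VPN-blocked version. On `VWP\Payroll`: whether or not it turns out to be shared, its password is known to the departed user, so rotate it regardless and let "confirm before disabling" gate only the disable, not the rotation; the VPN / RDP / QuickBooks bullet names the systems but not the action, so say what is to be revoked or rotated on each. The PAA sentence at the top of the hunk flags a probable standing PAA on **birthbiologic.com** from the 2026-06-08 reset as "worth a fleet sweep"; that should be its own tracked cleanup item with the affected tenant named, not an aside. Last, the closing sentence says the gotchas tenant table is stale on VWP; the fix belongs in that table, or the next engineer will hit the same 401 with the wrong SP.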