sync: auto-sync from GURU-5070 at 2026-06-29 15:30:34

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-29 15:30:34
This commit is contained in:
2026-06-29 15:31:29 -07:00
parent a88a360450
commit 9a6e1157a7
9 changed files with 275 additions and 1014 deletions

View File

@@ -29,10 +29,19 @@
| Delete SMS auth method (`+1 602-228-3396`) | HTTP 204 |
| Delete Microsoft Authenticator (iPhone 14 Plus) | HTTP 204 |
| Revoke all sign-in sessions | `value: true` |
| Block sign-in (`accountEnabled=false`) | HTTP 204 — verified false |
| Remove User Administrator directory role | HTTP 204 — role now has zero members; user has no roles |
| Verify auth methods | Only `passwordAuthenticationMethod` remains (no MFA) |
New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. Account left
**enabled** with license + mailbox retained for handoff (not disabled per Mike's scope).
Account is **cloud-only** (`onPremisesSyncEnabled: null`) — the on-prem AD account is a separate
identity. New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. License +
mailbox retained for handoff (account disabled, not deleted).
**Billing:** Syncro **#32487** (Emergency offboarding) — 1.0 hr emergency remote billed as `26184`
@ qty 1.5 (prepaid premium); invoice $0.00, block 15.5 → 14.0 hrs.
**Rose access:** could not verify delegate/SendAs — EXO read returns HTTP 401 (Security Investigator
SP lacks Exchange Admin role on this tenant). Earlier breach check showed no foreign delegates.
## [CRITICAL] Cleanup required — human Global Admin action
@@ -47,12 +56,19 @@ PAA is now on our SP in the VWP tenant and must be removed by a human Global Adm
This is a script design flaw (logged to errorlog) — likely also left standing PAA on
**birthbiologic.com** (the 2026-06-08 reset). Worth a fleet sweep.
## Still open (Mike's decision / separate access)
## Still open
- **Block sign-in / remove User Administrator role** — not done (scope was sessions+pw+MFA).
Recommended for a clean offboard.
- **On-prem AD `VWP.US`** — disable her personal user; the **`VWP\Payroll`** account she used on
the XP Orders VM is likely *shared* — confirm before disabling.
- **On-prem AD `VWP.US`** — disable her personal user. **BLOCKED on VPN** (no route to
192.168.0.25; needs VWP OpenVPN connected). The **`VWP\Payroll`** account she used on the XP
Orders VM is likely *shared* — confirm before disabling.
- Shared mailboxes `payroll@` / `orders@` — rotate / remove her access if delegated.
- VPN (OpenVPN on UDM), RDP/RemoteApp to VWP-QBS, QuickBooks login.
- Optional: convert her mailbox to shared or set a manager delegate for handoff.
## Handoff (done 2026-06-29)
Granted **`payroll@valleywideplastering.com` FullAccess** on `teresa@` (InheritanceType All,
AutoMapping on) via Exchange Operator — Teresa's mailbox auto-mounts in the payroll Outlook
profile. FullAccess only; no Send-As/Send-on-Behalf. Verified (not inherited, Deny: False).
Documented on Syncro #32487 (public + emailed comment). Note: the **Exchange Operator** SP
IS consented + Exchange-Admin-roled on VWP — the earlier 401 was the *Security Investigator*
SP (different app); gotchas tenant table is stale on VWP.