sync: auto-sync from GURU-5070 at 2026-06-29 15:30:34
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-29 15:30:34
This commit is contained in:
@@ -29,10 +29,19 @@
|
||||
| Delete SMS auth method (`+1 602-228-3396`) | HTTP 204 |
|
||||
| Delete Microsoft Authenticator (iPhone 14 Plus) | HTTP 204 |
|
||||
| Revoke all sign-in sessions | `value: true` |
|
||||
| Block sign-in (`accountEnabled=false`) | HTTP 204 — verified false |
|
||||
| Remove User Administrator directory role | HTTP 204 — role now has zero members; user has no roles |
|
||||
| Verify auth methods | Only `passwordAuthenticationMethod` remains (no MFA) |
|
||||
|
||||
New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. Account left
|
||||
**enabled** with license + mailbox retained for handoff (not disabled per Mike's scope).
|
||||
Account is **cloud-only** (`onPremisesSyncEnabled: null`) — the on-prem AD account is a separate
|
||||
identity. New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. License +
|
||||
mailbox retained for handoff (account disabled, not deleted).
|
||||
|
||||
**Billing:** Syncro **#32487** (Emergency offboarding) — 1.0 hr emergency remote billed as `26184`
|
||||
@ qty 1.5 (prepaid premium); invoice $0.00, block 15.5 → 14.0 hrs.
|
||||
|
||||
**Rose access:** could not verify delegate/SendAs — EXO read returns HTTP 401 (Security Investigator
|
||||
SP lacks Exchange Admin role on this tenant). Earlier breach check showed no foreign delegates.
|
||||
|
||||
## [CRITICAL] Cleanup required — human Global Admin action
|
||||
|
||||
@@ -47,12 +56,19 @@ PAA is now on our SP in the VWP tenant and must be removed by a human Global Adm
|
||||
This is a script design flaw (logged to errorlog) — likely also left standing PAA on
|
||||
**birthbiologic.com** (the 2026-06-08 reset). Worth a fleet sweep.
|
||||
|
||||
## Still open (Mike's decision / separate access)
|
||||
## Still open
|
||||
|
||||
- **Block sign-in / remove User Administrator role** — not done (scope was sessions+pw+MFA).
|
||||
Recommended for a clean offboard.
|
||||
- **On-prem AD `VWP.US`** — disable her personal user; the **`VWP\Payroll`** account she used on
|
||||
the XP Orders VM is likely *shared* — confirm before disabling.
|
||||
- **On-prem AD `VWP.US`** — disable her personal user. **BLOCKED on VPN** (no route to
|
||||
192.168.0.25; needs VWP OpenVPN connected). The **`VWP\Payroll`** account she used on the XP
|
||||
Orders VM is likely *shared* — confirm before disabling.
|
||||
- Shared mailboxes `payroll@` / `orders@` — rotate / remove her access if delegated.
|
||||
- VPN (OpenVPN on UDM), RDP/RemoteApp to VWP-QBS, QuickBooks login.
|
||||
- Optional: convert her mailbox to shared or set a manager delegate for handoff.
|
||||
|
||||
## Handoff (done 2026-06-29)
|
||||
|
||||
Granted **`payroll@valleywideplastering.com` FullAccess** on `teresa@` (InheritanceType All,
|
||||
AutoMapping on) via Exchange Operator — Teresa's mailbox auto-mounts in the payroll Outlook
|
||||
profile. FullAccess only; no Send-As/Send-on-Behalf. Verified (not inherited, Deny: False).
|
||||
Documented on Syncro #32487 (public + emailed comment). Note: the **Exchange Operator** SP
|
||||
IS consented + Exchange-Admin-roled on VWP — the earlier 401 was the *Security Investigator*
|
||||
SP (different app); gotchas tenant table is stale on VWP.
|
||||
|
||||
Reference in New Issue
Block a user