cascades: M365 orphan/stale user cleanup (pre-Entra Connect)

Deleted 7 former-employee / zombie accounts via Graph user-manager tier.
All verified in soft-delete bin (30-day recovery):

- ann.dery, anna.pitzlin, jeff.bristol, kristiana.dowse, nela.durut-azizi,
  nick.pavloff (all were disabled already)
- jodi.ramstack (was a zombie: enabled in M365 with 1 Business Standard
  license but deleted from AD 2026-04-13. Freed $12.50/mo seat.)

admin@NETORGFT... (Sandra Fish) confirmed already gone from tenant.

Role-based accounts (accounting@, frontdesk@, hr@, etc.) NOT touched —
pending delegation decisions before shared-mailbox conversion. Stephanie.Devin
left alone pending Meredith confirmation.

Report: reports/2026-04-22-m365-orphan-deletes.md
Docs updated: docs/cloud/m365.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 22:10:49 -07:00
parent 5c6f7dca5e
commit abfb0a18b0
2 changed files with 101 additions and 7 deletions

@@ -188,24 +188,24 @@ AD account + Entra sync, no M365 license. Access shared mailboxes via outlook.of
| Display Name | UPN | Sign-in Blocked | Notes |
|---|---|---|---|
| Jeff Bristol | jeff.bristol@cascadestucson.com | Yes | Former employee — unlicensed, shared mailbox exists |
| Nela Durut-Azizi | nela.durut-azizi@cascadestucson.com | Yes | Former employee — unlicensed, shared mailbox exists |
| Stephanie Devin | Stephanie.Devin@cascadestucson.com | Yes | Former? Unlicensed, blocked |
| ~~Jeff Bristol~~ | ~~jeff.bristol@cascadestucson.com~~ | ~~Yes~~ | **DELETED 2026-04-22** — orphan cleanup. Soft-delete recoverable 30 days (id `8ec8248a-46e8-4771-9220-047887928777`). |
| ~~Nela Durut-Azizi~~ | ~~nela.durut-azizi@cascadestucson.com~~ | ~~Yes~~ | **DELETED 2026-04-22** — orphan cleanup. Soft-delete recoverable 30 days (id `84cef8a2-6988-44ea-bf20-a72fe622750d`). |
| Stephanie Devin | Stephanie.Devin@cascadestucson.com | Yes | Former? Unlicensed, blocked. Ask Meredith before deleting. |
#### Tenant admin
| Display Name | UPN | License | Notes |
|---|---|---|---|
| cascadestucson.com (Sandra Fish) | admin@NETORGFT4257522.onmicrosoft.com | **Unlicensed** (P2 removed) | **BLOCKED** — Former director. Global admin revoked, sign-in blocked 2026-04-14. Delete when ready. |
| ~~cascadestucson.com (Sandra Fish)~~ | ~~admin@NETORGFT4257522.onmicrosoft.com~~ | — | **Confirmed absent 2026-04-22** — already deleted at some point. No further action. |
## Shared Mailboxes
| Name | Email | Notes |
|---|---|---|
| Anna Pitzlin | anna.pitzlin@cascadestucson.com | **Former employee** — was forwarded to Meredith, HR says DELETE |
| ~~Anna Pitzlin~~ | ~~anna.pitzlin@cascadestucson.com~~ | **DELETED 2026-04-22** — orphan cleanup. Soft-delete recoverable 30 days (id `06aa2955-f124-447d-8a16-cc7779aaf28f`). |
| Fax Cascades | fax@cascadestucson.com | Fax-to-email service |
| Jeff Bristol | jeff.bristol@cascadestucson.com | **Former employee** — sign-in blocked, keep for mail forwarding? |
| Nela Durut-Azizi | nela.durut-azizi@cascadestucson.com | **Former employee** — was forwarded to Meredith, HR says DELETE |
| ~~Jeff Bristol~~ | ~~jeff.bristol@cascadestucson.com~~ | (see Blocked section — deleted 2026-04-22) |
| ~~Nela Durut-Azizi~~ | ~~nela.durut-azizi@cascadestucson.com~~ | (see Blocked section — deleted 2026-04-22) |
## Exchange Online
- Mail Domain(s): cascadestucson.com
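Review bot: the Tenant admin row for `admin@NETORGFT4257522.onmicrosoft.com` (Sandra Fish) now reads "already deleted at some point", which leaves the removal of a former Global Admin account with no date, no actor and no statement of how absence was established, while the row it replaces did carry the 2026-04-14 revoke/block history. Suggest keeping that history in the Notes cell and adding how the check was done (Graph lookup by UPN plus a look in `directory/deletedItems`, so the account is known to be gone rather than soft-deleted and restorable), and the Entra audit-log entry for the deletion if it is still within retention. The three struck-through rows have a smaller version of the same gap: they cite soft-delete object ids but not where the pre-check evidence lives; a pointer to `reports/2026-04-22-m365-orphan-deletes.md` next to "orphan cleanup" would let a reader find it without the commit message.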

@@ -0,0 +1,94 @@
# M365 Orphan / Stale User Deletes - 2026-04-22
## Scope
Pre-Entra-Connect cleanup. Remove confirmed former employees and zombie accounts from M365 so they don't sync/mismatch when Entra Connect goes live. Per Howard's direction 2026-04-22: delete orphans/stale users; leave role-based accounts alone until delegation decisions are made.
## Pre-check results
Queried Graph for each candidate. One already gone (`admin@NETORGFT4257522.onmicrosoft.com` Sandra Fish blocked admin). 7 candidates remained:
| UPN | Display | Enabled | Licenses | Proxies | Why delete |
|---|---|---|---|---|---|
| `ann.dery@cascadestucson.com` | Ann Dery | False | 0 | 2 | Already deleted from AD (2026-04-13) |
| `anna.pitzlin@cascadestucson.com` | Anna Pitzlin | False | 0 | 2 | HR confirmed DELETE (per m365.md) |
| `jeff.bristol@cascadestucson.com` | Jeff Bristol | False | 0 | 1 | Former Business Office Director, replaced by Lauren Hasselman |
| `jodi.ramstack@cascadestucson.com` | Jodi Ramstack | **True** | **1 Business Standard** | 2 | **Zombie** — enabled in M365 but deleted from AD in 2026-04-13 cleanup. Wasting a $12.50/mo seat. |
| `kristiana.dowse@cascadestucson.com` | Kristiana Dowse (Shared) | False | 0 | 1 | HR confirmed not an employee |
| `nela.durut-azizi@cascadestucson.com` | Nela Durut-Azizi | False | 0 | 1 | HR confirmed DELETE (per m365.md) |
| `nick.pavloff@cascadestucson.com` | nick pavloff | False | 0 | 1 | Disabled in M365, never had an AD account |
## Actions executed
Tier: `user-manager` (Graph write permissions).
All 7 deletes returned HTTP 204. After 15 sec propagation delay:
- All 7 verified deleted: HTTP 404 on GET `/users/{id}`
- All 7 confirmed in `directory/deletedItems/microsoft.graph.user` (30-day soft-delete recovery window)
| User | Object ID |
|---|---|
| ann.dery | `103b3ac4-2302-4334-8c8e-e66d383c883d` |
| anna.pitzlin | `06aa2955-f124-447d-8a16-cc7779aaf28f` |
| jeff.bristol | `8ec8248a-46e8-4771-9220-047887928777` |
| jodi.ramstack | `b7cddbeb-6026-436b-a3aa-67c4be43e3fb` |
| kristiana.dowse | `0c501281-3e80-48e0-8a3f-e460a15df470` |
| nela.durut-azizi | `84cef8a2-6988-44ea-bf20-a72fe622750d` |
| nick.pavloff | `4b46f47a-6c57-477d-bd6d-53f99324aee4` |
**License freed:** 1 Business Standard seat (from jodi.ramstack). Next account-creation event (Alma.Montt or Kyla.QuickTiffany in Wave 1) can take that seat without new purchase.
**Mail forwarding consideration:** Jeff Bristol and Anna Pitzlin/Nela Durut-Azizi historically had mail forwarded to Meredith per `docs/cloud/m365.md`. If Cascades needs any legacy mail that was routed through those boxes, restore from the soft-delete bin within 30 days (`Restore-MgDirectoryDeletedItem -DirectoryObjectId <id>`) or keep a backup.
## NOT deleted (role-based / service accounts)
Deferred pending delegation decisions per Howard's direction:
| UPN | Disposition |
|---|---|
| accounting@cascadestucson.com | Pending Gate G2 conversion (→ shared, delegate: Ashley, Lauren) |
| accountingassistant@ | Pending Gate G2 (→ shared, delegate: Allison) |
| boadmin@ | Pending Gate G2 (delegates TBD) |
| frontdesk@ | Pending Gate G2 (delegates: Cathy, Shontiel, Kyla, Michelle, Sebastian, Sheldon, Ray) |
| hr@ | Pending Gate G2 (delegate: Meredith) |
| medtech@ | Pending Gate G2 (delegates TBD) |
| memcarereceptionist@ | Pending Gate G2 (delegates: Michelle, Matt) |
| nurse@ | Pending Gate G2 (delegates: Lois, Karen) |
| security@ | Pending Gate G2 (delegates TBD) |
| Training@ | Pending Gate G2 (delegates TBD) |
| transportation@ | Pending Gate G2 (retain? drivers being disabled — ask Meredith) |
| fax@ | Keep (fax-to-email service) |
| Kitchenipad@ | Keep (iPad device account) |
| MDMS@ | Keep (active Intune service account) |
| sysadmin@ | Keep (MSP Global Admin path) |
## Not deleted (yet) — pending your confirmation
| UPN | Reason to delete | Reason to keep |
|---|---|---|
| `Stephanie.Devin@cascadestucson.com` | Disabled member, appears to be former employee | Description says "Accounting Assist" — may still be in a grace window post-departure? |
Ask Meredith before deleting.
## Rollback
All deletes recoverable within 30 days via:
```powershell
Connect-MgGraph -Scopes 'Directory.Read.All','User.ReadWrite.All'
Restore-MgDirectoryDeletedItem -DirectoryObjectId <object-id>
```
## Impact on Entra Connect
- Duplicate-match risk reduced — 7 fewer cloud orphans to collide with AD sync targets
- `jodi.ramstack` was the most dangerous: enabled member with no AD counterpart. If left in place and AD was re-synced, Entra Connect would have seen her as a dangling member.
- Zero impact on currently-active users
## Next steps (unchanged)
- Gate G2 role-account conversion (pending delegation decisions from Meredith)
- Sign Microsoft BAA
- Create break-glass admin
- Gate G3 Entra Connect install (staging mode)
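Review bot: the Rollback section promises that all seven deletes are recoverable within 30 days, but two other parts of the same report quietly undercut that. "License freed" plans to hand jodi.ramstack's Business Standard seat to the next Wave 1 account, so a later restore of that user will need a seat to be available again; and "Mail forwarding consideration" ends with "or keep a backup" without recording whether any mailbox export was actually taken before the deletes ran. Suggest stating explicitly that deleting jeff.bristol, anna.pitzlin and nela.durut-azizi ended the forwarding to Meredith (mail sent to those addresses will now bounce rather than reach her), whether an export was or was not taken, and that after day 30 the mailbox content goes with the object and cannot be restored. Two smaller points: the Rollback snippet could be preceded by `Get-MgDirectoryDeletedItem -DirectoryObjectId <object-id>` to confirm the object is still in the bin before calling Restore, and the heading "Not deleted (yet) — pending your confirmation" addresses a specific reader in a file that will outlive the conversation; name the approver (Howard or Meredith) instead of "your".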