diff --git a/clients/cascades-tucson/docs/cloud/m365.md b/clients/cascades-tucson/docs/cloud/m365.md index 5e354eb..7f516e4 100644 --- a/clients/cascades-tucson/docs/cloud/m365.md +++ b/clients/cascades-tucson/docs/cloud/m365.md 
@@ -188,24 +188,24 @@ AD account + Entra sync, no M365 license. Access shared mailboxes via outlook.of | Display Name | UPN | Sign-in Blocked | Notes | |---|---|---|---| -| Jeff Bristol | jeff.bristol@cascadestucson.com | Yes | Former employee — unlicensed, shared mailbox exists | -| Nela Durut-Azizi | nela.durut-azizi@cascadestucson.com | Yes | Former employee — unlicensed, shared mailbox exists | -| Stephanie Devin | Stephanie.Devin@cascadestucson.com | Yes | Former? Unlicensed, blocked | +| ~~Jeff Bristol~~ | ~~jeff.bristol@cascadestucson.com~~ | ~~Yes~~ | **DELETED 2026-04-22** — orphan cleanup. Soft-delete recoverable 30 days (id `8ec8248a-46e8-4771-9220-047887928777`). | +| ~~Nela Durut-Azizi~~ | ~~nela.durut-azizi@cascadestucson.com~~ | ~~Yes~~ | **DELETED 2026-04-22** — orphan cleanup. Soft-delete recoverable 30 days (id `84cef8a2-6988-44ea-bf20-a72fe622750d`). | +| Stephanie Devin | Stephanie.Devin@cascadestucson.com | Yes | Former? Unlicensed, blocked. Ask Meredith before deleting. | #### Tenant admin | Display Name | UPN | License | Notes | |---|---|---|---| -| cascadestucson.com (Sandra Fish) | admin@NETORGFT4257522.onmicrosoft.com | **Unlicensed** (P2 removed) | **BLOCKED** — Former director. Global admin revoked, sign-in blocked 2026-04-14. Delete when ready. | +| ~~cascadestucson.com (Sandra Fish)~~ | ~~admin@NETORGFT4257522.onmicrosoft.com~~ | — | **Confirmed absent 2026-04-22** — already deleted at some point. No further action. | ## Shared Mailboxes | Name | Email | Notes | |---|---|---| -| Anna Pitzlin | anna.pitzlin@cascadestucson.com | **Former employee** — was forwarded to Meredith, HR says DELETE | +| ~~Anna Pitzlin~~ | ~~anna.pitzlin@cascadestucson.com~~ | **DELETED 2026-04-22** — orphan cleanup. Soft-delete recoverable 30 days (id `06aa2955-f124-447d-8a16-cc7779aaf28f`). 
| | Fax Cascades | fax@cascadestucson.com | Fax-to-email service | -| Jeff Bristol | jeff.bristol@cascadestucson.com | **Former employee** — sign-in blocked, keep for mail forwarding? | -| Nela Durut-Azizi | nela.durut-azizi@cascadestucson.com | **Former employee** — was forwarded to Meredith, HR says DELETE | +| ~~Jeff Bristol~~ | ~~jeff.bristol@cascadestucson.com~~ | (see Blocked section — deleted 2026-04-22) | +| ~~Nela Durut-Azizi~~ | ~~nela.durut-azizi@cascadestucson.com~~ | (see Blocked section — deleted 2026-04-22) | ## Exchange Online - Mail Domain(s): cascadestucson.com diff --git a/clients/cascades-tucson/reports/2026-04-22-m365-orphan-deletes.md b/clients/cascades-tucson/reports/2026-04-22-m365-orphan-deletes.md new file mode 100644 index 0000000..6235a33 --- /dev/null +++ b/clients/cascades-tucson/reports/2026-04-22-m365-orphan-deletes.md 
@@ -0,0 +1,94 @@ +# M365 Orphan / Stale User Deletes - 2026-04-22 + +## Scope + +Pre-Entra-Connect cleanup. Remove confirmed former employees and zombie accounts from M365 so they don't sync/mismatch when Entra Connect goes live. Per Howard's direction 2026-04-22: delete orphans/stale users; leave role-based accounts alone until delegation decisions are made. + +## Pre-check results + +Queried Graph for each candidate. One already gone (`admin@NETORGFT4257522.onmicrosoft.com` Sandra Fish blocked admin). 7 candidates remained: + +| UPN | Display | Enabled | Licenses | Proxies | Why delete | +|---|---|---|---|---|---| +| `ann.dery@cascadestucson.com` | Ann Dery | False | 0 | 2 | Already deleted from AD (2026-04-13) | +| `anna.pitzlin@cascadestucson.com` | Anna Pitzlin | False | 0 | 2 | HR confirmed DELETE (per m365.md) | +| `jeff.bristol@cascadestucson.com` | Jeff Bristol | False | 0 | 1 | Former Business Office Director, replaced by Lauren Hasselman | +| `jodi.ramstack@cascadestucson.com` | Jodi Ramstack | **True** | **1 Business Standard** | 2 | **Zombie** — enabled in M365 but deleted from AD in 2026-04-13 cleanup. Wasting a $12.50/mo seat. | +| `kristiana.dowse@cascadestucson.com` | Kristiana Dowse (Shared) | False | 0 | 1 | HR confirmed not an employee | +| `nela.durut-azizi@cascadestucson.com` | Nela Durut-Azizi | False | 0 | 1 | HR confirmed DELETE (per m365.md) | +| `nick.pavloff@cascadestucson.com` | nick pavloff | False | 0 | 1 | Disabled in M365, never had an AD account | + +## Actions executed + +Tier: `user-manager` (Graph write permissions). + +All 7 deletes returned HTTP 204. 
After 15 sec propagation delay: + +- All 7 verified deleted: HTTP 404 on GET `/users/{id}` +- All 7 confirmed in `directory/deletedItems/microsoft.graph.user` (30-day soft-delete recovery window) + +| User | Object ID | +|---|---| +| ann.dery | `103b3ac4-2302-4334-8c8e-e66d383c883d` | +| anna.pitzlin | `06aa2955-f124-447d-8a16-cc7779aaf28f` | +| jeff.bristol | `8ec8248a-46e8-4771-9220-047887928777` | +| jodi.ramstack | `b7cddbeb-6026-436b-a3aa-67c4be43e3fb` | +| kristiana.dowse | `0c501281-3e80-48e0-8a3f-e460a15df470` | +| nela.durut-azizi | `84cef8a2-6988-44ea-bf20-a72fe622750d` | +| nick.pavloff | `4b46f47a-6c57-477d-bd6d-53f99324aee4` | + +**License freed:** 1 Business Standard seat (from jodi.ramstack). Next account-creation event (Alma.Montt or Kyla.QuickTiffany in Wave 1) can take that seat without new purchase. + +**Mail forwarding consideration:** Jeff Bristol and Anna Pitzlin/Nela Durut-Azizi historically had mail forwarded to Meredith per `docs/cloud/m365.md`. If Cascades needs any legacy mail that was routed through those boxes, restore from the soft-delete bin within 30 days (`Restore-MgDirectoryDeletedItem -DirectoryObjectId `) or keep a backup. 
+ +## NOT deleted (role-based / service accounts) + +Deferred pending delegation decisions per Howard's direction: + +| UPN | Disposition | +|---|---| +| accounting@cascadestucson.com | Pending Gate G2 conversion (→ shared, delegate: Ashley, Lauren) | +| accountingassistant@ | Pending Gate G2 (→ shared, delegate: Allison) | +| boadmin@ | Pending Gate G2 (delegates TBD) | +| frontdesk@ | Pending Gate G2 (delegates: Cathy, Shontiel, Kyla, Michelle, Sebastian, Sheldon, Ray) | +| hr@ | Pending Gate G2 (delegate: Meredith) | +| medtech@ | Pending Gate G2 (delegates TBD) | +| memcarereceptionist@ | Pending Gate G2 (delegates: Michelle, Matt) | +| nurse@ | Pending Gate G2 (delegates: Lois, Karen) | +| security@ | Pending Gate G2 (delegates TBD) | +| Training@ | Pending Gate G2 (delegates TBD) | +| transportation@ | Pending Gate G2 (retain? drivers being disabled — ask Meredith) | +| fax@ | Keep (fax-to-email service) | +| Kitchenipad@ | Keep (iPad device account) | +| MDMS@ | Keep (active Intune service account) | +| sysadmin@ | Keep (MSP Global Admin path) | + +## Not deleted (yet) — pending your confirmation + +| UPN | Reason to delete | Reason to keep | +|---|---|---| +| `Stephanie.Devin@cascadestucson.com` | Disabled member, appears to be former employee | Description says "Accounting Assist" — may still be in a grace window post-departure? | + +Ask Meredith before deleting. + +## Rollback + +All deletes recoverable within 30 days via: + +```powershell +Connect-MgGraph -Scopes 'Directory.Read.All','User.ReadWrite.All' +Restore-MgDirectoryDeletedItem -DirectoryObjectId +``` + +## Impact on Entra Connect + +- Duplicate-match risk reduced — 7 fewer cloud orphans to collide with AD sync targets +- `jodi.ramstack` was the most dangerous: enabled member with no AD counterpart. If left in place and AD was re-synced, Entra Connect would have seen her as a dangling member. 
+- Zero impact on currently-active users + +## Next steps (unchanged) + +- Gate G2 role-account conversion (pending delegation decisions from Meredith) +- Sign Microsoft BAA +- Create break-glass admin +- Gate G3 Entra Connect install (staging mode)
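Review bot: In the m365.md hunk, the Sandra Fish row for `admin@NETORGFT4257522.onmicrosoft.com` goes from "Delete when ready" to "Confirmed absent 2026-04-22 — already deleted at some point. No further action." A former Global Admin object vanishing without a recorded deletion is an audit gap, not a closed item: note whether it was found in `directory/deletedItems` (soft-deleted, still restorable) or is fully gone, and cite the Entra audit-log "Delete user" entry (date and actor) so "at some point" is replaced by who did it and when. Second point, same file: the removed Shared Mailboxes row "Jeff Bristol ... sign-in blocked, keep for mail forwarding?" carried an open question, and the replacement "(see Blocked section — deleted 2026-04-22)" does not say who answered it; the other two deleted mailboxes cite "HR says DELETE", so record the equivalent decision for Jeff next to the delete marker.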
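Review bot: In the new report, the Entra Connect impact section claims the duplicate-match risk is reduced, but during the 30-day soft-delete window the seven objects still hold their UPNs and proxyAddresses, and the pre-check table records AD status only for `ann.dery` and `jodi.ramstack` ("Already deleted from AD"). If any of the other five (the Blocked section they came from is described in the context line as "AD account + Entra sync") still has an AD object when Gate G3 staging sync runs, the synced object will conflict with the soft-deleted one. Suggest adding an AD-disposition column for all seven and, once the restore decision is made, hard-deleting with `Remove-MgDirectoryDeletedItem -DirectoryObjectId <id>` (or scheduling G3 after the window) so the addresses are released. Related: "Zero impact on currently-active users" is contradicted two paragraphs earlier by the mail-forwarding note; mail previously routed through `anna.pitzlin@` and `nela.durut-azizi@` to Meredith now bounces, so state that as the impact and say whether a contact/forwarding replacement is wanted. Finally, both rollback commands are missing their argument (`Restore-MgDirectoryDeletedItem -DirectoryObjectId ` inline and in the fenced block); write it as `-DirectoryObjectId <object-id from the table above>` so the runbook is usable as written.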