diff --git a/clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md b/clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md
index 518ead8..ea9f0c9 100644
--- a/clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md
+++ b/clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md
@@ -23,7 +23,12 @@
 
 **Prereq:** Domain admin logged into CS-SERVER console. Fresh download of Entra Connect Sync.
 
-Download: https://www.microsoft.com/en-us/download/details.aspx?id=47594
+**Download path (updated 2026-04-24 — Microsoft moved distribution away from Download Center):**
+1. Sign in to https://entra.microsoft.com as Cascades tenant Global Admin
+2. Navigate: **Identity → Hybrid management → Microsoft Entra Connect → Connect Sync**
+3. Download the installer MSI from that blade
+
+The public Download Center now returns only a "DecommissionDownloadCentre" PDF notice. New versions are only released via the Entra admin portal.
 
 ### Installer wizard — field-by-field
 
diff --git a/clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md b/clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md
index 57ba2c3..44e0276 100644
--- a/clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md
+++ b/clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md
@@ -121,6 +121,12 @@ All 6 returned HTTP 200:
 
 Exchange REST `Set-Mailbox -Type Shared` et al. returned HTTP 401 (RBAC not yet propagated after onboard-tenant.sh assigned Exchange Administrator role this session). Retries pending.
 
+**Retry log:**
+- 14:25 PDT — initial attempt, HTTP 401
+- 15:13 PDT — first scheduled retry (cron fe0046b1), HTTP 401, still not propagated
+- 16:19 PDT — second scheduled retry, HTTP 401, still not propagated (~2h after role assignment)
+- 18:23 PDT — third (final auto) retry scheduled. If this also fails, RBAC is clearly not propagating normally and manual portal path is needed.
+
 For each of the 7 restored mailboxes (6 above + Jeff):
 1. `Set-Mailbox -Identity <upn> -Type Shared`
 2. `Set-Mailbox -Identity <upn> -HiddenFromAddressListsEnabled $true`