sync: auto-sync from GURU-5070 at 2026-06-29 11:45:50
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-29 11:45:50
@@ -12,7 +12,7 @@ Each Datto Project became its own SharePoint **site**, and the files live in tha
| **Admin** | Admin | https://birthbiologic.sharepoint.com/sites/admin | Documents library (root) | ~5.8 GB / ~6,300 files |
| **Birth Biologic Activity Reports** | Admin (same site) | https://birthbiologic.sharepoint.com/sites/admin | Documents library, subfolder `Birth Biologic Activity Reports` | small |
| **Donor Services** | Donor Services | https://birthbiologic.sharepoint.com/sites/donorservices | Documents library (root) | ~109 GB / ~56,800 files |
| **Quality Department** | Quality Department | https://birthbiologic.sharepoint.com/sites/QualityDepartment | Documents library (root) | ~28 GB / ~3,700 files |
| **Quality Department** | **Quality Systems Department** | https://birthbiologic.sharepoint.com/sites/QualitySystemsDepartment | Documents library (root) | ~28 GB / ~3,700 files |
| **Supply Management** | Supply Management | https://birthbiologic.sharepoint.com/sites/SupplyManagement | Documents library (root) | ~33 MB / ~160 files |
| **ITSvcs** | — NOT MIGRATED — | — | — | (ACG-owned IT folder, not BirthBiologic data; intentionally excluded) |

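Review bot: the replaced Quality row keeps the interim site's `~28 GB / ~3,700 files` figure while pointing at `Quality Systems Department`, even though the next hunk says ~1,006 files (~2.1 GB) present in the old `Quality Department` site are still missing from the new one; the size column should carry the new site's own post-migration count, or be marked as pending reconciliation, rather than reusing the old figure. The `ITSvcs` row also puts its exclusion reason in the size column; a separate Notes column (or the prose bullet that already exists for it) would keep that column numeric.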
@@ -29,6 +29,13 @@ exact post-migration count.
as a subfolder).
- **ITSvcs is intentionally excluded** — it is an ACG-owned IT working folder, not BirthBiologic
business data, and was never in migration scope.
- **Quality split (correction 2026-06-29):** the Quality content exists in two sites — an interim
`Quality Department` site (the original OneDrive-sync target on ACG-DWP-X-BB) and the canonical
working **`Quality Systems Department`** site. The map points to Quality Systems Department.
A file-by-file comparison found ~1,006 files (~2.1 GB) present in the old `Quality Department`
site but missing from `Quality Systems Department` (mostly `LOGS` 485/1.6 GB and `Bone Bank Onsite
Audit 2025` 427/440 MB) — being migrated/reconciled into Quality Systems Department. Full list:
`quality-orphaned-files.txt`. The 4 `Quality Systems Department-*` spoke sites exist but are empty.
- The **Attachments** library visible under the synced OneDrive is a default SharePoint library, not
part of the Datto migration.


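Review bot: the new `Quality split` bullet says the ~1,006 orphaned files are "being migrated/reconciled" but records no owner, target date or verification step, so the map's claim that `Quality Systems Department` is the canonical site describes a state that is not yet true; add who is doing the reconciliation and how completion will be confirmed (re-running the same file-by-file comparison until `quality-orphaned-files.txt` comes back empty is the obvious check). The bullet also notes that the 4 `Quality Systems Department-*` spoke sites exist but are empty without saying whether they are to be deleted or kept; empty sibling sites with near-identical names are easy to mistake for the canonical one, so state the intended disposition.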
1006 clients/birth-biologic/docs/migration/quality-orphaned-files.txt (Normal file)
File diff suppressed because it is too large
@@ -0,0 +1,58 @@
# Offboarding Lockdown — Teresa Carpio (VWP)

- **Date (UTC):** 2026-06-29
- **Tech:** Mike Swanson (GURU-5070)
- **Reason:** Employee quit unexpectedly — lock out of all access, primarily email.
- **Tenant:** valleywideplastering.com (`5c53ae9f-7071-4248-b834-8685b646450f`)
- **Target:** `teresa@valleywideplastering.com` (objectId `615d8ef9-e3cc-49a8-bd56-19921cafea4e`)
- **Tooling:** remediation-tool skill (ComputerGuru tiered app suite)

## Pre-action state (read-only check — clean)

- Account enabled; created 2023-03-17; last password change 2025-09-04.
- Mailbox: **0 inbox rules**, no forwarding, no hidden rules, no foreign delegates/SendAs.
- Auth methods (3): password, SMS `+1 602-228-3396`, Microsoft Authenticator (iPhone 14 Plus).
- Licenses: M365 Business Premium (no Teams), Flow Free.
- **Directory role: User Administrator** (privileged — unusual for payroll staff).
- Group memberships: Estimating Archive, Office Archive, QB, Valley Wide Plastering.
- Sign-ins (30d interactive): 0 flagged / none non-US. No risky-user/risk detections.
- **Sent/Deleted review (per request):** no exfiltration. Sent = routine internal pay
sheets/orders/estimating to coworkers + legit vendors (henryproducts.com, engagebp.com);
last send 2026-06-29 07:58 MST. Deleted = newsletters/automated notices only (no record
destruction / track-covering).

## Actions taken (confirmed by Mike)

| Action | Result |
|---|---|
| Reset password to random value (permanent) | OK — required JIT elevation (she holds User Admin) |
| Delete SMS auth method (`+1 602-228-3396`) | HTTP 204 |
| Delete Microsoft Authenticator (iPhone 14 Plus) | HTTP 204 |
| Revoke all sign-in sessions | `value: true` |
| Verify auth methods | Only `passwordAuthenticationMethod` remains (no MFA) |

New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. Account left
**enabled** with license + mailbox retained for handoff (not disabled per Mike's scope).

## [CRITICAL] Cleanup required — human Global Admin action

The password reset JIT-granted **Privileged Authentication Administrator** to the ComputerGuru
Tenant Admin SP (`fccda86c-77ca-4248-b876-b0cdba8605d4`). The script could not auto-remove it:
an app-only SP **cannot remove its own** privileged role ("no privilege to remove self"). Standing
PAA is now on our SP in the VWP tenant and must be removed by a human Global Admin:

> Entra portal → Roles and administrators → Privileged Authentication Administrator →
> remove **ComputerGuru Tenant Admin**. (Assignment id `ikzke6-tKk6E1qsmSeCKE2yozfzKd0hCuHawzbqGBdQ-1`.)

This is a script design flaw (logged to errorlog) — likely also left standing PAA on
**birthbiologic.com** (the 2026-06-08 reset). Worth a fleet sweep.

## Still open (Mike's decision / separate access)

- **Block sign-in / remove User Administrator role** — not done (scope was sessions+pw+MFA).
Recommended for a clean offboard.
- **On-prem AD `VWP.US`** — disable her personal user; the **`VWP\Payroll`** account she used on
the XP Orders VM is likely *shared* — confirm before disabling.
- Shared mailboxes `payroll@` / `orders@` — rotate / remove her access if delegated.
- VPN (OpenVPN on UDM), RDP/RemoteApp to VWP-QBS, QuickBooks login.
- Optional: convert her mailbox to shared or set a manager delegate for handoff.
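Review bot: the end state this file records is an account that is still **enabled**, still holds the **User Administrator** directory role, has had both MFA methods deleted so that only `passwordAuthenticationMethod` remains, and whose new password sits at a shared vault path (`clients/valleywide/teresa-m365-offboarded`); that is a privileged account protected by a single factor known to everyone with vault access, which is a weaker posture than the pre-action state for anyone other than the departed employee. Either remove the User Administrator role (or block sign-in) within the same change, or turn the first `Still open` bullet into a dated follow-up with an owner, and say plainly under `Actions taken` that the account is now password-only. The `[CRITICAL]` PAA cleanup has the same gap: it is described but not tracked, so add it to `Still open` with the assignment id and a verification step (re-read the role's assignment list after the human Global Admin removes it), and scope the proposed fleet sweep to every tenant in which the tool has performed a reset rather than only **birthbiologic.com**, since the text itself calls the self-removal failure a design flaw rather than a one-off. Finally, the full SMS number and device model are committed to the repo although the two `HTTP 204` results already evidence their removal; redacting the number to its last digits would keep the record useful without carrying PII.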