sync: auto-sync from GURU-5070 at 2026-06-29 11:45:50

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-29 11:45:50
This commit is contained in:
2026-06-29 11:46:42 -07:00
parent 1f15a6bc79
commit e99110fdc9
8 changed files with 1245 additions and 2 deletions

View File

@@ -0,0 +1,58 @@
# Offboarding Lockdown — Teresa Carpio (VWP)
- **Date (UTC):** 2026-06-29
- **Tech:** Mike Swanson (GURU-5070)
- **Reason:** Employee quit unexpectedly — lock out of all access, primarily email.
- **Tenant:** valleywideplastering.com (`5c53ae9f-7071-4248-b834-8685b646450f`)
- **Target:** `teresa@valleywideplastering.com` (objectId `615d8ef9-e3cc-49a8-bd56-19921cafea4e`)
- **Tooling:** remediation-tool skill (ComputerGuru tiered app suite)
## Pre-action state (read-only check — clean)
- Account enabled; created 2023-03-17; last password change 2025-09-04.
- Mailbox: **0 inbox rules**, no forwarding, no hidden rules, no foreign delegates/SendAs.
- Auth methods (3): password, SMS `+1 602-228-3396`, Microsoft Authenticator (iPhone 14 Plus).
- Licenses: M365 Business Premium (no Teams), Flow Free.
- **Directory role: User Administrator** (privileged — unusual for payroll staff).
- Group memberships: Estimating Archive, Office Archive, QB, Valley Wide Plastering.
- Sign-ins (30d interactive): 0 flagged / none non-US. No risky-user/risk detections.
- **Sent/Deleted review (per request):** no exfiltration. Sent = routine internal pay
sheets/orders/estimating to coworkers + legit vendors (henryproducts.com, engagebp.com);
last send 2026-06-29 07:58 MST. Deleted = newsletters/automated notices only (no record
destruction / track-covering).
## Actions taken (confirmed by Mike)
| Action | Result |
|---|---|
| Reset password to random value (permanent) | OK — required JIT elevation (she holds User Admin) |
| Delete SMS auth method (`+1 602-228-3396`) | HTTP 204 |
| Delete Microsoft Authenticator (iPhone 14 Plus) | HTTP 204 |
| Revoke all sign-in sessions | `value: true` |
| Verify auth methods | Only `passwordAuthenticationMethod` remains (no MFA) |
New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. Account left
**enabled** with license + mailbox retained for handoff (not disabled per Mike's scope).
## [CRITICAL] Cleanup required — human Global Admin action
The password reset JIT-granted **Privileged Authentication Administrator** to the ComputerGuru
Tenant Admin SP (`fccda86c-77ca-4248-b876-b0cdba8605d4`). The script could not auto-remove it:
an app-only SP **cannot remove its own** privileged role ("no privilege to remove self"). Standing
PAA is now on our SP in the VWP tenant and must be removed by a human Global Admin:
> Entra portal → Roles and administrators → Privileged Authentication Administrator →
> remove **ComputerGuru Tenant Admin**. (Assignment id `ikzke6-tKk6E1qsmSeCKE2yozfzKd0hCuHawzbqGBdQ-1`.)
This is a script design flaw (logged to errorlog) — likely also left standing PAA on
**birthbiologic.com** (the 2026-06-08 reset). Worth a fleet sweep.
## Still open (Mike's decision / separate access)
- **Block sign-in / remove User Administrator role** — not done (scope was sessions+pw+MFA).
Recommended for a clean offboard.
- **On-prem AD `VWP.US`** — disable her personal user; the **`VWP\Payroll`** account she used on
the XP Orders VM is likely *shared* — confirm before disabling.
- Shared mailboxes `payroll@` / `orders@` — rotate / remove her access if delegated.
- VPN (OpenVPN on UDM), RDP/RemoteApp to VWP-QBS, QuickBooks login.
- Optional: convert her mailbox to shared or set a manager delegate for handoff.