sync: auto-sync from GURU-5070 at 2026-06-29 11:45:50
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-29 11:45:50
This commit is contained in:
@@ -0,0 +1,58 @@
|
||||
# Offboarding Lockdown — Teresa Carpio (VWP)
|
||||
|
||||
- **Date (UTC):** 2026-06-29
|
||||
- **Tech:** Mike Swanson (GURU-5070)
|
||||
- **Reason:** Employee quit unexpectedly — lock out of all access, primarily email.
|
||||
- **Tenant:** valleywideplastering.com (`5c53ae9f-7071-4248-b834-8685b646450f`)
|
||||
- **Target:** `teresa@valleywideplastering.com` (objectId `615d8ef9-e3cc-49a8-bd56-19921cafea4e`)
|
||||
- **Tooling:** remediation-tool skill (ComputerGuru tiered app suite)
|
||||
|
||||
## Pre-action state (read-only check — clean)
|
||||
|
||||
- Account enabled; created 2023-03-17; last password change 2025-09-04.
|
||||
- Mailbox: **0 inbox rules**, no forwarding, no hidden rules, no foreign delegates/SendAs.
|
||||
- Auth methods (3): password, SMS `+1 602-228-3396`, Microsoft Authenticator (iPhone 14 Plus).
|
||||
- Licenses: M365 Business Premium (no Teams), Flow Free.
|
||||
- **Directory role: User Administrator** (privileged — unusual for payroll staff).
|
||||
- Group memberships: Estimating Archive, Office Archive, QB, Valley Wide Plastering.
|
||||
- Sign-ins (30d interactive): 0 flagged / none non-US. No risky-user/risk detections.
|
||||
- **Sent/Deleted review (per request):** no exfiltration. Sent = routine internal pay
|
||||
sheets/orders/estimating to coworkers + legit vendors (henryproducts.com, engagebp.com);
|
||||
last send 2026-06-29 07:58 MST. Deleted = newsletters/automated notices only (no record
|
||||
destruction / track-covering).
|
||||
|
||||
## Actions taken (confirmed by Mike)
|
||||
|
||||
| Action | Result |
|
||||
|---|---|
|
||||
| Reset password to random value (permanent) | OK — required JIT elevation (she holds User Admin) |
|
||||
| Delete SMS auth method (`+1 602-228-3396`) | HTTP 204 |
|
||||
| Delete Microsoft Authenticator (iPhone 14 Plus) | HTTP 204 |
|
||||
| Revoke all sign-in sessions | `value: true` |
|
||||
| Verify auth methods | Only `passwordAuthenticationMethod` remains (no MFA) |
|
||||
|
||||
New password stored in vault: `clients/valleywide/teresa-m365-offboarded`. Account left
|
||||
**enabled** with license + mailbox retained for handoff (not disabled per Mike's scope).
|
||||
|
||||
## [CRITICAL] Cleanup required — human Global Admin action
|
||||
|
||||
The password reset JIT-granted **Privileged Authentication Administrator** to the ComputerGuru
|
||||
Tenant Admin SP (`fccda86c-77ca-4248-b876-b0cdba8605d4`). The script could not auto-remove it:
|
||||
an app-only SP **cannot remove its own** privileged role ("no privilege to remove self"). Standing
|
||||
PAA is now on our SP in the VWP tenant and must be removed by a human Global Admin:
|
||||
|
||||
> Entra portal → Roles and administrators → Privileged Authentication Administrator →
|
||||
> remove **ComputerGuru Tenant Admin**. (Assignment id `ikzke6-tKk6E1qsmSeCKE2yozfzKd0hCuHawzbqGBdQ-1`.)
|
||||
|
||||
This is a script design flaw (logged to errorlog) — likely also left standing PAA on
|
||||
**birthbiologic.com** (the 2026-06-08 reset). Worth a fleet sweep.
|
||||
|
||||
## Still open (Mike's decision / separate access)
|
||||
|
||||
- **Block sign-in / remove User Administrator role** — not done (scope was sessions+pw+MFA).
|
||||
Recommended for a clean offboard.
|
||||
- **On-prem AD `VWP.US`** — disable her personal user; the **`VWP\Payroll`** account she used on
|
||||
the XP Orders VM is likely *shared* — confirm before disabling.
|
||||
- Shared mailboxes `payroll@` / `orders@` — rotate / remove her access if delegated.
|
||||
- VPN (OpenVPN on UDM), RDP/RemoteApp to VWP-QBS, QuickBooks login.
|
||||
- Optional: convert her mailbox to shared or set a manager delegate for handoff.
|
||||
Reference in New Issue
Block a user