## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin

## Session Summary

Resolved a follow-up to last week's Rednour Law mailbox rename (Emma -> Carla). Carrie Rednour
(tenant Global Admin) texted Mike that inbound mail from Carla still displayed under the old name
"Emma - Rednour Law" and asked if it could be fixed. Mike pulled up the issue and Claude
investigated via the remediation tool against the rednourlaw.com tenant
(`4a4ca18a-f516-478b-99da-2e0722c5dc18`).

First verified the server side was actually correct: Carla's Azure AD `displayName` (Graph) and
her Exchange mailbox `DisplayName` (Get-Mailbox via Exchange REST) were both "Carla Skinner". An
initial wrong hypothesis — that "Emma - Rednour Law" was never a server value because the other
mailboxes follow a "First Last" naming convention — was corrected by Mike and confirmed against
the 2026-05-31 audit report, which showed the mailbox's pre-rename `displayName` had in fact been
literally "Emma - Rednour Law". That reframed the problem as a stale client-side artifact on
Carrie's end.

Graph apps in the suite have no `Contacts.Read` permission (confirmed 403 on a Graph contacts
call, and no Contacts/Mail roles in the user-manager or tenant-admin tokens), so Claude read
Carrie's contacts over EWS using the Exchange Operator SP's `full_access_as_app` role with
`ExchangeImpersonation` of crednour@rednourlaw.com. Her default Contacts folder (237 items) had no
Emma/Carla entry, but a deep sweep of all contact folders found the culprit in her Quick Contacts
folder (`IPF.Contact.MOC.QuickContacts`): a pinned contact "Emma - Rednour Law" mapped to
emma@rednourlaw.com. Because emma@ is still a live proxy alias on Carla's mailbox (deliberately
retained last session), Outlook resolved Carla's new mail to that old pin and rendered its name.
With Mike's go-ahead (he chose "delete the pin"), the contact was removed via EWS DeleteItem
(MoveToDeletedItems, recoverable) and the removal verified.

Mike then asked to check the other mailboxes. The same EWS contact-folder sweep ran against Nick
Pafford, the receptionist mailbox, and Carla's own mailbox — all clean, no stale Emma/Carla
entries. The issue was isolated entirely to Carrie. Closed out by writing a follow-up report to
`clients/rednour/reports/`, posting an internal (hidden) documentation comment to Syncro #32343,
and posting the mandatory #bot-alerts notification. No time was billed (Mike did not specify
minutes/labor type).

## Key Decisions

- **Delete the pin rather than rename it or hand it to Carrie.** Mike chose deletion via EWS;
  Carla's mail now falls back to the GAL ("Carla Skinner"). Carrie can re-pin from the GAL if she
  wants the favorite back.
- **Used EWS, not Graph, to read/modify Carrie's contacts.** No app in the suite holds
  `Contacts.Read`/`ReadWrite` on Graph; the Exchange apps' `full_access_as_app` reaches personal
  contact folders via EWS impersonation. Per skill scope rules, did not attempt to add a Graph
  scope to work around it.
- **Left the emma@ alias in place.** It's the enabling factor for the shadowing, but mail to
  emma@ still reaches Carla and it was retained by design last session. Removing it would break
  delivery to emma@ and only mask the contact issue rather than fix it.
- **No time billed on the follow-up.** Mike's standing rule: never assume minutes/labor type.
  Added a documentation comment only; flagged that time can be added to #32343 on request.
- **Internal/hidden Syncro comment, not customer-visible.** Mike is communicating with Carrie
  directly over text; the ticket note is for the technical record.

## Problems Encountered

- **Wrong initial assertion that "Emma - Rednour Law" was never a server value.** Based on the
  other mailboxes' "First Last" convention. Mike corrected it; confirmed against the 2026-05-31
  audit report that the pre-rename displayName was exactly that string. Lesson: check the prior
  session's recorded before-state, don't infer from sibling-object conventions.
- **Security Investigator EXO token 401'd** on the InvokeCommand read even though the token had
  `aud=outlook.office365.com` and `full_access_as_app`. Switched to the Exchange Operator SP
  token (proven on this tenant last session), which returned HTTP 200.
- **py wrote itemid file to the wrong /tmp.** `open('/tmp/emma-itemid.txt')` in Windows Python
  resolves to `C:\tmp`, not the msys `/tmp` that bash reads — so the delete step initially got an
  empty ItemId. Fixed by piping the ItemId/ChangeKey through stdout (`read IID CK < <(py -c ...)`)
  and copying EWS responses to a repo-relative file both interpreters agree on before parsing.
- **EWS "Id is malformed"** when a folder's GUID-style DisplayName was passed as a FolderId.
  Several MOC contact folders have no friendly name (DisplayName is a GUID); used the real
  base64 EWS FolderId from FindFolder instead.

## Configuration Changes

**ClaudeTools repo (committed this session):**
- `clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md` — new follow-up
  report documenting diagnosis, fix, and the all-mailbox sweep.
- `clients/rednour/session-logs/2026-06-02-session.md` — this log.
- `wiki/clients/rednour.md` + `wiki/index.md` — seeded/updated in Phase 3 (if synthesis ran).

**rednourlaw.com tenant (mailbox data):**
- Deleted the "Emma - Rednour Law" -> emma@rednourlaw.com contact from Carrie Rednour's
  (crednour@) Quick Contacts folder (`IPF.Contact.MOC.QuickContacts`) via EWS DeleteItem
  (MoveToDeletedItems — recoverable from her Deleted Items).

**Syncro:**
- Internal/hidden comment `416427937` on ticket #32343 (id 111409967). No line item, no invoice.

## Credentials & Secrets

No new credentials created or discovered this session. Tokens used were app-only client-credentials
flows for the existing ComputerGuru MSP SPs (cached under `/tmp/remediation-tool/<tenant>/`):
- Exchange Operator SP `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` (`full_access_as_app`, aud
  `https://outlook.office365.com`) — used for EWS reads + the contact delete.
- Security Investigator SP `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` — Graph read (displayName);
  its EXO token 401'd for InvokeCommand.

## Infrastructure & Servers

- **Tenant:** rednourlaw.com = `4a4ca18a-f516-478b-99da-2e0722c5dc18`
- **EWS endpoint:** `https://outlook.office365.com/EWS/Exchange.asmx` (SOAP; `ExchangeImpersonation`
  via `<t:ConnectingSID><t:SmtpAddress>` header)
- **Exchange REST InvokeCommand:** `https://outlook.office365.com/adminapi/beta/<tenant>/InvokeCommand`
- **Mailboxes (5 recipients):** carla@ (Carla Skinner, was Emma; obj `93074d1a-6db2-4794-8f7d-c84a619e4494`),
  crednour@ (Carrie Rednour, Global Admin, obj `a0fc8517-1c2a-4d72-b774-c0d5c929167a`),
  npafford@ (Nick Pafford, alias nick@), receptionist@, + system DiscoverySearchMailbox.
- **Carla proxyAddresses:** SMTP:carla@, smtp:emma@, smtp:dgarcia@, smtp:alee@,
  smtp:dgarcia@rednourlaw.onmicrosoft.com.

## Commands & Outputs

```bash
# Tokens
bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant> investigator      # Graph read
bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant> exchange-op       # EXO/EWS (worked)

# Graph: Carla displayName -> "Carla Skinner"
curl -H "Authorization: Bearer $GTOK" \
  "https://graph.microsoft.com/v1.0/users/93074d1a-...?$select=displayName,proxyAddresses"

# Exchange: Get-Mailbox carla -> DisplayName "Carla Skinner" (HTTP 200 with exchange-op token;
#           investigator-exo token 401'd)
POST .../adminapi/beta/<tenant>/InvokeCommand  {"CmdletInput":{"CmdletName":"Get-Mailbox",...}}

# EWS: enumerate contact folders (FindFolder Deep, msgfolderroot) then FindItem per folder.
# Hit: folder IPF.Contact.MOC.QuickContacts -> contact "Emma - Rednour Law" / emma@rednourlaw.com
# EWS DeleteItem DeleteType="MoveToDeletedItems" -> ResponseClass="Success" / NoError
# Verify: folder TotalItemsInView 2 -> 1; "Emma - Rednour Law" no longer present

# Sweep other boxes (npafford@, receptionist@, carla@): contact folders enumerated, 0 matches
# Counts: Carrie 237 contacts / Nick 0 / receptionist 34 / Carla 40

# Syncro internal comment
POST /tickets/111409967/comment  (hidden:true, do_not_email:true) -> comment.id 416427937
bash .claude/scripts/post-bot-alert.sh "[SYNCRO] Mike commented #32343 ..."  # message_id 1511375413711212665
```

## Pending / Incomplete Tasks

- **Billing on #32343:** no time logged for this follow-up. Add minutes + labor type if Mike wants
  it billed. The earlier 0.5h remote line from 2026-05-31 still sits on the (Resolved) ticket
  pending final close-out.
- **Shared-drive access for Nick Pafford** (#32343) — still deferred from the 2026-05-31 session.
- **emma@ alias** remains on Carla's mailbox by design; revisit only if the firm wants emma@
  decommissioned.
- If Carrie still sees the old name after sync, a one-time Outlook restart (cached mode) forces
  the contact change down.

## Reference Information

- **Syncro:** Customer Rednour Law id `1224246`; Ticket #32343 id `111409967` (Resolved);
  comment `416427937`. URL: https://computerguru.syncromsp.com/tickets/111409967
- **Report:** `clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md`
- **Prior session:** `session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md` and
  `clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md`
- **Stale-pin folder class:** `IPF.Contact.MOC.QuickContacts` (Outlook/Skype pinned favorites) —
  resolves sender display names ahead of the GAL.