---
type: client
name: bg-builders
display_name: BG Builders LLC
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - clients/bg-builders/session-logs/2026-03-09-session.md
---

# BG Builders LLC

## Overview

- **Business type:** Construction / building contractor [unverified beyond name]
- **M365 tenant:** bgbuildersllc.com
- **Billing model:** Unknown — no billing data in session log
- **Contract status:** Unknown
- **CIPP Name:** sonorangreenllc.com (alternate tenant name in CIPP)

## Contacts

| Name | UPN | Access | Notes |
|---|---|---|---|
| Barry | barry@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set at the original termination (2026-02-27) |
| Shelly | Shelly@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set via the re-enable script logic; Key Events records this as added in the 2026-03-09 session (the 2026-02-27 entry lists Barry only) |
| Lesley Roth | lesley@bgbuildersllc.com | Disabled | Terminated employee; account preserved per client request |

## Infrastructure

*(not documented — session was M365 account disable/wipe focused; no on-premises infrastructure captured)*

## Network

*(not documented)*

## Cloud / M365

| Property | Value |
|---|---|
| Tenant domain | bgbuildersllc.com |
| Tenant ID | ededa4fb-f6eb-4398-851d-5eb3e11fab27 |
| CIPP Name | sonorangreenllc.com |
| Admin UPN | sysadmin@bgbuildersllc.com |
| Admin credentials | Vault only — do NOT hardcode |
| Intune / Business Premium | No — no Intune-managed devices |
| Lesley account state | Disabled (AccountEnabled: False), Litigation Hold: True, licenses still assigned |

> [WARNING] Session log contained plaintext M365 admin credentials (sysadmin@bgbuildersllc.com). Use vault only: `vault.sh get-field clients/bg-builders/m365`.
### Lesley Roth — account state as of 2026-03-09

| Property | Value |
|---|---|
| AccountEnabled | False (was already False from the 2026-02-27 termination) |
| Mailbox type | UserMailbox |
| Litigation Hold | True |
| Licenses | Still assigned (per client request — not removed) |
| Barry access | FullAccess + SendAs |
| Shelly access | FullAccess + SendAs |
| iPhone 16 Pro (iOS 26.3.1) | AccountOnlyDeviceWipePending (active device, last sync 2026-03-09) |
| iPhone 14 Pro (iOS 18.5) | AccountOnlyDeviceWipePending (stale — last sync 2025-06-27; an Exchange ActiveSync wipe is only delivered on the device's next sync, so this may never be acknowledged) |
| OneDrive | Not addressed |

### 72-hour mail activity report (Lesley, 2026-03-06 to 2026-03-09)

- No suspicious activity found — no suspicious sent/deleted mail, no inbox rules, no forwarding configured.
- Report saved to: `D:\ClaudeTools\scripts\bgb-lesley-mail-report-20260309.txt`

### M365 PowerShell technical notes

- `Get-MessageTrace` deprecated Sep 2025 — use `Get-MessageTraceV2`. It has no `-PageSize`/`-Page` parameters; cap output with `-ResultSize` and narrow the `-StartDate`/`-EndDate` window instead.
- `Search-MailboxAuditLog` deprecated Jan 2026 — use `Search-UnifiedAuditLog`. Each returned record carries its mailbox-audit detail (operation, client, affected items) as a JSON string in `AuditData`; parse it with `ConvertFrom-Json`.
- Exchange Online `-Device` auth switch requires PowerShell 7 (`pwsh`), NOT Windows PowerShell 5.1.
- WAM broker auth requires a visible PowerShell window — cannot run from bash or a non-interactive shell. Genuinely unattended runs need app-only certificate auth (`Connect-ExchangeOnline -AppId ... -CertificateThumbprint ... -Organization ...`), which this tenant does not yet have set up.
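The 72-hour report and the cmdlet notes above, worked as an added PowerShell example. This is not the page's `bgb-lesley-mail-report.ps1`; it is a stand-alone script written for this wiki that assumes pwsh 7 with the `ExchangeOnlineManagement` module, interactive `-Device` sign-in by an operator who pulled the admin credentials from the vault, and the mailbox UPN and report path taken from this page. The operations list passed to `Search-UnifiedAuditLog` is a choice made here, not something the session log specifies.

```powershell
#Requires -Version 7.0
#Requires -Modules ExchangeOnlineManagement
# Added example for this wiki page, not the client's script. Produces a
# 72-hour mail activity report for a terminated user's mailbox using the
# replacement cmdlets (Get-MessageTraceV2, Search-UnifiedAuditLog).
param(
    [string]$Mailbox    = 'lesley@bgbuildersllc.com',                # from this page
    [int]$Hours         = 72,
    [string]$ReportPath = "D:\ClaudeTools\scripts\bgb-lesley-mail-report-$(Get-Date -Format yyyyMMdd).txt"
)

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-$Hours)

# -Device works from a plain pwsh console without the WAM broker, but it still
# needs an operator at the keyboard to complete the device-code sign-in.
Connect-ExchangeOnline -Device -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Outbound mail. Get-MessageTraceV2 has no -PageSize; cap with -ResultSize
#    and keep the window narrow instead of paging.
$sent = @(Get-MessageTraceV2 -SenderAddress $Mailbox -StartDate $start -EndDate $end -ResultSize 5000)
foreach ($m in $sent) {
    $findings.Add(("SENT {0:u} to {1} [{2}] '{3}'" -f $m.Received, $m.RecipientAddress, $m.Status, $m.Subject))
}

# 2. Inbox rules and mailbox-level forwarding: the two persistence mechanisms
#    most often left behind by a departing or compromised user.
$rules = @(Get-InboxRule -Mailbox $Mailbox)
foreach ($r in $rules) {
    $exfil = [bool]($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage)
    $findings.Add(("RULE '{0}' enabled={1} forwards/redirects/deletes={2}" -f $r.Name, $r.Enabled, $exfil))
}
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    $findings.Add(("FORWARDING ForwardingAddress={0} ForwardingSmtpAddress={1} DeliverToMailboxAndForward={2}" -f `
        $mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress, $mbx.DeliverToMailboxAndForward))
}

# 3. Deletions and rule/mailbox changes from the unified audit log. The detail
#    for each record is a JSON string in AuditData. Exchange records name the
#    client address ClientIPAddress; Entra records use ClientIP, so fall back.
$ops = 'HardDelete','SoftDelete','MoveToDeletedItems','New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox'
$audit = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Mailbox -Operations $ops -ResultSize 5000)
foreach ($rec in $audit) {
    $d = $rec.AuditData | ConvertFrom-Json
    $items = if ($d.AffectedItems) { @($d.AffectedItems).Count } else { 1 }
    $ip = $d.ClientIPAddress ?? $d.ClientIP
    $findings.Add(("AUDIT {0:u} {1} items={2} client='{3}' ip={4}" -f $rec.CreationDate, $rec.Operations, $items, $d.ClientInfoString, $ip))
}

# 4. Summarise. "Nothing suspicious" on this page means: no inbox rules, no
#    forwarding, and no unexpected outbound mail or bulk deletion in the window.
$header = @(
    "Mail activity report for $Mailbox"
    "Window (UTC): $($start.ToString('u')) to $($end.ToString('u'))"
    "Sent messages: $($sent.Count)  Inbox rules: $($rules.Count)  Audit records: $($audit.Count)"
    ''
)
($header + $findings) | Set-Content -Path $ReportPath -Encoding utf8
Write-Host "Report written to $ReportPath ($($findings.Count) finding lines)"
Disconnect-ExchangeOnline -Confirm:$false
```

A report with zero RULE, FORWARDING and AUDIT lines and only expected SENT lines is what "nothing suspicious" looks like; a `Set-Mailbox` audit record or any rule with forwards/redirects/deletes=True is the first thing to chase. The report file contains recipient addresses and subjects, so it belongs in the client folder, not in a shared scripts directory.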
### Scripts created (2026-03-09)

| Script | Purpose |
|---|---|
| `scripts/bgb-lesley-disable-wipe.ps1` | Disable account + device email wipe |
| `scripts/bgb-lesley-mail-report.ps1` | 72-hour mail activity report |
| `scripts/bgb-lesley-verify-wipe.ps1` | Verify device wipe status |

## GuruRMM

*(not documented)*

## Active Projects / Open Items

| Priority | Item | Owner |
|---|---|---|
| P1 | iPhone 16 Pro (active, synced 2026-03-09) — wipe should have completed; verify status | Howard / Mike |
| P1 | iPhone 14 Pro (stale since 2025-06-27) — wipe likely never acknowledged; verify or close the item | Howard / Mike |
| P2 | Lesley's OneDrive access not addressed in this session | Mike |
| P3 | sysadmin privilege — scripted password reset of Lesley's account returned 403 (insufficient privilege); the reset was done manually via the M365 Admin Center. Verify sysadmin's role assignments are sufficient for future terminations (typical causes: a Password/Helpdesk/User Administrator role cannot reset the password of a user who holds any admin role, and the Graph session may lack the `User-PasswordProfile.ReadWrite.All` scope) | Mike |

## Key Events / History

### 2026-02-27 — First termination (prior session, minimal detail)

- Lesley's account was disabled and sessions revoked.
- Litigation hold was enabled.
- Barry given FullAccess + SendAs.

### 2026-03-09 — Employee disable and device wipe

Lesley Roth (lesley@bgbuildersllc.com) terminated employee offboarding:

- Account already disabled (AccountEnabled was already False from 2026-02-27).
- Sessions re-revoked (belt-and-suspenders).
- Password manually reset via M365 Admin Center (script failed 403 — sysadmin lacked privilege). The new password was recorded in plaintext in the session log and is deliberately not reproduced on this page: move it to the vault (`vault.sh`, `clients/bg-builders/`) and rotate it if the account still exists.
- AccountOnly device wipe initiated on both iPhones (removes the M365 account and its synced mail/calendar/contacts from the device; personal data preserved).
- Shelly given FullAccess + SendAs (added this session via the re-enable script logic).
- 72-hour mail activity report: nothing suspicious.
- Account NOT converted to shared mailbox; licenses NOT removed — per client request.

## Anti-Patterns / Warnings

- [WARNING] Plaintext M365 admin credentials in session log — use vault only.
- [WARNING] sysadmin account has insufficient privileges to programmatically reset user passwords (403 on password reset). Confirm the role assignment (and Graph consent) before the next offboarding rather than during it; plan for Global Admin or Privileged Authentication Administrator if the target user holds any admin role.
- BG Builders has NO Intune / Business Premium — device management is via Exchange ActiveSync (EAS) only. AccountOnly wipes (not full Intune wipes) are the only available device action, and they take effect only when the device next syncs.
- iPhone 14 Pro last synced 2025-06-27 — the wipe will never complete if the device stays offline. Do not wait on it; record it as unreachable and close the item.
- Do NOT delete Lesley's account or remove licenses without explicit client instruction — client requested account preservation.
- CIPP name for this tenant is `sonorangreenllc.com` — use this when looking up the tenant in CIPP.

## Backlinks

- *(no related wiki articles yet)*
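The 2026-03-09 procedure (disable, revoke sessions, litigation hold, delegate the mailbox, account-only wipe) and the wipe verification that the two P1 items call for, worked as one added PowerShell example. This is not the page's `bgb-lesley-disable-wipe.ps1` or `bgb-lesley-verify-wipe.ps1`; it was written for this wiki and assumes pwsh 7 with the `Microsoft.Graph.Users`, `Microsoft.Graph.Users.Actions` and `ExchangeOnlineManagement` modules, an operator signed in with credentials pulled from the vault, and the UPNs from this page. The 30-day stale threshold and the `-Wipe` switch are choices made here; the `Succeeded` status suffix is the expected successor to `AccountOnlyDeviceWipePending` and is treated as an assumption.

```powershell
#Requires -Version 7.0
# Added example for this wiki page, not the client's scripts. Idempotent
# offboarding: every step is safe to re-run (the 2026-03-09 session hit an
# account that was already disabled, and permissions that were already set).
param(
    [string]$User        = 'lesley@bgbuildersllc.com',                                  # from this page
    [string[]]$Delegates = @('barry@bgbuildersllc.com', 'shelly@bgbuildersllc.com'),    # from this page
    [int]$StaleDays      = 30,     # assumption: devices silent this long are treated as unreachable
    [switch]$Wipe                  # without -Wipe the script only reports device state
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome
Connect-ExchangeOnline -Device -ShowBanner:$false

# 1. Identity: block sign-in, then invalidate refresh tokens so existing
#    sessions die at their next token refresh ("belt-and-suspenders").
$u = Get-MgUser -UserId $User -Property Id, AccountEnabled, UserPrincipalName
if ($u.AccountEnabled) {
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    Write-Host "Disabled $User"
} else {
    Write-Host "$User already disabled"
}
Revoke-MgUserSignInSession -UserId $u.Id | Out-Null

# 2. Mailbox: preserve it and delegate it. The client wants the account and
#    licences kept, so there is no shared-mailbox conversion here.
Set-Mailbox -Identity $User -LitigationHoldEnabled $true
foreach ($d in $Delegates) {
    $hasFull = Get-MailboxPermission -Identity $User -User $d -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' }
    if (-not $hasFull) {
        Add-MailboxPermission -Identity $User -User $d -AccessRights FullAccess -AutoMapping $false -InheritanceType All | Out-Null
    }
    $hasSendAs = Get-RecipientPermission -Identity $User -Trustee $d -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'SendAs' }
    if (-not $hasSendAs) {
        Add-RecipientPermission -Identity $User -Trustee $d -AccessRights SendAs -Confirm:$false | Out-Null
    }
    Write-Host "$d has FullAccess + SendAs on $User"
}

# 3. Devices: with no Intune the only lever is Exchange ActiveSync, so an
#    account-only wipe is the strongest action available. The wipe command is
#    delivered on the device's next sync; a device that never syncs again sits
#    at AccountOnlyDeviceWipePending forever, so report stale ones instead of waiting.
$cutoff  = (Get-Date).AddDays(-$StaleDays)
$devices = @(Get-MobileDeviceStatistics -Mailbox $User)
$report  = foreach ($dev in $devices) {
    if ($Wipe -and $dev.Status -notmatch 'Wipe') {
        Clear-MobileDevice -Identity $dev.Identity -AccountOnly -Confirm:$false
        $dev = Get-MobileDeviceStatistics -Identity $dev.Identity
    }
    $stale = (-not $dev.LastSuccessSync) -or ($dev.LastSuccessSync -lt $cutoff)
    [pscustomobject]@{
        Device   = "$($dev.DeviceModel) ($($dev.DeviceOS))"
        LastSync = $dev.LastSuccessSync
        Status   = $dev.Status
        Stale    = $stale
        Action   = if ($dev.Status -match 'Succeeded') { 'wipe acknowledged; close the item' }   # assumed successor state
                   elseif ($dev.Status -match 'Pending' -and $stale) { 'will not complete while offline; close the item as unreachable' }
                   elseif ($dev.Status -match 'Wipe') { 'wait for next sync, then re-run to verify' }
                   else { 'no wipe issued' }
    }
}
$report | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Wipe` to see the current device table (for this tenant that is the two iPhones at `AccountOnlyDeviceWipePending`), then with `-Wipe` only on a fresh termination. The stale-device branch is what the iPhone 14 Pro item needs: a device last seen in June 2025 will never acknowledge, and the right closure is to record it as unreachable, not to keep the P1 open.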
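The 403 in the P3 item and the first warning above, worked as an added PowerShell pre-flight check that can run before an offboarding rather than during it. This is example code written for this wiki, not the client's script; it assumes pwsh 7 with the `Microsoft.Graph.Users` module and read access to directory roles, and it uses the UPNs from this page. The role-to-target rules encoded here follow Microsoft's documented role permissions; the exact reason the sysadmin account got a 403 is not recorded in the session log, so the verdict is advisory.

```powershell
#Requires -Version 7.0
# Added example for this wiki page. Answers "can $Admin reset $Target's password
# via Graph?" from active directory-role assignments, before a termination run.
param(
    [string]$Admin  = 'sysadmin@bgbuildersllc.com',   # from this page
    [string]$Target = 'lesley@bgbuildersllc.com'      # from this page
)

Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

function Get-ActiveRoleName {
    # Active (not PIM-eligible) directory roles held by a user, including roles
    # inherited through role-assignable groups. directoryRole objects come back
    # with their displayName in AdditionalProperties.
    param([string]$Upn)
    Get-MgUserTransitiveMemberOf -UserId $Upn -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties.displayName }
}

$adminRoles  = @(Get-ActiveRoleName -Upn $Admin)
$targetRoles = @(Get-ActiveRoleName -Upn $Target)

# Who may reset whose password (Microsoft role documentation): these two can
# reset anyone; the others can reset users who hold no admin role at all.
$resetAnyone    = 'Global Administrator', 'Privileged Authentication Administrator'
$resetNonAdmins = 'Password Administrator', 'Helpdesk Administrator', 'Authentication Administrator', 'User Administrator'

$verdict =
    if ($adminRoles | Where-Object { $_ -in $resetAnyone }) {
        'can reset: admin holds a privileged reset role'
    } elseif ($targetRoles.Count -gt 0) {
        "cannot reset: target holds admin role(s) [$($targetRoles -join ', ')]; needs Global Administrator or Privileged Authentication Administrator"
    } elseif ($adminRoles | Where-Object { $_ -in $resetNonAdmins }) {
        'can reset: target is a non-admin and admin holds a reset-capable role'
    } else {
        'cannot reset: admin holds no password-reset role'
    }

[pscustomobject]@{
    Admin       = $Admin
    AdminRoles  = ($adminRoles -join ', ')
    Target      = $Target
    TargetRoles = ($targetRoles -join ', ')
    Verdict     = $verdict
    # Even with the right role, the Graph session itself must be consented for
    # the reset scope; a session opened without it also returns 403.
    ScopeNeeded = 'User-PasswordProfile.ReadWrite.All (delegated) when calling Update-MgUser -PasswordProfile'
} | Format-List
```

If the verdict is "can reset" and the scripted reset still fails, the scope line is the next thing to check: `Connect-MgGraph` must have been called with `User-PasswordProfile.ReadWrite.All` (and the consent granted) for the same session that runs the reset.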