# Exchange REST API Propagation Status - Cascades Tucson **Date:** 2026-05-07 **Time:** 09:33 AM MST **Tenant:** Cascades of Tucson (207fa277-e9d8-4eb7-ada1-1064d2221498) --- ## Current Status: PROPAGATION IN PROGRESS Exchange REST API is still returning HTTP 401 with "invalid_token" error, despite all required permissions and roles being correctly assigned. This is a known Exchange Online propagation delay. --- ## Verification Completed **[OK] Graph API confirms all assignments are correct:** 1. **Security Investigator SP** (c64ee5c1-a607-46cb-81b8-42de3de98d48) - Exchange Administrator directory role: ASSIGNED ✓ - Office 365 Exchange Online app role: ASSIGNED ✓ - App role ID: dc890d15-9560-4a4c-9b7f-a736ec74ec40 (full_access_as_app) ✓ 2. **Token acquisition:** WORKING ✓ - investigator-exo tier token: ACQUIRED ✓ - Scope: https://outlook.office365.com/.default ✓ 3. **Exchange REST API access:** HTTP 401 (propagation delay) ⏳ --- ## Error Details **HTTP Response:** ``` HTTP/2 401 WWW-Authenticate: Bearer client_id="ec156f81-f23a-47bd-b16f-9fb2c66420f9", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="invalid_token" ``` **Analysis:** - Error "invalid_token" indicates Exchange Online hasn't recognized the new permissions yet - This is NOT a configuration error (all Graph API checks pass) - Typical propagation time: 15-60 minutes from role assignment - Role was assigned: ~09:05 AM MST - Current time: 09:33 AM MST (28 minutes elapsed) --- ## What's Happening Exchange Online maintains its own permission cache separate from Entra ID (Graph API). When a new service principal is assigned the Exchange Administrator role: 1. **Immediate:** Graph API recognizes the assignment (verified ✓) 2. **Delayed (15-60 min):** Exchange REST API propagates the permission 3. **Common:** First attempts return HTTP 401 until cache refreshes This is normal behavior for first-time app onboarding to a tenant. --- ## Next Steps ### Option 1: Wait and Retry (Recommended) **Retry after:** 10:00 AM MST (27 minutes from now) ```bash # Clear token cache rm -f /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/investigator-exo.jwt # Get fresh token TOKEN=$(REMEDIATION_AUTH=secret bash scripts/get-token.sh 207fa277-e9d8-4eb7-ada1-1064d2221498 investigator-exo 2>/dev/null) # Test Exchange REST API curl -X POST \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ "https://outlook.office365.com/adminapi/beta/207fa277-e9d8-4eb7-ada1-1064d2221498/InvokeCommand" \ -d '{"CmdletInput":{"CmdletName":"Get-Mailbox","Parameters":{"Identity":"Britney.Thompson@cascadestucson.com"}}}' ``` If still 401 after 10:00 AM, wait until 10:30 AM and try again. ### Option 2: Manual Portal Verification (If still failing after 1 hour) If Exchange REST API still returns 401 after 10:30 AM MST: 1. **Check Entra portal:** - https://entra.microsoft.com → Roles and administrators → Exchange Administrator - Verify "ComputerGuru - Security Investigator" is listed as a member 2. **Check Conditional Access:** - Entra → Protection → Conditional Access - Look for policies that might block service principal sign-ins - Review "Service provider users" exclusions 3. **Check Exchange Online license:** - Verify tenant has active Exchange Online licenses - Admin center → Billing → Licenses --- ## Blocking Issue **Britney Thompson litigation hold verification** cannot proceed until Exchange REST API access works. **HIPAA Compliance Risk:** Per Howard's 2026-05-06 note, this check must complete before Wave 1 caregiver rollout (§164.308(a)(3)(ii)(C) + §164.316(b)(2) requirement). **Impact:** - Cannot verify if litigation hold is enabled - Cannot check mailbox forwarding rules - Cannot audit inbox rules or delegate permissions - All Exchange-based compliance checks blocked --- ## Timeline | Time | Event | |------|-------| | 09:05 AM MST | App onboarding completed, Exchange Administrator role assigned | | 09:07 AM MST | First test: HTTP 401 (expected) | | 09:15 AM MST | Second test: HTTP 401 (still propagating) | | 09:33 AM MST | Third test: HTTP 401 (28 min elapsed, still within normal window) | | **10:00 AM MST** | **Recommended retry time (55 min elapsed)** | | **10:30 AM MST** | **Escalation point if still failing (85 min elapsed)** | --- ## Workaround Options (If Urgent) If litigation hold verification is urgent and cannot wait for propagation: 1. **Manual Exchange Online PowerShell:** ```powershell Connect-ExchangeOnline -UserPrincipalName admin@cascadestucson.com Get-Mailbox -Identity Britney.Thompson@cascadestucson.com | Select DisplayName, LitigationHoldEnabled, LitigationHoldDate, InPlaceHolds ``` 2. **Exchange Admin Center:** - https://admin.exchange.microsoft.com - Recipients → Mailboxes - Search: Britney Thompson - Properties → Mailbox features → Litigation hold 3. **Purview Compliance Center:** - https://compliance.microsoft.com - Data lifecycle management → Retention - Check if Britney's mailbox has retention policies applied --- **Status:** Waiting for Exchange REST API propagation (normal delay). **Next action:** Retry after 10:00 AM MST. **Escalation:** If still failing after 10:30 AM MST, investigate manually via portal.