# Dataforth — Account Status Check

- **Date:** 2026-05-03 (UTC)
- **Tenant:** Dataforth Corporation (`dataforth.com`, `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`)
- **Tool:** ComputerGuru Security Investigator (App ID `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`) — Graph read-only
- **Scope:** Status lookup only (enabled / licensed / last sign-in / object type). No remediation.
- **Operator:** Howard Enos

## Summary

- 1 of 4 addresses is an **active licensed user** (`jantar@`).
- 1 of 4 is an **active distribution list** (`sales@`) routing to 3 employees.
- 2 of 4 (`dchapman@`, `dhenderson@`) **do not exist** anywhere in the directory — no user, no group, no contact, no alias, not in the 30-day soft-delete recycle bin.

## Results

| Address | Object type | Enabled | Licensed | Last sign-in (interactive) | Notes |
|---|---|---|---|---|---|
| `sales@dataforth.com` | Mail-enabled distribution list ("Sales") | Active | n/a | n/a | Members: ltobey@, ghaubner@, tdean@ |
| `jantar@dataforth.com` | User — Jacque Antar | Yes | 1 license | 2026-04-20 17:44 UTC (~13d ago) | Primary SMTP confirmed |
| `dchapman@dataforth.com` | **Does not exist** | — | — | — | Not a user, group, contact, or alias; not in soft-delete |
| `dhenderson@dataforth.com` | **Does not exist** | — | — | — | Not a user, group, contact, or alias; not in soft-delete |

## What "does not exist" means here

For `dchapman@` and `dhenderson@` we checked, against the live tenant:

1. `/users` filtered on `mail` and `proxyAddresses/any(p: p eq 'smtp:')` — 0 results. Rules out the address being a primary SMTP, a UPN, or a secondary alias on any mailbox.
2. `/groups` same filter — 0 results. Rules out distribution lists and M365 groups.
3. `/directory/deletedItems/microsoft.graph.user` — 0 results. The user object was not soft-deleted in the past 30 days (so not recoverable via the standard restore path).
4. `/contacts` (beta, org-level mail contacts) — 0 results.

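
The four-lookup decision above can be expressed as a small classifier over the saved responses. This is an added example, not the tool's own code: `classify`, `smtp_role`, `CHECKS` and the `example.com` sample bodies are hypothetical, and it assumes each saved file is a Graph collection response (a `value` array, or an `error` object when the call failed).

```python
# Constructed sample responses (not tenant data), keyed like the saved
# *-users.json / *-groups.json / *-orgcontact.json / *-deleted.json files.
EMPTY = {"value": []}
SAMPLE = {
    "users": {"value": [{
        "mail": "a.user@example.com",
        "proxyAddresses": ["SMTP:a.user@example.com", "smtp:old.name@example.com"],
    }]},
    "groups": {"value": [{
        "mail": "team@example.com",
        "proxyAddresses": ["SMTP:team@example.com"],
    }]},
    "orgcontact": EMPTY,
    "deleted": EMPTY,
}

CHECKS = ("users", "groups", "orgcontact", "deleted")

def smtp_role(obj, address):
    """Return 'primary', 'alias' or None for address on one directory object."""
    addr = address.lower()
    role = None
    for proxy in obj.get("proxyAddresses") or []:
        prefix, _, value = proxy.partition(":")
        if prefix.lower() == "smtp" and value.lower() == addr:
            # Upper-case "SMTP:" marks the primary address, lower-case an alias.
            if prefix == "SMTP":
                return "primary"
            role = "alias"
    if role is None and (obj.get("mail") or "").lower() == addr:
        role = "primary"
    return role

def classify(address, responses):
    """Return (where_found, role), ('not found', None) or ('incomplete', check)."""
    incomplete = None
    for check in CHECKS:
        body = responses.get(check)
        # A missing or failed lookup is not evidence that the address is absent.
        if not isinstance(body, dict) or "error" in body or "value" not in body:
            incomplete = incomplete or check
            continue
        for obj in body["value"]:
            role = smtp_role(obj, address)
            if role:
                return (check, role)
    if incomplete:
        return ("incomplete", incomplete)
    return ("not found", None)
```

An address is reported as "not found" only when all four lookups returned a well-formed, empty-for-that-address result; any missing or errored lookup yields "incomplete" instead.
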
If mail to these addresses is bouncing now, that is consistent — the tenant has no recipient with that smtp address. If mail to these addresses was being delivered historically and we need to know when they were removed, that requires a unified audit log search (`auditLogs/directoryAudits` with `activityDisplayName eq 'Delete user'`) over a longer window — say so and I can run it.

## Per-address detail

### sales@dataforth.com — Distribution List

- Group ID: `6dd5ec2b-c220-49bf-bd00-8d4d123914e7`
- mail-enabled, security-disabled, classic DL (no `groupTypes`)
- Proxy addresses: `SMTP:sales@dataforth.com`, `smtp:sales1@dataforthcom.onmicrosoft.com`
- Members (3): Logan Tobey (`ltobey@`), Georg Haubner (`ghaubner@`), Theresa Dean (`tdean@`)

### jantar@dataforth.com — Jacque Antar

- `accountEnabled`: true
- 1 assigned license
- Last interactive sign-in: 2026-04-20 17:44:45 UTC
- Proxy addresses: `SMTP:jantar@dataforth.com`, `smtp:jantar@dataforthcom.onmicrosoft.com`

### dchapman@dataforth.com — not found

- All four directory queries returned 0.

### dhenderson@dataforth.com — not found

- All four directory queries returned 0.

## Data artifacts

Raw JSON in `/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/account-active/`:

- `sales@dataforth.com-users.json`, `sales@dataforth.com-groups.json`
- `jantar@dataforth.com-users.json`, `jantar@dataforth.com-groups.json`
- `dchapman@dataforth.com-users.json`, `dchapman@dataforth.com-groups.json`, `dchapman@dataforth.com-deleted.json`, `dchapman@dataforth.com-orgcontact.json`
- `dhenderson@dataforth.com-users.json`, `dhenderson@dataforth.com-groups.json`, `dhenderson@dataforth.com-deleted.json`, `dhenderson@dataforth.com-orgcontact.json`

## Operational note

PyJWT + cryptography are not installed on HOWARD-HOME, so `get-token.sh` cert-auth (the new default) failed silently and the secret-auth fallback was used (`REMEDIATION_AUTH=secret`). Token issuance still works either way; cert-auth is preferred per the recent migration. Fix on this machine:

```bash
py -m pip install PyJWT cryptography
```