Mike Swanson
fa15b03180
Synced files: - Quote wizard frontend (all components, hooks, types, config) - API updates (config, models, routers, schemas, services) - Client work (bg-builders, gurushow) - Scripts (BGB Lesley termination, CIPP, Datto, migration) - Temp files (Bardach contacts, VWP investigation, misc) - Credentials and session logs - Email service, PHP API, session logs Machine: ACG-M-L5090 Timestamp: 2026-03-10 19:11:00 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3.5 KiB
3.5 KiB
BG Builders - Session Log 2026-03-09
Session Summary
Lesley Roth (lesley@bgbuildersllc.com) employee disable and device wipe. Account disabled (sign-in blocked, sessions revoked), email data wipe initiated on both mobile devices, and 72-hour mail activity report generated. Account preserved (not deleted/converted to shared) per client request.
Actions Completed
1. Account Disable
- Sign-in blocked - AccountEnabled set to False (was already False from previous termination on 2026-02-27)
- All sessions revoked - Confirmed via Revoke-MgUserSignInSession
- Password reset - Script failed with 403 (sysadmin lacks privilege), manually reset via M365 Admin Center to:
bgb-pass-reset-2026!!
2. Device Email Wipe
- iPhone 16 Pro (iOS 26.3.1) - AccountOnlyDeviceWipePending. Active device, last synced 2026-03-09 16:23:30. Should complete on next sync.
- iPhone 14 Pro (iOS 18.5) - AccountOnlyDeviceWipePending. Stale device, last synced 2025-06-27. May never acknowledge.
- No Intune-managed devices found (BGB has no Intune/Business Premium)
- Wipe type: AccountOnly (removes M365 email account only, preserves personal data)
3. 72-Hour Mail Activity Report
- Report generated covering 2026-03-06 09:25 to 2026-03-09 09:25
- Nothing of consequence found - no suspicious sent/deleted mail activity
- Report saved to:
D:\ClaudeTools\scripts\bgb-lesley-mail-report-20260309.txt - Checked: sent messages, received messages, deleted items, inbox rules, forwarding config
4. Pre-existing Security Measures
- Litigation hold already enabled (from previous re-enable script on 2026-02-27)
- Barry (barry@bgbuildersllc.com) has FullAccess + SendAs on mailbox (from original termination)
- Shelly (Shelly@bgbuildersllc.com) has FullAccess + SendAs (from re-enable script)
Credentials Used
Microsoft 365 Tenant - BG Builders LLC
- Tenant: bgbuildersllc.com
- Tenant ID: ededa4fb-f6eb-4398-851d-5eb3e11fab27
- CIPP Name: sonorangreenllc.com
- Admin User: sysadmin@bgbuildersllc.com
- Password: Window123!@#-bgb
Target User
- User: Lesley Roth
- UPN: lesley@bgbuildersllc.com
Scripts Created/Modified
New Scripts
scripts/bgb-lesley-disable-wipe.ps1- Disable account + device email wipescripts/bgb-lesley-mail-report.ps1- 72-hour mail activity report (sent/received/deleted)scripts/bgb-lesley-verify-wipe.ps1- Verify device wipe status
Technical Notes
Get-MessageTracedeprecated Sep 2025 - useGet-MessageTraceV2(no-PageSizeparameter)Search-MailboxAuditLogdeprecated Jan 2026 - useSearch-UnifiedAuditLog- Exchange Online
-Deviceauth switch only works in PowerShell 7 (pwsh), not Windows PowerShell 5.1 - WAM broker auth requires a visible PowerShell window (can't run from bash/non-interactive shell)
Current Account State
| Property | Value |
|---|---|
| AccountEnabled | False |
| Mailbox Type | UserMailbox |
| Litigation Hold | True |
| Licenses | Still assigned |
| Barry Access | FullAccess + SendAs |
| Shelly Access | FullAccess + SendAs |
| iPhone 16 Pro | AccountOnlyDeviceWipePending |
| iPhone 14 Pro | AccountOnlyDeviceWipePending |
Pending/Follow-up
- Password reset needs Global Admin or check sysadmin role assignments
- iPhone 16 Pro wipe should complete soon (active device)
- iPhone 14 Pro wipe may never complete (stale since June 2025)
- Account NOT converted to shared, licenses NOT removed (per request to keep account)
- OneDrive access not addressed this session