8.8 KiB
Mailbox restore + retention remediation — 2026-04-24
Scope expanded 2026-04-24 (same session): after Jeff's restore succeeded, Howard correctly flagged that NO terminated employee mailbox should have been deleted — HIPAA §164.316(b)(2) requires 7-year retention. All 7 mailboxes from the 2026-04-22 orphan cleanup were restored from the 30-day soft-delete bin. See §"Full 7-mailbox retention remediation" below. Policy document:
docs/security/termination-procedures.md.
Original scope: Jeff Bristol mailbox restore — 2026-04-24
Context
Ashley Jensen reported to Howard: "I seem to have lost access to Jeff's email and the fax email (efax thing). In your spare time, can you help me get them back??"
Root cause: on 2026-04-22 we deleted 7 orphan M365 accounts including jeff.bristol@cascadestucson.com per HR-confirmed orphan cleanup (reports/2026-04-22-m365-orphan-deletes.md). Ashley had delegate access to Jeff's mailbox — her access vanished with the delete.
Decision
Howard authorized 2026-04-24: restore Jeff, convert to shared mailbox, grant Ashley Full Access + Send As. Net outcome = Ashley regains access with no license cost.
Howard's directive: the fax mailbox (fax@cascadestucson.com) is separate and is NOT to be touched by me (Claude) in this session — Howard will audit its permissions and (planned) refactor the transport rule to a shared-mailbox model later.
Actions executed
Step 1 — Graph restore (User Manager tier)
POST https://graph.microsoft.com/v1.0/directory/deletedItems/8ec8248a-46e8-4771-9220-047887928777/restore- HTTP 200 — restore succeeded
- Post-restore verification via
GET /users/{id}:displayName: "Jeff Bristol"userPrincipalName:jeff.bristol@cascadestucson.com(UPN correctly restored)accountEnabled:false(matches pre-delete disabled state)mail:jeff.bristol@cascadestucson.comassignedLicenses:[](no licenses — expected; will convert to shared mailbox which needs none)
Step 2+ — Exchange Online writes — DEFERRED
Exchange REST POST /adminapi/beta/{tenant}/InvokeCommand returned HTTP 401 invalid_token for both Get-Mailbox jeff.bristol@... and Get-Mailbox ashley.jensen@... (sanity check).
Token inspection showed valid token state:
aud:https://outlook.office365.com(correct)roles:full_access_as_appwids: includes29232cdf-9323-42fd-ade2-1d097af3e4de(Exchange Administrator)
Diagnosis: the Exchange Administrator directory role was just assigned to the Security Investigator SP (c64ee5c1-a607-46cb-81b8-42de3de98d48) by onboard-tenant.sh minutes prior. Exchange Online RBAC propagation typically takes 30–60 minutes (sometimes hours) after a fresh role assignment before the SP's token is honored for cmdlet execution.
Tenant-wide issue (not Jeff-specific): the sanity check against an unrelated mailbox (ashley.jensen@) returned the same 401.
Step 2+ — Handed off to Howard (manual in Exchange Admin Center)
Because Ashley needs access now and Exchange RBAC was still propagating, Howard took the portal path directly. Revised scope per Howard 2026-04-24: FullAccess only, no Send As (Ashley only needs read).
Howard's portal work (confirmed 2026-04-24):
- Recipients → Mailboxes → Jeff Bristol → Convert to Shared — pending automated step at 15:13 PDT cron retry (if RBAC propagated) or Howard later
- Delegation confirmed by Howard: Ashley already had both Read and manage (Full Access) AND Send As on Jeff's mailbox — left as-is per Howard's direction 2026-04-24 ("she is already set to read and send as jeff, that is fine. we will leave it as is"). The earlier "FullAccess only, no Send As" instruction is superseded.
- Ashley adds shared mailbox in Outlook: File → Account Settings → More Settings → Advanced → Add →
jeff.bristol@cascadestucson.com(or OWA atoutlook.office.com/mail/jeff.bristol@cascadestucson.com)
Fax@ mailbox state (captured by Howard's screenshot 2026-04-24 14:12)
Pulled by Howard in Exchange Admin Center:
| Property | Value |
|---|---|
| Type | Shared Mailbox (display name "Fax Cascades") |
| Send as delegates | 0 |
| Read and manage (Full Access) delegates | 0 |
Zero pre-existing delegations. Ashley's "lost access to fax email" was not loss of a delegate grant — her access was chained through Jeff's mailbox or some other indirect path that broke when Jeff was deleted.
Screenshot: docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 141248.png (copied into repo separately if needed for future reference).
Transport rule — fixed by Howard
Howard removed the broken recipients from Fax Forward and Retain Copy transport rule (2026-04-24). Anna Pitzlin no longer in the BCC list; silent NDR-on-every-fax problem eliminated.
Related / follow-ups
- Britney Thompson is still in the rule's BCC list and is scheduled for disable post-Litigation Hold — remove before her disable to avoid the same NDR issue.
- Proposed refactor (per master plan Track C): replace the transport rule entirely with direct FullAccess permissions on the
fax@shared mailbox for the 9 legitimate recipients. Each user opensfax@as a secondary mailbox in Outlook. Cleaner audit trail, no rule maintenance on staff changes. Because fax@ currently has zero delegates, this refactor starts from a clean slate. - Exchange RBAC propagation: was still incomplete at time of this session. Next remediation-tool invocation (>1h later or next day) should be able to use
investigator-exotier for Exchange REST writes against Cascades.
Files
- Graph restore response:
/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/jeff-restore/restore-resp.json - Post-restore user check:
/tmp/remediation-tool/.../jeff-restore/user-check.json - Fax architecture doc:
docs/servers/fax-whitelabel.md(written same session) - Original deletion record:
reports/2026-04-22-m365-orphan-deletes.md
Full 7-mailbox retention remediation (same session, expanded scope)
Trigger
Howard 2026-04-24: "in fact we shouldnt delete any email accounts, they should all be set for some kind of retention for the 7 years (hippa+1 year) requirement."
Applied retroactively to the 6 other mailboxes deleted in the same 2026-04-22 sweep that were still recoverable within the 30-day soft-delete window.
Soft-delete bin enumeration
GET /directory/deletedItems/microsoft.graph.user
8 items returned. 2 were excluded from restoration:
mdm@cascadestucson.com(failed service account replaced bymdms@2026-04-20 — no PHI)howard_azcomputerguru.com#EXT#@NETORGFT4257522.onmicrosoft.com(Howard's own external guest — no Cascades PHI, intentional delete)
Restorations (Graph User Manager tier)
All 6 returned HTTP 200:
| User | Object ID | Pre-delete state | Post-restore state |
|---|---|---|---|
| ann.dery | 103b3ac4-2302-4334-8c8e-e66d383c883d |
Disabled, 0 lic | Disabled, 0 lic |
| anna.pitzlin | 06aa2955-f124-447d-8a16-cc7779aaf28f |
Disabled, 0 lic | Disabled, 0 lic |
| kristiana.dowse | 0c501281-3e80-48e0-8a3f-e460a15df470 |
Disabled, 0 lic | Disabled, 0 lic |
| nela.durut-azizi | 84cef8a2-6988-44ea-bf20-a72fe622750d |
Disabled, 0 lic | Disabled, 0 lic |
| nick.pavloff | 4b46f47a-6c57-477d-bd6d-53f99324aee4 |
Disabled, 0 lic | Disabled, 0 lic |
| jodi.ramstack | b7cddbeb-6026-436b-a3aa-67c4be43e3fb |
Enabled, 1 Business Standard lic (zombie) | Enabled, 1 lic |
Follow-on actions — blocked pending Exchange RBAC propagation
Exchange REST Set-Mailbox -Type Shared et al. returned HTTP 401 (RBAC not yet propagated after onboard-tenant.sh assigned Exchange Administrator role this session). Retries pending.
Retry log:
- 14:25 PDT — initial attempt, HTTP 401
- 15:13 PDT — first scheduled retry (cron fe0046b1), HTTP 401, still not propagated
- 16:19 PDT — second scheduled retry, HTTP 401, still not propagated (~2h after role assignment)
- 18:23 PDT — third (final auto) retry scheduled. If this also fails, RBAC is clearly not propagating normally and manual portal path is needed.
For each of the 7 restored mailboxes (6 above + Jeff):
Set-Mailbox -Identity <upn> -Type SharedSet-Mailbox -Identity <upn> -HiddenFromAddressListsEnabled $true- For Jodi specifically: remove the Business Standard license after conversion — recurring $12.50/mo savings
- Apply Litigation Hold with 2557-day duration only after Business Premium purchase (Cascades currently on Business Standard; Litigation Hold is a Plan-2 feature)
- Add to 7-year retention tracker: source-date = 2026-04-22 (original deletion date), eligible-for-review = 2033-04-22
Policy document
Written same session: docs/security/termination-procedures.md — mandates preservation-first procedure for all future workforce departures and documents this incident (IR-2026-04-24-001) with remediation steps.