claudetools/clients/cascades-tucson/session-logs/2026-04-25-howard-entra-connect-install-and-pilot-prep.md
Howard Enos 3354de1fb1 session log: cascades — Entra Connect install + pilot account prep (2026-04-24/25)
Comprehensive log of the Entra setup work spanning 4/24 evening through 4/25.
Includes a Resume Point at the top so the next session can pick up cleanly.

Highlights:
- Entra Connect Sync installed in staging mode on CS-SERVER, scope OU=Caregivers
- Pilot AD account howard.enos@cascadestucson.com created
- Master plan v2 with explicit drift log (FIDO2/YubiKey injection caught)
- HIPAA retention remediation: 7 mailboxes restored from soft-delete (4/22 deletes
  violated 164.316(b)(2)); termination procedures policy + IR-2026-04-24-001 documented
- admin@cascadestucson.com re-promoted to Global Admin (Sandra Fish cleanup had
  stripped role); residual profile data cleaned
- Existing Cascades CA architecture discovered (Named Location 72.211.21.217 + all-users
  MFA policy from 2026-02-11) — adjusts plan, no duplicate policies needed
- Syncro ticket #32214 'Entra setup' with hidden private rollup (~40-45 billable hrs)

Released session lock; resume point flagged in PROJECT_STATE.md.
2026-04-25 15:38:08 -07:00


2026-04-25 — Cascades Entra Connect install + pilot account prep

User

  • User: Howard Enos (howard)
  • Machine: Howard-Home
  • Role: tech
  • Session span: 2026-04-24 (afternoon/evening) through 2026-04-25 (afternoon, save point)

Resume point (READ THIS FIRST when picking back up)

We paused mid-Track-A-Gate-2 / Gate-A3 prep after discovering an existing Cascades CA architecture that changes the plan.

What's already in place (don't recreate):

  • Named Location Cascades (id needs lookup) with 72.211.21.217/32 marked trusted
  • CA policy Require multifactor authentication for all users (Microsoft template-based, created 2026-02-11), targets All users with exclusions, Network = "Any network or location and all trusted locations excluded", Grant = Require MFA. State (Report-only / On / Off) NOT YET CONFIRMED — Howard to verify in portal.

Immediate next actions when resuming:

  1. Add 184.191.143.62/32 to the existing Cascades named location (don't create a new one — both WAN egresses go in the same trusted location)
  2. Confirm the existing all-users MFA policy's enable state (Report-only vs On)
  3. Decide whether to add a single caregiver-specific compliant-device policy targeting howard.enos@cascadestucson.com by UPN (Report-only), or skip — the existing all-users MFA policy may be enough for the pilot test
  4. Howard does AD-side prep on CS-SERVER PowerShell: Set-ADAccountPassword -Identity howard.enos -Reset -NewPassword (Read-Host -AsSecureString "New password") and Set-ADUser howard.enos -Add @{proxyAddresses="SMTP:howard.enos@cascadestucson.com"}
  5. Tomorrow: exit Entra Connect staging mode, run sync, verify howard.enos lands in M365, assign Entra ID P2 license, enroll phone, run end-to-end SSO test
  6. ALIS App Store is currently being updated — Howard will install the "Entra SSO" app there when access is back
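Resume steps 1 and 2 as one script, added here as an example and not something run during the session: it merges 184.191.143.62/32 into the existing Cascades ipNamedLocation through Graph (a PATCH replaces the whole ipRanges array, so the current 72.211.21.217/32 has to be re-sent or it silently disappears) and then prints the enable state of the all-users MFA policy. Assumes $Token is a Graph token holding Policy.ReadWrite.ConditionalAccess; the location and policy are matched by display name because the policy id in this log is truncated.

```powershell
# Added example, not run during the session: Resume steps 1 + 2 via Microsoft Graph.
# Assumptions: $Token is an app/delegated token with Policy.ReadWrite.ConditionalAccess;
# display names, CIDRs and the policy name are the ones recorded in this log.
param(
    [Parameter(Mandatory)] [string] $Token,
    [string]   $LocationName = 'Cascades',
    [string[]] $EgressCidrs  = @('72.211.21.217/32', '184.191.143.62/32'),
    [string]   $PolicyName   = 'Require multifactor authentication for all users'
)
$headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
$base    = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess'

# Step 1: update the EXISTING trusted location; never create a second "Cascades".
$locs = (Invoke-RestMethod -Uri "$base/namedLocations" -Headers $headers).value
$loc  = @($locs | Where-Object {
    $_.displayName -eq $LocationName -and $_.'@odata.type' -eq '#microsoft.graph.ipNamedLocation' })
if ($loc.Count -eq 0) { throw "Named location '$LocationName' not found; refusing to create one" }
if ($loc.Count -gt 1) { throw "Multiple '$LocationName' locations exist; pick the id by hand" }
$loc = $loc[0]

# PATCH replaces the whole ipRanges array, so re-send the current ranges plus the new one.
$existing = @($loc.ipRanges | ForEach-Object { $_.cidrAddress })
$merged   = @(($existing + $EgressCidrs) | Select-Object -Unique)
if ($merged.Count -eq $existing.Count) {
    Write-Host "'$LocationName' already contains $($existing -join ', '); no change"
} else {
    $body = @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'
        displayName   = $loc.displayName
        isTrusted     = $true   # must stay trusted, or the "all trusted locations excluded" MFA exclusion stops applying
        ipRanges      = @($merged | ForEach-Object {
            @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ } })
    } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Patch -Uri "$base/namedLocations/$($loc.id)" -Headers $headers -Body $body | Out-Null
    Write-Host "Updated '$LocationName' ($($loc.id)) to: $($merged -join ', ')"
}

# Step 2: read the all-users MFA policy state instead of guessing it.
# state is one of: enabled | disabled | enabledForReportingButNotEnforced (= Report-only)
$policies = @((Invoke-RestMethod -Uri "$base/policies" -Headers $headers).value |
    Where-Object { $_.displayName -eq $PolicyName })
if ($policies.Count -eq 0) { Write-Warning "No CA policy named '$PolicyName'" }
foreach ($p in $policies) {
    Write-Host ("Policy '{0}' ({1}): state={2}; grant={3}" -f $p.displayName, $p.id, $p.state,
        ($p.grantControls.builtInControls -join ','))
}
```

Run it once with a read-only token first if you want to see the location and policy state without the PATCH actually landing; the named-location write only happens when the merged range list is longer than what is already there.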

Critical context for resumption:

  • Pilot phone target = Monday 2026-04-27
  • 7-mailbox HIPAA retention conversion is BLOCKED on Exchange RBAC propagation (>5h of HTTP 401 yesterday). Three fallback paths documented in clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md. Not on the phone-SSO critical path.
  • Track A Gate 1 (Entra Connect install) is COMPLETE in staging mode. Pilot account howard.enos@cascadestucson.com exists in OU=Caregivers,OU=Departments,DC=cascades,DC=local, member of SG-Caregivers. Will sync to M365 once staging is exited.

Session Summary

The session focused on preparing Cascades of Tucson for a pilot Microsoft Entra Connect Sync deployment, with the goal of enabling a seamless transition to full production on 2026-04-27. First, the master plan was revised to address scope drift and restructured with Track A/B/C, ensuring alignment with HIPAA and operational goals. A phone-SSO pilot runbook was created, and HIPAA Risk Analysis documentation was drafted using NIST SP 800-66 Rev 2 standards. Workforce Termination Procedures were updated, and a critical HIPAA retention violation was remediated by restoring seven mailboxes from soft-delete within the required window. The pilot AD account for the caregiver was created, and Microsoft Entra Connect Sync was installed in staging mode, restricted to the OU=Caregivers. Initial sync was successful, and the OU structure was cleaned up to align with existing naming conventions. Syncro ticket #32214 was created to document all work and provide a billable estimate. Finally, existing Conditional Access policies were reviewed and confirmed to align with the planned architecture, reducing redundant configuration efforts.

Key Decisions

  • Selected PHS (Password Hash Sync) over directory-sync-only: Aligns with the user-stated goal of tying M365 to the domain account. Reverses the previous plan's "PHS deferred indefinitely" stance.
  • Created OU=Caregivers under OU=Departments: Matches existing Cascades naming convention (Care-Assisted Living / Care-Memorycare). Removed the orphan domain-root OU=Sync-Phase1-Caregivers that I created before realizing the convention.
  • Phased Entra Connect sync: Phase 1 scope is OU=Caregivers only (just the pilot caregiver, zero migration risk). Phase 2 will expand to other OUs and requires a coordinated AD-password reset for cloud-only users before PHS overwrites their M365 password.
  • Mailbox access model "Option C" for the 7 restored mailboxes: Jeff = keep Ashley's existing access (FullAccess + SendAs intact). Nela = grant Lois Lane FullAccess (inherits Nela's old forwarding chain). Other 5 (Ann Dery, Anna Pitzlin, Kristiana Dowse, Nick Pavloff, Jodi Ramstack) = dormant preservation, no delegates, audit access on-demand from tenant admin.
  • Pilot CA policies target howard.enos@cascadestucson.com by UPN, not the SG-Caregivers group: Keeps blast radius to a single user during testing. Switch to group-targeting when we go production-wide.
  • Plan written with explicit drift-log section (Part 7): Future-proofing — drift items must trace back to a session log or user message, not be drafted unilaterally during doc generation.
  • Re-promoted admin@cascadestucson.com to Global Administrator + cleaned Sandra Fish profile residue: Account was stripped of all directory roles during the prior Sandra Fish cleanup. Made it a working second GA so we have two named admins (admin@ and sysadmin@).

Problems Encountered

  • pfSense web UI 401-locked. TLS handshake failures from CS-SERVER (likely TLS 1.2-only enforcement on CS-SERVER vs pfSense's TLS profile) tripped the WebConfigurator throttle. Howard noted lockout, deferred — verified via Entra logs that 184.191.143.62 IS the primary WAN egress; 72.211.21.217 confirmed legitimate by the existence of a pre-existing trusted Named Location.
  • GuruRMM command queue clogged. A slow Get-CimInstance Win32_Product enumeration earlier in the session jammed the agent's command runner; subsequent commands stuck "pending" indefinitely. Workaround: Howard ran scripts directly on CS-SERVER PowerShell. Agent restart on CS-SERVER would clear it.
  • PowerShell paste fidelity in Howard's RDP session. Multi-line backtick continuations and hashtable newlines were being mangled on copy-paste — likely a Windows clipboard / terminal interaction. Switched to one-line semicolon-separated commands and the script ran cleanly.
  • Exchange Online RBAC propagation lag. After ~5 hours of HTTP 401 on Exchange REST despite confirmed Exchange Administrator role on Security Investigator SP, gave up auto-retry. Three fallback paths documented for the 7-mailbox shared-conversion: EXO PowerShell from Howard's laptop, Exchange Admin Center portal, or wait until next day.
  • Drift in 2026-04-23 master plan caught and corrected. FIDO2/YubiKey hardware recommendation appeared across three documents (user-account-rollout-plan.md → hipaa-review-2026-04-22.md H2 → PLAN-AND-QUESTIONS-2026-04-23.md Q23/Q24) without ever being a user-discussed requirement. Origin traced to a doc-generation drift cascade, removed in v2 plan with explicit drift log in Part 7.

Credentials & Secrets

All credentials handled this session are vaulted in SOPS at D:/vault/clients/cascades-tucson/. Reference paths only — values retrieved via bash $CLAUDETOOLS_ROOT/.claude/scripts/vault.sh get-field <path> <field>.

| Resource | Vault path | Notes |
| --- | --- | --- |
| admin@cascadestucson.com (Global Admin) | clients/cascades-tucson/m365-admin.sops.yaml | Re-promoted to GA 2026-04-24 after Sandra Fish cleanup had stripped role. Display name now "Cascades Tenant Admin". |
| sysadmin@cascadestucson.com (Global Admin) | clients/cascades-tucson/m365-sysadmin.sops.yaml | Newly vaulted 2026-04-24. Password was shared in chat — flagged for rotation post-pilot. |
| howard.enos@cascadestucson.com (pilot account) | clients/cascades-tucson/howard-enos-pilot.sops.yaml | Temp password (random, will be reset by Howard). |
| pfSense (Cascades) | clients/cascades-tucson/pfsense-firewall.sops.yaml | Used for WAN config inspection (web UI got 401-locked, deferred). |
| GuruRMM API admin | infrastructure/gururmm-server.sops.yaml | Used to dispatch PowerShell to CS-SERVER. |

Syncro per-user API key for Howard: baked into .claude/skills/syncro/SKILL.md (Tde5174a6e9e312d14-...). Per-user attribution maintained.

1Password service account: at infrastructure/1password-service-account.sops.yaml. op CLI is NOT installed on Howard-Home — install via winget install AgileBits.1Password.CLI if needed for scripted lookups.

ALIS admin password (howard.enos): Shared in chat 2026-04-24, not vaulted by request — Howard will rotate after pilot test. Howard manages all ALIS-side configuration personally.


Infrastructure & Servers

Cascades tenant

  • Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
  • Verified domain: cascadestucson.com
  • Onboarded SPs (consented + role-assigned):
    • Security Investigator (bfbc12a4-f0dd-4e12-b06d-997e7271e10c) — Exchange Administrator role
    • Exchange Operator (b43e7342-5b4b-492f-890f-bb5a4f7f40e9) — needs Exchange Admin role assignment (gap in onboard-tenant.sh, see "Pending"); used for breach-check reads via Security Investigator's full_access_as_app
    • User Manager (64fac46b-...) — User Administrator + Authentication Administrator
    • Tenant Admin (709e6eed-...) — directory writes
    • Defender Add-on — installed but tenant has no MDE license

Active Directory

  • Domain: cascades.local, single-DC forest, all FSMO on CS-SERVER
  • CS-SERVER: 192.168.2.254, Windows Server 2019 (build 17763), .NET 4.8+, PS 5.1.17763.8641
  • New OU created this session: OU=Caregivers,OU=Departments,DC=cascades,DC=local (ProtectedFromAccidentalDeletion=True). Removed orphan OU=Sync-Phase1-Caregivers,DC=cascades,DC=local.
  • Pilot account: CN=Howard Enos,OU=Caregivers,OU=Departments,DC=cascades,DC=local (UPN howard.enos@cascadestucson.com, member of SG-Caregivers). SID S-1-5-21-388235164-2207693853-3666415804-1207.

Entra Connect Sync

  • Installed on CS-SERVER 2026-04-24 in staging mode
  • PHS enabled + Seamless SSO enabled
  • Sync scope: OU=Caregivers only
  • Service account: CASCADES\ADSyncMSA3dd93$ (auto-created MSOL_)
  • Initial sync result: Success (0 objects pre-pilot creation; pilot account exists in AD now and will sync on next cycle once staging is exited)

Cascades WAN

  • Primary egress: 184.191.143.62/32 — confirmed against historical sign-in logs
  • Secondary egress: 72.211.21.217/32 — confirmed by existence of pre-existing trusted Named Location Cascades
  • Dual-WAN setup on pfSense (verification deferred due to web UI lockout)

Existing Conditional Access architecture (discovered 2026-04-25)

  • Named Location Cascades: trusted, currently 72.211.21.217/32 only — needs 184.191.143.62/32 added
  • CA policy Require multifactor authentication for all users: Microsoft template-based (template a3d0a415-b068-4326-9251-f9cdf9feeb64), policy ID 7e87a1c7-4836-49df-8769-c4cccadd9d.... Created 2026-02-11. Targets All users with specific exclusions. Network = "Any network or location and all trusted locations excluded". Grant = 1 control (likely Require MFA). State currently unverified.

Syncro

  • Customer: Cascades of Tucson, ID 20149445, prepay_hours 33.5
  • New ticket: #32214 "Entra setup", In Progress, Service Request, contact Meredith Kuhn (3140619), Howard assigned. URL: https://computerguru.syncromsp.com/tickets/109412123
  • Comments on ticket: one visible "Initial Issue" (id 407403164), one hidden private rollup with billable hours (id 407403165, ~6.9k chars including hours estimate ~40-45 hrs)

Commands & Outputs (key ones)

AD restructure (executed via GuruRMM)

```powershell
# Removed orphan + created Caregivers under Departments
Set-ADOrganizationalUnit -Identity (Get-ADOrganizationalUnit -Filter "Name -eq 'Sync-Phase1-Caregivers'") -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity (Get-ADOrganizationalUnit -Filter "Name -eq 'Sync-Phase1-Caregivers'") -Confirm:$false
New-ADOrganizationalUnit -Name "Caregivers" -Path "OU=Departments,DC=cascades,DC=local" -Description "..." -ProtectedFromAccidentalDeletion $true
```

admin@ Global Admin restore + Sandra residue cleanup (Graph)

```bash
USER_ID="e20f7f21-757a-48cd-bb24-7bdeeb1497d0"
GA_ROLE_ID="4e981141-a06d-472a-8c77-fabb6539afd8"
# PATCH: displayName="Cascades Tenant Admin", givenName="Cascades", surname="Admin", jobTitle="Tenant Administrator" ($TOKEN = Graph app token, assumed; not recorded in the log)
curl -s -X PATCH "https://graph.microsoft.com/v1.0/users/$USER_ID" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"displayName":"Cascades Tenant Admin","givenName":"Cascades","surname":"Admin","jobTitle":"Tenant Administrator"}'
# POST /directoryRoles/$GA_ROLE_ID/members/$ref with @odata.id of user
curl -s -X POST "https://graph.microsoft.com/v1.0/directoryRoles/$GA_ROLE_ID/members/\$ref" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$USER_ID\"}"
```

Pilot AD account creation (Howard ran on CS-SERVER)

```powershell
# 16 random alphanumerics + "!9" so the temp password passes domain complexity; value was vaulted afterwards
$tp = -join ((65..90)+(97..122)+(48..57) | Get-Random -Count 16 | %{[char]$_}) + "!9"
# Splatted parameters kept on one line on purpose: multi-line pastes were being mangled in the RDP session
$p = @{Name="Howard Enos";GivenName="Howard";Surname="Enos";SamAccountName="howard.enos";UserPrincipalName="howard.enos@cascadestucson.com";EmailAddress="howard.enos@cascadestucson.com";Path="OU=Caregivers,OU=Departments,DC=cascades,DC=local";AccountPassword=(ConvertTo-SecureString $tp -AsPlainText -Force);Enabled=$true;ChangePasswordAtLogon=$false;Description="Phone SSO pilot test account"}
New-ADUser @p
Add-ADGroupMember SG-Caregivers -Members howard.enos
```

Output: CN=Howard Enos,OU=Caregivers,OU=Departments,DC=cascades,DC=local, member of SG-Caregivers, temp password vaulted.

7-mailbox restoration (Graph, all HTTP 200)

```bash
# POST /directory/deletedItems/{id}/restore for each (all returned HTTP 200).
# $TOKEN = Graph app token with Directory.ReadWrite.All (assumed; not recorded in the log)
for entry in \
  "jeff.bristol=8ec8248a-46e8-4771-9220-047887928777" \
  "anna.pitzlin=06aa2955-f124-447d-8a16-cc7779aaf28f" \
  "nela.durut-azizi=84cef8a2-6988-44ea-bf20-a72fe622750d" \
  "ann.dery=103b3ac4-2302-4334-8c8e-e66d383c883d" \
  "nick.pavloff=4b46f47a-6c57-477d-bd6d-53f99324aee4" \
  "kristiana.dowse=0c501281-3e80-48e0-8a3f-e460a15df470" \
  "jodi.ramstack=b7cddbeb-6026-436b-a3aa-67c4be43e3fb"; do
  name="${entry%%=*}"; id="${entry#*=}"
  code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "https://graph.microsoft.com/v1.0/directory/deletedItems/$id/restore" \
    -H "Authorization: Bearer $TOKEN" -H "Content-Length: 0")
  echo "$name ($id) => HTTP $code"
done
# jodi.ramstack came back enabled with 1 Business Standard license — needs license removal post-shared-conversion
```

Entra Connect post-install verification

```powershell
Get-ADSyncScheduler | Select StagingModeEnabled, SyncCycleEnabled, MaintenanceEnabled
# All three returned True — staging mode confirmed, safety net in place
Start-ADSyncSyncCycle -PolicyType Initial
# Result: Success
```

WAN IP discovery (via GuruRMM on CS-SERVER)

```powershell
@("https://ifconfig.me/ip","https://api.ipify.org","https://icanhazip.com") | %{
  try { "{0,-30} {1}" -f $_, ((Invoke-RestMethod -Uri $_ -TimeoutSec 5).Trim()) }
  catch { "{0,-30} FAIL" -f $_ }
}
# ifconfig.me => 184.191.143.62
# api.ipify.org => 72.211.21.217  (different! suggested dual-WAN)
# icanhazip.com => 184.191.143.62
```

Syncro ticket creation

```bash
curl -X POST "https://computerguru.syncromsp.com/api/v1/tickets?api_key=..." -H "Content-Type: application/json" -d @ticket-payload.json
# .ticket.id = 109412123, .ticket.number = 32214
# +2 comment POSTs: visible Initial Issue + hidden private rollup
```

Configuration Changes (files created or modified)

New files (claudetools repo)

  • clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md — master plan v2 with Track A/B/C structure + drift log
  • clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-23-archived.md — old plan with archive banner
  • clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md — gate-by-gate runbook
  • clients/cascades-tucson/docs/security/risk-analysis-2026-04.md — HIPAA Risk Analysis (NIST 800-66r2 §3, ~7.5k words)
  • clients/cascades-tucson/docs/security/termination-procedures.md — workforce termination policy + IR-2026-04-24-001
  • clients/cascades-tucson/docs/servers/fax-whitelabel.md — PacketDial WhiteLabel architecture
  • clients/cascades-tucson/docs/servers/fax-packetdial-whitelabel/Screenshot 2026-04-24 *.png — 5 screenshots from Howard
  • clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md — restore + retention remediation report

New files (vault repo)

  • clients/cascades-tucson/m365-sysadmin.sops.yaml — sysadmin@ GA credentials (encrypted)
  • clients/cascades-tucson/howard-enos-pilot.sops.yaml — pilot account temp password (encrypted)

Modified

  • clients/cascades-tucson/PROJECT_STATE.md — session lock claimed, will need release

Pending / Incomplete Tasks

Blocked on external/lag

  • #14: 7-mailbox shared conversion + retention — Exchange RBAC sync lag (>5 hrs of 401). Three fallback paths documented in reports/2026-04-24-jeff-restore-ashley-access.md. Includes Jodi Ramstack license removal ($12.50/mo savings).
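The "EXO PowerShell from Howard's laptop" fallback for #14, written out as an added example (not the report's own procedure): each restored mailbox is converted to shared and hidden from the GAL, nothing is deleted, and a verification table is printed before any license is touched. Assumes the ExchangeOnlineManagement module and that the mailbox UPNs are the local parts listed in this log at cascadestucson.com (the log only gives local parts and object ids).

```powershell
# Added example, not the report's own procedure: the "EXO PowerShell" fallback for task #14.
# Preservation-first: convert to shared, hide from the GAL, never delete. Assumptions:
# ExchangeOnlineManagement module installed; mailbox UPNs are <local>@cascadestucson.com.
param(
    [string[]] $Mailboxes = @('jeff.bristol', 'ann.dery', 'anna.pitzlin', 'jodi.ramstack',
                              'kristiana.dowse', 'nela.durut-azizi', 'nick.pavloff'),
    [string] $Domain = 'cascadestucson.com',
    [switch] $WhatIf
)
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false      # interactive sign-in as a tenant admin

foreach ($local in $Mailboxes) {
    $upn = "$local@$Domain"
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "${upn}: no mailbox found; confirm the restore landed before doing anything"; continue }
    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        # Conversion keeps all content and the existing FullAccess/SendAs grants (Option C for jeff/nela).
        Set-Mailbox -Identity $upn -Type Shared -WhatIf:$WhatIf
    }
    if (-not $mbx.HiddenFromAddressListsEnabled) {
        Set-Mailbox -Identity $upn -HiddenFromAddressListsEnabled $true -WhatIf:$WhatIf
    }
}

# Verify before removing any license (e.g. jodi.ramstack's Business Standard seat): a shared
# mailbox under 50 GB needs no license, but one with an archive or a litigation hold still does.
$Mailboxes | ForEach-Object { Get-Mailbox -Identity "$_@$Domain" -ErrorAction SilentlyContinue } |
    Select-Object UserPrincipalName, RecipientTypeDetails, HiddenFromAddressListsEnabled, LitigationHoldEnabled |
    Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run with -WhatIf first; the Set-Mailbox calls print what they would change and the verification table then shows the pre-conversion state.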

Track A blockers for Monday phone test

  • Gate A2 (revised): add 184.191.143.62/32 to existing Cascades Named Location. Confirm existing all-users MFA policy state (Report-only / On). Optionally add ONE caregiver-specific compliant-device policy targeting howard.enos by UPN.
  • Gate A3: Entra App Registration for ALIS SSO — Howard creates in Entra portal, captures Directory ID + App ID + Client Secret Value. Vault these. ALIS App Store install deferred until ALIS finishes their update.
  • Gate A5: Exit Entra Connect staging mode → run sync → verify howard.enos appears in M365 as hybrid user. Assign Entra ID P2 license (unassigned seat available from Sandra Fish cleanup).
  • Gate A6: Phone enrollment via QR from CSC - Android Shared Phones profile. Sign in with howard.enos, verify no MFA prompt on Cascades Wi-Fi, verify Authenticator/Teams/ALIS sign-in flow.
  • Gate A7: Flip CA policies (existing all-users + any new caregiver policies) from Report-only to On.

AD-side prep Howard wanted to do before staging exit

  • Set-ADAccountPassword -Identity howard.enos -Reset to a memorable password
  • Set-ADUser howard.enos -Add @{proxyAddresses="SMTP:howard.enos@cascadestucson.com"} (matches G1 convention)
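A Gate A5 pre-flight for the Phase-1 sync scope, added as an example and not part of the runbook: run on CS-SERVER before exiting staging mode, it confirms staging is still on and flags any scoped user whose UPN suffix, primary SMTP proxyAddress or account state would produce a broken hybrid sign-in on Monday. The OU path and verified domains come from this log; the ActiveDirectory and ADSync modules are assumed present on the DC.

```powershell
# Added example, not part of the runbook: Gate A5 pre-flight for the Phase-1 sync scope.
# Run on CS-SERVER in an elevated PowerShell (ActiveDirectory + ADSync modules assumed present).
# OU path and verified domains are the ones recorded in this log.
param(
    [string]   $ScopeOU         = 'OU=Caregivers,OU=Departments,DC=cascades,DC=local',
    [string[]] $VerifiedDomains = @('cascadestucson.com', 'cascadestucson.onmicrosoft.com')
)
Import-Module ActiveDirectory
Import-Module ADSync

# Staging must still be on while checking; leaving it is a separate, deliberate step (the wizard).
$sched = Get-ADSyncScheduler
Write-Host ("Scheduler: Staging={0} SyncCycle={1} Maintenance={2}" -f $sched.StagingModeEnabled, $sched.SyncCycleEnabled, $sched.MaintenanceEnabled)
if (-not $sched.StagingModeEnabled) { Write-Warning 'Staging mode is already OFF: everything below is live in the tenant.' }

# Everything under the scoped OU is what the first real export will push (Phase 1 = just the pilot user).
$users    = @(Get-ADUser -SearchBase $ScopeOU -Filter * -Properties proxyAddresses, Enabled, PasswordExpired)
$problems = 0
foreach ($u in $users) {
    $issues = @()
    $suffix = ($u.UserPrincipalName -split '@')[-1]
    if (-not $u.UserPrincipalName -or $VerifiedDomains -notcontains $suffix) {
        $issues += "UPN suffix '$suffix' is not a verified tenant domain (Entra would rewrite it to .onmicrosoft.com)"
    }
    # Exactly one upper-case 'SMTP:' entry = the primary address M365 will use (G1 convention).
    $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $issues += "expected exactly 1 primary SMTP proxyAddress, found $($primary.Count)"
    } elseif ($primary[0] -ne "SMTP:$($u.UserPrincipalName)") {
        $issues += "primary SMTP '$($primary[0])' does not match the UPN"
    }
    if (-not $u.Enabled)    { $issues += 'account is disabled' }
    if ($u.PasswordExpired) { $issues += 'AD password is expired; reset it before the phone test' }

    $tag = if ($issues.Count) { 'FIX' } else { 'OK ' }
    Write-Host ("{0} {1,-16} {2}" -f $tag, $u.SamAccountName, $u.DistinguishedName)
    $issues | ForEach-Object { Write-Host "      - $_" }
    if ($issues.Count) { $problems++ }
}
Write-Host ("{0} user(s) in scope, {1} need attention before leaving staging mode" -f $users.Count, $problems)
exit $problems
```

A non-zero exit code means at least one scoped user needs the AD-side prep above (password reset or proxyAddresses) before staging mode is exited.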

ALIS-side (when their App Store comes back online)

  • Howard installs "Entra SSO" app in ALIS App Store
  • Pastes Directory ID + App ID + Secret Value into Outbound Connections
  • Howard updates his ALIS staff profile email to match Entra UPN
  • Tests SSO link triggering for his own account only

Track B (parallel, non-blocking)

  • B1: Howard asks Meredith to sign Microsoft HIPAA BAA in M365 admin center (5-min portal click)
  • B2: Howard requests ALIS BAA from support@medtelligent.com
  • B5: Audit retention decision (Purview Premium vs 7yr retention policy vs monthly Azure Blob export)
  • B6: Synology shared-login risk acceptance form for Meredith's signature
  • B7: Break-glass admin DECISION entry (current posture: two named admins, defer)
  • B8: Security Rule Implementation Register draft

Vault hygiene

  • Rotate sysadmin@cascadestucson.com password (was shared in chat)
  • Rotate Howard's ALIS admin password (was shared in chat)

Known gap in onboard-tenant.sh

  • Script does NOT assign Exchange Administrator directory role to Exchange Operator SP — it only does it for Security Investigator. Should be added so write-tier writes work without relying on Sec Inv's full_access_as_app.

Reference Information

URLs

Critical paths in repo

  • Master plan: clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md
  • Pilot runbook: clients/cascades-tucson/docs/migration/phone-sso-pilot-runbook-2026-04-24.md
  • Risk Analysis: clients/cascades-tucson/docs/security/risk-analysis-2026-04.md
  • Termination procedures: clients/cascades-tucson/docs/security/termination-procedures.md
  • Fax architecture: clients/cascades-tucson/docs/servers/fax-whitelabel.md
  • Restore + retention report: clients/cascades-tucson/reports/2026-04-24-jeff-restore-ashley-access.md
  • Project state: clients/cascades-tucson/PROJECT_STATE.md

Cron jobs (session-only, expired)

The 3 retention-retry crons (fe0046b1, 85957aab, 10cbe371) all fired during the session and stopped per their cron stop-condition after RBAC didn't propagate. No active crons at save time.

CS-SERVER agent ID in GuruRMM

6766e973-e703-47c1-be56-76950290f87c

Cascades tenant verified domains

  • cascadestucson.com (primary)
  • cascadestucson.onmicrosoft.com
  • NETORGFT4257522.onmicrosoft.com (legacy from Sandra Fish era)

Note for Mike

Massive session on Cascades 4/24-4/25. Key things you should know:

  1. Drift caught + corrected. The 4/23 master plan I wrote contained scope drift Howard called out — most notable was an injected FIDO2/YubiKey hardware recommendation across three docs that he never asked for. Rewrote as v2 with explicit drift log in Part 7. New plan is PLAN-AND-QUESTIONS-2026-04-24.md. Old plan is archived with a banner.

  2. HIPAA retention violation found and remediated. The 4/22 orphan cleanup that deleted 7 mailboxes (jeff.bristol, ann.dery, anna.pitzlin, jodi.ramstack, kristiana.dowse, nela.durut-azizi, nick.pavloff) violated §164.316(b)(2) 7-year retention. All 7 restored from soft-delete bin within day 2 of 30-day window. Termination Procedures policy now formally documents preservation-first workflow at docs/security/termination-procedures.md including incident IR-2026-04-24-001. Going forward: no terminated employee mailboxes get deleted — convert to shared, hide from GAL, retain 7 years.

  3. admin@cascadestucson.com had no role assignments. Discovered when Howard tried to use it for Entra Connect install — Azure said "not an admin." Re-promoted to Global Administrator via Graph. Cleaned residual Sandra Fish profile data (givenName, surname). Display name set to "Cascades Tenant Admin". The account was probably stripped during your earlier Sandra Fish cleanup — restoration of the GA role is intentional for redundancy with sysadmin@.

  4. Entra Connect Sync installed in staging mode on CS-SERVER 2026-04-24. PHS enabled, scope = OU=Caregivers only. Pilot account howard.enos@cascadestucson.com exists in AD ready to sync. Phone-SSO pilot target = Monday 2026-04-27.

  5. Existing CA architecture discovered. There's already a "Cascades" trusted Named Location (72.211.21.217/32) and a "Require MFA for all users" policy from 2026-02-11. The 72.211.21.217 was the mystery secondary IP from yesterday's WAN discovery — turns out Cascades has dual-WAN (primary 184.191.143.62, secondary 72.211.21.217).

  6. Syncro ticket #32214 has the full week's billable rollup as a hidden private note (~40-45 hrs estimated).

  7. Ongoing remediation backlog: 7 restored mailboxes still need shared-mailbox conversion + Jodi license removal — blocked on Exchange RBAC propagation lag (>5 hrs of HTTP 401 yesterday). Three fallback paths documented; not on the phone-pilot critical path.

Howard is keeping the lead on Cascades. Pinging you on anything that needs your call (e.g., MS BAA signing prompt to Meredith, ALIS BAA outreach, Business Premium tenant-wide PO decision).