claudetools/clients/cascades-tucson/reports/2026-04-18-tenant-inventory.md
Howard Enos d2e375df8a sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-18 10:17:42
2026-04-18 10:17:45 -07:00


Cascades Tucson — M365 Tenant Inventory Report

  • Pulled: 2026-04-18 (Howard + Claude remediation tool)
  • Tenant: cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498)
  • Access method: Microsoft Graph + Exchange REST via ComputerGuru - AI Remediation app (App ID fabb3421-8b34-484b-bc17-e46de9703418)
  • Scope: Read-only. No changes made.


TL;DR — three findings that need action

1. Business Premium is already purchased but nobody has it

| SKU | Friendly name | Enabled (prepaid) | Consumed | Status |
|---|---|---|---|---|
| SPB | M365 Business Premium | 34 | 0 | Enabled (unused) |
| O365_BUSINESS_PREMIUM | M365 Business Standard (misleading SKU name) | 0 | 33 | Warning state: 34 units in warning, 3 suspended |
| EXCHANGE_S_ESSENTIALS | Exchange Online Essentials | 0 | 6 | Suspended: 24 units |
| AAD_PREMIUM_P2 | Entra ID P2 | 1 | 0 | Enabled (unused; this is Sandra Fish's old license) |
| FLOW_FREE | Power Automate Free | 10000 | 3 | Enabled |
| STREAM | Microsoft Stream trial | 1000000 | 0 | Enabled (trial) |

What this means:

  • Cascades is already paying for 34 Business Premium licenses and none has been assigned. At the $22/user/month list price that is 34 × $22 = $748/mo of purchased product sitting idle.
  • Business Standard has expired and is in the Microsoft grace/warning window. 34 prepaid units show warning (grace before deprovision). 3 units are already suspended. If users aren't migrated to the Premium SKU before the grace window closes, they lose mailboxes and Office apps.
  • Exchange Online Essentials is fully suspended — 6 users depend on it (see below). Those mailboxes may already be in reduced-function mode.
  • The Business Premium proposal I'd been drafting (docs/proposals/m365-premium-upgrade.md) is moot — the purchase is done, just not deployed.

2. Megan Hiatt's account is under active password-guessing attack

In the last 7 days of sign-ins (167 total, sampled):

  • 54 failed sign-ins against megan.hiatt@cascadestucson.com from IP 80.94.92.102 in GB (United Kingdom)
  • All 54 failures returned error code 50053, which Entra uses for two distinct conditions: smart lockout (account locked after repeated wrong-password attempts) and "Sign-in was blocked because it came from an IP address with malicious activity". Both reasons appear in the sample, so Microsoft IP reputation is catching some of these; the FailureReason text is what tells the two apart.
  • No successful foreign sign-ins in the 7-day window (everyone's US-only for successes)

What this confirms: the phishing email Megan received on 2026-04-17 was not an isolated probe. Attackers have her address and are actively guessing passwords against it (54 attempts from a single IP against one account is brute force rather than a credential-stuffing replay of a known password). Smart lockout is doing its job, which is why the attempts keep returning 50053, and the all-users MFA policy means a guessed password alone would not get them in, provided her MFA registration is complete. Two caveats: Entra smart lockout tracks familiar locations separately, so Megan may never see a lockout from her usual devices while the attacker's IP is locked out; and nothing in a 7-day window rules out a password that was already phished, so the rotation below is still required. The attack is ongoing.
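The triage above was done by reading the sign-in log by hand. The following is an added example, not code from the report or the remediation app: a function that takes sign-in records in the shape `Get-MgAuditLogSignIn` returns (UserPrincipalName, IpAddress, Location.CountryOrRegion, Status.ErrorCode, Status.FailureReason, CreatedDateTime), groups failures by target account and source IP, splits the two meanings of error 50053 by FailureReason text, and separately lists any successful sign-in from outside the home country, which is the event that would actually mean compromise. The `$sample` records are constructed for the demo; the threshold of 10 failures is an assumption.

```powershell
function Get-SignInFindings {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $HomeCountries = @('US'),
        [int] $FailureThreshold = 10          # assumption: 10 failures from one IP is worth a finding
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Failure bursts: same target account from the same source IP, at or above threshold.
    $SignIns |
        Where-Object { $_.Status.ErrorCode -ne 0 } |
        Group-Object { '{0}|{1}' -f $_.UserPrincipalName, $_.IpAddress } |
        Where-Object { $_.Count -ge $FailureThreshold } |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object CreatedDateTime)
            $c50053  = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 50053 })
            # Same error code, two different conditions; only the FailureReason text separates them.
            $ipRep   = @($c50053 | Where-Object { $_.Status.FailureReason -match 'malicious' }).Count
            $findings.Add([pscustomobject]@{
                Type               = 'FailureBurst'
                User               = $ordered[0].UserPrincipalName
                IpAddress          = $ordered[0].IpAddress
                Country            = $ordered[0].Location.CountryOrRegion
                Failures           = $_.Count
                SmartLockouts      = $c50053.Count - $ipRep
                IpReputationBlocks = $ipRep
                FirstSeen          = $ordered[0].CreatedDateTime
                LastSeen           = $ordered[-1].CreatedDateTime
            })
        }

    # 2. Any successful sign-in from outside the home countries. This, not the failures, is the alarm.
    $SignIns |
        Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -notin $HomeCountries } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'ForeignSuccess'; User = $_.UserPrincipalName; IpAddress = $_.IpAddress
                Country = $_.Location.CountryOrRegion; Failures = 0; SmartLockouts = 0; IpReputationBlocks = 0
                FirstSeen = $_.CreatedDateTime; LastSeen = $_.CreatedDateTime
            })
        }
    return $findings
}

# Constructed sample (not real log data): 12 failures from the GB address, every 4th one
# rejected by IP reputation, then one legitimate US success six hours later.
$base   = [datetime]'2026-04-17T09:00:00Z'
$sample = @(
    foreach ($i in 1..12) {
        if ($i % 4 -eq 0) { $reason = 'Sign-in was blocked because it came from an IP address with malicious activity' }
        else              { $reason = 'Account is locked because user tried to sign in too many times with an incorrect user ID or password.' }
        [pscustomobject]@{
            UserPrincipalName = 'megan.hiatt@cascadestucson.com'; IpAddress = '80.94.92.102'
            Location = @{ CountryOrRegion = 'GB' }; CreatedDateTime = $base.AddMinutes($i)
            Status   = @{ ErrorCode = 50053; FailureReason = $reason }
        }
    }
    [pscustomobject]@{
        UserPrincipalName = 'megan.hiatt@cascadestucson.com'; IpAddress = '198.51.100.7'
        Location = @{ CountryOrRegion = 'US' }; CreatedDateTime = $base.AddHours(6)
        Status   = @{ ErrorCode = 0; FailureReason = '' }
    }
)
Get-SignInFindings -SignIns $sample |
    Format-Table Type, User, IpAddress, Country, Failures, SmartLockouts, IpReputationBlocks
```

On the sample this yields one FailureBurst row (12 failures, 9 smart lockouts, 3 IP-reputation blocks) and no ForeignSuccess row. Against the live tenant, feed it `Get-MgAuditLogSignIn -Filter "createdDateTime ge 2026-04-11T00:00:00Z" -All` from a session with AuditLog.Read.All; the 7-day window in the report is the default sign-in log retention for a tenant without P1/P2 assigned, so pull it before it rolls off.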

Action items (separate from the license work):

  • Force a password rotation on Megan's account
  • Verify her MFA method is the Authenticator app, not SMS (SMS can be SIM-swapped), and review her registered authentication methods and inbox rules for anything she did not add herself
  • Add Megan to a targeted Conditional Access policy that blocks all non-US sign-ins. No named-location policy exists in the tenant yet (see Conditional Access below), so today only the all-users MFA policy stands between a guessed password and her mailbox
  • Consider temporarily blocking IP 80.94.92.102 via a Conditional Access Named Location with grant: Block. Cheap, but low long-term value because the source will rotate; the country block above is the durable control. Note that CA is evaluated after the password check, so neither policy stops the lockout noise, only what a correct guess would lead to
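What the two Conditional Access items above look like when built, as an added example (not part of this read-only report, and not something the ComputerGuru remediation app's current scopes allow): a US country named location plus a policy that blocks the pilot user from everywhere else, created in report-only mode so the sign-in log can be checked for false positives before enforcement. Display names are assumptions; the user, the break-glass account and the attacking IP are the ones in the report.

```powershell
# Needs a delegated admin session; the app-only read scopes in the report cannot do this.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Country named location. includeUnknownCountriesAndRegions = $false means an IP that
# cannot be geolocated does NOT count as US, so it falls under the block as well.
$us = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries - US'          # assumption
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

$pilot      = Get-MgUser -UserId 'megan.hiatt@cascadestucson.com' -Property Id
$breakGlass = Get-MgUser -UserId 'sysadmin@cascadestucson.com'   -Property Id

# Scope: only the pilot user today. The admin account is excluded anyway so that
# widening includeUsers to 'All' later can never lock the MSP out of the tenant.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block non-US sign-ins (pilot: Megan Hiatt)'          # assumption
    state         = 'enabledForReportingButNotEnforced'                   # flip to 'enabled' after review
    conditions    = @{
        users        = @{ includeUsers = @($pilot.Id); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($us.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Named location $($us.Id) and policy $($policy.Id) created in report-only mode."
```

The single-IP variant from the last action item is the same policy shape with an `ipNamedLocation` (`ipRanges = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '80.94.92.102/32' })`) in `includeLocations` instead of the country exclusion. Leave the policy in report-only for a few days of Megan's normal sign-ins, check the "Report-only" tab of her sign-in entries, then set `state = 'enabled'` with `Update-MgIdentityConditionalAccessPolicy`.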

3. Intune entitlement is fully unused

| Item | Count |
|---|---|
| Intune managed devices | 0 |
| Intune compliance policies | 0 |
| Intune device configuration profiles | 0 |
| Entra-registered devices (pre-Intune) | 89 (87 Windows, 1 Android, 1 Windows non-compliant) |

Business Premium includes Intune. The 25 phones + 9 kitchen iPads + domain PCs could all be enrolled today. The 89 already-registered Entra devices could be converted to Intune-managed with policy push. Right now the MDM story is still "ManageEngine planned" (see docs/security/mdm.md) — but ManageEngine is now redundant spend once Business Premium is actually assigned.


Full tenant state

Identity / directory

  • Created: 2018-08-08
  • Country: US
  • Default domain: cascadestucson.com (has Email + Teams + Intune capabilities)
  • Initial domain: NETORGFT4257522.onmicrosoft.com (Email + Teams only)
  • No additional custom domains
  • On-premises sync: not enabled (Entra Connect planned — cloud/m365.md)
  • Directory size: 637 objects / 300,000 quota

Global / Privileged admins

| Role | Member |
|---|---|
| Global Administrator | sysadmin@cascadestucson.com (our MSP account) |

No other admin-role assignments visible. Sandra Fish's removal (2026-04-14) is confirmed; she holds no privileged role. Note that this leaves exactly one Global Administrator and no dedicated emergency-access (break-glass) account. Microsoft's guidance is at least two cloud-only emergency accounts excluded from Conditional Access; as it stands, losing the MSP account's MFA device would lock everyone out of tenant administration.

User accounts (53 total)

| Category | Count | Notes |
|---|---|---|
| Licensed member accounts | 38 | See breakdown below |
| Unlicensed member (Kitchen iPad device account) | 1 | Kitchenipad@cascadestucson.com, intentional |
| Disabled members | 7 | Former employees (Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi, Kristiana Dowse, Nick Pavloff, Stephanie Devin) + old tenant admin admin@NETORGFT4257522... |
| Guest users (external) | 7 | a.r.jensen018@gmail, Debora Morris (teepasnow.com), dunedolly21@gmail, duprasc2002@yahoo, eugenie.nicoud (helpany.com), howard@azcomputerguru.com, karenrossini7@gmail |

dunedolly21_gmail.com and eugenie.nicoud_helpany.com were NOT in the prior documentation. Worth reviewing — is eugenie.nicoud a legit business partner, or a stale invite? Same for dunedolly21. Both are enabled guests.

Licensed users — per SKU breakdown

M365 Business Standard (f245ecc8 — the expiring SKU): 33 consumed

  • Allison.Reibschied, Training@, accounting@, accountingassistant@, alyssa.brooks, ann.dery, ashley.jensen, boadmin@, christina.dupras, christine.nyanzunda, crystal.rodriguez, dax.howard, frontdesk@, hr@, jd.martin, jodi.ramstack, john.trozzi, karen.rossini, lauren.hasselman, lois.lane, lupe.sanchez, matthew.brooks, megan.hiatt, memcarereceptionist@, meredith.kuhn, ramon.castaneda, security@, sharon.edwards, susan.hicks, tamra.matthews, veronica.feller
  • accounting@ is in that list but is now a Shared Mailbox (see below). Shared mailboxes only need a license above 50 GB or with an archive/litigation hold, so reclaim this seat.
  • jodi.ramstack is also in that list even though the account was supposed to be deleted per the 2026-04-13 cleanup; it is still enabled and licensed.

Exchange Online Essentials (suspended): 6 consumed

  • fax@, medtech@, nurse@, transportation@, Britney.Thompson, Shelby.Trozzi
  • SKU is in Suspended state — these mailboxes may already be at reduced function. Migrate to SPB before they break.

Power Automate Free (no mailbox value): 3 consumed — ashley.jensen, lauren.hasselman, sysadmin

M365 Business Premium (SPB): 0 consumed out of 34 — this is the finding

Entra ID P2: 0 consumed out of 1

Shared mailboxes (6)

| Mailbox | Alias | Notes |
|---|---|---|
| accounting@cascadestucson.com | (GUID alias) | Still has Business Standard license; remove |
| anna.pitzlin@cascadestucson.com | anna.pitzlin | Former employee |
| fax@cascadestucson.com | fax | Fax-to-email |
| jeff.bristol@cascadestucson.com | jeff.bristol | Former employee |
| kristiana.dowse@cascadestucson.com | (GUID alias) | Former employee (HR-confirmed delete candidate) |
| nela.durut-azizi@cascadestucson.com | nela.durut-azizi | Former employee, forwards to lois.lane (see below) |

Mailbox inventory

| Type | Count |
|---|---|
| UserMailbox | 35 |
| SharedMailbox | 6 |
| DiscoveryMailbox | 1 (built-in, for eDiscovery) |

Mailbox auditing: Enabled on all with 90-day retention. Good.

Mailbox forwarding (external or to terminated accounts)

Only two forwards configured, both internal:

  • medtech@ → nurses@cascadestucson.com (keep copy: true): legitimate, routes med tech notifications to the clinical team
  • nela.durut-azizi@ → lois.lane@cascadestucson.com (keep copy: true): legitimate handoff after Nela left

No external forwarding at the mailbox level. Good: forwarding to an outside mailbox (typically gmail.com) is a common attacker persistence mechanism and it is not present. Caveat: this covers the ForwardingSmtpAddress/ForwardingAddress mailbox attributes only. User-created inbox rules (Get-InboxRule) that forward or redirect are the other common variant of the same persistence, and the transport-rule check further down does not cover those either.
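The check the two paragraphs above describe, widened to cover inbox rules, as an added example rather than the tool that produced this report: it classifies every mailbox-level forward and every enabled inbox-rule forward/redirect as internal, external, or aimed at a terminated account, using the tenant's accepted domains. Input objects mirror what `Get-Mailbox` and `Get-InboxRule` return; the sample mailboxes and rules are constructed to exercise each case (the gmail redirect is a made-up example of the pattern, not a finding).

```powershell
function Get-ForwardingExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Mailboxes,   # PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
        [Parameter(Mandatory)] [object[]] $InboxRules,  # MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo
        [Parameter(Mandatory)] [string[]] $AcceptedDomains,
        [string[]] $TerminatedAddresses = @()
    )
    function Classify([string] $Address) {
        # Exchange stores ForwardingSmtpAddress as "smtp:user@domain"; strip the prefix.
        $addr   = ($Address -replace '^smtp:', '').ToLowerInvariant()
        $domain = $addr.Split('@')[-1]
        if ($domain -notin $AcceptedDomains)  { return 'EXTERNAL' }        # -notin is case-insensitive
        if ($addr -in $TerminatedAddresses)   { return 'TO-TERMINATED' }
        return 'internal'
    }
    $out = [System.Collections.Generic.List[object]]::new()

    foreach ($m in $Mailboxes) {
        if ($m.ForwardingSmtpAddress) {
            $out.Add([pscustomobject]@{
                Mailbox = $m.PrimarySmtpAddress; Source = 'MailboxForwarding'; Rule = ''
                Target  = ($m.ForwardingSmtpAddress -replace '^smtp:', '')
                Class   = Classify $m.ForwardingSmtpAddress
                KeepsCopy = [bool]$m.DeliverToMailboxAndForward
            })
        }
        if ($m.ForwardingAddress) {
            # ForwardingAddress is a directory recipient; a mail contact can still point outside. Flag for a manual look.
            $out.Add([pscustomobject]@{
                Mailbox = $m.PrimarySmtpAddress; Source = 'MailboxForwarding'; Rule = ''
                Target  = [string]$m.ForwardingAddress; Class = 'internal-recipient (verify)'
                KeepsCopy = [bool]$m.DeliverToMailboxAndForward
            })
        }
    }

    foreach ($r in ($InboxRules | Where-Object { $_.Enabled })) {
        foreach ($field in 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') {
            foreach ($entry in @($r.$field)) {
                if (-not $entry) { continue }
                # Get-InboxRule renders recipients as:  "Display Name" [SMTP:user@domain]
                $addr = if ([string]$entry -match 'SMTP:([^\]]+)') { $Matches[1] } else { [string]$entry }
                $out.Add([pscustomobject]@{
                    Mailbox = $r.MailboxOwnerId; Source = "InboxRule:$field"; Rule = $r.Name
                    Target  = $addr; Class = Classify $addr
                    KeepsCopy = ($field -ne 'RedirectTo')      # RedirectTo silently diverts; nothing stays in the mailbox
                })
            }
        }
    }
    return $out
}

# Constructed sample data: the two legitimate forwards from the report, one clean mailbox,
# a hypothetical silent redirect to a consumer address, and a rule aimed at a former employee.
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'medtech@cascadestucson.com';          ForwardingSmtpAddress = 'smtp:nurses@cascadestucson.com';    ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'nela.durut-azizi@cascadestucson.com'; ForwardingSmtpAddress = 'smtp:lois.lane@cascadestucson.com'; ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'frontdesk@cascadestucson.com';        ForwardingSmtpAddress = $null;                                ForwardingAddress = $null; DeliverToMailboxAndForward = $false }
)
$rules = @(
    [pscustomobject]@{ MailboxOwnerId = 'frontdesk@cascadestucson.com'; Name = '.';       Enabled = $true; ForwardTo = $null; RedirectTo = @('"me" [SMTP:someone.example@gmail.com]'); ForwardAsAttachmentTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'hr@cascadestucson.com';        Name = 'to Anna'; Enabled = $true; ForwardTo = @('"Anna Pitzlin" [SMTP:anna.pitzlin@cascadestucson.com]'); RedirectTo = $null; ForwardAsAttachmentTo = $null }
)
Get-ForwardingExposure -Mailboxes $mailboxes -InboxRules $rules `
    -AcceptedDomains 'cascadestucson.com', 'NETORGFT4257522.onmicrosoft.com' `
    -TerminatedAddresses 'anna.pitzlin@cascadestucson.com', 'jeff.bristol@cascadestucson.com' |
    Sort-Object Class -Descending | Format-Table Mailbox, Source, Rule, Target, Class, KeepsCopy
```

On the sample, the two report forwards classify as internal, the frontdesk redirect as EXTERNAL with KeepsCopy false, and the HR rule as TO-TERMINATED. Live input comes from an Exchange Online session: `Get-Mailbox -ResultSize Unlimited` for the mailbox list and `$mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress }` for the rules; the accepted-domain list is `(Get-AcceptedDomain).DomainName`.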

Conditional Access policies (8, all enabled)

  1. Microsoft-managed: Block legacy authentication — All users / All apps / grant: Block
  2. Microsoft-managed: Require phishing-resistant MFA for admins — Admin roles / All apps
  3. Require MFA for admins — Admin roles / All apps / grant: MFA
  4. Require MFA for external and guest users — Guests/External / All apps / grant: MFA
  5. Block all legacy sign-ins that don't support MFA — All users / grant: Block
  6. Require MFA and a password change when high-risk users are detected — All users / grant: MFA + passwordChange (requires P2 to actually detect risk — currently 0 P2 assigned)
  7. Require MFA when risky sign-ins are detected — All users / grant: MFA (same — P2 required)
  8. Require MFA for all users — All users / All apps / grant: MFA

Observations:

  • Policies 6 + 7 are "Identity Protection" templates. They're enabled but toothless without P2 assignment to users.
  • No location-based policy (trusted locations / named locations) exists yet. This is the gap for the caregiver rollout story.
  • No device-compliance requirement. Adding a policy like "Grant access if compliant device" is the main reason to actually deploy Intune.

Security Defaults: Off (correct — you can't have both Security Defaults and CA policies).

Authentication methods policy

  • Enabled: FIDO2 keys, Microsoft Authenticator, SMS, Software OATH, Temporary Access Pass
  • Disabled: Voice, Email, X509 Certificate, QR Code PIN

Reasonable baseline. Consider disabling SMS in favor of Authenticator-only as a future hardening step.

Anti-phishing / Defender for Office config

Default Office 365 AntiPhish policy: enabled, but NO impersonation targets set — relies only on mailbox intelligence.

Standard Preset Security Policy (active):

  • Protected users: Megan Hiatt, John Trozzi, Meredith Kuhn, Crystal Rodriguez, Tamra Matthews (5)
  • Protected domains: cascadestucson.com, azcomputerguru.com (2)
  • Similar-user safety tips: on
  • Similar-domain safety tips: on
  • Unusual-character safety tips: on
  • User impersonation action: Quarantine
  • Domain impersonation action: Quarantine
  • Mailbox intelligence impersonation action: MoveToJmf (Junk — soft, consider upgrading to Quarantine)
  • Phish threshold: 3 (Aggressive) — fine

Confirmation: this matches Howard's 2026-04-17 email exactly. The protected-user list is ready to expand with Megan's partner list and John's pending list.

Defender for Office 365 add-ons

| Feature | State |
|---|---|
| Safe Links (Standard Preset) | Enabled: ScanUrls on, ClickThrough blocked, email tracking on |
| Safe Links (Built-in) | Enabled: ClickThrough allowed (built-in is less strict) |
| Safe Attachments (Standard Preset) | Enabled: Action = Block |
| Safe Attachments (Built-in) | Enabled |
| Safe Docs | Enabled (Office client-side scanning) |
| ATP for SharePoint/Teams/OneDrive | Enabled |
| Malware Filter (Standard Preset) | Enabled: file-type filter on |
| Malware Filter (Default) | Enabled: file-type filter off |

Note: Microsoft licenses Defender for Office 365 Plan 1 per protected user, and the preset policies above (Safe Links, Safe Attachments, impersonation protection) are the Plan 1 feature set. Business Premium (SPB) bundles Defender for Office 365 P1, so assigning SPB is what brings the tenant into licensing compliance for the users these policies cover. Until then the policies are configured but none of the users in scope holds the license they require.

Transport rules

Only one rule:

  • Fax Forward and Retain Copy — priority 0, Enforce mode, Enabled

Clean. No suspicious rules.

Intune / device state

| Metric | Value |
|---|---|
| Intune managed devices | 0 |
| Intune compliance policies | 0 |
| Intune device configuration profiles | 0 |
| Entra-registered devices (not Intune-managed) | 89 |
| Windows devices registered | 88 |
| Android devices registered | 1 |

The 89 Entra-registered devices are mostly Workplace trust type (user joined via "Add work or school account" from personal PC) — they're visible in Entra but not managed. Moving them to Intune requires enrollment.

100 service principals total. Non-Microsoft ones with user-granted OAuth:

  • Alignable (business networking)
  • BlueMail (mobile email client)
  • SaaS Alerts (looks like an MSP monitoring tool — verify whether Cascades or ACG set this up)
  • SurveyMonkey
  • Azure Static Web Apps (probably Microsoft-owned actually)
  • Microsoft Photos Services

SaaS Alerts warrants a double-check — is this us (ACG) using it for Cascades monitoring, or an old consent from a prior MSP? Search docs/ for prior mentions.

Services activated vs unused (Business Premium SKU plans)

Business Premium (SPB) includes 50+ service plans. Noteworthy:

In active use (evidence found):

  • Exchange Online Standard (mail)
  • SharePoint Standard (implied by Teams/OneDrive)
  • Teams
  • Office apps (Business Standard currently — Business Premium would replace)
  • Defender for Office 365 (ATP_ENTERPRISE) — configured but not licensed per-user yet

Provisioned / licensed but not used (becomes available once SPB is assigned):

  • Microsoft Intune (INTUNE_A, INTUNE_SMBIZ) — 0 devices enrolled
  • Microsoft Defender for Business (MDE_SMB) — endpoint EDR, 0 devices onboarded
  • Azure Information Protection Premium (RMS_S_PREMIUM) — no labels configured
  • Universal Print (UNIVERSAL_PRINT_01) — not set up
  • Microsoft Bookings (MICROSOFTBOOKINGS) — not used
  • Viva Learning, Viva Engage, Viva Insights — not set up
  • Clipchamp, Loop, Whiteboard, Bing Chat Enterprise, Mesh Avatars — not used
  • Power Virtual Agents for Office 365 (POWER_VIRTUAL_AGENTS_O365_P2) — not used (this plan is the Teams chatbot builder, not Power BI)
  • MFA Premium + Entra ID P1 (AAD_PREMIUM, MFA_PREMIUM) — CA already configured, will be properly backed once SPB assigned
  • Microsoft Defender for Cloud Apps Discovery (ADALLOM_S_DISCOVERY) — not set up
  • Exchange Archive (EXCHANGE_S_ARCHIVE_ADDON) — not configured
  • Office Shared Computer Activation (OFFICE_SHARED_COMPUTER_ACTIVATION) — relevant for Cascades' shared front-desk machines, not set up
  • Windows 11 Business entitlement (WINBIZ) — users aren't activating via their M365 account yet
  • Kaizala (KAIZALA_O365_P2) — deprecated by Microsoft, skip
  • DYN365 Business Central Invoicing (DYN365BC_MS_INVOICING) — unused

Features that are stuck "PendingActivation":

  • INTUNE_O365 — Intune for O365 (overlaps with INTUNE_A), seen in both Business Standard and Business Premium SKUs. This is a known Microsoft state — it activates when you actually use Intune.

Identity Protection / risky users

Query returned scopes missing — our ComputerGuru - AI Remediation app doesn't have IdentityRiskyUser.Read.All consented in Cascades' tenant. If Howard wants me to read risk data programmatically, the app needs that scope added and consented (admin consent URL can be generated from the skill). Or the data can be read directly from the Entra portal by Howard — it's there, just not via our app right now.

DLP policies

Query returned segment not found — the DLP endpoint moved to Purview, and our app scope doesn't include Purview read. Check manually via the compliance portal. Business Premium includes DLP (BPOS_S_DlpAddOn) so the feature is available; whether any policies are defined is unknown from this inventory pass.


What Premium unlocks that Cascades hasn't touched

Short version of the "what are we paying for" question:

| Feature | Status today | What assigning SPB + configuring unlocks |
|---|---|---|
| Intune MDM / MAM | 0 devices | Enroll 25 phones + 9 iPads + all Windows PCs; push policies, compliance, app management. Replaces ManageEngine. |
| Conditional Access (P1 backing) | Policies exist and are enforced tenant-wide, but no user holds a P1 license | Licensing compliance for CA, plus the P1 features not yet built: named-location and device-compliance grants |
| Defender for Business (EDR on endpoints) | Not onboarded | Endpoint detection and response on every Windows PC |
| Defender for Office (anti-phish etc.) | Policies configured, users unlicensed | Licensing compliance for the users the preset policies protect |
| Azure Information Protection | No labels | Sensitivity labels for PHI-tagged docs/emails |
| DLP policies | Not visible via Graph | PHI email blocking, external-send restrictions |
| Office Shared Computer Activation | Not set up | Proper Office licensing on front-desk shared PC |
| Universal Print | Not set up | Cloud-managed printing; could replace CS-SERVER print server |
| Bookings | Not set up | Tour/appointment scheduling (Sales team: Megan) |
| Viva Learning | Not set up | HIPAA training content delivery |

Leaving these as recommendations — no changes made, all documentation only:

Immediately (this week)

  1. Rotate Megan Hiatt's password and verify her MFA method is Authenticator app (active attack)
  2. Migrate licenses from expiring Business Standard to Business Premium for the 33 consumed users. Start with leadership + clinical. Standard is in warning grace — timer is running.
  3. Move 6 Exchange Online Essentials users to Business Premium too. That SKU is already Suspended.
  4. Reclaim accounting@ license — it's a shared mailbox now, doesn't need a seat.
  5. Verify jodi.ramstack status — still enabled + licensed despite 2026-04-13 cleanup plan.
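Items 2 to 4 above, and the per-SKU breakdown earlier, are one operation: swap each Business Standard and Exchange Essentials holder onto SPB, and drop the Standard seat from accounting@ without giving it Premium. The following is an added example, not the remediation tool and not something this read-only pass executed: a planner that works from `Get-MgSubscribedSku`/`Get-MgUser`-shaped objects, warns when the batch would exceed the free SPB seats, and an executor that changes nothing unless `-Apply` is passed. The `$skus`/`$users` data and the `SKU-*` ids are constructed so the planning logic runs offline; real SkuIds are resolved by SkuPartNumber at run time.

```powershell
function Get-LicenseSwapPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # UserPrincipalName, AssignedLicenses[].SkuId  (Get-MgUser shape)
        [Parameter(Mandatory)] [object[]] $Skus,    # SkuId, SkuPartNumber, ConsumedUnits, PrepaidUnits.Enabled (Get-MgSubscribedSku shape)
        [string[]] $FromSkuPartNumbers = @('O365_BUSINESS_PREMIUM', 'EXCHANGE_S_ESSENTIALS'),
        [string]   $ToSkuPartNumber    = 'SPB',
        [string[]] $RemoveOnly         = @()        # shared mailboxes etc.: drop the old SKU, add nothing
    )
    $bySku = @{}
    foreach ($s in $Skus) { $bySku[$s.SkuPartNumber] = $s }
    $to      = $bySku[$ToSkuPartNumber]
    $fromIds = @($FromSkuPartNumbers | ForEach-Object { $bySku[$_].SkuId })

    $plan = foreach ($u in $Users) {
        $held = @($u.AssignedLicenses | Where-Object { $_.SkuId -in $fromIds } | ForEach-Object { $_.SkuId })
        if ($held.Count -eq 0) { continue }
        $hasTarget = @($u.AssignedLicenses | Where-Object { $_.SkuId -eq $to.SkuId }).Count -gt 0
        if ($hasTarget -or ($u.UserPrincipalName -in $RemoveOnly)) { $add = @() } else { $add = @($to.SkuId) }
        [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; RemoveSkuIds = $held; AddSkuIds = $add }
    }
    $plan      = @($plan)
    $needed    = @($plan | Where-Object { $_.AddSkuIds.Count -gt 0 }).Count
    $available = [int]$to.PrepaidUnits.Enabled - [int]$to.ConsumedUnits
    if ($needed -gt $available) {
        Write-Warning "Plan needs $needed $ToSkuPartNumber seats but only $available are free; trim the batch or buy more first."
    }
    return $plan
}

function Invoke-LicenseSwapPlan {
    param([Parameter(Mandatory)] [object[]] $Plan, [switch] $Apply)
    foreach ($step in $Plan) {
        $desc = '{0}: remove [{1}] add [{2}]' -f $step.UserPrincipalName, ($step.RemoveSkuIds -join ','), ($step.AddSkuIds -join ',')
        if (-not $Apply) { "WOULD $desc"; continue }
        # One call does add + remove together, so the mailbox never sits unlicensed between two steps.
        # Requires User.ReadWrite.All + Organization.Read.All, and a UsageLocation set on the user.
        Set-MgUserLicense -UserId $step.UserPrincipalName `
            -AddLicenses    @($step.AddSkuIds | ForEach-Object { @{ SkuId = $_ } }) `
            -RemoveLicenses @($step.RemoveSkuIds) | Out-Null
        "DONE  $desc"
    }
}

# Constructed sample mirroring the inventory: 34 free SPB seats, Standard and Essentials exhausted.
$skus = @(
    [pscustomobject]@{ SkuPartNumber = 'SPB';                   SkuId = 'SKU-SPB'; ConsumedUnits = 0;  PrepaidUnits = @{ Enabled = 34 } }
    [pscustomobject]@{ SkuPartNumber = 'O365_BUSINESS_PREMIUM'; SkuId = 'SKU-STD'; ConsumedUnits = 33; PrepaidUnits = @{ Enabled = 0 } }
    [pscustomobject]@{ SkuPartNumber = 'EXCHANGE_S_ESSENTIALS'; SkuId = 'SKU-EXO'; ConsumedUnits = 6;  PrepaidUnits = @{ Enabled = 0 } }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'megan.hiatt@cascadestucson.com'; AssignedLicenses = @(@{ SkuId = 'SKU-STD' }) }
    [pscustomobject]@{ UserPrincipalName = 'fax@cascadestucson.com';         AssignedLicenses = @(@{ SkuId = 'SKU-EXO' }) }
    [pscustomobject]@{ UserPrincipalName = 'accounting@cascadestucson.com';  AssignedLicenses = @(@{ SkuId = 'SKU-STD' }) }   # shared mailbox: reclaim only
    [pscustomobject]@{ UserPrincipalName = 'Kitchenipad@cascadestucson.com'; AssignedLicenses = @() }                          # nothing to do
)
$plan = Get-LicenseSwapPlan -Users $users -Skus $skus -RemoveOnly 'accounting@cascadestucson.com'
Invoke-LicenseSwapPlan -Plan $plan              # dry run: prints three WOULD lines, changes nothing
# Invoke-LicenseSwapPlan -Plan $plan -Apply    # live, after Connect-MgGraph -Scopes User.ReadWrite.All,Organization.Read.All
```

For the live run, build `$skus` from `Get-MgSubscribedSku` and `$users` from `Get-MgUser -All -Property UserPrincipalName,AssignedLicenses,UsageLocation`, and check that every user in the plan has a UsageLocation, because `Set-MgUserLicense` refuses to assign to a user without one. Run the dry run first and confirm the seat count stays at or under 34 before adding `-Apply`; do leadership and clinical as the first batch, as item 2 says.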

Near-term (next two weeks)

  1. Assign the 1 available P2 license — probably to Meredith (highest-risk protected user), and request a volume add as part of the caregiver/P2 rollout
  2. Enroll pilot devices in Intune (1 phone + 1 iPad + 1 PC) — prove the path before batch
  3. Build the trusted-sender + protected-user expansion per docs/cloud/m365-impersonation-protection.md (already documented, waiting on John Trozzi's additions)
  4. Review two unexpected guests: dunedolly21@gmail.com, eugenie.nicoud@helpany.com. Keep or remove.
  5. Verify SaaS Alerts service principal is ours, not a stale consent.

Medium-term (phase 2)

  1. Caregiver account creation per docs/cloud/caregiver-m365-p2-rollout.md: 39 new licenses added (probably to 61 total Premium). The tenant already holds 34 Premium seats, so only the difference between the final total and those 34 needs to be purchased.
  2. Implement Entra Connect per cloud/m365.md Entra Connect plan
  3. Build location-based CA policy after pfSense WAN IPs are confirmed static
  4. Retire the GP-Preferences folder redirection workaround once GPO pattern is proven on Susan Hicks

Proposal / doc updates this inventory forces

  • docs/proposals/m365-premium-upgrade.md — this document's core assumption ("upgrade and save $56.50/mo") is no longer accurate. The upgrade was already purchased. The real ask is about license assignment + configuration work + possibly additional Premium licenses for caregivers. Reframe the proposal as an operational services engagement to actually deploy what's already paid for.
  • docs/cloud/m365.md — update license table. Current state shows Business Standard 34/34 but that's reading cached data; reality is Business Standard in warning, Business Premium 34/0 purchased-but-unused.
  • docs/cloud/p2-staff-candidates.md — note that Entra P2 quantity is currently 1, need volume purchase for the staff P2 rollout.
  • docs/security/mdm.md — the "Intune Shared Device Mode (requires Business Premium upgrade)" future-note is now applicable now, not future.