Files
claudetools/clients/bardach/reports/2026-07-02-barbara-account-check.md
Mike Swanson 75f60df6a6 sync: auto-sync from GURU-5070 at 2026-07-02 17:30:07
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-07-02 17:30:07
2026-07-02 17:30:57 -07:00

3.0 KiB

Account Health Check — barbara@bardach.net

  • Date (UTC): 2026-07-03 00:25
  • Trigger: MS Authenticator "behaving crazy," trouble logging in to services
  • Tenant: bardach.net (dd4a82e8-85a3-44ac-8800-07945ab4d95f)
  • Tooling: remediation-tool 10-point user breach check (investigator + investigator-exo tiers, read-only)

Verdict

No compromise indicators found. Account hygiene is clean. The Authenticator trouble correlates with an MFA re-registration + Windows Hello enrollment performed TODAY at ~2:20 PM local on her own office PC — verify that activity was legitimate (her or a tech).

Findings

Check Result
Account enabled true; created 2020-05-24
Password last changed 2026-01-18
Mail forwarding (internal/SMTP) none
Inbox rules 1 visible: "Move Graymail to folder" (INKY graymail, disabled) — benign
Hidden inbox rules none
Mailbox delegates (non-SELF) none
Send-As grants none
OAuth consents 1: zipForm Plus (Mail.Send, principal consent) — legitimate realtor software
App role assignments 6 (standard)
Risk detections 0 (risky-user API forbidden — no Identity Protection license)
Sign-in logs unavailable — tenant has no Entra ID P1 (Graph returns NonPremiumTenant)
Directory audits (30d) 3 entries, all today — see timeline

Auth methods (6) — all consistent with Barbara

Method Detail
Password rotated 2026-01-18
SMS phone +1 520-275-3867 (mobile)
Microsoft Authenticator iPhone (iOS)
Windows Hello BCB-OFFICE26 — created 2026-07-02 21:24 UTC (2:24 PM local, TODAY)
Windows Hello LAPTOP-E5EKEJT8 — 2025-11-08
Windows Hello (blank name) — 2023-09-23, stale leftover from an old PC; candidate for cleanup

Registered devices all known/hers: Surface-Pro (2020), BCB-Office (2023), BCB-OFFICE2023, iPhone 15 Pro Max, LAPTOP-E5EKEJT8, BCB-OFFICE26 (registered 2026-02-13).

Today's timeline (UTC)

Time Event Actor
21:19:49 Update user (MFA method change) Azure MFA StrongAuthenticationService
21:24:17 Update user (device registration) Device Registration Service
21:24:17 Add Windows Hello for Business credential (BCB-OFFICE26) barbara@bardach.net

Recommendations

  1. Confirm the 2:19-2:24 PM changes were legitimate (Barbara or a tech at BCB-OFFICE26). If nobody did this deliberately: rotate password + revoke sessions immediately.
  2. If unprompted Authenticator pushes continue: remove + re-add the account in the Authenticator app on her iPhone (fixes broken registrations), confirm phone date/time is set automatically.
  3. Optional hygiene: delete the blank 2023 Windows Hello method.
  4. Visibility caveat: without Entra P1 there are no sign-in logs, so MFA-fatigue attempts cannot be ruled out from logs alone. Cheap insurance if in doubt: password rotation + session revocation.

Raw artifacts

/tmp/remediation-tool/dd4a82e8-85a3-44ac-8800-07945ab4d95f/user-breach/barbara_bardach_net/