3.0 KiB
3.0 KiB
Account Health Check — barbara@bardach.net
- Date (UTC): 2026-07-03 00:25
- Trigger: MS Authenticator "behaving crazy," trouble logging in to services
- Tenant: bardach.net (
dd4a82e8-85a3-44ac-8800-07945ab4d95f) - Tooling: remediation-tool 10-point user breach check (investigator + investigator-exo tiers, read-only)
Verdict
No compromise indicators found. Account hygiene is clean. The Authenticator trouble correlates with an MFA re-registration + Windows Hello enrollment performed TODAY at ~2:20 PM local on her own office PC — verify that activity was legitimate (her or a tech).
Findings
| Check | Result |
|---|---|
| Account enabled | true; created 2020-05-24 |
| Password last changed | 2026-01-18 |
| Mail forwarding (internal/SMTP) | none |
| Inbox rules | 1 visible: "Move Graymail to folder" (INKY graymail, disabled) — benign |
| Hidden inbox rules | none |
| Mailbox delegates (non-SELF) | none |
| Send-As grants | none |
| OAuth consents | 1: zipForm Plus (Mail.Send, principal consent) — legitimate realtor software |
| App role assignments | 6 (standard) |
| Risk detections | 0 (risky-user API forbidden — no Identity Protection license) |
| Sign-in logs | unavailable — tenant has no Entra ID P1 (Graph returns NonPremiumTenant) |
| Directory audits (30d) | 3 entries, all today — see timeline |
Auth methods (6) — all consistent with Barbara
| Method | Detail |
|---|---|
| Password | rotated 2026-01-18 |
| SMS phone | +1 520-275-3867 (mobile) |
| Microsoft Authenticator | iPhone (iOS) |
| Windows Hello | BCB-OFFICE26 — created 2026-07-02 21:24 UTC (2:24 PM local, TODAY) |
| Windows Hello | LAPTOP-E5EKEJT8 — 2025-11-08 |
| Windows Hello | (blank name) — 2023-09-23, stale leftover from an old PC; candidate for cleanup |
Registered devices all known/hers: Surface-Pro (2020), BCB-Office (2023), BCB-OFFICE2023, iPhone 15 Pro Max, LAPTOP-E5EKEJT8, BCB-OFFICE26 (registered 2026-02-13).
Today's timeline (UTC)
| Time | Event | Actor |
|---|---|---|
| 21:19:49 | Update user (MFA method change) | Azure MFA StrongAuthenticationService |
| 21:24:17 | Update user (device registration) | Device Registration Service |
| 21:24:17 | Add Windows Hello for Business credential (BCB-OFFICE26) | barbara@bardach.net |
Recommendations
- Confirm the 2:19-2:24 PM changes were legitimate (Barbara or a tech at BCB-OFFICE26). If nobody did this deliberately: rotate password + revoke sessions immediately.
- If unprompted Authenticator pushes continue: remove + re-add the account in the Authenticator app on her iPhone (fixes broken registrations), confirm phone date/time is set automatically.
- Optional hygiene: delete the blank 2023 Windows Hello method.
- Visibility caveat: without Entra P1 there are no sign-in logs, so MFA-fatigue attempts cannot be ruled out from logs alone. Cheap insurance if in doubt: password rotation + session revocation.
Raw artifacts
/tmp/remediation-tool/dd4a82e8-85a3-44ac-8800-07945ab4d95f/user-breach/barbara_bardach_net/