Mike Swanson
8807b1f168
HTTP 401 'invalid_token' still persisting despite correct role assignments. All Graph API verifications pass - this is Exchange cache propagation delay. Verified working: - Exchange Administrator role assigned to Security Investigator SP - Office 365 Exchange Online app role: dc890d15-9560-4a4c-9b7f-a736ec74ec40 - Token acquisition for investigator-exo tier Timeline: - 09:05 AM: Role assigned - 09:33 AM: Still propagating (28 min elapsed) - 10:00 AM: Recommended retry (55 min) - 10:30 AM: Escalation point (85 min) Blocking: Britney Thompson litigation hold verification for HIPAA compliance. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
5.4 KiB
Exchange REST API Propagation Status - Cascades Tucson
Date: 2026-05-07 Time: 09:33 AM MST Tenant: Cascades of Tucson (207fa277-e9d8-4eb7-ada1-1064d2221498)
Current Status: PROPAGATION IN PROGRESS
Exchange REST API is still returning HTTP 401 with "invalid_token" error, despite all required permissions and roles being correctly assigned. This is a known Exchange Online propagation delay.
Verification Completed
[OK] Graph API confirms all assignments are correct:
-
Security Investigator SP (c64ee5c1-a607-46cb-81b8-42de3de98d48)
- Exchange Administrator directory role: ASSIGNED ✓
- Office 365 Exchange Online app role: ASSIGNED ✓
- App role ID: dc890d15-9560-4a4c-9b7f-a736ec74ec40 (full_access_as_app) ✓
-
Token acquisition: WORKING ✓
- investigator-exo tier token: ACQUIRED ✓
- Scope: https://outlook.office365.com/.default ✓
-
Exchange REST API access: HTTP 401 (propagation delay) ⏳
Error Details
HTTP Response:
HTTP/2 401
WWW-Authenticate: Bearer client_id="ec156f81-f23a-47bd-b16f-9fb2c66420f9",
token_types="app_asserted_user_v1 service_asserted_app_v1",
authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize",
error="invalid_token"
Analysis:
- Error "invalid_token" indicates Exchange Online hasn't recognized the new permissions yet
- This is NOT a configuration error (all Graph API checks pass)
- Typical propagation time: 15-60 minutes from role assignment
- Role was assigned: ~09:05 AM MST
- Current time: 09:33 AM MST (28 minutes elapsed)
What's Happening
Exchange Online maintains its own permission cache separate from Entra ID (Graph API). When a new service principal is assigned the Exchange Administrator role:
- Immediate: Graph API recognizes the assignment (verified ✓)
- Delayed (15-60 min): Exchange REST API propagates the permission
- Common: First attempts return HTTP 401 until cache refreshes
This is normal behavior for first-time app onboarding to a tenant.
Next Steps
Option 1: Wait and Retry (Recommended)
Retry after: 10:00 AM MST (27 minutes from now)
# Clear token cache
rm -f /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/investigator-exo.jwt
# Get fresh token
TOKEN=$(REMEDIATION_AUTH=secret bash scripts/get-token.sh 207fa277-e9d8-4eb7-ada1-1064d2221498 investigator-exo 2>/dev/null)
# Test Exchange REST API
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
"https://outlook.office365.com/adminapi/beta/207fa277-e9d8-4eb7-ada1-1064d2221498/InvokeCommand" \
-d '{"CmdletInput":{"CmdletName":"Get-Mailbox","Parameters":{"Identity":"Britney.Thompson@cascadestucson.com"}}}'
If still 401 after 10:00 AM, wait until 10:30 AM and try again.
Option 2: Manual Portal Verification (If still failing after 1 hour)
If Exchange REST API still returns 401 after 10:30 AM MST:
-
Check Entra portal:
- https://entra.microsoft.com → Roles and administrators → Exchange Administrator
- Verify "ComputerGuru - Security Investigator" is listed as a member
-
Check Conditional Access:
- Entra → Protection → Conditional Access
- Look for policies that might block service principal sign-ins
- Review "Service provider users" exclusions
-
Check Exchange Online license:
- Verify tenant has active Exchange Online licenses
- Admin center → Billing → Licenses
Blocking Issue
Britney Thompson litigation hold verification cannot proceed until Exchange REST API access works.
HIPAA Compliance Risk: Per Howard's 2026-05-06 note, this check must complete before Wave 1 caregiver rollout (§164.308(a)(3)(ii)(C) + §164.316(b)(2) requirement).
Impact:
- Cannot verify if litigation hold is enabled
- Cannot check mailbox forwarding rules
- Cannot audit inbox rules or delegate permissions
- All Exchange-based compliance checks blocked
Timeline
| Time | Event |
|---|---|
| 09:05 AM MST | App onboarding completed, Exchange Administrator role assigned |
| 09:07 AM MST | First test: HTTP 401 (expected) |
| 09:15 AM MST | Second test: HTTP 401 (still propagating) |
| 09:33 AM MST | Third test: HTTP 401 (28 min elapsed, still within normal window) |
| 10:00 AM MST | Recommended retry time (55 min elapsed) |
| 10:30 AM MST | Escalation point if still failing (85 min elapsed) |
Workaround Options (If Urgent)
If litigation hold verification is urgent and cannot wait for propagation:
-
Manual Exchange Online PowerShell:
Connect-ExchangeOnline -UserPrincipalName admin@cascadestucson.com Get-Mailbox -Identity Britney.Thompson@cascadestucson.com | Select DisplayName, LitigationHoldEnabled, LitigationHoldDate, InPlaceHolds -
Exchange Admin Center:
- https://admin.exchange.microsoft.com
- Recipients → Mailboxes
- Search: Britney Thompson
- Properties → Mailbox features → Litigation hold
-
Purview Compliance Center:
- https://compliance.microsoft.com
- Data lifecycle management → Retention
- Check if Britney's mailbox has retention policies applied
Status: Waiting for Exchange REST API propagation (normal delay). Next action: Retry after 10:00 AM MST. Escalation: If still failing after 10:30 AM MST, investigate manually via portal.