Cascades Session Log -- 2026-05-06
User
- User: Howard Enos (howard)
- Machine: Howard-Home
- Role: tech
Summary
Three Cascades threads handled today:
- Lauren Hasselman could not create a Teams group -- diagnosed as intentional Teams Admin policy block, documented rollout + test plan
- HIPAA rollout status digest pulled together (no new fieldwork; gap reconciliation against session logs since 2026-04-22)
- John Trozzi reported "click email -> duplicate appears in inbox" -- investigated read-only via Graph + EXO, ruled out server-side cause, drafted client-action email which Howard sent
1. Lauren Hasselman Teams group creation block
User: lauren.hasselman@cascadestucson.com (Business Office Director, Business Standard licensed, account enabled, Teams service plan enabled).
What I checked (read-only Graph via Security Investigator app):
- Lauren's assignedPlans -- Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929) capabilityStatus = Enabled
- Lauren's memberOf -- no directory roles, no group memberships (normal user)
- Tenant groupSettings (Group.Unified) -- empty [] (Microsoft defaults apply)
- Group.Unified template defaults -- EnableGroupCreation=true, GroupCreationAllowedGroupId=""
- Tenant beta /settings -- no sensitivity-label gating
Conclusion: Block is NOT at the Entra/M365-Group layer. It is at the Teams Admin policy layer (CsTeamsChannelsPolicy / org-wide team creation), which is a deliberate gate consistent with m365.md issue #14 and hipaa.md finding #27 -- Teams stays off until HIPAA prerequisites clear (BAA, MFA, retention/DLP/external-sharing policies).
Output: Created docs/cloud/teams-rollout.md with prerequisites, HIPAA config checklist, canary test plan (Lauren as primary canary), and exit criteria. Linked from m365.md issue #14. Committed in 95ad40b.
2. HIPAA rollout status digest (no new fieldwork)
Reconciled hipaa.md, hipaa-review-2026-04-22.md, and session logs 04-25 through 05-05.
Top 3 active blockers (carry forward):
- Breakglass admin accounts -- design approved 04-29 (mike), 2 accounts + 2 YubiKeys + split storage; not built. Gates the CA Report-only -> On flip.
- Audit retention infrastructure -- LAW + Storage Account hybrid design approved 04-29; runbook exists; build deferred until after CA pilot. Required for breakglass sign-in alerts.
- Britney Thompson litigation hold -- C2 finding from 04-22 review never confirmed in any session log. Either it ran but was not documented, or her mailbox conversion ran without the §164.308(a)(3)(ii)(C) hold step. 5-minute Graph check pending. Howard to verify next session.
Other status: Risk Analysis DONE (04-25), Entra Connect installed in staging (04-25), MFA legacy policy live since 02-11, CA caregiver policies live in Report-only (04-30), homes share SMB encryption flipped on (04-29), implementation register and breakglass account NOT STARTED, Teams rollout NOT STARTED (just doc'd today).
3. John Trozzi duplicate-email issue
Symptom (per Howard onsite): John clicks an email and a duplicate appears in his inbox. Reproduces on three messages from Monday 2026-05-04: Vortex Doors (9:36 AM), Lauren / DirecTV (10:17 AM), UnWired Engineering / Proxess install (1:35 PM).
What I checked (read-only Graph via Security Investigator app):
| Check | Result |
|---|---|
| Inbox rules on John's mailbox | 0 -- no rules at all |
| User-object SMTP forwarding (otherMails, proxyAddresses) | None beyond primary |
| Mailbox-level forwarding / auto-replies | Disabled, no forwardingSmtpAddress |
| Search whole mailbox by internetMessageId for each of the 3 messages | Exactly 1 match each, all in Inbox folder |
| Conversation thread enumeration (in case dupes hid under a sibling conversationId) | All extra entries in those conversations resolved to John's own legitimate replies in Sent Items -- not duplicates |
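
The last two checks in the table above, as an added example that is not part of the original log or the remediation tool: it counts copies per internetMessageId and lists the other items in the same conversation so that replies are not mistaken for duplicates. The record layout, the pre-resolved `folder` field, the function name and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records. internetMessageId and conversationId are real
# Graph message properties; "folder" is a hypothetical, already-resolved
# name for parentFolderId. All IDs below are made up.
MESSAGES = [
    {"id": "m1", "internetMessageId": "<a1@example.invalid>", "conversationId": "c1", "folder": "Inbox"},
    {"id": "m2", "internetMessageId": "<a1-reply@example.invalid>", "conversationId": "c1", "folder": "Sent Items"},
    {"id": "m3", "internetMessageId": "<b2@example.invalid>", "conversationId": "c2", "folder": "Inbox"},
    {"id": "m4", "internetMessageId": "<b2@example.invalid>", "conversationId": "c2", "folder": "Inbox"},
]


def audit_duplicates(messages, target_ids):
    """Classify each target internetMessageId by how many stored copies exist."""
    by_imid = defaultdict(list)
    by_conv = defaultdict(list)
    for m in messages:
        by_imid[m["internetMessageId"]].append(m)
        by_conv[m["conversationId"]].append(m)

    report = {}
    for imid in target_ids:
        copies = by_imid.get(imid, [])
        if not copies:
            report[imid] = {"verdict": "not-found", "copies": 0, "siblings": []}
            continue
        # Other items in the same conversation(s): replies and forwards carry
        # a different internetMessageId, so they are siblings, not duplicates.
        conv_ids = sorted({m["conversationId"] for m in copies})
        siblings = [
            (m["folder"], m["internetMessageId"])
            for conv in conv_ids
            for m in by_conv[conv]
            if m["internetMessageId"] != imid
        ]
        verdict = "single-copy" if len(copies) == 1 else "server-side-duplicate"
        report[imid] = {"verdict": verdict, "copies": len(copies), "siblings": siblings}
    return report


if __name__ == "__main__":
    targets = ["<a1@example.invalid>", "<b2@example.invalid>", "<zz@example.invalid>"]
    for imid, result in audit_duplicates(MESSAGES, targets).items():
        print(imid, result)
```

A "single-copy" verdict for every reported message, with siblings only in Sent Items, is the pattern that points away from the server and toward the client.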
Side observations (not the cause, but worth noting):
- Inbox: 30,624 items / 12,817 unread (well past Outlook cached-mode comfort zone, ~50k is Microsoft's hard guidance)
- Drafts: 109 items
- Mailbox timezone: US Mountain Standard Time
Conclusion: The duplication is client-side. Server has exactly one copy of each message; nothing on John's account or in tenant config could be producing duplicates. The most likely causes, in order:
- Outlook desktop OST cache corruption (most common -- rebuild fixes it)
- Outlook "Show as Conversations" rendering glitch with broken threading
- A misbehaving Outlook add-in -- Cascades is mid-migration off Datto; a half-uninstalled Datto Workplace / EDR Outlook plugin can intercept read events and produce phantom duplicates
- Outlook client out of date
Action taken: Drafted plain-text email for Howard to send John laying out the findings + a 3-step troubleshooting flow:
- Step 1: Quit Outlook fully (verify in Task Manager) and restart
- Step 2: If persists, run outlook /safe -- if dupes stop, it is an add-in; identify and remove
- Step 3: If still dupes in safe mode, remote in to rebuild the local OST cache (~20 min)
Howard sent the email 2026-05-06.
Status: Awaiting John's results. If steps 1-2 don't clear it, queue a remote session to rebuild the OST. Side-note flagged in the email about the 30k-inbox needing a future archive cleanup conversation.
Note for Mike
Two FYIs from today:
- Britney Thompson C2 (litigation hold) is unresolved in session-log evidence. We need to verify before Wave 1 caregiver rollout that her mailbox was either (a) placed on Litigation Hold prior to conversion or (b) is still convertible (i.e. not yet harvested) so we can still apply the hold. If neither, we have a §164.308(a)(3)(ii)(C) + §164.316(b)(2) gap to document. 5-minute Graph check, not done yet.
- John Trozzi inbox cleanup is a real future ask -- 30k items / 12.8k unread. Not urgent and not the cause of today's duplicate issue, but a reasonable follow-up next time we have him on-site for something else. Worth a 30-min "let's set up an auto-archive rule" session.
Files touched today
- clients/cascades-tucson/docs/cloud/teams-rollout.md -- NEW (committed 95ad40b)
- clients/cascades-tucson/docs/cloud/m365.md -- modified, issue #14 link to teams-rollout.md (committed 95ad40b)
- clients/cascades-tucson/session-logs/2026-05-06-howard-lauren-teams-john-email-diagnostic.md -- this file
Tools used
- Remediation tool: Security Investigator app (bfbc12a4-...), Graph + EXO read scopes only. Token cached at /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/.
- No write actions taken on any tenant.
4. Cascades 4-UPS install billing -- ticket #32101 (later same day)
Closed out the long-running "Estimate - UPS/battery back ups" ticket #32101. Hardware (4x CyberPower 500v/300w UPS @ $399.99 + 1x APC UPS 1500 @ $889.99) had already been invoiced on 2026-04-03 (invoice #67341). Howard had performed the four mechanical-room installs (1st through 4th floor, each protecting that floor's UniFi switch; 1st floor also protects the phone switches); installed the larger Memory Care unit several days earlier separately.
Billed onsite labor only -- 4 installs x 0.5 hr = 2.0 hrs at product 26118 Labor - Onsite Business ($175/hr) -- against Cascades' prepay block. No emergency multiplier (regular onsite work).
- Comment posted (customer-visible)
- Timer 39053175, charged -> line item 42328604 (1.0 line, 2.0 qty, $350 total)
- Invoice #67569 created at $0 (fully covered by prepay)
- Cascades prepay: 48.5 -> 46.5 hrs (2.0 debited)
- Ticket status: Waiting for Parts -> Invoiced
Memory Care install was excluded from this billing per Howard's direction (confirmed: 4 installs, not 5).