claudetools/clients/bg-builders/session-logs/2026-03-09-session.md
Mike Swanson fa15b03180 sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00
Synced files:
- Quote wizard frontend (all components, hooks, types, config)
- API updates (config, models, routers, schemas, services)
- Client work (bg-builders, gurushow)
- Scripts (BGB Lesley termination, CIPP, Datto, migration)
- Temp files (Bardach contacts, VWP investigation, misc)
- Credentials and session logs
- Email service, PHP API, session logs

Machine: ACG-M-L5090
Timestamp: 2026-03-10 19:11:00

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 19:59:08 -07:00


# BG Builders - Session Log 2026-03-09
## Session Summary
Lesley Roth (lesley@bgbuildersllc.com) employee disable and device wipe. Account disabled (sign-in blocked, sessions revoked), email data wipe initiated on both mobile devices, and 72-hour mail activity report generated. Account preserved (not deleted/converted to shared) per client request.
## Actions Completed
### 1. Account Disable
- **Sign-in blocked** - AccountEnabled set to False (was already False from previous termination on 2026-02-27)
- **All sessions revoked** - Confirmed via Revoke-MgUserSignInSession
- **Password reset** - Script failed with 403 (sysadmin lacks privilege), manually reset via M365 Admin Center to: `bgb-pass-reset-2026!!`
### 2. Device Email Wipe
- **iPhone 16 Pro** (iOS 26.3.1) - AccountOnlyDeviceWipePending. Active device, last synced 2026-03-09 16:23:30. Should complete on next sync.
- **iPhone 14 Pro** (iOS 18.5) - AccountOnlyDeviceWipePending. Stale device, last synced 2025-06-27. May never acknowledge.
- No Intune-managed devices found (BGB has no Intune/Business Premium)
- Wipe type: AccountOnly (removes M365 email account only, preserves personal data)
### 3. 72-Hour Mail Activity Report
- Report generated covering 2026-03-06 09:25 to 2026-03-09 09:25
- **Nothing of consequence found** - no suspicious sent/deleted mail activity
- Report saved to: `D:\ClaudeTools\scripts\bgb-lesley-mail-report-20260309.txt`
- Checked: sent messages, received messages, deleted items, inbox rules, forwarding config
### 4. Pre-existing Security Measures
- **Litigation hold** already enabled (from previous re-enable script on 2026-02-27)
- **Barry** (barry@bgbuildersllc.com) has FullAccess + SendAs on mailbox (from original termination)
- **Shelly** (Shelly@bgbuildersllc.com) has FullAccess + SendAs (from re-enable script)
## Credentials Used
### Microsoft 365 Tenant - BG Builders LLC
- **Tenant:** bgbuildersllc.com
- **Tenant ID:** ededa4fb-f6eb-4398-851d-5eb3e11fab27
- **CIPP Name:** sonorangreenllc.com
- **Admin User:** sysadmin@bgbuildersllc.com
- **Password:** Window123!@#-bgb
### Target User
- **User:** Lesley Roth
- **UPN:** lesley@bgbuildersllc.com
## Scripts Created/Modified
### New Scripts
- `scripts/bgb-lesley-disable-wipe.ps1` - Disable account + device email wipe
- `scripts/bgb-lesley-mail-report.ps1` - 72-hour mail activity report (sent/received/deleted)
- `scripts/bgb-lesley-verify-wipe.ps1` - Verify device wipe status
### Technical Notes
- `Get-MessageTrace` deprecated Sep 2025 - use `Get-MessageTraceV2` (no `-PageSize` parameter)
- `Search-MailboxAuditLog` deprecated Jan 2026 - use `Search-UnifiedAuditLog`
- Exchange Online `-Device` auth switch only works in PowerShell 7 (pwsh), not Windows PowerShell 5.1
- WAM broker auth requires a visible PowerShell window (can't run from bash/non-interactive shell)
## Current Account State
| Property | Value |
|----------|-------|
| AccountEnabled | False |
| Mailbox Type | UserMailbox |
| Litigation Hold | True |
| Licenses | Still assigned |
| Barry Access | FullAccess + SendAs |
| Shelly Access | FullAccess + SendAs |
| iPhone 16 Pro | AccountOnlyDeviceWipePending |
| iPhone 14 Pro | AccountOnlyDeviceWipePending |
## Pending/Follow-up
- Password reset needs Global Admin or check sysadmin role assignments
- iPhone 16 Pro wipe should complete soon (active device)
- iPhone 14 Pro wipe may never complete (stale since June 2025)
- Account NOT converted to shared, licenses NOT removed (per request to keep account)
- OneDrive access not addressed this session
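
The wipe follow-up items above depend on whether each device will ever sync again. As an added example (not one of the session's scripts), this PowerShell function sorts account-only wipe requests into acknowledged, waiting and stale. The function name, the 30-day threshold and the sample records are assumptions; property names follow `Get-MobileDeviceStatistics` output.

```powershell
# Added example; not bgb-lesley-verify-wipe.ps1. Function name, threshold and
# sample data are assumptions. Live input would come from:
#   Get-MobileDeviceStatistics -Mailbox <UPN>
function Get-WipeFollowUp {
    param(
        [Parameter(Mandatory)] [object[]] $Device,
        [datetime] $AsOf = (Get-Date),
        [int] $StaleDays = 30   # assumed cut-off for "stale"
    )
    foreach ($d in $Device) {
        # Days since the device last completed a sync; $null if it never did.
        $age = if ($d.LastSuccessSync) { ($AsOf - $d.LastSuccessSync).Days } else { $null }

        $action = if ($d.AccountOnlyDeviceWipeAckTime) {
            'Done: device acknowledged the account-only wipe'
        } elseif ($d.Status -ne 'AccountOnlyDeviceWipePending') {
            "Review: unexpected status '$($d.Status)'"
        } elseif ($null -eq $age -or $age -gt $StaleDays) {
            'Stale: may never acknowledge the wipe'
        } else {
            'Wait: should complete on next sync'
        }

        [pscustomobject]@{
            Device        = $d.DeviceFriendlyName
            Status        = $d.Status
            DaysSinceSync = $age
            FollowUp      = $action
        }
    }
}

# Constructed sample records using the two devices from this log.
$sample = @(
    [pscustomobject]@{
        DeviceFriendlyName = 'iPhone 16 Pro'; Status = 'AccountOnlyDeviceWipePending'
        LastSuccessSync = [datetime]'2026-03-09 16:23:30'; AccountOnlyDeviceWipeAckTime = $null
    }
    [pscustomobject]@{
        DeviceFriendlyName = 'iPhone 14 Pro'; Status = 'AccountOnlyDeviceWipePending'
        LastSuccessSync = [datetime]'2025-06-27'; AccountOnlyDeviceWipeAckTime = $null
    }
)
Get-WipeFollowUp -Device $sample -AsOf ([datetime]'2026-03-10') | Format-Table -AutoSize
```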