Result

Completed live Microsoft Entra remediation for unwanted/stale vendor access.

Actions completed

• Exported before-state, after-state, final verification, and remediation logs under C:\Users\SAguiar\Documents\Codex\entra_vendor_app_cleanup_20260427_164503.
• Disabled Huntress SAT SSO and removed its All Users assignment.
• Disabled all three Augmentt enterprise apps and removed Zazz assignments, delegated grants, and remaining app role assignments.
• Revoked the remaining Druva Azure Native Backup OAuth grants and app role assignments, including Application.ReadWrite.OwnedBy and AppRoleAssignment.ReadWrite.All.
• Removed the Admin assignment from Druva Azure Native Backup.
• Disabled Admin1@kylawoffice.onmicrosoft.com and revoked sign-in sessions.
• Confirmed zazzit@demandsam.com was already disabled and revoked sign-in sessions.

Final verification

• Augmentt-20251110125414: disabled, zero inbound assignments, zero OAuth grants, zero outbound app role assignments.
• Augmentt-20251110125851: disabled, zero inbound assignments, zero OAuth grants, zero outbound app role assignments.
• Augmentt-20251110135652: disabled, zero inbound assignments, zero OAuth grants, zero outbound app role assignments.
• Huntress SAT SSO: disabled, zero inbound assignments, zero OAuth grants, zero outbound app role assignments.
• Druva Azure Native Backup: enabled, zero inbound assignments, zero OAuth grants, zero outbound app role assignments.
• dcp-druva-bkp-app-17689: enabled, zero inbound assignments, zero OAuth grants, zero outbound app role assignments.
• Admin1@kylawoffice.onmicrosoft.com: disabled, sessions revoked, still listed in Global Administrator and Application Administrator because the current app-only Graph credential received 403 Forbidden when removing directory-role membership.
• zazzit@demandsam.com: disabled; no current directory role shown; sessions revoked.

Pending follow-up