-
Properties
- Meeting Date: 2024-02-27
- Meeting Type: 1x1
- Note Type: Summary
- Attendees: Scott Warner; Shawn Remick
-
Meeting Summary
We aligned on a containment strategy for the corporate IT pressure around our small Azure/M365 tenant, the Festool Academy email infrastructure, and the recent phishing allegation. The core message: our tenant is intentionally minimal in scope and cost, fit for 6 total accounts with 3 interactive users on Business Basic. Granting broad access or buying E5 licenses for outside parties is not reasonable. We will respond with facts, screenshots, and message-trace data instead of granting direct access, and we will call out the broader customer service issues and the global policy constraints that are blocking the US business.
We also mapped strategic options if this escalates: push for a parent-child tenant construct, or, if forced, scope a US carve-out while maintaining shared auth and access to SAP/CRM and SSO apps like Sitecore and Salesforce. We would prefer to avoid a full separation, but we will prepare the analysis.
On internal execution, we set a near-term plan: Shawn will validate the licensing model, capture the tenant configuration, and provide message-trace evidence around the Feb 7 phishing claim and the Feb 25 window. I will convert the facts into a firm but diplomatic response, with Vera's help on tone. We will brief Amity this week.
Separately, we aligned on IT's OKR session by Friday. We agreed to keep it practical and measurable, centered on process automation and establishing baseline IT service metrics (e.g., IT CSAT). I asked Shawn to start a lightweight data pipeline with Ryan to build cradle-to-grave logistics tracking from SAP exports so we can objectively measure delays and decision points across the order lifecycle.
-
Attendee List
- Scott Warner
- Shawn Remick
-
Action Items
- Shawn - Validate Azure/M365 access/licensing constraints:
  - Can we provision read-only or admin access without assigning paid licenses?
  - Confirm MFA and email code dependencies and the practical risk tradeoffs.
- Shawn - Prepare factual packet and screenshots for our response:
  - User and mailbox counts, distribution groups, and current license SKUs and costs.
  - Message trace exports covering Feb 6-7 and extending to Feb 25 (30-day retention).
  - Summary of Festool Academy outbound email setup and use of modern auth.
  - Current secure score status, what was enabled, and why unlicensed features depress the score.
- Scott - Draft the response email to corporate IT:
  - Include scale and purpose of our tenant, the licensing rationale, and proposed alternative of screenshots/logs instead of direct access.
  - Incorporate evidence on the phishing allegation and note prior visibility that we manage Festool Academy.
  - Call out broader customer service and global policy constraints professionally. Coordinate with Vera for tone.
- Scott and Shawn - Walk Amity through the packet and draft to align on approach before sending.
- Shawn - Outline options memo on identity/tenant strategy:
  - Parent-child tenant model vs a US carve-out.
  - Impacts on SAP, CRM, Sitecore/Salesforce SSO, shared contacts/auth, and domain control/migration risks.
- Shawn - Send screenshots of mailboxes and distribution groups and note tax-system dependencies created by external send restrictions.
- Shawn - Monitor secure score refresh and capture the timing delta so we can explain any visible change dates.
- Vera and Scott - Frame the IT OKR workshop for this week; ensure our OKRs roll up to departmental goals and are measurable.
- Shawn - Propose initial measurable IT OKRs and a simple IT CSAT approach; surface prior baseline results for comparison.
- Shawn and Ryan - Start the SAP data extraction and SQL staging for logistics cradle-to-grave tracking:
  - Identify required SAP tables/CS16N extracts and timestamps for order, pick, ship, deliver, etc.
  - Confirm exact metrics and handoffs with me.
- Scott - Align with Amity on transitioning oversight of Robert, set expectations/guardrails, and clarify decision rights.
-
Relevant Timelines
- Today/tomorrow morning - Shawn to deliver the fact packet and screenshots.
- Within 24 hours - Secure score should reflect last night's control changes; document the update timing.
- Thursday or Friday - Walkthrough with Amity on the response approach and packet.
- Friday - Target to send the response email; IT OKR session due by end of week.
- Logging window - Message trace retention is 30 days; focus on events around Feb 6-7 and through Feb 25.
- This Friday - Shawn limited availability due to paramedic renewal; plan around it.
- This week - Matt Howard is out; note for communications timing.
-
Additional Notes
- Strategic posture with corporate IT:
  - We will not expand licensing or grant broad access for a 6-account Business Basic tenant with 3 interactive users; screenshots and logs suffice.
  - Secure score optics are misleading for tenants without E5; we will proactively explain that unlicensed controls depress the score.
  - If pressed, consider a parent-child identity model for visibility while keeping US autonomy. A full US carve-out is feasible but costly and high-effort, and would require clear rules for shared auth, contacts, and SSO to SAP/CRM/Sitecore/Salesforce.
- Phishing allegation:
  - Their complaint lacked specifics; our internal sending behavior appears clean.
  - We will share message-trace evidence and restate that they have long known we manage Festool Academy email.
  - Offer to help educate their team on phishing investigation basics if useful.
- Global policy friction:
  - Teams recording retention and Copilot transcription are global settings; we cannot change them regionally. Matt is now experiencing the same pain.
- Data and measurement:
  - We will spin up a pragmatic pipeline using SAP exports and SQL to quantify order lifecycle timing and remove subjectivity from logistics performance debates.
  - Reintroduce IT CSAT and build toward more quantitative IT metrics where feasible, acknowledging current limits of our ticketing platform.
- Org/relationship risks:
  - The US teams are encountering unilateral constraints and poor customer service. We will document these respectfully in the response to create executive visibility without starting a firefight.
  - If escalation is forced to the board, we will be prepared with facts, options, and cost/impact analyses. Our preference remains a collaborative path that unblocks US needs without a full separation.