From 1534a2f9a08462a4e01d17cb08d68131c22801fd Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Wed, 22 Apr 2026 19:47:24 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-04-22 19:47:23 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-04-22 19:47:23 --- .../docs/cloud/user-account-rollout-plan.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md index 0fd5c03..357f3dd 100644 --- a/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md +++ b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md 
@@ -153,7 +153,24 @@ Per `docs/security/hipaa-review-2026-04-22.md`. These are compliance blockers, n ### Wave 0.5 — Entra Connect / AD-M365 identity tie-in (before any account creation in Wave 1) -Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M365 drift the tenant already suffers from. Install order: +Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M365 drift the tenant already suffers from. + +**Staged enablement — each gate must pass before advancing to the next:** + +| Gate | What happens | User-visible impact | Pass criteria before advancing | +|---|---|---|---| +| **G1. AD prereq hygiene** | Renames, UPN suffix add, `proxyAddresses` populate, null-password account cleanup, former-employee deletes | None | `Get-ADUser` report shows 0 UPN mismatches vs. the M365 mailbox list; 0 enabled accounts with null `PasswordLastSet` | +| **G2. Role-account → shared mailbox conversions in M365** | Convert `accounting@`, `frontdesk@`, `hr@`, `transportation@`, etc. to shared mailboxes per `docs/cloud/m365.md` | Licensed-user count drops, frees ~11 seats | Every role-based UPN shows as shared mailbox in Exchange Admin; members are assigned | +| **G3. Connect install in STAGING MODE** | Sync engine runs, reads AD, produces preview report. **No writes to Entra.** | None | Preview shows ≥95% clean soft-matches against existing M365 users; zero unintended duplicate-creates | +| **G4. Take out of staging, directory sync ONLY (no Password Hash Sync)** | Hybrid identity appears in Entra. Passwords remain separate between AD and M365. | None — users sign in exactly as today | 48 hours stable with no new support tickets about sign-in | +| **G5. Announce + enable Password Hash Sync** | AD password hash pushes to Entra. Next Outlook / Teams / Edge launch, prompts once for password. Users enter AD password. | **ONE password prompt, once.** After that: one password for everything. 
| Zero unresolved helpdesk tickets; test user confirms PC + Outlook + OWA work on same password | +| **G6. Conditional Access policies go live in REPORT-ONLY mode** | CA evaluates every sign-in and records what WOULD have been blocked, but doesn't actually block. | None | 7–14 days of logs reviewed — zero "would have been blocked" events for legitimate users. Fix trusted-location / compliance gaps as needed. | +| **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. | +| **G8 (separate project). ALIS SSO Enterprise App registration** | "Sign in with Microsoft" option appears on ALIS login. Existing ALIS username/password keeps working during transition. | Optional new sign-in button. | N/A — rollout when ALIS support has provided federation metadata. | + +**Rollback points:** G3 through G5 all have clean reverse paths (remove from staging, disable PHS, reset individual passwords). G6/G7 CA policies can be disabled with one click. Only hard-to-reverse step is G1's AD renames — mitigated by the pre-change reg-exports/backups already in the `D:\Backups\pre-entra-connect-*` folder from the 2026-04-22 preflight remediation. + +**Original install-order prerequisites (covered by G1):** 1. **AD prereq cleanup** (no user impact — all reversible): - Rename `Tamra.Johnson` → `Tamra.Matthews`
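Review bot: The reversibility claims in this hunk contradict each other: the "Original install-order prerequisites" list labels G1 as "no user impact — all reversible", while the "Rollback points" paragraph says G1's AD renames are the only hard-to-reverse step, and neither statement covers the "former-employee deletes" and "null-password account cleanup" that G1 also performs, which are the least reversible actions in the whole plan (a deleted AD object comes back cleanly only if the AD Recycle Bin is enabled). Suggest reconciling the two statements and adding to the G1 row or the rollback paragraph either a confirmation that the Recycle Bin is enabled and the `D:\Backups\pre-entra-connect-*` exports include the to-be-deleted objects, or a disable-first-then-delete-after-G5 sequencing so nothing is destroyed before the soft-match preview in G3 has confirmed it is unreferenced. Two smaller points: the G7 pass criterion "Break-glass account confirmed working" should be preceded by a G6 criterion that the break-glass account is explicitly excluded from every CA policy while still in report-only mode, since verifying it only after the enforcement flip leaves a window with no guaranteed admin path; and "Off-site users unexpectedly on the allow-list" in the G7 impact column reads as a typo for "already on the allow-list".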