sync: auto-sync from HOWARD-HOME at 2026-04-22 19:47:23
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-04-22 19:47:23
@@ -153,7 +153,24 @@ Per `docs/security/hipaa-review-2026-04-22.md`. These are compliance blockers, n
### Wave 0.5 — Entra Connect / AD-M365 identity tie-in (before any account creation in Wave 1)
Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M365 drift the tenant already suffers from. Install order:
Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M365 drift the tenant already suffers from.
**Staged enablement — each gate must pass before advancing to the next:**
| Gate | What happens | User-visible impact | Pass criteria before advancing |
|---|---|---|---|
| **G1. AD prereq hygiene** | Renames, UPN suffix add, `proxyAddresses` populate, null-password account cleanup, former-employee deletes | None | `Get-ADUser` report shows 0 UPN mismatches vs. the M365 mailbox list; 0 enabled accounts with null `PasswordLastSet` |
| **G2. Role-account → shared mailbox conversions in M365** | Convert `accounting@`, `frontdesk@`, `hr@`, `transportation@`, etc. to shared mailboxes per `docs/cloud/m365.md` | Licensed-user count drops, frees ~11 seats | Every role-based UPN shows as shared mailbox in Exchange Admin; members are assigned |
| **G3. Connect install in STAGING MODE** | Sync engine runs, reads AD, produces preview report. **No writes to Entra.** | None | Preview shows ≥95% clean soft-matches against existing M365 users; zero unintended duplicate-creates |
| **G4. Take out of staging, directory sync ONLY (no Password Hash Sync)** | Hybrid identity appears in Entra. Passwords remain separate between AD and M365. | None — users sign in exactly as today | 48 hours stable with no new support tickets about sign-in |
| **G5. Announce + enable Password Hash Sync** | AD password hash pushes to Entra. Next Outlook / Teams / Edge launch, prompts once for password. Users enter AD password. | **ONE password prompt, once.** After that: one password for everything. | Zero unresolved helpdesk tickets; test user confirms PC + Outlook + OWA work on same password |
| **G6. Conditional Access policies go live in REPORT-ONLY mode** | CA evaluates every sign-in and records what WOULD have been blocked, but doesn't actually block. | None | 7–14 days of logs reviewed — zero "would have been blocked" events for legitimate users. Fix trusted-location / compliance gaps as needed. |
| **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. |
| **G8 (separate project). ALIS SSO Enterprise App registration** | "Sign in with Microsoft" option appears on ALIS login. Existing ALIS username/password keeps working during transition. | Optional new sign-in button. | N/A — rollout when ALIS support has provided federation metadata. |
**Rollback points:** G3 through G5 all have clean reverse paths (remove from staging, disable PHS, reset individual passwords). G6/G7 CA policies can be disabled with one click. Only hard-to-reverse step is G1's AD renames — mitigated by the pre-change reg-exports/backups already in the `D:\Backups\pre-entra-connect-*` folder from the 2026-04-22 preflight remediation.
**Original install-order prerequisites (covered by G1):**
1. **AD prereq cleanup** (no user impact — all reversible):
- Rename `Tamra.Johnson` → `Tamra.Matthews`
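Review bot: The break-glass verification listed only under G7's pass criteria should be a gate that passes before G6 goes live, not after enforcement flips: the emergency-access account needs to be explicitly excluded from every Conditional Access policy and its sign-ins alerted on, otherwise a mis-scoped G7 policy locks out the same admins who would use the "one click" rollback. G6's 7–14 day review window also assumes sign-in logs are retained that long; confirm the tenant's log retention covers the full window (or export to a workspace before G6) so the "zero would-have-been-blocked" criterion is backed by complete data. Finally, the Rollback points paragraph names only G1 as hard to reverse, but G2's shared-mailbox conversions also lack a clean reverse path, since converting a shared mailbox back to a user mailbox requires reassigning a license; add G2 there. Minor: in G7's user-visible impact column, "Off-site users unexpectedly on the allow-list" reads as a typo for "already on the allow-list".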