Session log: Cascades CA bypass phased rollout + pilot user + phone re-enroll
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into 2026-04-30 early morning continuation.

Major work:

- Adopted phased per-group CA rollout (corrects original tenant-wide §5 design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com, SG-Caregivers-Pilot group, Business Premium license, vault entry pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group, CREATE 3 new Report-only policies (block off-network, block non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set, awaiting MHS to take over launcher and SDM sign-in prompt

6 new project/feedback memories. Resume point at top of new session log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,20 @@
---
name: Complete vault operations end-to-end (don't hand off the commit/push)
description: When writing a new entry to D:/vault, do the full sequence (write plaintext → sops -e -i → git add/commit/push) yourself. Don't stop at "encrypted on disk, you push it."
type: feedback
---
When the user asks to vault a credential or any new vault entry, complete the entire operation in one flow:
1. Write the plaintext yaml to `D:/vault/<path>.sops.yaml`
2. `sops -e -i <path>` to encrypt in place
3. Verify round-trip (`vault.sh get` shows correct decrypted output)
4. `git add` + `git commit` + `git push` from `D:/vault` via the Bash tool
**Why:** Howard explicitly flagged on 2026-04-29 that he doesn't understand why I'd hand off the trivial last-mile step. He has bash via Git for Windows but invokes from PowerShell, so a "run this bash one-liner" handoff costs him a context switch — and there's no privilege/risk reason to stop at "encrypted on disk." Pushing a clean SOPS-encrypted vault entry is routine, not destructive.
**How to apply:**
- Just push. Trust the encrypted blob, the round-trip verify, and the standard git workflow.
- If `git push` fails (auth, conflict, etc.), surface the error and ask — that's a real handoff. But "I created the file, you push it" is unnecessary friction.
- The LF→CRLF warning on Windows is benign for SOPS yaml — line endings on the yaml file don't affect SOPS integrity (the MAC covers values inside `ENC[...]` blobs and structural data). Don't surface it as a problem.
- Same principle applies to commits in the claudetools repo when I'm done with a discrete unit of work — don't park "you should /scc this" as a task; just do it (unless the user has explicitly said wait).
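Review bot: the integrity claim in the LF→CRLF bullet overstates what the SOPS MAC protects. The MAC is computed over the decrypted values, not over key names or document layout, so it is right that line endings do not affect it, but "structural data" should be dropped so the note does not suggest SOPS detects tampering with keys. Also, step 4 (`git add` + `git commit` + `git push`) should run only if step 2 (`sops -e -i <path>`) exited 0 and the file now carries a `sops:` metadata block; otherwise a failed encrypt pushes the plaintext credential that step 1 wrote to disk.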
@@ -0,0 +1,17 @@
---
name: Microsoft Graph CA policy reads are eventually consistent (~5s)
description: After PATCHing a CA policy (204 No Content), an immediate GET may return stale state. Wait ~5 seconds before verifying.
type: feedback
---
When PATCHing `/identity/conditionalAccess/policies/{id}` and immediately re-reading via GET, the read may return pre-PATCH state for a few seconds even though the PATCH was accepted (204).
Observed 2026-04-29 during the Cascades admin@ exclusion backfill: 7 of 8 PATCHes returned 204, but immediate verify GETs showed the old `excludeUsers` list. Re-query after `sleep 5` showed all 8 had landed correctly. No retries were needed — the PATCH had succeeded; only the read lagged.
**Why:** Microsoft Graph fronts CA policy reads through a regional cache that doesn't immediately reflect writes. Writes hit the authoritative store and return 204 right away. Reads converge after a short propagation window.
**How to apply:**
- After a CA policy PATCH that returns 204, do not treat an immediate "verify mismatch" as failure.
- Insert `sleep 3-5` (or a poll loop with a few seconds of backoff) before the verify GET.
- If verifying many policies in a batch, the simplest pattern is: do all PATCHes, sleep 5, then re-query everything once at the end.
- This applies to CA policies specifically. Other Graph endpoints (e.g., users, groups) have their own consistency characteristics — don't generalize.
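Review bot: the fixed `sleep 3-5` in "How to apply" bakes a timing guess into the procedure. Prefer a bounded poll that re-GETs the policy and compares the returned `excludeUsers`/`excludeGroups` with the value that was PATCHed, giving up after a short ceiling (30 seconds or so) and only then reporting a mismatch, so a genuinely lost write is still caught rather than assumed to be lag. The "Why" paragraph also states the regional-cache mechanism as fact when the page has a single observation behind it (7 of 8 stale reads converging after 5 seconds); mark it as the working explanation rather than a confirmed cause.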
@@ -0,0 +1,17 @@
---
name: Tenant Admin SP cannot PATCH-reset existing user passwords (app perms ≠ enough)
description: With User.ReadWrite.All app perm + no privileged directory role, Tenant Admin can CREATE a user with a password but PATCH passwordProfile on an existing user returns 403 Authorization_RequestDenied.
type: feedback
---
The ComputerGuru Tenant Admin SP (`709e6eed-0711-4875-9c44-2d3518c47063`) can create users with `passwordProfile.password` set, but cannot **reset** the password on an existing user via PATCH `/users/{id}` — returns 403 `Authorization_RequestDenied: Insufficient privileges`.
Observed 2026-04-29 in Cascades when trying to reset `pilot.test@cascadestucson.com` after the password was lost in script flow control.
**Why:** Microsoft Graph's password reset endpoint requires the caller to hold a privileged directory role (Authentication Administrator, User Administrator, or stronger), in addition to `User.ReadWrite.All` app permission. App permission alone is insufficient. Tenant Admin SP currently has Application Administrator + Cloud Application Administrator + Conditional Access Administrator — none of which grant password-reset rights. The CREATE flow is permitted under `User.ReadWrite.All` because the password is part of the create payload, not a reset.
**How to apply:**
- For new pilot/test users: print the password BEFORE doing any subsequent API call, so a flow-control failure later doesn't lose it.
- If a password rotation is needed for an existing pilot/test user: delete + recreate (cleanest), OR have a human use admin@/sysadmin@ via the portal, OR use the ComputerGuru User Manager app (separate tier with dedicated `User-PasswordProfile.ReadWrite.All` scope, designed for this).
- **Don't** add Authentication Administrator or User Administrator to Tenant Admin SP just to fix this — that broadens its blast radius unnecessarily. The User Manager app is the right tool for password operations; Tenant Admin should stay focused on directory + CA work.
- Hard-delete a freshly-created user via DELETE `/users/{id}` — the recycle bin endpoint `/directory/deletedItems/{id}` may 404 if the user wasn't soft-deleted (depends on tenant settings + age).
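Review bot: the first "How to apply" bullet ("print the password BEFORE doing any subsequent API call") trades a lost secret for one written to stdout, which in this workflow lands in the session transcript and any logging around it. The safer fix for the flow-control failure is to write the generated password straight into the vault entry (the write → `sops -e -i` → push sequence the vault memory describes) before the user-create call, so nothing depends on echo ordering. The delete-and-recreate option should also note that the recreated user gets a new object id, so group membership, licence assignment and any CA `excludeUsers`/`includeUsers` references to the old id have to be redone.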
16
.claude/memory/project_cascades_admin_accounts.md
Normal file
@@ -0,0 +1,16 @@
---
name: Cascades admin account ownership
description: Howard uses sysadmin@cascadestucson.com, Mike uses admin@cascadestucson.com — used for daily admin work, not break-glass.
type: project
---
At Cascades Tucson tenant (`207fa277-e9d8-4eb7-ada1-1064d2221498`):
- **`sysadmin@cascadestucson.com`** — Howard's working admin account (used the PIM portal click on 2026-04-28 for the CA Admin role assignment).
- **`admin@cascadestucson.com`** — Mike's working admin account.
As of 2026-04-29, neither is confirmed as cloud-only / FIDO2 / CA-excluded — Howard "doesn't think they are cloud-only." A break-glass admin still needs to be designed before the CA bypass policies go live.
**Why:** Avoid asking who owns which admin login again, and keep clear that these are *daily-driver* admin accounts, not the eventual break-glass.
**How to apply:** When discussing Cascades admin work or break-glass design, attribute correctly. Don't assume sysadmin@ or admin@ already meet break-glass criteria — verify against Graph (onPremisesSyncEnabled, authentication methods, CA exclusions) before relying on either.
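Review bot: the description says these accounts are "not break-glass", but the Option 1 decision adopted in the same commit makes `admin@` and `sysadmin@` the de-facto break-glass (excluded from all 8 existing and all 3 new CA policies), and the sentence "A break-glass admin still needs to be designed before the CA bypass policies go live" is already stale because the bypass policies were created in Report-only under this interim posture. Record both roles (daily driver and interim break-glass) so a future session does not re-open the question. The verification list in "How to apply" (onPremisesSyncEnabled, authentication methods, CA exclusions) should also include the Global Admin role assignment, since the session summary treats that as confirmed for both accounts.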
26
.claude/memory/project_cascades_ca_phased_rollout.md
Normal file
@@ -0,0 +1,26 @@
---
name: Cascades CA bypass — phased per-group rollout, NOT tenant-wide
description: Caregiver bypass CA policies are scoped to SG-Caregivers-Pilot only at start, then expanded one department at a time. Legacy all-users-MFA stays in place; we PATCH excludeGroups, never delete it during rollout.
type: project
---
The Cascades caregiver bypass CA work is a **phased rollout**, not a tenant-wide policy swap. This corrects the original §5 design in `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` and the resume-point in `2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md`, which both implied a tenant-wide cutover.
**What this means concretely:**
- New CA policies target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). They do NOT use `includeUsers: All`.
- The legacy `Require multifactor authentication for all users` policy **stays in place**. We PATCH its `excludeGroups` to add the pilot group, so existing office-staff behavior is unchanged.
- Expansion to additional populations (front desk, clinical, admin staff) happens one group at a time post-pilot — each with its own scoped policy set, each by editing `excludeGroups` on the legacy policy and adding `includeGroups` to the relevant new policies.
- The legacy all-users-MFA policy is ONLY deleted at the very end, when every population is governed by a phased policy.
**Why:** Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, #3 in the original design hit all users — would have blocked any office user signing in off-site who wasn't in `SG-External-Signin-Allowed`. The btw replay he pasted contained the correct rescoping: "Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later." Phased preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics.
**How to apply:** When building or modifying Cascades CA policies, default to group-scoped (`includeGroups`), never `includeUsers: All`. When expanding to a new department, the steps are: (1) create the department's group, (2) PATCH legacy all-users-MFA to add it to `excludeGroups`, (3) add it to `includeGroups` on the relevant new policies. Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.
**Caregiver set (the only set in scope today):**
- PATCH `Require multifactor authentication for all users`: add `SG-Caregivers-Pilot` to excludeGroups.
- CREATE `CSC - Block caregivers off Cascades network` (includeGroups: pilot, locations: not Cascades, grant: BLOCK).
- CREATE `CSC - Block caregivers on non-compliant device` (includeGroups: pilot, device filter isCompliant -eq False, grant: BLOCK).
- CREATE `CSC - Caregiver sign-in frequency 8h` (includeGroups: pilot, session control: 8h re-auth).
Note: for caregivers we use **Block** directly on non-compliant + off-network, not "Require MFA" — caregivers can't satisfy MFA (no personal device), so block is the cleaner UX. For non-caregiver populations later, MFA grants will likely be appropriate since office staff have MFA capability.
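Review bot: the `CSC - Block caregivers on non-compliant device` line keys the block on a device filter `isCompliant -eq False`, which matches only sign-ins that present a device object carrying that attribute. Before flipping to On, confirm from the Report-only sign-in logs how a sign-in from a device with no Entra device record (an unenrolled phone, a plain browser) is evaluated, and whether a negative form such as `isCompliant -ne True` is needed so the block covers the unregistered case and not only devices Intune has marked non-compliant. The "How to apply" steps also need an ordering note for the pilot-to-production swap: add the synced `SG-Caregivers` to `excludeGroups` on the legacy policy before removing `SG-Caregivers-Pilot`, otherwise pilot users fall back under the MFA requirement mid-cutover.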
15
.claude/memory/project_cascades_pilot_cleanup.md
Normal file
@@ -0,0 +1,15 @@
---
name: Cascades caregiver pilot — cleanup obligations
description: Pilot accounts (pilot.test@, howard.enos@ once synced) at Cascades must be removed at end of caregiver bypass pilot.
type: project
---
The Cascades caregiver shared-phone bypass pilot (Path B, cloud-only) is using a temporary pilot identity. Howard explicitly flagged on 2026-04-29 that **all pilot artifacts must be cleaned up** when the pilot wraps:
- **`pilot.test@cascadestucson.com`** — cloud-only test user created for the pilot. Delete (or disable + remove license) post-pilot.
- **`howard.enos@cascadestucson.com`** — Howard's eventual synced identity (won't exist as a cloud user until Entra Connect exits staging). If used during pilot validation, also clean up after.
- `SG-Caregivers-Pilot` cloud Entra group — superseded by synced `SG-Caregivers` group post-staging-exit. Remove pilot group from CA policy targets at that point; group itself can be deleted after.
**Why:** Howard explicitly flagged on 2026-04-29 that pilot accounts must not stick around — clean tenant hygiene + license recovery (Business Premium seat returned to the 34-spare pool).
**How to apply:** When the pilot validates and we transition to production rollout (synced `SG-Caregivers`), the cleanup of pilot.test, howard.enos pilot usage, and SG-Caregivers-Pilot is part of the cutover, not a separate task to forget. Surface this checklist when we get to the "flip pilot CA policies to production" step.
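Review bot: the checklist misses two artifacts the rest of this commit creates. First, the `SG-Caregivers-Pilot` entry in `excludeGroups` of the legacy `Require multifactor authentication for all users` policy: the bullet only says "remove pilot group from CA policy targets", which reads as the three new `CSC -` policies, and deleting the group while the legacy policy still references it leaves a dangling object id there. Second, the vault entry holding `pilot.test@`'s password (`pilot-test-user.sops.yaml` in the session log), which should be retired with the account. List both explicitly, and note the ordering: add the synced `SG-Caregivers` to the legacy policy's `excludeGroups` before removing the pilot group.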
@@ -8,34 +8,46 @@
## Resume point (READ THIS FIRST when picking back up)
We are on the **Cascades caregiver shared-phone bypass pilot**, Path B (cloud-only test user). Phase B Intune is fully built. Cascades named location has both WANs trusted. Phase A "Track" plan reshaped — original §5 design did not match Howard's actual goal of MFA bypass on trusted-network + compliant-device.
We are on the **Cascades caregiver shared-phone bypass pilot**, Path B (cloud-only test user). Phase B Intune is fully built. Cascades named location has both WANs trusted.
**Where we paused:** awaiting Howard's next decision after Phase B is fully populated and one phone successfully completes a real user sign-in flow to flip compliant. Outlook is being added by Howard via Managed Play.
> **UPDATE 2026-04-29 (after Howard btw — supersedes the original CA design below):**
>
> Rollout is **phased per-group, NOT tenant-wide**. The original §5 / item-5 design (delete legacy all-users-MFA, create 4 tenant-wide policies) would have blocked any office user signing in off-site who wasn't in `SG-External-Signin-Allowed`. Corrected design:
> - **PATCH** existing `Require multifactor authentication for all users` → add `SG-Caregivers-Pilot` to `excludeGroups` (legacy policy stays in place; office staff posture unchanged).
> - **CREATE** `CSC - Block caregivers off Cascades network` — includeGroups: pilot; location not Cascades → **Block**.
> - **CREATE** `CSC - Block caregivers on non-compliant device` — includeGroups: pilot; `device.isCompliant -eq False` → **Block**.
> - **CREATE** `CSC - Caregiver sign-in frequency 8h` — session control on pilot group.
> - Both `admin@` and `sysadmin@` go in `excludeUsers` on all three new policies.
> - Use **Block** directly (not "Require MFA") on non-compliant/off-network for caregivers — they have no MFA device, block is the cleaner UX.
> - **Do not delete the legacy all-users-MFA policy until every population is covered by a phased policy.**
> - Memory: `.claude/memory/project_cascades_ca_phased_rollout.md` (treat any "let's push tenant-wide" suggestion as a regression of this decision).
>
> **Break-glass posture (Option 1):** No dedicated `breakglass@` for now. `admin@` and `sysadmin@` both excluded from all 8 existing CA policies + all 3 new ones. Both stay cloud-only Global Admins. FIDO2 enrollment deferred. A real break-glass account can be added later. Memory: `.claude/memory/project_cascades_admin_accounts.md`.
>
> **Step A executed 2026-04-29:** admin@ added to `excludeUsers` on all 8 existing CA policies (matches sysadmin@'s posture). See "Step A — admin@ exclusion backfill" section below.
### What's still to do, in order
**Where we paused:** awaiting Howard's next decision after Phase B is fully populated and one phone successfully completes a real user sign-in flow to flip compliant. Outlook has been added in the portal — pending sync, then assignment + MHS update.
1. Howard finishes Outlook add (Managed Play), then sync and tell me. I'll assign it + add to MHS visible apps (currently ALIS + Teams; will become ALIS + Teams + Outlook).
2. Howard adds LinkRx + Helpany web apps in Intune portal when he has the URLs.
3. Pilot user + cloud group (Path B):
- Create cloud-only Entra group `SG-Caregivers-Pilot`
- Create cloud-only test user (or use an existing cloud user; Howard's `howard.enos` cloud account doesn't exist yet because Entra Connect is in staging)
- License test user with Business Premium (one of 34 spare seats)
- Add user to `SG-Caregivers-Pilot`
4. **Break-glass admin** — design + create. Need: cloud-only Global Admin, FIDO2 (Howard has 1 YubiKey), excluded from all CA, vaulted password, sign-in alerts. Pre-flight before CA changes.
5. New CA bypass policies (corrected design — see §"CA design correction" below):
- DELETE `Require multifactor authentication for all users` (existing)
- CREATE `CSC - Require MFA off Cascades network` (all users, location not Cascades → require MFA)
- CREATE `CSC - Require MFA on non-compliant device` (all users, device.isCompliant -eq False → require MFA)
- CREATE `CSC - Block off-network unless allow-listed` (all except `SG-External-Signin-Allowed` and break-glass, location not Cascades → block)
- CREATE `CSC - Sign-in frequency 8h` session control on `SG-Caregivers-Pilot` (and later SG-Caregivers)
6. Stage all new CA in **Report-only** for 24-48h, review logs, fix gaps, then flip to On.
7. Phone enrollment dry-run with the pilot user → expect no MFA on Cascades Wi-Fi + compliant device, expect block off-network.
### What's still to do, in order (revised 2026-04-29)
1. **Outlook** — already added in portal by Howard. Once it shows up via Graph beta, assign to `Cascades - Shared Phones` and PATCH `kioskModeApps` to add Outlook alongside ALIS + Teams.
2. Howard adds LinkRx + Helpany web apps in Intune portal when Cascades sends URLs.
3. **Pilot user + cloud group (Path B — confirmed):**
- Create cloud-only test user `pilot.test@cascadestucson.com` (Howard's `howard.enos` cloud account doesn't exist yet — Entra Connect is in staging).
- Create cloud-only Entra group `SG-Caregivers-Pilot`.
- License `pilot.test@` with Business Premium (one of 34 spare seats).
- Add user to `SG-Caregivers-Pilot`.
- **Cleanup commitment:** `pilot.test@` and `SG-Caregivers-Pilot` are removed at end of pilot. Memory: `.claude/memory/project_cascades_pilot_cleanup.md`.
4. **Break-glass:** deferred. `admin@` + `sysadmin@` exclusion (Step A) is the interim posture.
5. **New CA policies** — see UPDATE block above for the correct design. Stage in **Report-only** initially, assigned only to `SG-Caregivers-Pilot`, both admins excluded.
6. After 24-48h Report-only and pilot phone test sign-in, flip to On.
7. Phone enrollment dry-run with pilot user → expect no MFA on Cascades Wi-Fi + compliant device, expect block off-network.
### Decisions still pending
- Pilot user identity (create new `pilot.test@` vs use existing cloud user)
- Audit retention: deferred — Azure pay-as-you-go subscription still needs Howard or Mike billing call
- Whether to backfill `onboard-tenant.sh` against other already-onboarded tenants for the new CA Admin + Policy.Read.All (script now handles this idempotently when re-run; just needs a re-run per tenant)
- Audit retention: deferred — Azure pay-as-you-go subscription still needs Howard or Mike billing call.
- Whether to backfill `onboard-tenant.sh` against other already-onboarded tenants for the new CA Admin + Policy.Read.All (script now handles this idempotently when re-run; just needs a re-run per tenant).
- FIDO2 enrollment timing for `admin@`, `sysadmin@`, and any future dedicated break-glass.
---
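Review bot: this hunk leaves "Decisions still pending" with entries the same commit resolves or duplicates. "Pilot user identity (create new `pilot.test@` vs use existing cloud user)" is settled by the pilot.test@ creation described elsewhere in the commit, and the audit-retention and `onboard-tenant.sh` items each appear twice (once with and once without a trailing period), which reads as a copy left behind during the rewrite; drop the resolved item and one copy of each duplicate. Check also that only one "What's still to do, in order" list survives in the file: the older list still carries step 5 "DELETE `Require multifactor authentication for all users`", which the UPDATE block above it explicitly forbids.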
@@ -213,6 +225,8 @@ Get-SmbShare -Name homes | Select Name,EncryptData
## CA design correction (revised from `user-account-rollout-plan.md` §5)
> **[SUPERSEDED — see UPDATE block at top of file. The table below was a tenant-wide design that would have blocked off-site office users. Phased per-group rollout is the corrected approach. Memory: `project_cascades_ca_phased_rollout.md`. Kept here for historical record only.]**
Existing all-users MFA policy is `enabled` not Report-only. Original §5 design said "block off-site, require MFA on-site" — that conflicts with Howard's actual goal of bypass on-site + compliant. Corrected design (deferred for build until break-glass exists):
| # | Name | Users | Conditions | Grant |
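Review bot: the paragraph under the SUPERSEDED banner still ends "Corrected design (deferred for build until break-glass exists):" while introducing the very table the banner marks as superseded, so a reader skimming for the current design finds two things called "corrected". Reword it to "Original (superseded) design" with a pointer to the UPDATE block, and consider wrapping the retained table in the same `>` quote as the banner so the whole section reads as history.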
@@ -0,0 +1,248 @@
# 2026-04-30 — Cascades caregiver bypass: phased CA design + admin exclusion + pilot user + 3 Report-only policies + phone wipe & re-enroll
## User
- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME
- **Role:** tech
- **Session span:** 2026-04-29 evening into 2026-04-30 early morning (continuation of 2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout)
## Resume point (READ THIS FIRST when picking back up)
The pilot phone is mid-enrollment after a wipe-and-re-enroll cycle. Howard has set the device PIN; the phone is showing "Syncing policies" while CloudDPC pulls the app payload from Managed Play. **Next session resumes there.**
### What's still to do, in order
1. **Wait for MHS to take over launcher** on the pilot phone. Once apps install (5-15 min from PIN-set), MHS becomes the kiosk launcher and shows the 5 caregiver apps (ALIS, Teams, Outlook, Helpany, LinkRx). One UI / Samsung default launcher should disappear.
2. **SDM sign-in prompt appears.** Sign in as `pilot.test@cascadestucson.com` with the password from `clients/cascades-tucson/pilot-test-user.sops.yaml`. Expected: password-only sign-in, NO MFA prompt (bypass working — pilot group is excluded from legacy all-users-MFA).
3. **Compliance flips to compliant** within ~5 min of sign-in (PIN check satisfied + Authenticator SDM registers pilot.test as the active shared-device user).
4. **Watch sign-in logs for 24-48h** to validate Report-only policies (`CSC - Block caregivers off Cascades network`, `CSC - Block caregivers on non-compliant device`, `CSC - Caregiver sign-in frequency 8h`) are firing as expected on the pilot user.
5. **Flip Report-only → On** when satisfied — three PATCHes in one batch.
6. **WiFiman cleanup** — Howard removing manually from tenant.
### Decisions still pending
- FIDO2 enrollment timing for `admin@`, `sysadmin@`, and any future dedicated break-glass account.
- When/whether to add a dedicated `breakglass@` (currently sysadmin@ + admin@ are the de-facto break-glass under Option 1).
- Audit retention 6yr — still deferred pending Azure pay-as-you-go subscription decision.
---
## Session Summary
This session continued the 2026-04-29 caregiver shared-phone CA bypass pilot work after Howard interrupted with a btw replay correcting the original CA design. The original §5 design from `user-account-rollout-plan.md` was tenant-wide (`includeUsers: All` on policies 1-3) and would have blocked any office user signing in off-site who was not in `SG-External-Signin-Allowed` — a regression. Adopted the corrected design: phased per-group rollout scoped to `SG-Caregivers-Pilot` only. Legacy "Require multifactor authentication for all users" stays in place; its `excludeGroups` is PATCHed to remove the pilot group from scope. Office-staff posture unchanged. Saved to memory as `project_cascades_ca_phased_rollout` to prevent the design drifting back tenant-wide in future sessions.
After audit, both `admin@` (Mike's) and `sysadmin@` (Howard's) were already cloud-only Global Admins. `sysadmin@` was excluded from all 8 existing CA policies; `admin@` was in scope on 7 of 8. Howard chose Option 1 — mirror `sysadmin@`'s exclusion posture onto `admin@` now, defer FIDO2 and dedicated break-glass for later. Step A executed: PATCHed `admin@` into `excludeUsers` on all 8 existing CA policies, preserving the `GuestsOrExternalUsers` sentinel on policies that had it. Microsoft Graph CA policy reads have a ~5-second eventual-consistency window — initial verify-after-PATCH GETs returned stale state but the PATCHes had landed. Saved as feedback memory.
Outlook (added by Howard via Managed Play earlier in the day) was assigned to `Cascades - Shared Phones` group with intent `required` and added to the MHS kiosk app list alongside ALIS and Teams. Helpany (`https://app.helpany.com/login`) and LinkRx (`https://pharmcare.linkrxnow.com/`) were created as web apps, assigned to the same group, and added to the MHS kiosk. Final caregiver dashboard: ALIS, Microsoft Teams, Microsoft Outlook, Helpany, LinkRx. The pilot user `pilot.test@cascadestucson.com` was created cloud-only via the Tenant Admin SP, licensed with Business Premium (33 of 34 SPB seats free pre-pilot), and added to the new cloud-only group `SG-Caregivers-Pilot`. The first user creation lost the password to a script flow-control failure; an attempted PATCH-reset returned 403 because the Tenant Admin SP lacks a privileged directory role for password resets. Resolved by deleting and recreating the user with the password echoed up front. Vault entry written, encrypted, committed, and pushed end-to-end.
Built the four CA changes: PATCHed legacy all-users-MFA to exclude `SG-Caregivers-Pilot`, then created three new policies in Report-only — block caregivers off Cascades network, block caregivers on non-compliant device, and 8-hour sign-in frequency. Both admin accounts excluded from all three. Side discovery during the legacy PATCH: that policy already had `excludeLocations: ['AllTrusted']` as a pre-existing tenant condition, meaning office staff already bypass MFA on Cascades trusted networks today. The pilot phone enrollment then went sideways twice — first on a saved QR (phone enrolled into a stuck partial dedicated mode, all custom policies state=unknown after hours and a reboot), and recovery required an Intune wipe + re-enroll with a fresh QR. Howard had to do normal Android setup first to update to Android 15 (Samsung FRP requirement), then factory reset, then scan from the welcome screen. Re-enrollment succeeded cleanly: new device record, all custom policies applied (compliance evaluated to nonCompliant pending PIN, restrictions and Wi-Fi compliant), device confirmed in the dynamic group. Howard set the PIN and the session ended with the phone showing "Syncing policies."
## Key Decisions
- **Phased per-group rollout, NOT tenant-wide cutover.** Original §5 design would have collateral-damaged off-site office users. Corrected to `includeGroups: SG-Caregivers-Pilot` everywhere; legacy all-users-MFA stays in place via `excludeGroups` PATCH. Each future population gets the same per-group treatment when we expand. Memorialized in `project_cascades_ca_phased_rollout` to prevent regression.
- **Option 1 break-glass posture: no dedicated breakglass yet.** Mirror `sysadmin@`'s exclusion posture onto `admin@` so both daily-driver Global Admins are excluded from all 8 existing CA policies and all 3 new ones. FIDO2 deferred — Howard or Mike can enroll the YubiKey later. A real dedicated `breakglass@` can be added later if needed. Constraint: `admin@` and `sysadmin@` must always be able to sign in off-site without interference, which exclusion-everywhere guarantees.
- **Block grant directly for caregivers, not Require MFA.** Caregivers have no personal device for MFA, so an MFA prompt they cannot satisfy is a worse UX than a clean block message. Future expansion to office staff will likely use MFA grants since office staff have MFA capability.
- **All three new caregiver policies in Report-only at creation.** Logs what would have happened during the validation window without enforcing. `CSC - Caregiver sign-in frequency 8h` (session control) is also Report-only — flips to On together with the other two.
- **Do NOT delete legacy all-users-MFA until full phased rollout completes.** Each new population gets added to its `excludeGroups` as it's onboarded. Only at the end of phased rollout (every population covered by a phased policy) does the legacy policy get deleted. This is the explicit anti-regression rule from the corrected design.
- **Delete-and-recreate the pilot user instead of granting Tenant Admin SP password-reset role.** Tenant Admin SP can create users with passwords but cannot PATCH-reset existing user passwords (returns 403 — needs Authentication Administrator or User Administrator role). Granting that role broadens the SP's blast radius unnecessarily. The User Manager app (separate tier with the right scopes) is the right tool for password operations going forward.
- **Wipe + re-enroll the stuck pilot phone instead of waiting longer.** First enrollment attempt was stuck (all custom policies `state=unknown` after hours and a reboot) despite Intune metadata showing dedicated device mode. Cleanest path forward is destruction + clean enrollment, not deep diagnosis. Wipe via Graph then fresh QR scan resolved it cleanly.
- **Complete vault operations end-to-end (Howard feedback).** When writing a new vault entry, do the full sequence (write → encrypt → commit → push) yourself; do not stop at "encrypted on disk, you push it." LF→CRLF Git warning on Windows is benign for SOPS yaml. Saved as feedback memory.
## Problems Encountered
- **Original CA design was tenant-wide and would have broken off-site office sign-ins.** Howard caught this with a btw replay before any tenant-wide policies were built. Switched to phased per-group rollout. No production impact.
- **Microsoft Graph CA policy reads are eventually consistent.** Verify-after-PATCH GETs returned stale state for all 7 of 8 policies despite 204 PATCHes succeeding. A 5-second sleep before re-reading made the verify pass cleanly. Saved as feedback memory `feedback_graph_ca_policy_eventual_consistency` so future agents don't chase the same false-positive.
- **Tenant Admin SP cannot PATCH-reset existing user passwords (403 Authorization_RequestDenied).** Lost a generated pilot password to script flow-control before it was echoed. Resolved by deleting + recreating the user, this time echoing the password up front. Saved as feedback memory `feedback_graph_password_reset_requires_role`.
- **First pilot phone stuck after enrollment.** All custom policies state=unknown for hours, zero apps detected, MHS not taking over launcher despite Intune showing `androidEnterpriseDedicatedDevice`. Likely partial dedicated mode from a stale saved QR + residual setup state. Resolved by remote wipe (`POST /managedDevices/{id}/wipe`) + factory reset + fresh QR from the portal.
|
||||
- **Samsung FRP / OS update gating dedicated re-enrollment.** Phone needed Android 15 before dedicated mode would re-take cleanly. Howard had to do normal setup first to pull the OS update, then factory reset and re-scan from the literal welcome screen.
|
||||
- **Bash-in-PowerShell friction.** Howard cannot directly run `bash` from PowerShell. The trivial last-mile commit step on the vault repo had been handed off to him unnecessarily. Saved feedback memory `feedback_complete_vault_operations_end_to_end` — write + encrypt + commit + push the vault repo end-to-end going forward.
|
||||
- **Ollama qwen3:14b hallucinated a different Cascades session during the /save narrative draft.** Returned content about Entra Connect Sync setup, mailbox restoration, and Syncro ticket creation — none of which were in the prompt. Falled back to Claude-direct narrative writing per the skill's documented fallback. Tier 0 routing remains usable for shorter prose tasks but the qwen3 model demonstrably mixes context across prior Cascades work when the prompt is long. Worth a future test of qwen3-coder:30b or stricter prompting if /save Tier 0 routing is to be relied on.
|
||||
|
||||
---
|
||||
|
||||
## Configuration Changes

### Cascades tenant (`207fa277-e9d8-4eb7-ada1-1064d2221498`)

- **All 8 existing CA policies** — `excludeUsers` now contains both `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8` (sysadmin@) and `e20f7f21-757a-48cd-bb24-7bdeeb1497d0` (admin@). `GuestsOrExternalUsers` sentinel preserved on the 3 policies that had it. Affected policies:
  1. Microsoft-managed: Block legacy authentication (`ed1fe97a-9d99-408c-ae18-139d42f41803`)
  2. Microsoft-managed: Require phishing-resistant multifactor authentication for admins (`1be9295c-b23b-42ac-80a3-888eeb2003de`)
  3. Require MFA for admins (`3154dc8f-7321-42c9-adf4-a2517944a92c`)
  4. Require MFA for external and guest users (`49acf60d-3159-4ac9-8d48-35aa249e3209`)
  5. Block all legacy sign-ins that don't support MFA (`0a16bb5c-c7d2-4942-aa2a-b0551b872933`)
  6. Require MFA and a password change when high-risk users are detected (`9f123001-a95f-4e50-9860-4dd2254cccad`)
  7. Require MFA when risky sign-ins are detected (`76f1dd72-4003-4984-bb4a-6fcead072c2c`)
  8. Require multifactor authentication for all users (`7e87a1c7-4836-49df-8769-c4cccadd9dbe`)

- **Legacy `Require multifactor authentication for all users`** (id `7e87a1c7-4836-49df-8769-c4cccadd9dbe`) — `excludeGroups` now contains `SG-Caregivers-Pilot` (`0674f0bc-6ff4-49c7-802d-2abf591ba371`). State remains `enabled`. Pre-existing `excludeLocations: ['AllTrusted']` preserved.

- **NEW CA policy `CSC - Block caregivers off Cascades network`** (id `e35614e1-e896-4a13-9407-076963af488f`) — Report-only, includeGroups=SG-Caregivers-Pilot, excludeUsers=[admin@, sysadmin@], locations: include All exclude Cascades named loc (`061c6b06-b980-40de-bff9-6a50a4071f6f`), grant=BLOCK.

- **NEW CA policy `CSC - Block caregivers on non-compliant device`** (id `ede985e2-ee7e-4521-88b2-34c847c3db20`) — Report-only, includeGroups=SG-Caregivers-Pilot, excludeUsers=[admin@, sysadmin@], deviceFilter `device.isCompliant -eq False`, grant=BLOCK.

- **NEW CA policy `CSC - Caregiver sign-in frequency 8h`** (id `7d491c7a-ad90-4420-9990-40a1e676a76c`) — Report-only, includeGroups=SG-Caregivers-Pilot, excludeUsers=[admin@, sysadmin@], sessionControls.signInFrequency `{value: 8, type: hours, authenticationType: primaryAndSecondaryAuthentication, isEnabled: true}`.

- **NEW Entra group `SG-Caregivers-Pilot`** (id `0674f0bc-6ff4-49c7-802d-2abf591ba371`) — cloud-only, security-enabled, mail-disabled, mailNickname=`SG-Caregivers-Pilot`. One member: `pilot.test@cascadestucson.com`.

- **NEW user `pilot.test@cascadestucson.com`** (id `43919c7b-638c-4d38-9f94-89c1d07ce724`) — cloud-only (`onPremisesSyncEnabled: None`), displayName "Pilot Test (Caregiver Bypass)", usageLocation US, accountEnabled true, forceChangePasswordNextSignIn false, licensed with Business Premium SPB SKU (`cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`). Member of `SG-Caregivers-Pilot`. Cloud-only test identity for the caregiver bypass pilot. **Cleanup obligation: remove at end of pilot per `project_cascades_pilot_cleanup` memory.** Password vaulted at `clients/cascades-tucson/pilot-test-user.sops.yaml`.

- **NEW mobileApp `Microsoft Outlook`** (Managed Play, id `6920b747-9b07-49d2-b420-67116d38f0b8`) — assigned to `Cascades - Shared Phones` group (id `ea96f4b7-3000-45da-ab1f-ddb28f509526`) with intent=required. Added to MHS `kioskModeApps` array.

- **NEW mobileApp `Helpany`** (webApp, id `97c294de-03ec-4053-b272-a4c956e408e9`, appUrl `https://app.helpany.com/login`) — assigned required to shared-phones group, added to MHS kiosk.

- **NEW mobileApp `LinkRx`** (webApp, id `e4157faf-c47d-443d-96b3-59d7c4ba9ac2`, appUrl `https://pharmcare.linkrxnow.com/`) — assigned required to shared-phones group, added to MHS kiosk.

- **`CSC - Android Shared Phones Restrictions`** (id `070a76c2-a8c3-4f7f-9ba7-1f4ac5084184`) — version bumped to 6. `kioskModeApps` array now contains 5 entries: ALIS, Microsoft Teams, Microsoft Outlook, Helpany, LinkRx. All other settings preserved from earlier session.

### Pilot phone (SM-A146U serial `R9TTC0JSDPJ`)

- **Wipe issued** via `POST /managedDevices/c94e8086-81b8-4a2c-a86a-6bbf677cb72a/wipe` with `keepEnrollmentData: false, keepUserData: false`. Old Intune device record removed.
- **Re-enrolled** as new Intune device record (id `1207c415-5a82-41a9-9bfd-eb37c0d680eb`). Now Android 15 (auto-updated during the Howard-driven OS update step), `deviceEnrollmentType: androidEnterpriseDedicatedDevice`, `ownerType: company`, `enrollmentProfileName: CSC - Android Shared Phones`, `managementAgent: googleCloudDevicePolicyController`, `complianceState: noncompliant` (PIN now set, will re-evaluate on next sync). Confirmed in `Cascades - Shared Phones` dynamic group (3 of 3 members).

### Vault (D:/vault, repo `azcomputerguru/vault`)

- **NEW `clients/cascades-tucson/pilot-test-user.sops.yaml`** — pilot.test credential entry. Encrypted with both age recipients per `.sops.yaml`. Committed and pushed (commit `b987410`, range `73de020..b987410`).

### claudetools repo (memory + session log additions)

Memory files added (will land in this session's commit):

- `.claude/memory/project_cascades_admin_accounts.md`
- `.claude/memory/project_cascades_pilot_cleanup.md`
- `.claude/memory/project_cascades_ca_phased_rollout.md`
- `.claude/memory/feedback_graph_ca_policy_eventual_consistency.md`
- `.claude/memory/feedback_graph_password_reset_requires_role.md`
- `.claude/memory/feedback_complete_vault_operations_end_to_end.md`

Session log updates:

- `clients/cascades-tucson/session-logs/2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md` — UPDATE block at top of resume-point + `[SUPERSEDED]` marker on the original CA design correction table.
- `clients/cascades-tucson/session-logs/2026-04-30-howard-cascades-ca-rollout-and-phone-reenroll.md` — this file.

---

## Commands & Outputs

### admin@ exclusion backfill on 8 CA policies

```python
# Pseudocode of the loop (full script ran via py heredoc)
for policy in graph_get('/v1.0/identity/conditionalAccess/policies').value:
    users = policy.conditions.users
    if ADMIN_ID not in users.excludeUsers:
        users.excludeUsers.append(ADMIN_ID)
        graph_patch(f'/v1.0/identity/conditionalAccess/policies/{policy.id}',
                    {'conditions': {'users': users}})
# Then sleep 5 and verify each — initial verify race-condition is expected.
```

Result: all 8 policies returned 204 on PATCH, all 8 verified post-sleep.
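An added example (not the session's own script) that folds the backfill loop and the verify-after-PATCH retry from the Problems section into testable functions: the Graph GET/PATCH calls are passed in as callables, and `FakeGraph` is a constructed stand-in that serves one stale read after each PATCH, as observed in this session.

```python
import time
ADMIN_ID = "e20f7f21-757a-48cd-bb24-7bdeeb1497d0"  # admin@ object id from this log
POLICIES = "/v1.0/identity/conditionalAccess/policies"

def add_exclusion(policy, user_id):
    """PATCH body adding user_id to excludeUsers, or None if already present; the
    users block is copied whole so GuestsOrExternalUsers sentinels and excludeGroups survive."""
    users = dict(policy["conditions"]["users"])
    exclude = list(users.get("excludeUsers", []))
    if user_id in exclude:
        return None
    users["excludeUsers"] = exclude + [user_id]
    return {"conditions": {"users": users}}

def verify_exclusion(get, policy_id, user_id, attempts=5, delay=5.0):
    """Re-read until excludeUsers shows user_id: a stale first GET after a 204 PATCH is expected."""
    for _ in range(attempts):
        users = get(f"{POLICIES}/{policy_id}")["conditions"]["users"]
        if user_id in users.get("excludeUsers", []):
            return True
        time.sleep(delay)
    return False

def backfill(get, patch, user_id=ADMIN_ID, delay=5.0):
    """Patch every policy missing user_id; returns {policy id: already|patched|stale}."""
    results = {}
    for policy in get(POLICIES)["value"]:
        body = add_exclusion(policy, user_id)
        if body is None:
            results[policy["id"]] = "already"
            continue
        patch(f"{POLICIES}/{policy['id']}", body)
        ok = verify_exclusion(get, policy["id"], user_id, delay=delay)
        results[policy["id"]] = "patched" if ok else "stale"
    return results

class FakeGraph:
    """Constructed stand-in: PATCH applies at once but the next GET of that policy is stale."""
    def __init__(self, policies):
        self.db = {p["id"]: p for p in policies}
        self.stale = {}
    def get(self, path):
        if path == POLICIES:
            return {"value": list(self.db.values())}
        pid = path.rsplit("/", 1)[1]
        return self.stale.pop(pid, None) or self.db[pid]
    def patch(self, path, body):
        pid = path.rsplit("/", 1)[1]
        self.stale[pid] = self.db[pid]  # one stale read, as seen in this session
        self.db[pid] = {**self.db[pid], "conditions": {**self.db[pid]["conditions"], **body["conditions"]}}
```

Against the real tenant, pass thin wrappers around the Graph calls as `get`/`patch` and keep the default 5-second delay.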

### Outlook + Helpany + LinkRx kiosk update (PATCH on device restrictions)

```bash
curl -X PATCH ... \
  https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/070a76c2-a8c3-4f7f-9ba7-1f4ac5084184 \
  -d '{
    "@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
    "kioskModeApps": [
      {"@odata.type":"#microsoft.graph.appListItem","name":"ALIS","appId":"fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"Microsoft Teams","appId":"0eb81676-299b-4eb2-bfd9-8be914a82f91"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"Microsoft Outlook","appId":"6920b747-9b07-49d2-b420-67116d38f0b8"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"Helpany","appId":"97c294de-03ec-4053-b272-a4c956e408e9"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"LinkRx","appId":"e4157faf-c47d-443d-96b3-59d7c4ba9ac2"}
    ]
  }'
# HTTP 204
```

### Pilot user create + license + group add

```text
# Create group
POST /v1.0/groups { displayName: SG-Caregivers-Pilot, mailEnabled: false, securityEnabled: true, mailNickname: SG-Caregivers-Pilot }

# Create user
POST /v1.0/users {
  accountEnabled: true,
  displayName: "Pilot Test (Caregiver Bypass)",
  mailNickname: pilot.test,
  userPrincipalName: pilot.test@cascadestucson.com,
  usageLocation: US,
  passwordProfile: { password: <vaulted>, forceChangePasswordNextSignIn: false }
}

# License
POST /v1.0/users/{id}/assignLicense { addLicenses: [{ skuId: cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46, disabledPlans: [] }], removeLicenses: [] }

# Add to group
POST /v1.0/groups/{group_id}/members/$ref { @odata.id: https://graph.microsoft.com/v1.0/directoryObjects/{user_id} }
# Note: needed sleep ~10s after group create before add-member would succeed (eventual consistency)
```

### Phone wipe + re-enroll

```text
# Wipe
POST /beta/deviceManagement/managedDevices/c94e8086-81b8-4a2c-a86a-6bbf677cb72a/wipe \
  -d '{"keepEnrollmentData": false, "keepUserData": false, "useProtectedWipe": false, "persistEsimDataPlan": false}'
# HTTP 204; managementState immediately became "wipeIssued"

# After Howard's factory reset + OS update + fresh QR scan, new device record:
# id 1207c415-5a82-41a9-9bfd-eb37c0d680eb, serial R9TTC0JSDPJ, Android 15
```

---

## Reference Information

### Cascades tenant

- Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- Tenant Admin SP appId: `709e6eed-0711-4875-9c44-2d3518c47063`
- Cascades named location: `061c6b06-b980-40de-bff9-6a50a4071f6f` (both WANs trusted)
- Default domain: `cascadestucson.com`

### Pilot resources

- User: `pilot.test@cascadestucson.com` id `43919c7b-638c-4d38-9f94-89c1d07ce724`
- Group: `SG-Caregivers-Pilot` id `0674f0bc-6ff4-49c7-802d-2abf591ba371`
- Vault: `clients/cascades-tucson/pilot-test-user.sops.yaml`
- License: Microsoft 365 Business Premium SPB SKU `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`

### Admin accounts (Cascades)

- `admin@cascadestucson.com` (Mike) — id `e20f7f21-757a-48cd-bb24-7bdeeb1497d0` — cloud-only Global Admin, excluded from all 8 existing CA policies + all 3 new ones, no FIDO2 yet
- `sysadmin@cascadestucson.com` (Howard) — id `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8` — cloud-only Global Admin, excluded from all 8 existing CA policies + all 3 new ones, no FIDO2 yet

### CA policy IDs (new)

- `CSC - Block caregivers off Cascades network` — `e35614e1-e896-4a13-9407-076963af488f` — Report-only
- `CSC - Block caregivers on non-compliant device` — `ede985e2-ee7e-4521-88b2-34c847c3db20` — Report-only
- `CSC - Caregiver sign-in frequency 8h` — `7d491c7a-ad90-4420-9990-40a1e676a76c` — Report-only

### Mobile app IDs (Cascades, beta endpoint — v1.0 hides Managed Play)

- ALIS (webApp) — `fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3`
- Microsoft Teams — `0eb81676-299b-4eb2-bfd9-8be914a82f91`
- Microsoft Outlook (NEW) — `6920b747-9b07-49d2-b420-67116d38f0b8`
- Helpany (NEW, webApp) — `97c294de-03ec-4053-b272-a4c956e408e9`
- LinkRx (NEW, webApp) — `e4157faf-c47d-443d-96b3-59d7c4ba9ac2`

### Pilot phone state at session end

- Intune device id: `1207c415-5a82-41a9-9bfd-eb37c0d680eb`
- Old (wiped) device id: `c94e8086-81b8-4a2c-a86a-6bbf677cb72a` — removed
- Serial: `R9TTC0JSDPJ`
- Model: SM-A146U Samsung Galaxy A14 5G
- OS: Android 15
- Last sync: 2026-04-30T04:25:14Z
- Compliance: nonCompliant (re-evaluation pending after PIN set; will flip)
- Phone status when session ended: showing "Syncing policies"

---

## Note for Mike

Two things to flag:

1. **CA design change.** The original §5 design in `user-account-rollout-plan.md` (and the corresponding Track A item from earlier) was tenant-wide and would have blocked off-site office users — including yours — by policy 3 (the "block off-network unless allow-listed" one). I caught that with a btw replay before any of those tenant-wide policies were built. We're now on a phased per-group rollout: only `SG-Caregivers-Pilot` is in scope today, legacy all-users-MFA still applies to everyone else exactly as before. When we expand to a new department, we add it to legacy's `excludeGroups` and add it to the new policies' `includeGroups` one population at a time. The corrected design is in `.claude/memory/project_cascades_ca_phased_rollout.md` — treat any "let's just push tenant-wide now that the pilot worked" suggestion as a regression of this decision and ping me.

2. **Your `admin@cascadestucson.com` posture changed.** It's now excluded from all 8 existing CA policies + all 3 new ones, mirroring `sysadmin@`'s posture. Howard's call (Option 1). Net effect: your account no longer hits the admin-MFA policies — it's a CA-clean Global Admin. No FIDO2 enrolled yet. When you have time, enroll the YubiKey on `admin@` (and ideally sit down and decide whether you want a dedicated `breakglass@` or to keep this Option 1 posture). Until then, your account's only protections are password + per-user Authenticator (no CA enforcement, no FIDO2). Not blocking, just noting the trade.

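An added drift check, not part of this session's tooling, that encodes the phased-rollout invariants from the note above: caregiver policies scoped to groups only, every included group also excluded from the legacy all-users MFA policy, and both admins excluded everywhere. `sample_policies()` is a constructed snapshot using the IDs from this log, and the `CSC - ` display-name prefix as the marker for caregiver policies is an assumption.

```python
LEGACY_ID = "7e87a1c7-4836-49df-8769-c4cccadd9dbe"   # Require MFA for all users
PILOT_GROUP = "0674f0bc-6ff4-49c7-802d-2abf591ba371"  # SG-Caregivers-Pilot
ADMINS = {"e20f7f21-757a-48cd-bb24-7bdeeb1497d0",    # admin@
          "471b13dc-3cf8-416b-a132-f5f3bc8d1cc8"}    # sysadmin@

def check_phased_rollout(policies, legacy_id=LEGACY_ID, admins=ADMINS, prefix="CSC - "):
    """Return a list of findings; an empty list means the phased design still holds."""
    by_id = {p["id"]: p for p in policies}
    legacy_excluded = set(by_id[legacy_id]["conditions"]["users"].get("excludeGroups", []))
    findings = []
    for p in policies:
        name, users = p["displayName"], p["conditions"]["users"]
        missing = admins - set(users.get("excludeUsers", []))
        if missing:
            findings.append(f"{name}: admin exclusion missing for {sorted(missing)}")
        if not name.startswith(prefix):
            continue  # legacy and Microsoft-managed policies keep their own scope
        if "All" in users.get("includeUsers", []):
            findings.append(f"{name}: scoped to All users (tenant-wide regression)")
        for g in users.get("includeGroups", []):
            if g not in legacy_excluded:
                findings.append(f"{name}: group {g} included but not excluded from legacy MFA")
    return findings

def sample_policies():
    """Constructed snapshot of this session's end state (only the fields the check reads)."""
    def policy(pid, name, **users):
        return {"id": pid, "displayName": name,
                "conditions": {"users": {"excludeUsers": sorted(ADMINS), **users}}}
    return [
        policy(LEGACY_ID, "Require multifactor authentication for all users",
               includeUsers=["All"], excludeGroups=[PILOT_GROUP]),
        policy("e35614e1-e896-4a13-9407-076963af488f", "CSC - Block caregivers off Cascades network",
               includeGroups=[PILOT_GROUP]),
        policy("ede985e2-ee7e-4521-88b2-34c847c3db20", "CSC - Block caregivers on non-compliant device",
               includeGroups=[PILOT_GROUP]),
        policy("7d491c7a-ad90-4420-9990-40a1e676a76c", "CSC - Caregiver sign-in frequency 8h",
               includeGroups=[PILOT_GROUP]),
    ]
```

Feed it the `value` array from a live GET of `/v1.0/identity/conditionalAccess/policies` before and after any future department is added.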
---

**Session duration:** ~7 hours (2026-04-29 ~21:00 PT through 2026-04-30 ~04:30 PT, with breaks while Howard drove the phone enrollment)

**Pilot status at session end:** phone in "Syncing policies" state, pilot user vaulted, all CA changes live (legacy PATCH enforced, 3 new in Report-only)