diff --git a/clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-caretaker-roster-update-phone-login-cutover.md b/clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-caretaker-roster-update-phone-login-cutover.md new file mode 100644 index 00000000..f4f62fbf --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-caretaker-roster-update-phone-login-cutover.md 
@@ -0,0 +1,161 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Processed the client's updated caretaker list for Cascades of Tucson against the live AD +caregiver roster (CS-SERVER via RMM, read-only pull first). The client's 40-entry list mapped +1:1 onto the 40 enabled accounts in `OU=Caregivers` — no unknowns either direction. Howard's +decisions (in-session prompts): full offboard of the 7 marked "no longer with us", keep +`c.lassey` and disable the `t.lassey-assiakoley` duplicate (client confirmed Tele Sepopo +Lassey Assiakoley = Celia Lassey), move Zeke Huerta out of `SG-Caregivers` (front desk now), +leave Christine Nyanzunda out (frontline-only rule stands; she keeps her existing +`christine.nyanzunda` account), and create 4 new caretakers. + +Executed via RMM on CS-SERVER: disabled 8 accounts (7 leavers + Lassey dup) with descriptions, +removed all 8 + e.huerta from `SG-Caregivers`, created a.vallejo / j.munezero / n.cota / +k.robinson in `OU=Caregivers` + `SG-Caregivers` with forced-change temp passwords, triggered +Entra Connect delta sync. Graph side (user-manager tier): usageLocation=US + Business Premium +on the 4 new (two-pass for propagation lag), removed SPB from the 8 offboarded. Verified: 8 +disabled + 0 licenses; 4 new licensed; SG-Caregivers = 35; SPB 45 enabled / 41 consumed +(4 free). Temp passwords vaulted + DM'd to Howard. + +Second phase: Howard asked to make sure the caretakers can actually log in on the phones. +Verified the full chain and found TWO blockers the pilot had masked: (1) `Require MFA for all +users` excluded only the stale `SG-Caregivers-Pilot` group (the known wiki bug) — live +caretakers would be MFA-prompted with no way to satisfy it; (2) `CSC - Block caregivers on +non-compliant device` targeted `SG-Caregivers` while the CSC-* phones report noncompliant in +Intune (and no Windows device is Intune-managed), so every device was blocked. 
pilot.test had +worked only because it sits in `SG-Caregivers-DeviceTest`, which the compliance-block excludes +and the allow-list targets. + +Howard's ruling: interim posture = ALL caretakers may use desktops AND phones (on-network +only); keep a phones-only tracking list and lock that cohort down to phones near the end of +the rollout. Applied with tenant-admin tier: added `SG-Caregivers` (8b8d9222) to the +MFA-for-all excludeGroups (break-glass excludeUsers + Directory-Sync excludeRole preserved), +disabled the compliance-block policy. Allow-list policy left test-scoped. Verified the +off-network block end-to-end at Howard's request: enabled, block, all apps/client types, +includes SG-Caregivers, excludes only the Cascades named location (two /32 egress IPs +72.211.21.217 + 184.191.143.62) and the 2 break-glass accounts — offsite credential use is +dead, on-site is password-only with 8h sign-in frequency. + +## Key Decisions + +- **Full offboard of 7 leavers** (Mendoza, Tate, Fierros, Williford, K. Flores, Baker, + Kariuki): disable + SG-remove + license reclaim. All were already ALIS-Discharged/absent + and had never logged in. +- **Lassey duplicate: keep `c.lassey`**, disable `t.lassey-assiakoley` + reclaim its license. + Client note resolved the 6/4 open question (Tele = Celia). +- **Huerta: SG-Caregivers removal ONLY, no OU move.** Entra Connect sync scope covers ONLY + OU=Caregivers / OU=Groups / OU=Caregiver Devices — moving him to any other OU would delete + his cloud object. OU move deferred until Administrative OU enters sync scope. He now falls + under MFA-for-all and needs Authenticator registration. +- **Nyanzunda left out of SG-Caregivers** — Howard reaffirmed the 6/30 frontline-only rule + despite the client listing her as a caretaker to add. +- **Interim CA posture (Howard, overriding the 6/24 hold):** caretakers allowed on desktops + + phones, on-network only. 
Rationale: under compliance-block nothing was compliant so + caretakers were blocked on ALL devices anyway; flipping loses nothing. Phones-only lockdown + deferred to end of rollout with a tracked list. +- **MFA-for-all exclude fix kept the stale pilot-group exclude** — remove at pilot cleanup. + +## Problems Encountered + +- **PowerShell filter quoting via bash→JSON→PS:** `-Filter "X -eq \"$var\""` inside a bash + single-quoted block delivers literal `\"` to PowerShell → ParameterBindingException. Fixed + by writing `:$var:` placeholders and `${SCRIPT//:/\'}` substitution to inject PS single + quotes. +- **Graph propagation lag (known from 6/30):** n.cota license assign failed with "invalid + usage location" seconds after the usageLocation PATCH; k.robinson failed with "no available + licenses" before the 8 removals released seats. Both succeeded on retry after ~45s. + licenseDetails read also lagged ~30s behind a successful assign. +- **CA policy PATCH read-back lag:** compliance-block still read `enabled` immediately after + a 204 disable; consistent ~20s later. +- **Intune managedDevices $filter query returned empty** while an unfiltered $top query + returned Android devices fine — used the raw read instead. + +## Configuration Changes + +- **AD (CS-SERVER, cascades.local), RMM cmd b5329b71:** + - Disabled + SG-removed: b.mendoza, c.tate, d.fierros, g.williford, k.flores, m.baker, + m.kariuki, t.lassey-assiakoley (descriptions stamped 2026-07-01). + - e.huerta removed from SG-Caregivers (enabled, OU unchanged, description stamped). + - Created in OU=Caregivers + SG-Caregivers: a.vallejo, j.munezero, n.cota, k.robinson + (UPN/mail = sam@cascadestucson.com, ChangePasswordAtLogon, PasswordNeverExpires=false). + - SG-Caregivers: 40 → 35 members. Entra Connect delta sync triggered. +- **M365 (tenant 207fa277-e9d8-4eb7-ada1-1064d2221498):** + - 4 new: usageLocation=US + Business Premium (SPB cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46). + - 8 offboarded: SPB removed. 
Pool now 45 enabled / 41 consumed. + - CA `Require MFA for all users` (7e87a1c7-4836-49df-8769-c4cccadd9dbe): excludeGroups now + [0674f0bc (pilot, stale), 8b8d9222 (SG-Caregivers)]; excludeUsers (2 break-glass) and + excludeRoles (d29b2b05 Directory Sync) preserved. + - CA `CSC - Block caregivers on non-compliant device` (ede985e2): state → disabled. +- **Repo:** `clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md` (new), + `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md` (new, 35-row tracking + table), `wiki/clients/cascades-tucson.md` (compliance-block line + MFA-bug line updated to + reflect 7/1 state). + +## Credentials & Secrets + +- **New caregiver AD temp passwords (4), forced-change at first login, hybrid PHS (= M365/ + phone sign-in):** a.vallejo=Sunrise4827, j.munezero=Meadow9153, n.cota=Harbor2764, + k.robinson=Willow6398. Vaulted: `clients/cascades-tucson/caregiver-temp-passwords-2026-07-01.sops.yaml` + (keys = sAMAccountName; retrieve with `vault get`, NOT get-field — dotted keys). DM'd to + Howard (Discord msg 1521981205443117116). Vault repo pushed (4bf5c14). +- Tokens used: GuruRMM admin (vault `infrastructure/gururmm-server.sops.yaml`), Graph tiers + investigator / user-manager / tenant-admin via + `remediation-tool/scripts/get-token.sh ` with `VAULT_ROOT_ENV="D:/vault"`. + +## Infrastructure & Servers + +- CS-SERVER agent c39f1de7-d5b6-45ae-b132-e06977ab1713 (resolve live; changes on re-enroll). +- M365 tenant cascadestucson.com 207fa277-e9d8-4eb7-ada1-1064d2221498; SPB SKU cbdc14ab. +- SG-Caregivers cloud group 8b8d9222-5d71-419a-936d-56d895c6c332 (on-prem synced; 35 members). +- Entra Connect sync scope (verified live): ONLY OU=Caregivers, OU=Groups, OU=Caregiver + Devices — nothing else syncs; OU moves out of scope delete cloud objects. +- Named location "Cascades" 061c6b06-b980-40de-bff9-6a50a4071f6f = 72.211.21.217/32 + + 184.191.143.62/32 (trusted). 
If the facility WAN IP changes, caretakers fail closed on-site. +- CA policy ids: MFA-for-all 7e87a1c7; off-network block e35614e1 (enabled); compliance-block + ede985e2 (DISABLED 7/1); 8h sign-in frequency 7d491c7a (enabled); allow-list 1b7fd025 + (enabled, TEST group db5849ec only). Break-glass excludeUsers: 471b13dc..., e20f7f21.... +- pilot.test groups: SG-Caregivers-DeviceTest (db5849ec) + SG-Caregivers-Test (eee4e9b2) — + NOT in SG-Caregivers-Pilot (0674f0bc) and not in SG-Caregivers. + +## Commands & Outputs + +- Roster pull: RMM cmd bf80962c (OU=Caregivers 42 objects = 40 enabled + pilot.test + + disabled n.castro; SG-Caregivers 40). +- Recon: cmd 3e543898 (OU list, sync scope, e.huerta) + b32ad9bc (name conflicts — all 4 new + sams free, no surname matches). +- Batch write: cmd b5329b71 — all 13 operations OK, SG=35, delta sync triggered. +- Post-change AD state: cmd 5d3fa209 — all 35 Enabled=True, Locked=False, PwExpired=True + (expected: forced-change). +- Graph verify: 8 offboarded accountEnabled=false licenses=0; 4 new SPB; cloud group + count=35 with all 4 new hires present. +- CA patches: both HTTP 204; verified post-propagation. + +## Pending / Incomplete Tasks + +- **ALIS records** for the 3 brand-new hires (Munezero, Cota, Robinson) — need job roles + (Certified vs Resident Caregiver / Med Tech) before building the import .xls (`alis` skill + `build-import`). Vallejo already in ALIS — set her staff Email = a.vallejo@cascadestucson.com. + ALIS Email=UPN sweep for the rest is still with Howard (6/30 pending item). +- **Huerta MFA registration** (Authenticator) — he is now under MFA-for-all with no + registered method. Also his OU move awaits Administrative OU entering sync scope. +- **Phones-only lockdown (end of rollout):** fill the phones-only column in + `docs/cloud/caretaker-phones-only-list.md` with the client, then scope a phones-only block + (CSC-* device filter) to that cohort. Do NOT re-enable ede985e2 (superseded). 
+- **Pilot cleanup (unchanged):** delete pilot.test, remove SG-Caregivers-Pilot exclude from + MFA-for-all, delete pilot/test groups, clean howard.enos account. +- Notify client that Nyanzunda already has an account and was intentionally not added to the + caregiver group; Kariuki ALIS dup records (429856/429858) still need dedupe if she returns. + +## Reference Information + +- Report: `clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md` +- Phones-only list: `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md` +- Prior context: 6/29 caretaker crosscheck + 6/30 phone-SSO onboarding session logs (2026-06/) +- RMM command ids: bf80962c, 3e543898, b32ad9bc, b5329b71, 5d3fa209 +- Discord: temp-password DM 1521981205443117116; #dev-alerts CA-change post 1521994546400067805 +- Syncro customer 20149445 (Cascades of Tucson)
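Review bot: the four caregiver temp passwords are written in cleartext into the "Credentials & Secrets" section of this session log (`a.vallejo=Sunrise4827, j.munezero=Meadow9153, n.cota=Harbor2764,` / `k.robinson=Willow6398.`), which commits them to the repo's git history even though the same section says they are already vaulted in `clients/cascades-tucson/caregiver-temp-passwords-2026-07-01.sops.yaml` and DM'd to Howard. Please drop the literal values from the log and keep only the vault path, the `vault get` retrieval note and the Discord message id; the forced-change-at-first-login flag limits the exposure window, but a hybrid-PHS temp password is also the M365/phone sign-in credential until the user changes it, so anyone with read access to this repo can use it before first login. If the values have already been pushed, treat them as exposed: reset the four accounts from AD (keeping ChangePasswordAtLogon) and update the sops file rather than relying on history rewrite.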