diff --git a/clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md b/clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md index 83cd72b..7e9303f 100644 --- a/clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md +++ b/clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md @@ -106,6 +106,7 @@ All UPNs above use the `@cascadestucson.com` suffix (standard). - **Paty Doran** — **Resolved 2026-04-22:** legal name `Patricia Camarena Doran`. Account will be `patricia.doran@`. - **Polett Pinazavala** — **Resolved 2026-04-22 (John's reply): departed.** Remove from roster. No AD/M365 account exists so no disable needed. - **Patricia Sandoval-Beck** — **Resolved 2026-04-22 (CSV inline note from Meredith):** hyphen is correct. SamAccountName may still need to be `Patricia.SandovalBeck` if ALIS/MDM reject hyphens — test during Wave 3. +- **Espe Esperance** — **Resolved 2026-05-15:** one person. Legal name Niyonsaba Esperance (Niyonsaba = first, Esperance = last); goes by Espe at work. Account is `e.esperance@cascadestucson.com`, display name "Espe Esperance". She IS already in ALIS as "Niyonsaba Esperance" — Meredith must UPDATE that record's email field to `e.esperance@cascadestucson.com`, not add a new record. - **Ederick Yuzon** — **Still pending:** spelling asked in 2026-04-22 email. - **Maia Baker** — **Resolved 2026-04-22 (CSV inline note):** part-time, still employed. - **Reliable Agency caregivers** — **Final decision 2026-04-22 (post-HIPAA review): NO shared logins.** Originally planned `reliable1@` / `reliable2@`; dropped because shared log-on IDs for PHI access violate 45 CFR §164.312(a)(2)(i) (Required spec, no compensating-control exception). Per-person accounts only, created when Reliable Agency supplies individual names. Rationale in `docs/security/hipaa-review-2026-04-22.md`. 
@@ -174,14 +175,20 @@ Group-policy impact: the `CSC - Folder Redirection (LE)` work done for Life Enri - [x] ~~Confirm Christine Nyanzunda is one person, not two~~ (resolved 2026-04-22 — one person, one account) - [x] ~~HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Maia Baker~~ (all resolved 2026-04-22) -- [ ] **Ederick Yuzon first-name spelling** — asked in 2026-04-22 email, still outstanding +- [x] ~~Espe Esperance identity~~ (resolved 2026-05-16 — one person, legal name Niyonsaba Esperance, goes by Espe; account e.esperance@cascadestucson.com) +- [x] ~~Create 37 caregiver AD accounts in OU=Caregivers~~ (done 2026-05-16 — 37 created, 0 failed; temp password Cascades2026!) +- [x] ~~Add all caregivers to SG-Caregivers~~ (done 2026-05-16 — 37 added, 0 failed) +- [ ] **Ederick Yuzon first-name spelling** — asked in 2026-04-22 email, still outstanding (created as Ederick from ALIS) - [ ] **Christine Nyanzunda — Phase 2 handling (added 2026-05-14):** exclude her from caregiver AD account creation (she already has accounts). Her existing cloud-only M365 account must be moved/synced as part of the office-staff migration, not the caregiver rollout. See the SYNC WATCH-POINT under "Conflict / verify before creating" above. - [x] ~~Reliable Agency shared-login short usernames~~ (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins, per-person only) - [ ] **Reliable Agency contract review** — confirm staffing contract says caregivers work under Cascades direct clinical control (workforce) vs. agency-supervised (BA). Get individual caregiver names before any PHI access. -- [ ] Will caregivers use ALIS on the shared phones (need ALIS accounts + Entra SSO) or only email? -- [ ] Does Cascades want to purchase 39 additional Business Premium licenses up-front, or roll out in waves (e.g., MedTechs first, then CCGs, then Caregivers)? 
+- [ ] **ALIS staff records (Meredith):** UPDATE Espe Esperance record email to e.esperance@cascadestucson.com; ADD records for Kasey Flores (k.flores@), Jahmeka Clarke (j.clarke@), Gloria Williford (g.williford@) +- [ ] **ALIS Email = Entra UPN for all caregivers** — set after accounts appear in M365 post-sync; required for ALIS SSO +- [ ] **M365 licensing** — 38 net-new Business Premium licenses needed; Meredith purchase decision; up-front vs. waves? +- [ ] **ALIS BAA (Medtelligent)** — Meredith to verify signed copy exists; if not, request from Medtelligent support +- [ ] **Reliable Agency per-person accounts** — waiting on individual names; cannot create until received - [ ] Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy -- [ ] Timeline expectations — tying this to the phone deployment, the MDM rollout (7-phase plan in `docs/security/mdm.md`), and the Business Premium purchase +- [ ] Timeline expectations — tying this to the phone deployment and Business Premium purchase ## Related docs diff --git a/clients/cascades-tucson/scripts/add-caregivers-to-sg.ps1 b/clients/cascades-tucson/scripts/add-caregivers-to-sg.ps1 new file mode 100644 index 0000000..4be80b8 --- /dev/null +++ b/clients/cascades-tucson/scripts/add-caregivers-to-sg.ps1 
@@ -0,0 +1,82 @@ +# Cascades of Tucson -- Add caregivers to SG-Caregivers +# Date: 2026-05-16 +# Run on: CS-SERVER as a domain admin +# Adds all 37 caregiver accounts to SG-Caregivers. +# This is a deliberate access-control step, separate from account creation. + +$Group = "SG-Caregivers" + +$Accounts = @( + "t.abainza", + "n.castro", + "e.esperance", + "b.johnson", + "k.flores", + "r.flores", + "m.kastner", + "b.mendoza", + "r.morales", + "s.padilla", + "w.reed", + "p.sandoval-beck", + "b.sika", + "j.andrade", + "j.clarke", + "k.aziakpo", + "j.dittbenner", + "a.mcferren", + "s.ramirez", + "e.sanchez", + "k.wyzykowski", + "c.tate", + "a.atwood", + "c.johnson", + "r.cooper", + "m.lopez", + "g.williford", + "s.carroll", + "l.hogan", + "g.williams", + "j.higdon", + "m.kariuki", + "c.lassey", + "p.doran", + "e.huerta", + "m.baker", + "e.yuzon" +) + +$added = 0 +$failed = 0 +$skipped = 0 + +foreach ($sam in $Accounts) { + $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue + if (-not $user) { + Write-Host "[SKIP] $sam -- not found in AD" + $skipped++ + continue + } + + $inGroup = Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue | + Where-Object { $_.SamAccountName -eq $sam } + + if ($inGroup) { + Write-Host "[SKIP] $sam -- already in $Group" + $skipped++ + continue + } + + try { + Add-ADGroupMember -Identity $Group -Members $sam + Write-Host "[OK] $sam -- added to $Group" + $added++ + } + catch { + Write-Host "[ERROR] $sam -- $_" + $failed++ + } +} + +Write-Host "" +Write-Host ("Result: {0} added, {1} failed, {2} skipped" -f $added, $failed, $skipped) diff --git a/clients/cascades-tucson/scripts/create-caregiver-accounts.ps1 b/clients/cascades-tucson/scripts/create-caregiver-accounts.ps1 new file mode 100644 index 0000000..48f54d7 --- /dev/null +++ b/clients/cascades-tucson/scripts/create-caregiver-accounts.ps1 
@@ -0,0 +1,121 @@ +# Cascades of Tucson -- Caregiver AD Account Creation +# Date: 2026-05-16 +# Run on: CS-SERVER as a domain admin +# OU: OU=Caregivers,OU=Departments,DC=cascades,DC=local +# +# Creates 37 caregiver accounts. +# Display names match ALIS (preferred/known names). +# UPN format: firstinitial.lastname@cascadestucson.com +# +# Exceptions: +# b.sika -- Charity Sika (legal first name Bariffa drives the initial) +# e.huerta -- Zeke Huerta (legal first name Ezekiel drives the initial) +# +# Excluded: +# Christine Nyanzunda -- already has accounts, do not create +# Polett Pinazavala -- departed, do not create +# +# Espe Esperance -- legal name Niyonsaba Esperance (Niyonsaba = first, Esperance = last) +# Goes by Espe at work. Already in ALIS as Niyonsaba Esperance. +# Meredith must UPDATE that ALIS staff record email to e.esperance@cascadestucson.com +# +# Kasey Flores, Jahmeka Clarke, Gloria Williford -- not in ALIS; Meredith must add staff records. +# +# PasswordNeverExpires = $true during rollout. +# Run enable-caregiver-password-rotation.ps1 when ready to activate 30-day FGPP rotation. + +$OU = "OU=Caregivers,OU=Departments,DC=cascades,DC=local" +$Domain = "cascadestucson.com" +$TempPassword = ConvertTo-SecureString "Cascades2026!" 
-AsPlainText -Force + +$Caregivers = @( + # --- Tue-Sat --- + @{ First="Thelma"; Last="Abainza"; Sam="t.abainza" }, + @{ First="Niel"; Last="Castro"; Sam="n.castro" }, + @{ First="Espe"; Last="Esperance"; Sam="e.esperance" }, + @{ First="Barb"; Last="Johnson"; Sam="b.johnson" }, + @{ First="Kasey"; Last="Flores"; Sam="k.flores" }, + @{ First="Richard"; Last="Flores"; Sam="r.flores" }, + @{ First="Marie"; Last="Kastner"; Sam="m.kastner" }, + @{ First="Bella"; Last="Mendoza"; Sam="b.mendoza" }, + @{ First="Rosa"; Last="Morales"; Sam="r.morales" }, + @{ First="Sandra"; Last="Padilla"; Sam="s.padilla" }, + @{ First="Whisper"; Last="Reed"; Sam="w.reed" }, + @{ First="Patricia"; Last="Sandoval-Beck"; Sam="p.sandoval-beck" }, + @{ First="Charity"; Last="Sika"; Sam="b.sika" }, + # --- Sun-Thu (Christine Nyanzunda excluded -- already has accounts) --- + @{ First="Juan"; Last="Andrade"; Sam="j.andrade" }, + @{ First="Jahmeka"; Last="Clarke"; Sam="j.clarke" }, + @{ First="Karina"; Last="Aziakpo"; Sam="k.aziakpo" }, + @{ First="Jinnelle"; Last="Dittbenner"; Sam="j.dittbenner" }, + @{ First="Agnes"; Last="McFerren"; Sam="a.mcferren" }, + @{ First="Samuel"; Last="Ramirez"; Sam="s.ramirez" }, + @{ First="Erica"; Last="Sanchez"; Sam="e.sanchez" }, + @{ First="Katrina"; Last="Wyzykowski"; Sam="k.wyzykowski" }, + @{ First="Corey"; Last="Tate"; Sam="c.tate" }, + # --- Fri-Mon --- + @{ First="Ashli"; Last="Atwood"; Sam="a.atwood" }, + @{ First="Cole"; Last="Johnson"; Sam="c.johnson" }, + @{ First="Roseline"; Last="Cooper"; Sam="r.cooper" }, + @{ First="Monique"; Last="Lopez"; Sam="m.lopez" }, + @{ First="Gloria"; Last="Williford"; Sam="g.williford" }, + # --- Thu-Mon --- + @{ First="Sarah"; Last="Carroll"; Sam="s.carroll" }, + @{ First="Luke"; Last="Hogan"; Sam="l.hogan" }, + @{ First="Gina"; Last="Williams"; Sam="g.williams" }, + # --- Split / other --- + @{ First="Jen"; Last="Higdon"; Sam="j.higdon" }, + @{ First="Mary"; Last="Kariuki"; Sam="m.kariuki" }, + @{ First="Celia"; 
Last="Lassey"; Sam="c.lassey" }, + @{ First="Patricia"; Last="Camarena Doran"; Sam="p.doran" }, + # --- PRN --- + @{ First="Zeke"; Last="Huerta"; Sam="e.huerta" }, + @{ First="Maia"; Last="Baker"; Sam="m.baker" }, + @{ First="Ederick"; Last="Yuzon"; Sam="e.yuzon" } +) + +$created = 0 +$failed = 0 +$skipped = 0 + +foreach ($c in $Caregivers) { + $displayName = if ($c.Display) { $c.Display } else { "$($c.First) $($c.Last)" } + $upn = "$($c.Sam)@$Domain" + + if (Get-ADUser -Filter "SamAccountName -eq '$($c.Sam)'" -ErrorAction SilentlyContinue) { + Write-Host "[SKIP] $displayName already exists ($($c.Sam))" + $skipped++ + continue + } + + try { + New-ADUser ` + -Name $displayName ` + -GivenName $c.First ` + -Surname $c.Last ` + -SamAccountName $c.Sam ` + -UserPrincipalName $upn ` + -Path $OU ` + -AccountPassword $TempPassword ` + -Enabled $true ` + -ChangePasswordAtLogon $false ` + -PasswordNeverExpires $true + + Write-Host "[OK] $displayName -- $upn" + $created++ + } + catch { + Write-Host "[ERROR] $displayName -- $_" + $failed++ + } +} + +Write-Host "" +Write-Host ("Result: {0} created, {1} failed, {2} skipped (already existed)" -f $created, $failed, $skipped) +Write-Host "NOTE: No licenses assigned. No security group memberships set. Both are deliberate next steps." +Write-Host "" +Write-Host "ALIS actions needed (Meredith):" +Write-Host " Espe Esperance -- UPDATE existing ALIS record (listed as Niyonsaba Esperance), set email to e.esperance@cascadestucson.com" +Write-Host " Kasey Flores -- ADD new ALIS staff record, k.flores@cascadestucson.com" +Write-Host " Jahmeka Clarke -- ADD new ALIS staff record, j.clarke@cascadestucson.com" +Write-Host " Gloria Williford -- ADD new ALIS staff record, g.williford@cascadestucson.com" diff --git a/clients/cascades-tucson/scripts/enable-caregiver-password-rotation.ps1 b/clients/cascades-tucson/scripts/enable-caregiver-password-rotation.ps1 new file mode 100644 index 0000000..e608677 --- /dev/null 
+++ b/clients/cascades-tucson/scripts/enable-caregiver-password-rotation.ps1 
@@ -0,0 +1,75 @@ +# Cascades of Tucson — Enable Caregiver Password Rotation via FGPP +# Run on: CS-SERVER as a domain admin +# +# Step 1: Creates a Fine-Grained Password Policy (PSO) with 30-day max age. +# Step 2: Applies it to SG-Caregivers. +# Step 3: Clears PasswordNeverExpires on all caregiver accounts so the FGPP takes effect. +# +# IMPORTANT: Run create-caregiver-accounts.ps1 first (accounts must exist before step 3). +# +# After this runs: +# - Caregiver passwords expire after 30 days +# - No warning prompt on Android/MSDM phones (that prompt is Windows-only) +# - When a caregiver's sign-in fails, Howard resets via ADUC or GuruRMM +# - The "Interactive logon: Prompt user to change password before expiration" GPO +# setting (5 days) only affects Windows PC logons — not relevant for shared phones + +$PolicyName = "PSO-Caregivers-30day" +$Group = "SG-Caregivers" + +# --- Step 1: Create FGPP --- +if (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'" -ErrorAction SilentlyContinue) { + Write-Host "[SKIP] FGPP '$PolicyName' already exists" +} else { + New-ADFineGrainedPasswordPolicy ` + -Name $PolicyName ` + -Precedence 10 ` + -MaxPasswordAge "30.00:00:00" ` + -MinPasswordAge "1.00:00:00" ` + -MinPasswordLength 8 ` + -PasswordHistoryCount 5 ` + -ComplexityEnabled $true ` + -LockoutThreshold 5 ` + -LockoutDuration "00:30:00" ` + -LockoutObservationWindow "00:30:00" ` + -ReversibleEncryptionEnabled $false + + Write-Host "[OK] FGPP '$PolicyName' created (30-day max age, precedence 10)" +} + +# --- Step 2: Apply FGPP to SG-Caregivers --- +$existing = Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -ErrorAction SilentlyContinue | + Where-Object { $_.Name -eq $Group } + +if ($existing) { + Write-Host "[SKIP] FGPP already applied to $Group" +} else { + Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Group + Write-Host "[OK] FGPP applied to $Group" +} + +# --- Step 3: Clear PasswordNeverExpires on all caregiver accounts 
--- +Write-Host "" +Write-Host "Clearing PasswordNeverExpires on members of $Group..." + +$cleared = 0 +$failed = 0 + +Get-ADGroupMember -Identity $Group -Recursive | ForEach-Object { + try { + Set-ADUser $_.SamAccountName -PasswordNeverExpires $false + Write-Host "[OK] $($_.SamAccountName)" + $cleared++ + } + catch { + Write-Host "[ERROR] $($_.SamAccountName) — $_" + $failed++ + } +} + +Write-Host "" +Write-Host "Done. PasswordNeverExpires cleared on $cleared accounts | $failed failed" +Write-Host "FGPP '$PolicyName' is now active for $Group — passwords expire in 30 days." +Write-Host "" +Write-Host "Verify FGPP is applied correctly with:" +Write-Host " Get-ADUserResultantPasswordPolicy -Identity " diff --git a/clients/cascades-tucson/session-logs/2026-05-16-howard-caregiver-ad-account-creation.md b/clients/cascades-tucson/session-logs/2026-05-16-howard-caregiver-ad-account-creation.md new file mode 100644 index 0000000..a98e154 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-05-16-howard-caregiver-ad-account-creation.md 
@@ -0,0 +1,166 @@ +# Cascades of Tucson -- Caregiver AD Account Creation + +**Date:** 2026-05-16 +**Syncro ticket:** #32214 (Entra setup -- In Progress) + +## User +- **User:** Howard Enos (howard) +- **Machine:** HOWARD-HOME +- **Role:** tech + +## Goal + +Create all 37 caregiver AD accounts in OU=Caregivers and add them to SG-Caregivers. +This is the identity layer prerequisite for the shared-phone rollout -- accounts must +exist in AD so Entra Connect can sync them to M365 and CA policies can apply. + +--- + +## Espe Esperance -- identity correction + +The create-caregiver-accounts.ps1 script previously treated "Niyonsaba Esperance" and +"Espe Esperance" as two different people. Howard confirmed they are one person: + +- Legal name: **Niyonsaba Esperance** (Niyonsaba = first, Esperance = last) +- Goes by **Espe** at work + +Graph search confirmed no existing mailbox or user object for Esperance in the tenant +(searched by UPN prefix and display name -- both returned empty). Net-new account. + +AD account created as: +- Display name: Espe Esperance +- GivenName: Espe +- Surname: Esperance +- sAMAccountName / UPN: e.esperance@cascadestucson.com + +ALIS action (Meredith): UPDATE the existing ALIS staff record for "Niyonsaba Esperance" +-- set the Email field to e.esperance@cascadestucson.com. Do NOT add a new record. + +Script updated in repo to reflect the correction. Script header, inline comment, and +output block all corrected. + +--- + +## Account creation + +Script: `clients/cascades-tucson/scripts/create-caregiver-accounts.ps1` +Run on: CS-SERVER, elevated PowerShell, sysadmin context +OU: `OU=Caregivers,OU=Departments,DC=cascades,DC=local` +Temp password: Cascades2026! (PasswordNeverExpires = true during rollout) +No licenses assigned. No security group memberships set at creation time. 
+ +**Result: 37 created, 0 failed, 0 skipped** + +Accounts created: + +| sAMAccountName | Display Name | Notes | +|---|---|---| +| t.abainza | Thelma Abainza | | +| n.castro | Niel Castro | | +| e.esperance | Espe Esperance | Legal: Niyonsaba Esperance | +| b.johnson | Barb Johnson | | +| k.flores | Kasey Flores | Not in ALIS -- Meredith must add | +| r.flores | Richard Flores | | +| m.kastner | Marie Kastner | | +| b.mendoza | Bella Mendoza | | +| r.morales | Rosa Morales | | +| s.padilla | Sandra Padilla | | +| w.reed | Whisper Reed | | +| p.sandoval-beck | Patricia Sandoval-Beck | | +| b.sika | Charity Sika | Legal first: Bariffa (drives initial) | +| j.andrade | Juan Andrade | | +| j.clarke | Jahmeka Clarke | Not in ALIS -- Meredith must add | +| k.aziakpo | Karina Aziakpo | | +| j.dittbenner | Jinnelle Dittbenner | | +| a.mcferren | Agnes McFerren | | +| s.ramirez | Samuel Ramirez | | +| e.sanchez | Erica Sanchez | | +| k.wyzykowski | Katrina Wyzykowski | | +| c.tate | Corey Tate | | +| a.atwood | Ashli Atwood | | +| c.johnson | Cole Johnson | | +| r.cooper | Roseline Cooper | | +| m.lopez | Monique Lopez | | +| g.williford | Gloria Williford | Not in ALIS -- Meredith must add | +| s.carroll | Sarah Carroll | | +| l.hogan | Luke Hogan | | +| g.williams | Gina Williams | | +| j.higdon | Jen Higdon | | +| m.kariuki | Mary Kariuki | | +| c.lassey | Celia Lassey | | +| p.doran | Patricia Camarena Doran | ALIS: "Camarena Doran, Patricia" | +| e.huerta | Zeke Huerta | Legal first: Ezekiel (drives initial) | +| m.baker | Maia Baker | | +| e.yuzon | Ederick Yuzon | Spelling from ALIS; email confirm still pending | + +Excluded (intentional): +- Christine Nyanzunda -- already has AD + M365 accounts +- Polett Pinazavala -- departed + +--- + +## SG-Caregivers + +Script: `clients/cascades-tucson/scripts/add-caregivers-to-sg.ps1` +Run on: CS-SERVER, elevated PowerShell, sysadmin context + +**Result: 37 added, 0 failed, 0 skipped** + +All 37 caregiver accounts are now 
members of SG-Caregivers. This is the group that +controls Conditional Access policy coverage (Block-off-network, Sign-in-frequency, +Block-non-compliant) and the Registration Campaign exclusion (no Authenticator nudge). + +--- + +## State after this session + +The AD identity layer is complete: + +- [x] 37 caregiver accounts exist in OU=Caregivers +- [x] All 37 in SG-Caregivers (CA coverage active on next sync) +- [x] Entra Connect live (exited staging 2026-05-14) -- next sync cycle will push accounts to cloud +- [x] SG-Caregivers already synced to cloud (ID: 8b8d9222-5d71-419a-936d-56d895c6c332) +- [x] CA policies target synced SG-Caregivers + +After the next Entra Connect sync cycle (~30 min or force with Start-ADSyncSyncCycle +on CS-SERVER), M365 will provision Exchange mailboxes automatically for all 37 accounts. + +--- + +## Remaining open items before phone rollout + +| Item | Owner | Notes | +|---|---|---| +| Entra Connect sync -- push new accounts to cloud | Auto (next cycle) or force on CS-SERVER | Run: Start-ADSyncSyncCycle -PolicyType Delta | +| ALIS: UPDATE Espe Esperance staff record email | Meredith | Set to e.esperance@cascadestucson.com (she is Niyonsaba Esperance in ALIS) | +| ALIS: ADD Kasey Flores staff record | Meredith | k.flores@cascadestucson.com | +| ALIS: ADD Jahmeka Clarke staff record | Meredith | j.clarke@cascadestucson.com | +| ALIS: ADD Gloria Williford staff record | Meredith | g.williford@cascadestucson.com | +| Set ALIS Email = Entra UPN for ALL caregivers | Meredith / ALIS admin | Required for ALIS SSO to link; do after accounts appear in M365 | +| M365 licensing -- Business Premium for caregivers | Meredith (purchase decision) | 38 net-new licenses needed; $22/user/mo; proposal in docs/proposals/ | +| Reliable Agency per-person accounts | Howard (when names provided) | Cannot create until Reliable supplies individual names; HIPAA -- no shared logins | +| Ederick Yuzon first-name spelling confirm | Meredith (email) | Still 
outstanding; created as Ederick from ALIS | +| ALIS BAA (Medtelligent) | Meredith | Check if signed BAA was provided at contract time; if not, request from Medtelligent support | +| Stale vault entries cleanup | Howard | howard-enos-pilot.sops.yaml, pilot-test-user.sops.yaml | + +## Deferred (not blocking rollout) + +| Item | Notes | +|---|---| +| Knox OEMConfig (MHS half-screen) | Separate follow-up | +| MHS welcome-screen branding | Post-rollout | +| Portrait wallpaper upload | Post-rollout | +| Disable devices@cascadestucson.com | Post-rollout | +| SG-MedTech / SG-CCG groups | Create when ALIS licensing tiers confirmed | +| LinkRx SSO | Revisit only if vendor offers SSO | +| Folder redirection GPO rollout | Separate project track | +| Fleet hostname rename | Separate project track | + +## Related docs + +- `docs/cloud/caregiver-m365-p2-rollout.md` -- caregiver roster, AD placement, licensing +- `session-logs/2026-05-14-howard-cascades-phone-verification-closeout.md` -- architecture verified +- `session-logs/2026-05-08-howard-cascades-sdm-token-success-and-alis-sso.md` -- ALIS SSO proven +- `scripts/create-caregiver-accounts.ps1` -- account creation script +- `scripts/add-caregivers-to-sg.ps1` -- SG-Caregivers assignment script +- `scripts/enable-caregiver-password-rotation.ps1` -- run when ready for 30-day FGPP rotation
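Review bot: in the `caregiver-m365-p2-rollout.md` hunk at `@@ -106,6 +106,7 @@`, the new Espe Esperance roster line says "Resolved 2026-05-15" while the checklist hunk at `@@ -174` and the session log both date the resolution 2026-05-16; pick one date so the roster, checklist and log agree when someone audits when the identity was confirmed. The rest of the line (UPDATE the existing ALIS record rather than adding a new one) is clear and matches the script header and session log.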
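Review bot: in the `caregiver-m365-p2-rollout.md` hunk at `@@ -174,14 +175,20 @@`, the checked item `+- [x] ~~Create 37 caregiver AD accounts in OU=Caregivers~~ (done 2026-05-16 — 37 created, 0 failed; temp password Cascades2026!)` commits a live initial credential for 37 PHI-accessing accounts into a markdown doc in the repo; replace the literal with a pointer to the vault (the session log already references `.sops.yaml` vault entries), e.g. "temp password in vault". Same hunk, documentation point: the new `M365 licensing` item states "38 net-new Business Premium licenses needed" while the account count everywhere else is 37 and the removed line said 39; add the one-line derivation of 38 so the purchase decision Meredith is being asked for is traceable.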
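Review bot: in `add-caregivers-to-sg.ps1`, `Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue` is re-run inside the `foreach` for every one of the 37 accounts, and because the error is suppressed, a mistyped or unreadable group name silently reads as "not in group" and every account then falls into the `Add-ADGroupMember` catch block. Resolve the group once before the loop and fail fast if it is missing, then build the membership set once, e.g. `$members = @{}` followed by `Get-ADGroupMember -Identity $Group | ForEach-Object { $members[$_.SamAccountName] = $true }`, and test `if ($members.ContainsKey($sam))` in the loop. That also makes the "already in group" skip count reliable on a re-run.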
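Review bot: in `create-caregiver-accounts.ps1`, every account is created `-Enabled $true` with the same literal `"Cascades2026!"`, `-ChangePasswordAtLogon $false` and `-PasswordNeverExpires $true`, and the literal is checked into the repo; until `enable-caregiver-password-rotation.ps1` runs, that is one shared credential across 37 enabled PHI-accessing accounts, which cuts against the no-shared-login rationale the rollout doc cites from the HIPAA review. Suggested change: generate a per-account random password in the loop, write the pairs to the sops vault instead of the script, and either set `-ChangePasswordAtLogon $true` or create with `-Enabled $false` and enable at phone handout so there is no window where a known password sits on a live account before CA coverage syncs. Two smaller points in the same hunk: `$c.Display` is tested in `$displayName = if ($c.Display) {...}` but no entry in `$Caregivers` sets `Display`, so either drop the branch or add the field; and `-Name $displayName` only sets the CN, so add `-DisplayName $displayName` to populate the `displayName` attribute explicitly rather than relying on whatever the Entra Connect sync rules derive.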
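Review bot: in `enable-caregiver-password-rotation.ps1`, step 3 enumerates `Get-ADGroupMember -Identity $Group -Recursive`, so the `IMPORTANT:` line should also require `add-caregivers-to-sg.ps1` to have run; with an empty SG-Caregivers step 3 is a no-op and the closing "FGPP ... is now active" message is misleading. Same step: clearing `PasswordNeverExpires` does not reset `pwdLastSet`, so any account whose password is already older than 30 days expires immediately rather than "in 30 days" as the final `Write-Host` claims; either state that, or read `PasswordLastSet` per account and report which ones will be expired on the spot so Howard is not surprised by a wave of sign-in failures. Also, `-Recursive` can return nested non-user objects that `Set-ADUser` will reject, so filter with `Where-Object { $_.objectClass -eq 'user' }`, and the verify hint `Get-ADUserResultantPasswordPolicy -Identity ` is missing its argument; show a placeholder such as `<sAMAccountName>`.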
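Review bot: in the session log `2026-05-16-howard-caregiver-ad-account-creation.md`, the "Account creation" section repeats the initial password in plaintext (`Temp password: Cascades2026! (PasswordNeverExpires = true during rollout)`); redact it to a vault reference in the log the same way as in the rollout doc, since session logs are the most-read files in this repo. Documentation point: the header says `Machine: HOWARD-HOME` while the scripts were "Run on: CS-SERVER, elevated PowerShell, sysadmin context"; note the access path used (RDP, GuruRMM, or PSRemoting) so the audit trail for 37 account creations on the domain controller is complete. The rest of the log (Espe Esperance correction, the 37-row table, exclusions, and the open-items table) is clear and consistent with the scripts.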