From 3c071069c7017fe88b53a5a74e06b47081d14c05 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Fri, 5 Jun 2026 14:05:06 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-05 14:04:58 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-05 14:04:58 --- wiki/clients/cascades-tucson.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 75fe842..2914b22 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md 
@@ -59,6 +59,36 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building --- +## Entra Access Architecture (canonical overview) + +**In one line:** a HIPAA-driven, identity-based access-control system that splits staff into two security postures and enforces them with **Microsoft Entra Conditional Access** on top of **hybrid identity** (Entra Connect), with **ALIS (clinical EHR) wired for SSO**. Tickets: #109412123 (Entra setup), #110680053 (domain migration). + +### Foundation — hybrid identity +- On-prem AD `cascades.local` synced to Entra/M365 via **Entra Connect** (PHS + Seamless SSO). UPN suffix `cascadestucson.com`, so a user's **Windows login = email = M365/ALIS identity** (one credential everywhere). + +### Two user buckets (the core design) +1. **Restricted — caregivers + medtechs** (group `SG-Caregivers`, `8b8d9222`): sign in **only on the Cascades network** and **only on approved devices** (shared Galaxy phones + a set of caregiver laptops/desktops). **No MFA** (no personal devices) — protected by **location + device** controls + 8h sign-in frequency instead. Effect: caregiver credentials are **useless off-site or off an approved device** — the anti-hacker / bad-employee-from-home control. +2. **Privileged — admins / directors / managers / nurses** (NOT in `SG-Caregivers`): email + ALIS **from anywhere**, **seamless onsite / 2FA offsite** (Authenticator/PIN). Untouched by the caregiver lockdown. + +### Conditional Access enforcement (caregivers) +- `CSC - Block caregivers off Cascades network` (`e35614e1`) +- `CSC - Block caregivers on non-compliant device` (`ede985e2`) — being replaced by a **device allow-list** (`CSC - Caregivers: allow-listed devices only`, `1b7fd025`): phones (`displayName -startsWith "CSC-"`) + tagged caregiver machines (`extensionAttribute1 -eq "CSCCaregiverDevice"`, or explicit deviceId). 
Note: extensionAttribute changes lag >70 min into CA's filter cache — **deviceId matching is the lag-free lever** for the small device set. +- `CSC - Caregiver sign-in frequency 8h` (`7d491c7a`) +- Rollout is **per-user via group membership** (test group `SG-Caregivers-DeviceTest` `db5849ec` carries the full rule set for one-at-a-time validation; promote to `SG-Caregivers` + disable compliance-block when validated). + +### Devices +- **Phones:** Samsung A15s in Intune **Shared Device Mode** (Android Enterprise, device-token enrolled) — live. +- **Laptops/desktops:** caregiver shared machines (Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC) joined to Entra so CA recognizes them and they go on the allow-list (group `Cascades - Caregiver Devices` `02c6f698` for policy targeting). + +### ALIS SSO +- Entra app registration -> OIDC SSO into ALIS; **tenant-wide admin consent granted** (2026-06-03). Per-user join key = **ALIS staff Email must equal the Entra UPN**. Caregivers SSO silently on phones (ALIS-native 2FA off); office users SSO with offsite MFA. + +### Status (as of 2026-06-05) +- **Proven working:** the access model — caregiver lockdown + ALIS SSO — end-to-end on a desktop (pilot.test). +- **Blocker / pivot:** device-level **Intune** policies (disable Windows Hello, idle-lock, Shared PC Mode profile-cleanup) can't deploy because the tenant's per-user Intune (`INTUNE_A`) won't provision — stuck `PendingInput` tenant-wide; no Windows device has ever Intune-enrolled (Android works via device-token, which needs no per-user Intune). Microsoft case open. **Pivot:** deliver those device settings via **Group Policy** (Hybrid Entra Join / domain join) or local policy — no Intune dependency. Caregiver access itself does NOT depend on Intune. + +--- + ## Profile - **Contract type:** Prepaid hour block
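Review bot: The Conditional Access section leaves the enforcement state during the policy swap ambiguous: `CSC - Block caregivers on non-compliant device` (`ede985e2`) is described as "being replaced by" the allow-list policy (`1b7fd025`), and the rollout bullet says to "disable compliance-block when validated", yet the two-bucket section states caregivers have **No MFA** and are "protected by **location + device** controls". Because the device control is, together with network location, the substitute for MFA, this section should say explicitly that both block policies remain enabled until every machine listed under Devices is matched by the allow-list filter, and which filter clause is authoritative for each device. Related: the filter uses `displayName -startsWith "CSC-"` for phones, while the note underneath says `deviceId` matching is the lag-free lever; state which attribute the laptops/desktops are matched on in `1b7fd025` and record the deviceIds next to the hostnames in the Devices list so membership can be verified against the policy. The Status pivot also proposes Hybrid Entra Join / domain join for machines that are currently "joined to Entra"; if re-joining replaces the device object (and therefore the deviceId the allow-list keys on), that needs a line here, otherwise the allow-list and the Group Policy pivot can drift apart silently. Minor: the named location behind "Cascades network" (policy `e35614e1`) is not identified anywhere in this section; add its name or ID so the IP scope can be audited alongside the policy.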