sync: auto-sync from HOWARD-HOME at 2026-04-23 06:21:23
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-04-23 06:21:23
This commit is contained in:
@@ -165,7 +165,8 @@ Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M36
|
||||
| **G4. Take out of staging, directory sync ONLY (no Password Hash Sync)** | Hybrid identity appears in Entra. Passwords remain separate between AD and M365. | None — users sign in exactly as today | 48 hours stable with no new support tickets about sign-in |
|
||||
| **G5. Announce + enable Password Hash Sync** | AD password hash pushes to Entra. Next Outlook / Teams / Edge launch, prompts once for password. Users enter AD password. | **ONE password prompt, once.** After that: one password for everything. | Zero unresolved helpdesk tickets; test user confirms PC + Outlook + OWA work on same password |
|
||||
| **G6. Conditional Access policies go live in REPORT-ONLY mode** | CA evaluates every sign-in and records what WOULD have been blocked, but doesn't actually block. | None | 7–14 days of logs reviewed — zero "would have been blocked" events for legitimate users. Fix trusted-location / compliance gaps as needed. |
|
||||
| **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. |
|
||||
| **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. **User comms sent 48h before flip** — see G7a below. |
|
||||
| **G7a. Pre-enforcement user comms (MUST run before G7)** | Query Entra sign-in logs for any licensed user with >0 off-site sign-ins in last 30 days. Anyone NOT in `SG-External-Signin-Allowed` gets a targeted email: "Starting [date] you will only be able to sign into Cascades email and apps from inside the building. If you work from home / travel / check email on your phone off-site, reply to Meredith by [date-1] to be added to the allow-list." | Users who legitimately work off-site get warned; those who don't get confirmation that silent behavior change is coming. | Report from Entra sign-in logs shows comms sent to every off-site-active user. No silent blocks at G7 cutover. |
|
||||
| **G8 (separate project). ALIS SSO Enterprise App registration** | "Sign in with Microsoft" option appears on ALIS login. Existing ALIS username/password keeps working during transition. | Optional new sign-in button. | N/A — rollout when ALIS support has provided federation metadata. |
|
||||
|
||||
**Rollback points:** G3 through G5 all have clean reverse paths (remove from staging, disable PHS, reset individual passwords). G6/G7 CA policies can be disabled with one click. Only hard-to-reverse step is G1's AD renames — mitigated by the pre-change reg-exports/backups already in the `D:\Backups\pre-entra-connect-*` folder from the 2026-04-22 preflight remediation.
|
||||
|
||||
Reference in New Issue
Block a user