From 95ad40bdbec4d1240b794464bb2536a338c785cb Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Tue, 5 May 2026 22:01:28 -0700 Subject: [PATCH] cascades: document Teams rollout + HIPAA test plan Lauren Hasselman could not create a Teams group on 2026-05-05. Diagnostic confirmed the block is at the Teams Admin policy layer (intentional, gated on HIPAA prerequisites in m365.md issues #12-#14), not an Entra/M365-Group permissions defect. New teams-rollout.md captures prerequisites, HIPAA config checklist, canary test plan (Lauren as primary canary), and exit criteria. Linked from m365.md issue #14. --- clients/cascades-tucson/docs/cloud/m365.md | 2 +- .../docs/cloud/teams-rollout.md | 113 ++++++++++++++++++ 2 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 clients/cascades-tucson/docs/cloud/teams-rollout.md diff --git a/clients/cascades-tucson/docs/cloud/m365.md b/clients/cascades-tucson/docs/cloud/m365.md index 7f516e4..eddb211 100644 --- a/clients/cascades-tucson/docs/cloud/m365.md +++ b/clients/cascades-tucson/docs/cloud/m365.md 
@@ -287,7 +287,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account 11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email. 12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. 13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free). -14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. +14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. **Rollout plan + test plan: `docs/cloud/teams-rollout.md`** (Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test). ## Notes 
diff --git a/clients/cascades-tucson/docs/cloud/teams-rollout.md b/clients/cascades-tucson/docs/cloud/teams-rollout.md new file mode 100644 index 0000000..7821597 --- /dev/null +++ b/clients/cascades-tucson/docs/cloud/teams-rollout.md 
@@ -0,0 +1,113 @@ +# Microsoft Teams Rollout (Cascades) + +**Status:** Not deployed. Gated on Microsoft BAA + HIPAA policy decisions (see `m365.md` issues #12, #13, #14). +**Owner:** Howard (MSP) +**Created:** 2026-05-05 + +## Why this doc exists + +On 2026-05-05, **Lauren Hasselman** (Business Office Director, `lauren.hasselman@cascadestucson.com`) reported she could not create a Teams group. Diagnostic ruled out Entra/M365-Group-layer restrictions: + +- Account enabled, Microsoft Teams service plan (`57ff2da0-773e-42df-b2af-ffb7a2317929`) assigned + enabled +- Tenant `groupSettings` empty -> Microsoft defaults apply -> `EnableGroupCreation = true` for all users +- No `GroupCreationAllowedGroupId` restriction set +- No sensitivity-label-required gating +- Lauren has no directory roles and no group memberships (normal user, no special grant needed) + +Conclusion: the block is at the **Teams Admin Center policy layer** (CsTeamsChannelsPolicy / CsTeamsMessagingPolicy / org-wide team creation setting), not Graph/Entra. This is **expected and intentional** -- Teams is supposed to be off until the HIPAA gates clear. When we roll Teams out, Lauren's case is the canary test. + +## Prerequisites (must be true before rollout begins) + +- [ ] Microsoft BAA signed (`m365.md` issue #12) -- M365 Admin Center > Settings > Org Settings > Security & Privacy > HIPAA BAA +- [ ] MFA / Security Defaults or Conditional Access enforced (`m365.md` issue #13) +- [ ] Decision on caregiver M365 P2 rollout (`docs/cloud/caregiver-m365-p2-rollout.md`) -- determines who gets Teams, with what license +- [ ] Decision on whether Teams replaces or complements existing comms (Synology Chat is currently used) + +## HIPAA-required Teams configuration (apply before unblocking creation) + +Configure in Teams Admin Center (`https://admin.teams.microsoft.com`) and Purview compliance portal. Document each policy's `Identity` so future drift is detectable. 
+ +### Messaging / chat + +- [ ] **Retention policy** for chat + channel messages + meeting recordings (Purview > Data Lifecycle Management). Default decision: 7 years for anything that could touch PHI; 90 days for general operational chat (separate policy on a sensitivity label or by team). +- [ ] **DLP policy** flagging SSN, MRN, DOB+name combinations, ALIS resident IDs in chat + channel posts. Action: block + notify sender, audit log. +- [ ] **External access (federation):** Disable by default. Allow specific partner domains only if a business case exists. +- [ ] **Guest access:** Disable. + +### Meetings + +- [ ] **Recording consent banner:** Enabled. +- [ ] **Auto-record:** OFF. +- [ ] **Recording storage:** OneDrive/SharePoint of organizer (default) -- review retention against #1. +- [ ] **Anonymous join:** Disabled or restricted. +- [ ] **Lobby:** Everyone except org users waits in lobby. + +### Telephony + +- [ ] No Teams Phone / PSTN calling planned at this time. If added later, voicemail transcripts are PHI risk -- review storage location. + +### Team / channel creation policy + +- [ ] **Global CsTeamsChannelsPolicy** -- decide: + - `AllowOrgWideTeamCreation` -- recommend `False` (only admins create org-wide teams) + - `AllowPrivateTeams` / standard team creation -- recommend `True` for licensed staff, gated by an Entra security group via `Group.Unified` `GroupCreationAllowedGroupId` +- [ ] If gating creation to a security group: create `M365-TeamCreators` security group, populate with department heads (Meredith, Lauren, John, Crystal, Megan, Tamra, Ashley), then set `groupSettings` `EnableGroupCreation=false` and `GroupCreationAllowedGroupId=`. Document in `m365.md`. + +## Test plan (run when policies are in place, before announcing to staff) + +For each test user, sign in to Teams web (`teams.microsoft.com`) in a private window with their actual credentials. Record pass/fail and exact UI text. 
+ +### Canary test users + +| User | Role | Why included | +|---|---|---| +| Lauren Hasselman | Business Office Director | Original reporter (2026-05-05). Must succeed. | +| Meredith Kuhn | Asst Manager | Department head -- expected creator | +| John Trozzi | (role) | Department head -- expected creator | +| Ashley Jensen | Accounting | Same dept as Lauren -- regression check | +| Sebastian Leon | Courtesy Patrol (unlicensed, shared-mailbox-only user) | Negative test -- should NOT be able to create teams (no Teams license) | + +### Test cases + +1. **Create a private team from scratch** + - Steps: Teams left rail > Teams > Join or create a team > Create team > From scratch > Private > name "TEST--" + - Expect (licensed users): team is created, user becomes owner. + - Expect (Sebastian): "Create a team" option missing OR error stating creation isn't allowed. + +2. **Create a team from an existing M365 group** + - Pre-req: have an existing distribution/M365 group user is owner of. + - Expect: same as #1 for licensed users. + +3. **Create a channel within an existing team** + - Confirm `AllowCreateUpdateChannels` matches policy decision. + +4. **Add a guest** (only if guest access is intentionally enabled) + - Expect: blocked unless org explicitly allows. + +5. **Send a chat with mock PHI** (e.g. fake SSN `123-45-6789` and a fake MRN string) + - Expect: DLP policy blocks or warns per configured action. + +6. **Start a meeting and attempt to record** + - Expect: consent banner appears for all attendees. + +### Exit criteria + +- All licensed canaries pass tests 1, 2, 3 with no error. +- Unlicensed canary (Sebastian) gets a clean "not allowed" experience -- no confusing partial UI. +- DLP test (#5) fires the configured action and writes to audit log (verify in Purview). +- Recording consent banner shows on test meeting. + +Only after all of the above pass do we announce Teams availability to staff. 
+ +## Cleanup after testing + +- Delete TEST-* teams created during canary tests. +- Document final policy `Identity` values + `groupSettings` config in `m365.md` under a new "Teams Configuration" section. +- Replace this doc's "Status: Not deployed" banner with deployment date + summary of policy decisions made. + +## References + +- `m365.md` issues #12 (BAA), #13 (MFA), #14 (Teams not deployed) +- `docs/cloud/caregiver-m365-p2-rollout.md` -- license + identity rollout that determines Teams audience +- Microsoft: `https://learn.microsoft.com/microsoftteams/policy-assignment-overview` +- Microsoft: `https://learn.microsoft.com/microsoft-365/solutions/groups-services-interactions` (Teams + Group + SharePoint interaction)
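Review bot: In the m365.md hunk, the new link `docs/cloud/teams-rollout.md` is written relative to the client root, while m365.md itself lives in `docs/cloud/`, so a reader (or any tool that resolves the backticked path as a link) will look for `docs/cloud/docs/cloud/teams-rollout.md`; the new doc uses bare same-directory names (`m365.md`) for the reverse reference, so `teams-rollout.md` here would match that convention and resolve correctly. Minor: the line now mixes the rollout-plan pointer with the HIPAA checklist in one long item; putting the pointer on its own sub-line under #14 would keep the checklist scannable.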
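Review bot: In the teams-rollout.md hunk, the "Team / channel creation policy" step ends with `GroupCreationAllowedGroupId=` and no value; the doc should state that this must be set to the object ID of the `M365-TeamCreators` group once it exists (and that the setting cannot be applied before the group is created), otherwise the step reads as complete when it is not. The same step also changes the layer the diagnostic section says is currently open: setting `Group.Unified` `EnableGroupCreation=false` restricts Microsoft 365 Group creation tenant-wide (Outlook, Planner, SharePoint), not only Teams, so test case 2 ("create a team from an existing M365 group") and any staff outside `M365-TeamCreators` will be affected beyond Teams; call that out so the prerequisite decision covers it. Smaller points: "review retention against #1" under Meetings refers to an unnumbered checkbox item, so name the retention policy explicitly; and "CsTeamsMessagingPolicy" in the conclusion governs chat features rather than team creation, so it can be dropped from that list.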