azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cascades: document Teams rollout + HIPAA test plan

Browse Source 
Lauren Hasselman could not create a Teams group on 2026-05-05.
Diagnostic confirmed the block is at the Teams Admin policy layer
(intentional, gated on HIPAA prerequisites in m365.md issues #12-#14),
not an Entra/M365-Group permissions defect. New teams-rollout.md
captures prerequisites, HIPAA config checklist, canary test plan
(Lauren as primary canary), and exit criteria. Linked from m365.md
issue #14.
This commit is contained in:
Howard Enos
2026-05-05 22:01:28 -07:00
parent c9a47a4ded
commit 95ad40bdbe
2 changed files with 114 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
clients/cascades-tucson/docs/cloud/m365.md
View File

@@ -287,7 +287,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account
11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email. 11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email.
12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. 12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free). 13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. 14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. **Rollout plan + test plan: `docs/cloud/teams-rollout.md`** (Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test).
## Notes ## Notes

113
clients/cascades-tucson/docs/cloud/teams-rollout.md Normal file
View File

@@ -0,0 +1,113 @@
# Microsoft Teams Rollout (Cascades)
**Status:** Not deployed. Gated on Microsoft BAA + HIPAA policy decisions (see `m365.md` issues #12, #13, #14).
**Owner:** Howard (MSP)
**Created:** 2026-05-05
## Why this doc exists
On 2026-05-05, **Lauren Hasselman** (Business Office Director, `lauren.hasselman@cascadestucson.com`) reported she could not create a Teams group. Diagnostic ruled out Entra/M365-Group-layer restrictions:
- Account enabled, Microsoft Teams service plan (`57ff2da0-773e-42df-b2af-ffb7a2317929`) assigned + enabled
- Tenant `groupSettings` empty -> Microsoft defaults apply -> `EnableGroupCreation = true` for all users
- No `GroupCreationAllowedGroupId` restriction set
- No sensitivity-label-required gating
- Lauren has no directory roles and no group memberships (normal user, no special grant needed)
Conclusion: the block is at the **Teams Admin Center policy layer** (CsTeamsChannelsPolicy / CsTeamsMessagingPolicy / org-wide team creation setting), not Graph/Entra. This is **expected and intentional** -- Teams is supposed to be off until the HIPAA gates clear. When we roll Teams out, Lauren's case is the canary test.
## Prerequisites (must be true before rollout begins)
- [ ] Microsoft BAA signed (`m365.md` issue #12) -- M365 Admin Center > Settings > Org Settings > Security & Privacy > HIPAA BAA
- [ ] MFA / Security Defaults or Conditional Access enforced (`m365.md` issue #13)
- [ ] Decision on caregiver M365 P2 rollout (`docs/cloud/caregiver-m365-p2-rollout.md`) -- determines who gets Teams, with what license
- [ ] Decision on whether Teams replaces or complements existing comms (Synology Chat is currently used)
## HIPAA-required Teams configuration (apply before unblocking creation)
Configure in Teams Admin Center (`https://admin.teams.microsoft.com`) and Purview compliance portal. Document each policy's `Identity` so future drift is detectable.
### Messaging / chat
- [ ] **Retention policy** for chat + channel messages + meeting recordings (Purview > Data Lifecycle Management). Default decision: 7 years for anything that could touch PHI; 90 days for general operational chat (separate policy on a sensitivity label or by team).
- [ ] **DLP policy** flagging SSN, MRN, DOB+name combinations, ALIS resident IDs in chat + channel posts. Action: block + notify sender, audit log.
- [ ] **External access (federation):** Disable by default. Allow specific partner domains only if a business case exists.
- [ ] **Guest access:** Disable.
### Meetings
- [ ] **Recording consent banner:** Enabled.
- [ ] **Auto-record:** OFF.
- [ ] **Recording storage:** OneDrive/SharePoint of organizer (default) -- review retention against #1.
- [ ] **Anonymous join:** Disabled or restricted.
- [ ] **Lobby:** Everyone except org users waits in lobby.
### Telephony
- [ ] No Teams Phone / PSTN calling planned at this time. If added later, voicemail transcripts are PHI risk -- review storage location.
### Team / channel creation policy
- [ ] **Global CsTeamsChannelsPolicy** -- decide:
- `AllowOrgWideTeamCreation` -- recommend `False` (only admins create org-wide teams)
- `AllowPrivateTeams` / standard team creation -- recommend `True` for licensed staff, gated by an Entra security group via `Group.Unified` `GroupCreationAllowedGroupId`
- [ ] If gating creation to a security group: create `M365-TeamCreators` security group, populate with department heads (Meredith, Lauren, John, Crystal, Megan, Tamra, Ashley), then set `groupSettings` `EnableGroupCreation=false` and `GroupCreationAllowedGroupId=<group-id>`. Document in `m365.md`.
## Test plan (run when policies are in place, before announcing to staff)
For each test user, sign in to Teams web (`teams.microsoft.com`) in a private window with their actual credentials. Record pass/fail and exact UI text.
### Canary test users
| User | Role | Why included |
|---|---|---|
| Lauren Hasselman | Business Office Director | Original reporter (2026-05-05). Must succeed. |
| Meredith Kuhn | Asst Manager | Department head -- expected creator |
| John Trozzi | (role) | Department head -- expected creator |
| Ashley Jensen | Accounting | Same dept as Lauren -- regression check |
| Sebastian Leon | Courtesy Patrol (unlicensed, shared-mailbox-only user) | Negative test -- should NOT be able to create teams (no Teams license) |
### Test cases
1. **Create a private team from scratch**
- Steps: Teams left rail > Teams > Join or create a team > Create team > From scratch > Private > name "TEST-<initials>-<date>"
- Expect (licensed users): team is created, user becomes owner.
- Expect (Sebastian): "Create a team" option missing OR error stating creation isn't allowed.
2. **Create a team from an existing M365 group**
- Pre-req: have an existing distribution/M365 group user is owner of.
- Expect: same as #1 for licensed users.
3. **Create a channel within an existing team**
- Confirm `AllowCreateUpdateChannels` matches policy decision.
4. **Add a guest** (only if guest access is intentionally enabled)
- Expect: blocked unless org explicitly allows.
5. **Send a chat with mock PHI** (e.g. fake SSN `123-45-6789` and a fake MRN string)
- Expect: DLP policy blocks or warns per configured action.
6. **Start a meeting and attempt to record**
- Expect: consent banner appears for all attendees.
### Exit criteria
- All licensed canaries pass tests 1, 2, 3 with no error.
- Unlicensed canary (Sebastian) gets a clean "not allowed" experience -- no confusing partial UI.
- DLP test (#5) fires the configured action and writes to audit log (verify in Purview).
- Recording consent banner shows on test meeting.
Only after all of the above pass do we announce Teams availability to staff.
## Cleanup after testing
- Delete TEST-* teams created during canary tests.
- Document final policy `Identity` values + `groupSettings` config in `m365.md` under a new "Teams Configuration" section.
- Replace this doc's "Status: Not deployed" banner with deployment date + summary of policy decisions made.
## References
- `m365.md` issues #12 (BAA), #13 (MFA), #14 (Teams not deployed)
- `docs/cloud/caregiver-m365-p2-rollout.md` -- license + identity rollout that determines Teams audience
- Microsoft: `https://learn.microsoft.com/microsoftteams/policy-assignment-overview`
- Microsoft: `https://learn.microsoft.com/microsoft-365/solutions/groups-services-interactions` (Teams + Group + SharePoint interaction)