sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42

Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-18 10:17:42

clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md

@@ -0,0 +1,183 @@
+# Caregiver M365 + Entra P2 Rollout Plan (Cascades of Tucson)
+
+**Status:** Documentation only — do NOT create accounts or assign licenses yet.
+**Created:** 2026-04-18 (Howard)
+**Source:** `C:\Users\howar\OneDrive\Documents\Caregiver Scheduled shifts and phone #.xlsx` (as of 2026-04-17)
+
+## Goal / why this matters
+
+Cascades is deploying 25 shared Android phones plus 9 kitchen iPads to get caregivers off shared workstations and into their own authenticated sessions (ALIS EHR, Outlook, Edge). For that to actually improve HIPAA posture, every caregiver needs:
+
+1. Their own identity (AD user + M365 mailbox) so actions are attributable per-person rather than to a shared "Caregiver" login
+2. **Entra P2** so we can apply Conditional Access policies that restrict mobile email + ALIS access to:
+   - Managed (Intune-enrolled) shared phones, AND
+   - The Cascades physical network / trusted location (IP ranges or named location)
+3. Policy block on personal-device access to Exchange + ALIS (HIPAA §164.312 access control)
+
+Today none of these caregivers exist in AD or M365 — they use shared workstation logins and don't have email at all. That is the gap this rollout closes.
+
+**Also noted (explicit call-out to add to the proposal):** we did not previously frame the Business Premium proposal as "we're adding phones AND licenses to reach HIPAA compliance." The proposal currently lists 23 licensed users post-cleanup; with caregivers included it is closer to 62. The cost delta + HIPAA rationale should be surfaced in `docs/proposals/m365-premium-upgrade.md` before re-presenting to Meredith.
+
+## Caregiver roster (39 people)
+
+Location codes: **Tower** = assisted living tower, **MC** = Memory Care.
+Role flags: **CCG** = certified caregiver, **MedTech / MED TECH** = medication tech, **PRN** = as-needed/float, **NOC** = overnight.
+
+### Tuesday–Saturday (14)
+
+| # | Name | Proposed UPN | Shift | Location | Role | Phone |
+|---|------|--------------|-------|----------|------|-------|
+| 1 | Thelma Abainza | thelma.abainza@ | AM | Tower | Caregiver | 520-867-2579 |
+| 2 | Niel Castro | niel.castro@ | AM | Tower | MedTech / CCG | 520-697-4644 |
+| 3 | Espe Esperance | espe.esperance@ | PM | Tower | MedTech | 520-788-9558 |
+| 4 | Barbara Johnson | barbara.johnson@ | PM | Tower | Caregiver | 520-204-3449 |
+| 5 | Kasey Flores | kasey.flores@ | AM | MC | Caregiver | 520-250-1451 |
+| 6 | Richard Flores | richard.flores@ | AM | MC | Caregiver | 520-873-7727 |
+| 7 | Marie Kastner | marie.kastner@ | PM | MC | Caregiver | 714-576-9858 |
+| 8 | Bella Mendoza | bella.mendoza@ | PM | MC | Caregiver | 520-358-2000 |
+| 9 | Rosa Morales | rosa.morales@ | PM | MC | MedTech | 312-213-8780 |
+| 10 | Sandra Padilla | sandra.padilla@ | AM | Tower | MedTech / CCG | 520-585-3317 |
+| 11 | Polett Pinazavala | polett.pinazavala@ | AM | MC | MedTech | 520-449-5533 |
+| 12 | Whisper Reed | whisper.reed@ | Overnight | Tower | MedTech | 520-312-7575 |
+| 13 | Patricia Sandoval-Beck | patricia.sandoval-beck@ | AM | Tower | MedTech | 520-343-8093 |
+| 14 | Charity Sika | charity.sika@ | AM | MC | Caregiver | 623-251-8032 |
+| 15 | Ederick Yuzon | ederick.yuzon@ | PM | Tower | Caregiver | 520-603-8816 |
+
+### Sunday–Thursday (10)
+
+| # | Name | Proposed UPN | Shift | Location | Role | Phone |
+|---|------|--------------|-------|----------|------|-------|
+| 16 | Juan Andrade | juan.andrade@ | PM | MC | Caregiver | 520-528-4078 |
+| 17 | Jahmeka Clarke | jahmeka.clarke@ | PM | MC | MedTech | 520-649-7034 |
+| 18 | Karina Aziakpo | karina.aziakpo@ | Overnight | MC | MedTech / CCG | 520-392-6859 |
+| 19 | Jinnelle Dittbenner | jinnelle.dittbenner@ | PM | Tower | Caregiver | 520-499-9996 |
+| 20 | Christine Nyanzunda | christine.nyanzunda@ | AM (Sun/Mon only) | MC | MedTech | 520-304-4251 |
+| 21 | Agnes McFerren | agnes.mcferren@ | AM | Tower | Caregiver | 520-406-3063 |
+| 22 | Samuel Ramirez | samuel.ramirez@ | PM | Tower | Caregiver | 520-488-5798 |
+| 23 | Erica Sanchez | erica.sanchez@ | AM | MC | Caregiver | 520-528-3387 |
+| 24 | Katrina Wyzykowski | katrina.wyzykowski@ | AM | MC | MedTech | 520-347-1448 |
+| 25 | Corey Tate | corey.tate@ | NOC | Tower | Caregiver only (no MedTech) | 520-535-7821 |
+
+### Friday–Monday / weekend (5)
+
+| # | Name | Proposed UPN | Shift | Location | Role | Phone |
+|---|------|--------------|-------|----------|------|-------|
+| 26 | Ashli Atwood | ashli.atwood@ | Overnight | MC | MedTech / CCG | 715-200-1295 |
+| 27 | Cole Johnson | cole.johnson@ | PM | Tower | MedTech | 818-970-0890 |
+| 28 | Roseline Cooper | roseline.cooper@ | Overnight | MC | Caregiver | 520-278-6817 |
+| 29 | Monique Lopez | monique.lopez@ | Doubles (Fri & Sat) | Tower | Caregiver | 520-596-0969 |
+| 30 | Gloria Williford | gloria.williford@ | Doubles (Fri & Sat 5:45a–10p) | MC | MedTech | 928-551-1682 |
+
+### Thursday–Monday (3)
+
+| # | Name | Proposed UPN | Shift | Location | Role | Phone |
+|---|------|--------------|-------|----------|------|-------|
+| 31 | Sarah Carroll | sarah.carroll@ | PM | Tower | Caregiver | 520-409-2341 |
+| 32 | Luke Hogan | luke.hogan@ | AM | Tower | Caregiver | 520-312-0141 |
+| 33 | Gina Williams | gina.williams@ | AM | Tower | Caregiver | 520-612-5075 |
+
+### Split / other patterns (3)
+
+| # | Name | Proposed UPN | Shift | Location | Role | Phone |
+|---|------|--------------|-------|----------|------|-------|
+| 34 | Jen Higdon | jen.higdon@ | Mon/Wed/Fri AM | Tower | Caregiver | 520-730-3548 |
+| 35 | Mary Kariuki | mary.kariuki@ | Sat–Mon + Wed PM | Tower | Caregiver | 520-309-1247 |
+| 36 | CeCe Lassey | cece.lassey@ | Sun/Mon doubles + Tue PM | Tower | Caregiver | 520-248-5982 |
+
+### Sunday & Monday only (1)
+
+| # | Name | Proposed UPN | Shift | Location | Role | Phone |
+|---|------|--------------|-------|----------|------|-------|
+| 37 | Paty Doran | paty.doran@ | AM | Tower | MedTech / CCG | 520-591-7368 |
+
+### PRN / float (2)
+
+| # | Name | Proposed UPN | Shift | Location | Role | Phone |
+|---|------|--------------|-------|----------|------|-------|
+| 38 | Ezekiel Huerta | ezekiel.huerta@ | PRN | Tower | Caregiver | 520-591-6113 |
+| 39 | Maia Baker | maia.baker@ | PRN | MC | MedTech | TBD — not on shift list, only on Sheet2 |
+
+All UPNs above use the `@cascadestucson.com` suffix (standard).
+
+## Conflict / verify before creating
+
+- **Christine Nyanzunda** already exists in AD as **Memory Care Admin Assistant** (`Christine.Nyanzunda`, susan.hicks@ department peer — see `docs/servers/active-directory.md` and existing M365 match in `docs/cloud/m365.md`). The caregiver list entry `Christine Nyanzunda-AM shift/MC MED TECH` is likely the same person picking up clinical shifts, not a second identity. **Do not create a second account.** Confirm with Shelby Trozzi / Meredith that her caregiver shifts should use the existing `christine.nyanzunda@` mailbox.
+- **Paty Doran** — spelling could be Patricia / Paty / Patti. Confirm with HR before creating.
+- **Polett Pinazavala** — unusual spelling, verify with HR.
+- **Patricia Sandoval-Beck** — hyphenated last name; SamAccountName may need to be `Patricia.SandovalBeck` if hyphens are disallowed in downstream tools (ALIS, MDM).
+- **Ederick Yuzon** — verify spelling.
+- **Maia Baker** — name on Sheet2 only, no shift/phone data. Confirm employment status with HR.
+
+## Licensing plan (when ready — NOT now)
+
+**Current licensing (per `docs/cloud/m365.md`):**
+- Business Standard: 34 purchased, all assigned (need to free via shared-mailbox conversion first)
+- Entra P2: 1 unassigned (was Sandra Fish)
+
+**Target for caregiver rollout:**
+
+| License | Who gets it | Qty | Rationale |
+|---|---|---|---|
+| M365 Business Premium (replaces Standard) | All 23 existing licensed staff + 38 net-new caregivers (Christine Nyanzunda already counted as existing staff) | **61** | Includes Intune Shared Device Mode + Defender + DLP + the P2-equivalent Conditional Access features — this is the SKU the proposal already describes |
+| Entra ID P2 (standalone, IF we stay on Business Standard instead) | Same 61 | 61 | Only needed if we do NOT upgrade to Business Premium. Premium already bundles the CA features we need; avoid double-paying |
+
+**Recommended:** upgrade everyone to Business Premium, **don't** buy standalone P2. P2 is only listed here as the fallback if budget forces staying on Standard.
+
+### Quick cost math (order-of-magnitude, double-check in proposal)
+
+| Scenario | Licenses | Rate (monthly) | Monthly total |
+|---|---|---|---|
+| Today (actual) | 34 × Standard | $12.50 | $425 |
+| After shared-mailbox cleanup (no caregivers) | 23 × Premium | $22.00 | $506 |
+| After caregiver rollout (this doc) | 61 × Premium | $22.00 | **$1,342** |
+| Delta vs today | +$917/mo | | — |
+
+That is a meaningful jump and needs to be in the proposal conversation with Meredith explicitly — it was missing from the 2026-04-14 version.
+
+## Conditional Access policy plan (rough)
+
+When licenses are in place and accounts exist:
+
+1. **Named Location** in Entra = Cascades public IP(s) from pfSense WAN + VPN exit IP. Name it `CascadesTrustedLocation`.
+2. **Compliant Device** definition in Intune = corporate-enrolled Android (the 25 shared phones) + corporate-enrolled iPad (the 9 kitchen iPads) + domain-joined Windows PCs.
+3. **CA Policy: Caregivers — Mobile Email / ALIS access**
+   - Assignment: Entra group `SG-Caregivers` (populated from AD group once accounts exist)
+   - Cloud apps: Exchange Online, `ALIS` (once registered as Entra app), Outlook Mobile
+   - Conditions: Device Platforms = Android, iOS; Locations = Any
+   - Grant: Require compliant device **AND** require location `CascadesTrustedLocation` (combined grant, both required)
+   - Block everything else (personal phones off-network → blocked)
+4. **CA Policy: Caregivers — Web/browser block off-network**
+   - Same group + cloud apps
+   - Platforms: browser (desktop)
+   - Conditions: not in `CascadesTrustedLocation`
+   - Grant: Block
+5. **Exclusion group** `SG-CA-BreakGlass` for Meredith + sysadmin so we can't lock ourselves out.
+
+CA policies should be deployed in **Report-only** mode for at least 7 days, reviewed against Sign-in logs, then switched to On.
+
+## AD placement (when accounts are created)
+
+Put caregivers in the existing `OU=Departments,OU=...` department OUs:
+
+- Tower/MC caregivers → `OU=Care-Assisted Living,OU=Departments` (or create `OU=Caregivers` sub-OU if we want finer GPO targeting)
+- MedTech-flagged staff → same OU; group membership (SG-MedTech) controls ALIS licensing tier
+- CCG-flagged staff → same OU; group membership (SG-CCG) controls higher-privilege ALIS rights if any
+
+Group-policy impact: the `CSC - Folder Redirection (LE)` work done for Life Enrichment does NOT apply here. Care-Assisted Living GPO pattern needs to be cloned from the finalized LE GPO once that's proven on Susan Hicks' machine (DESKTOP-ROK7VNM).
+
+## Open items / decisions needed from client
+
+- [ ] Confirm Christine Nyanzunda is one person, not two (existing M365 account keeps working for caregiver shifts)
+- [ ] HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Ederick Yuzon, Maia Baker
+- [ ] Will caregivers use ALIS on the shared phones (need ALIS accounts + Entra SSO) or only email?
+- [ ] Does Cascades want to purchase 39 additional Business Premium licenses up-front, or roll out in waves (e.g., MedTechs first, then CCGs, then Caregivers)?
+- [ ] Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy
+- [ ] Timeline expectations — tying this to the phone deployment, the MDM rollout (7-phase plan in `docs/security/mdm.md`), and the Business Premium purchase
+
+## Related docs
+
+- Proposal: `docs/proposals/m365-premium-upgrade.md` — currently sized for 23 users; needs updating
+- MDM plan: `docs/security/mdm.md` — 25 phones + 9 iPads, ManageEngine; Intune Shared Device Mode is flagged as future
+- M365 current state: `docs/cloud/m365.md`
+- AD roster: `docs/servers/active-directory.md`
+- HIPAA program: `docs/security/hipaa.md`

clients/cascades-tucson/docs/cloud/m365-impersonation-protection.md

@@ -0,0 +1,97 @@
+# M365 Anti-Impersonation Protection — Cascades
+
+**Status:** Documentation only — policy not yet configured. Requires Business Premium (Defender for Office 365 Plan 1) or equivalent Defender for O365 add-on; Business Standard alone does not include the anti-impersonation engine.
+**Trigger:** follow-up to Megan Hiatt's phishing email incident, 2026-04-17.
+**Last updated:** 2026-04-18 (Howard)
+
+## What this covers
+
+Microsoft 365 Defender anti-phishing impersonation protection has two lists that need to be curated per tenant:
+
+1. **Trusted senders / domains** — partners we actually do business with. Adding them prevents legitimate mail from being caught by anti-impersonation rules (which flag lookalikes of these names/domains). This is NOT an allowlist that bypasses spam/malware scanning — it just tells the impersonation engine "yes, this one is the real one, anything that resembles it is suspect."
+2. **Protected users** — internal accounts that are high-value impersonation targets (executives, finance, anyone who can approve money or PHI disclosure). Inbound mail that mimics their display name from outside the tenant gets flagged.
+
+For Cascades we're also protecting the **domain** `cascadestucson.com` itself so lookalike domains (e.g., `cascadestucsom.com`, `cascadestuscon.com`) get flagged as impersonation attempts.
+
+## Currently configured (per Howard's 2026-04-17 email)
+
+### Protected domains
+- cascadestucson.com
+- azcomputerguru.com
+
+### Protected users
+- Megan Hiatt
+- John Trozzi
+- Crystal Rodriguez
+- Meredith Kuhn
+- Tamra Matthews
+- "accounting" (presumably the accounting@cascadestucson.com shared mailbox / anything with that display name)
+
+**Verify on next portal visit:** double-check the exact protected-users list in Defender → Policies → Anti-phishing → Impersonation. Howard's email lists "Megan, John, crystal, Meredith, accounting, crystal and tamra" — the duplicate "crystal" is probably a typo.
+
+## Trusted partners to add (from Megan Hiatt, 2026-04-17)
+
+Megan's "top domains I regularly do business with" reply. Preferred configuration: add the **domain** where we want any sender on that domain trusted; add the **specific email** where we only want that one person trusted.
+
+| Add as | Value | Business purpose |
+|---|---|---|
+| User | Matt Hermes — `Matt.Hermes@kold.com` | KOLD-TV — local media |
+| User | SoAPRA — `soapra.npra@gmail.com` | State senior-living industry assoc (individual Gmail — user, not domain) |
+| User | Lovely Laurence Garcia — `partnersuccess@caring.com` | Caring.com partner success |
+| User | Caring Leads Team — `leadsteam@caring.com` | Caring.com lead routing |
+| User | Assisted Living Locators (N. Tucson) — `sheril@assistedlivinglocators.com` | Senior-living placement agency |
+| User | Angel Ramirez — `angel@placitacare.com` | PlacitaCare — referral partner |
+| User | Anne Connell — `AnneC@cascadeliving.com` | Cascade Living (parent / affiliated property — verify relationship) |
+| User | A Place for Mom AR — `ar@aplaceformom.com` | APFM accounts receivable — referral fees |
+| User | `BillingWO@gray.tv` | Gray Television — ad billing |
+| User | 8x8 Support — `noreply@8x8.com` | VoIP vendor no-reply (may not need impersonation protection since it's already an automated sender — include per Megan) |
+| User | C.J. Duque — `cjduque@trucraftdesign.com` | Tru Craft Design — vendor |
+| User | `compressionprinting@gmail.com` | Compression Printing — vendor |
+| User | Lisa Burns — `lisab4421@gmail.com` | Personal/individual partner contact |
+| User | `jbuenafe-leads@caring.com` | Caring.com lead contact (one of many) |
+
+**Domain-level adds to consider (Howard to decide):** because Cascades gets mail from many different addresses at Caring.com and aplaceformom.com, adding `caring.com` and `aplaceformom.com` as trusted **domains** instead of individual addresses saves constant curation. Megan explicitly called out that Caring.com contacts "are changing all the time." Adding the domain once covers them all. Only risk: if a domain itself is spoofed, any sender claiming to be from it will be trusted — but the anti-impersonation engine is specifically about lookalike sender domains, so this is the correct use case.
+
+Recommended domain-level trusted partners:
+- `caring.com` — multiple contacts, constantly rotating
+- `aplaceformom.com` — same pattern (APFM has many reps)
+- `kold.com` — news media
+- `assistedlivinglocators.com` — agency with multiple reps
+- `cascadeliving.com` — **confirm this is a legitimate affiliated property before trusting the whole domain**
+- `gray.tv` — billing automation from multiple accounts
+
+Individual addresses to keep as **user-level** entries (not domain):
+- The two gmail.com partners (Lisa Burns, Compression Printing) — cannot trust `gmail.com` as a domain, obviously
+- `soapra.npra@gmail.com` — same
+- `angel@placitacare.com` — small vendor, domain-level overkill
+- `cjduque@trucraftdesign.com` — same
+- `noreply@8x8.com` — utility address, not a lookalike impersonation target anyway; Megan may have listed it for general allowlisting rather than anti-impersonation — revisit
+
+## Outstanding / awaiting input
+
+- **John Trozzi** (per 2026-04-17 email, bottom of thread): "I will gather this information for you tomorrow." → follow up for his partners list.
+- **Meredith Kuhn** — did not respond yet on impersonation list; she's the one most likely to be impersonated in a wire-fraud attack as Executive Director. Follow up.
+- **Ashley Jensen** (Assistant ED, Accounting) — same; likely overlaps with Meredith's list heavily.
+- **Cascade Living affiliation** — Anne Connell at `cascadeliving.com`. Verify with Meredith whether Cascades of Tucson is owned/affiliated with Cascade Living properties before trusting the domain wholesale. If affiliated, add as trusted domain; if arm's-length, keep as user-level.
+
+## Implementation notes (when ready)
+
+1. Purchase Business Premium or Defender for O365 P1 add-on (impersonation engine lives in Defender, not EOP baseline)
+2. Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-phishing → edit the Standard preset or create `CSC - Anti-Phishing Standard`
+3. Impersonation tab:
+   - Add protected users (Meredith, Megan, John, Crystal, Tamra, Ashley — anyone who can approve money/PHI)
+   - Add protected domains: `cascadestucson.com`, `azcomputerguru.com`, and any affiliated properties verified above
+   - Add trusted senders/domains (sections above)
+   - Action when user is impersonated: **Quarantine message** (not just "move to Junk" — attackers test Junk-only delivery)
+   - Mailbox intelligence: **On**, with "impersonated users" action = Quarantine
+4. Spoof intelligence: On, with action Quarantine
+5. Turn on Safety Tips
+6. Review quarantine daily for first 2 weeks — tune the trusted list based on false positives
+7. Document in this file any legitimate senders we have to add mid-operation so the list stays authoritative
+
+## Related docs
+
+- `docs/cloud/m365.md` — overall M365 state
+- `docs/cloud/p2-staff-candidates.md` — staff P2 rollout (overlapping stakeholders)
+- `docs/cloud/caregiver-m365-p2-rollout.md` — phone-side rollout (different user population)
+- `docs/security/hipaa.md` — HIPAA program this feeds into

clients/cascades-tucson/docs/cloud/m365.md

@@ -24,6 +24,16 @@
 
 **Note:** Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses.
 
+### Planned expansion — caregiver rollout (not yet purchased)
+
+Separate from the current 34 users, there are **~39 caregivers / med techs / CCGs** with no current AD or M365 account who need identities + Conditional Access in order for the shared-phone + HIPAA story to actually work. Full roster, proposed UPNs, license math, and CA policy design are in `docs/cloud/caregiver-m365-p2-rollout.md`. Rough target: 61 total Business Premium licenses (23 existing staff post-cleanup + 38 net-new caregivers; Christine Nyanzunda overlaps and stays at one account). **Do not create any of these accounts yet** — documentation + proposal update first.
+
+### Staff-side P2 / anti-impersonation tracking
+
+These are in-flight and feed the same Business Premium purchase decision:
+- `docs/cloud/p2-staff-candidates.md` — office staff who need P2 for PHI-in-email or home-access scenarios (Crystal confirmed Megan/Crystal/Tamra; John Trozzi gathering the rest)
+- `docs/cloud/m365-impersonation-protection.md` — Defender anti-impersonation trusted partners + protected users (Megan's partner list captured; awaiting John's additions)
+
 ## AD ↔ M365 Account Mapping
 
 ### Matched Accounts (AD user → M365 mailbox)

clients/cascades-tucson/docs/cloud/p2-staff-candidates.md

@@ -0,0 +1,89 @@
+# Staff Entra P2 Candidates — Cascades
+
+**Status:** Documentation only — no license purchase or policy activation yet. Awaiting full list from John Trozzi.
+**Last updated:** 2026-04-18 (Howard)
+**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout.
+
+## Why this list is separate
+
+Two different problems both use P2 features, and conflating them makes the license math fuzzy:
+
+- **Caregiver rollout** (covered elsewhere): ~39 hourly staff, shared Android phones, goal is location-locked mobile access during shifts.
+- **This list** — office staff whose risk is:
+  - Receives / sends PHI (new resident intake forms, doctor-supplied medical info)
+  - Works from home or checks email on a personal phone, which is where we need either Conditional Access compliance enforcement or just a targeted location restriction
+  - Or — should be restricted to in-building sign-in only
+
+The Conditional Access policies will likely differ between the two groups (office staff need "work from home or from trusted device with compliance", caregivers need strict "on-prem network + managed shared phone only"), so tracking them separately keeps the policy design clean.
+
+## Criteria (from Howard → leadership email, 2026-04-16)
+
+A staff member needs P2 if they match one or more:
+1. Signs in on a phone or tablet at Cascades (skip-MFA-in-building story)
+2. Should only sign in from the building (enforce location restriction)
+3. Handles sensitive / medical information via email (PHI — need to enforce encryption + DLP policies that P2-tier features back)
+
+## Candidates confirmed so far
+
+### From Crystal Rodriguez (2026-04-16 reply)
+
+| Name | Role | Reason P2 is needed | Notes |
+|---|---|---|---|
+| Megan Hiatt | Sales Director | Handles new-resident intake forms (PHI from doctors); works from home; email on personal cell | Already a protected user for anti-impersonation |
+| Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user |
+| Tamra Matthews | Move-In Coordinator | Same — intake forms | **Leaving in June 2026** — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |
+
+### Awaiting from John Trozzi
+
+Per his 2026-04-17 email: "I will gather this information for you tomorrow." Expected additions likely include:
+- Meredith Kuhn (Executive Director — CEO-equivalent, highest impersonation / PHI risk)
+- Ashley Jensen (Assistant Executive Director)
+- John Trozzi himself (Facilities/Maintenance Director — judgment call on PHI exposure)
+- Lois Lane (Health Services Director — clinical data)
+- Karen Rossini (Health Services Manager — clinical data)
+- Britney Thompson (Memory Care Nurse — clinical data)
+- Shelby Trozzi (Memory Care Director — clinical data)
+- Christina DuPras (Resident Services Director)
+- Christine Nyanzunda (Memory Care Admin Assistant)
+- Susan Hicks (Life Enrichment Director — activity records may include PHI-adjacent data)
+- Sharon Edwards (Life Enrichment Assistant)
+
+Don't presume — wait for John's actual reply before buying licenses.
+
+## Decision still open (from Howard's 2026-04-16 email to leadership)
+
+> "Do you want all staff restricted to signing in only from the building, or just certain roles/users (like front desk, kitchen, clinical)?"
+
+No answer yet. This decision directly changes the license count and the CA policy design:
+- If **all staff restricted to building-only** → every AD-synced user needs P2 and a matching CA policy. Larger spend.
+- If **only some restricted** → P2 only for those users; cheaper, but requires ongoing judgment on who gets which policy.
+
+## Intersection with other rollouts
+
+- **Anti-impersonation protection** (`docs/cloud/m365-impersonation-protection.md`) — same top-tier users are the protected users there. Keep the lists in sync.
+- **Business Premium upgrade** (`docs/proposals/m365-premium-upgrade.md`) — Business Premium bundles P2-equivalent CA features, so if we go Premium tenant-wide, standalone P2 purchases go away. Default recommendation: **bundle everything into Business Premium**, only buy standalone P2 if budget forces staying on Business Standard for some users.
+- **Caregiver rollout** (`docs/cloud/caregiver-m365-p2-rollout.md`) — ~39 additional licenses. Combined target ~61 Premium licenses for the whole org.
+
+## Rough license math (staff side only)
+
+| Scenario | Qty | Notes |
+|---|---|---|
+| Confirmed today (Crystal, Megan, Tamra-through-June) | 3 | Crystal's reply |
+| Likely additions from John + Meredith (guessed) | ~5–8 | Wait for actual reply |
+| All staff (if "restrict everyone" decision) | ~23 | Equals the full post-cleanup licensed-user count from `docs/cloud/m365.md` |
+
+## Action items
+
+- [ ] Follow up with John Trozzi on the gathering — he owes us the list
+- [ ] Push Meredith for the "restrict everyone or just some" decision
+- [ ] When list is final, decide: standalone P2 add-on OR move those users to Business Premium OR move the whole tenant to Business Premium (recommended)
+- [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy
+- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026)
+
+## Related docs
+
+- `docs/cloud/m365.md`
+- `docs/cloud/m365-impersonation-protection.md`
+- `docs/cloud/caregiver-m365-p2-rollout.md`
+- `docs/proposals/m365-premium-upgrade.md`
+- `docs/security/hipaa.md`

clients/cascades-tucson/docs/proposals/m365-premium-upgrade.md

@@ -3,6 +3,7 @@
 
 **Prepared by:** Howard Enos, MSP
 **Date:** April 14, 2026
+**Revision needed (flagged 2026-04-18):** this proposal sizes Premium at 23 users, but the caregiver roster (`docs/cloud/caregiver-m365-p2-rollout.md`) lists ~39 caregivers / MedTechs / CCGs with no current M365 identity who actually USE the 25 shared phones. Without their accounts + Conditional Access, the phones don't deliver per-person HIPAA auditability. Updated target is closer to **61 Premium licenses (~$1,342/mo)**, not 23 (~$506/mo). The "saves $56.50/mo" narrative below is true of the staff-only cleanup but must be re-framed as "licensing the people who will use the phones is new spend driven by HIPAA compliance, not a cost-saving move." Leave this document as the starting point; re-present to Meredith with the updated math before purchasing.
 
 ---
 

clients/cascades-tucson/docs/security/mdm.md

@@ -1,5 +1,7 @@
 # Mobile Device Management — Cascades
 
+> **2026-04-18 note:** the HIPAA rationale for moving from ManageEngine kiosk-only to Intune Shared Device Mode + Entra Conditional Access is that each of the ~39 caregivers / MedTechs / CCGs needs their own identity on the shared phones — not a device-level kiosk login. That identity list is documented in `docs/cloud/caregiver-m365-p2-rollout.md` and drives the Business Premium license count. Until those accounts exist and CA policies are in place, the phones + ManageEngine kiosk are a stepping stone, not the HIPAA end-state.
+
 ## Product
 - **Platform:** ManageEngine Mobile Device Manager Plus
 - **URL:** https://mdm.manageengine.com/

clients/cascades-tucson/reports/2026-04-18-tenant-inventory.md

@@ -0,0 +1,315 @@
+# Cascades Tucson — M365 Tenant Inventory Report
+
+**Pulled:** 2026-04-18 (Howard + Claude remediation tool)
+**Tenant:** cascadestucson.com (`207fa277-e9d8-4eb7-ada1-1064d2221498`)
+**Access method:** Microsoft Graph + Exchange REST via `ComputerGuru - AI Remediation` app (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
+**Scope:** Read-only. No changes made.
+
+---
+
+## TL;DR — three findings that need action
+
+### 1. Business Premium is already purchased but nobody has it
+
+| SKU | Friendly name | Enabled (prepaid) | Consumed | Status |
+|---|---|---|---|---|
+| `SPB` | **M365 Business Premium** | **34** | **0** | Enabled (unused) |
+| `O365_BUSINESS_PREMIUM` | M365 Business Standard (note: misleading SKU name) | 0 | 33 | **Warning state — 34 units, 3 suspended** |
+| `EXCHANGE_S_ESSENTIALS` | Exchange Online Essentials | 0 | 6 | **Suspended — 24 units** |
+| `AAD_PREMIUM_P2` | Entra ID P2 | 1 | 0 | Enabled (unused — this is Sandra Fish's old license) |
+| `FLOW_FREE` | Power Automate Free | 10000 | 3 | Enabled |
+| `STREAM` | Microsoft Stream trial | 1000000 | 0 | Enabled (trial) |
+
+**What this means:**
+- **Cascades is already paying for 34 Business Premium licenses** — nobody has been assigned. That is ~$34 × $22 = ~$748/mo of purchased product sitting idle.
+- **Business Standard has expired** and is in the Microsoft grace/warning window. 34 prepaid units show `warning` (grace before deprovision). 3 units are already `suspended`. If users aren't migrated to the Premium SKU before the grace window closes, they lose mailboxes and Office apps.
+- **Exchange Online Essentials is fully suspended** — 6 users depend on it (see below). Those mailboxes may already be in reduced-function mode.
+- The Business Premium proposal I'd been drafting (`docs/proposals/m365-premium-upgrade.md`) is moot — **the purchase is done, just not deployed.**
+
+### 2. Megan Hiatt is under active credential-stuffing attack
+
+In the last 7 days of sign-ins (167 total, sampled):
+- **54 failed sign-ins against `megan.hiatt@cascadestucson.com`** from IP `80.94.92.102` in GB (United Kingdom)
+- All failures with error code `50053` (account locked from repeated wrong-password attempts)
+- Also seen: error `50053` with reason "Sign-in was blocked because it came from an IP address with malicious activity" — Microsoft IP-reputation is catching some of these
+- No successful foreign sign-ins in the 7-day window (everyone's US-only for successes)
+
+**What this confirms:** the phishing email Megan received on 2026-04-17 was not an isolated probe. Attackers have her address and are actively attempting to brute-force it. Her account is repeatedly locking out, which is why lockout policy is working. But the attack is ongoing.
+
+**Action items (separate from the license work):**
+- Force a password rotation on Megan's account
+- Verify her MFA method is Authenticator app, not SMS (SMS can be sim-swapped)
+- Add Megan to a targeted Conditional Access policy that blocks all non-US sign-ins (already partially covered by existing CA, but explicit block is cleaner)
+- Consider temporarily blocking IP `80.94.92.102` at the tenant level (Entra sign-in blocks, or via Conditional Access Named Location "Deny")
+
+### 3. Intune entitlement is fully unused
+
+| Item | Count |
+|---|---|
+| Intune managed devices | **0** |
+| Intune compliance policies | **0** |
+| Intune device configuration profiles | **0** |
+| Entra-registered devices (pre-Intune) | 89 (87 Windows, 1 Android, 1 Windows non-compliant) |
+
+Business Premium includes Intune. The 25 phones + 9 kitchen iPads + domain PCs could all be enrolled today. The 89 already-registered Entra devices could be converted to Intune-managed with policy push. Right now the MDM story is still "ManageEngine planned" (see `docs/security/mdm.md`) — but **ManageEngine is now redundant spend** once Business Premium is actually assigned.
+
+---
+
+## Full tenant state
+
+### Identity / directory
+
+- Created: 2018-08-08
+- Country: US
+- Default domain: `cascadestucson.com` (has Email + Teams + Intune capabilities)
+- Initial domain: `NETORGFT4257522.onmicrosoft.com` (Email + Teams only)
+- No additional custom domains
+- **On-premises sync:** not enabled (Entra Connect planned — `cloud/m365.md`)
+- Directory size: 637 objects / 300,000 quota
+
+### Global / Privileged admins
+
+| Role | Member |
+|---|---|
+| Global Administrator | sysadmin@cascadestucson.com (our MSP account) |
+
+No other admin-role assignments visible. Sandra Fish's removal (2026-04-14) is confirmed — she's not in any privileged role.
+
+### User accounts (53 total)
+
+| Category | Count | Notes |
+|---|---|---|
+| Licensed member accounts | 38 | See breakdown below |
+| Unlicensed member (Kitchen iPad device account) | 1 | `Kitchenipad@cascadestucson.com` — intentional |
+| Disabled members | 7 | former employees (Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi, Kristiana Dowse, Nick Pavloff, Stephanie Devin) + old tenant admin `admin@NETORGFT4257522...` |
+| Guest users (external) | 7 | a.r.jensen018@gmail, Debora Morris (teepasnow.com), dunedolly21@gmail, duprasc2002@yahoo, eugenie.nicoud (helpany.com), howard@azcomputerguru.com, karenrossini7@gmail |
+
+**`dunedolly21_gmail.com` and `eugenie.nicoud_helpany.com`** were NOT in the prior documentation. Worth reviewing — is eugenie.nicoud a legit business partner, or a stale invite? Same for dunedolly21. Both are enabled guests.
+
+### Licensed users — per SKU breakdown
+
+**M365 Business Standard (f245ecc8 — the expiring SKU):** 33 consumed
+- Allison.Reibschied, Training@, accounting@, accountingassistant@, alyssa.brooks, ann.dery, ashley.jensen, boadmin@, christina.dupras, christine.nyanzunda, crystal.rodriguez, dax.howard, frontdesk@, hr@, jd.martin, jodi.ramstack, john.trozzi, karen.rossini, lauren.hasselman, lois.lane, lupe.sanchez, matthew.brooks, megan.hiatt, memcarereceptionist@, meredith.kuhn, ramon.castaneda, security@, sharon.edwards, susan.hicks, tamra.matthews, veronica.feller
+- **Plus `accounting@`** which is actually a Shared Mailbox now (doesn't need a license — reclaim)
+- **Plus `jodi.ramstack`** which was supposed to be deleted per 2026-04-13 cleanup — account still enabled + licensed
+
+**Exchange Online Essentials (suspended):** 6 consumed
+- fax@, medtech@, nurse@, transportation@, Britney.Thompson, Shelby.Trozzi
+- SKU is in `Suspended` state — these mailboxes may already be at reduced function. Migrate to SPB before they break.
+
+**Power Automate Free (no mailbox value):** 3 consumed — ashley.jensen, lauren.hasselman, sysadmin
+
+**M365 Business Premium (SPB):** 0 consumed out of 34 — **this is the finding**
+
+**Entra ID P2:** 0 consumed out of 1
+
+### Shared mailboxes (6)
+
+| Mailbox | Alias | Notes |
+|---|---|---|
+| accounting@cascadestucson.com | (GUID alias) | **Still has Business Standard license — remove** |
+| anna.pitzlin@cascadestucson.com | anna.pitzlin | Former employee |
+| fax@cascadestucson.com | fax | Fax-to-email |
+| jeff.bristol@cascadestucson.com | jeff.bristol | Former employee |
+| kristiana.dowse@cascadestucson.com | (GUID alias) | Former employee (HR-confirmed delete candidate) |
+| nela.durut-azizi@cascadestucson.com | nela.durut-azizi | Former employee, forwards to lois.lane (see below) |
+
+### Mailbox inventory
+
+| Type | Count |
+|---|---|
+| UserMailbox | 35 |
+| SharedMailbox | 6 |
+| DiscoveryMailbox | 1 (built-in, for eDiscovery) |
+
+**Mailbox auditing:** Enabled on all with 90-day retention. Good.
+
+### Mailbox forwarding (external or to terminated accounts)
+
+Only two forwards configured, both internal:
+- `medtech@` → `nurses@cascadestucson.com` (keep copy: true) — legitimate, routes med tech notifications to clinical team
+- `nela.durut-azizi@` → `lois.lane@cascadestucson.com` (keep copy: true) — legitimate handoff after Nela left
+
+No external forwarding. Good — this is a common attacker persistence mechanism (forward mail to gmail.com) and it's not present.
+
+### Conditional Access policies (8, all enabled)
+
+1. `Microsoft-managed: Block legacy authentication` — All users / All apps / grant: Block
+2. `Microsoft-managed: Require phishing-resistant MFA for admins` — Admin roles / All apps
+3. `Require MFA for admins` — Admin roles / All apps / grant: MFA
+4. `Require MFA for external and guest users` — Guests/External / All apps / grant: MFA
+5. `Block all legacy sign-ins that don't support MFA` — All users / grant: Block
+6. `Require MFA and a password change when high-risk users are detected` — All users / grant: MFA + passwordChange **(requires P2 to actually detect risk — currently 0 P2 assigned)**
+7. `Require MFA when risky sign-ins are detected` — All users / grant: MFA **(same — P2 required)**
+8. `Require MFA for all users` — All users / All apps / grant: MFA
+
+**Observations:**
+- Policies 6 + 7 are "Identity Protection" templates. They're enabled but toothless without P2 assignment to users.
+- No location-based policy (trusted locations / named locations) exists yet. This is the gap for the caregiver rollout story.
+- No device-compliance requirement. Adding a policy like "Grant access if compliant device" is the main reason to actually deploy Intune.
+
+**Security Defaults:** Off (correct — you can't have both Security Defaults and CA policies).
+
+### Authentication methods policy
+
+Enabled: FIDO2 keys, Microsoft Authenticator, SMS, Software OATH, Temporary Access Pass
+Disabled: Voice, Email, X509 Certificate, QR Code PIN
+
+Reasonable baseline. Consider disabling SMS in favor of Authenticator-only as a future hardening step.
+
+### Anti-phishing / Defender for Office config
+
+**Default Office 365 AntiPhish policy:** enabled, but **NO impersonation targets set** — relies only on mailbox intelligence.
+
+**Standard Preset Security Policy (active):**
+- Protected users: **Megan Hiatt, John Trozzi, Meredith Kuhn, Crystal Rodriguez, Tamra Matthews** (5)
+- Protected domains: **cascadestucson.com, azcomputerguru.com** (2)
+- Similar-user safety tips: **on**
+- Similar-domain safety tips: **on**
+- Unusual-character safety tips: **on**
+- User impersonation action: **Quarantine**
+- Domain impersonation action: **Quarantine**
+- Mailbox intelligence impersonation action: **MoveToJmf** (Junk — soft, consider upgrading to Quarantine)
+- Phish threshold: **3** (Aggressive) — fine
+
+**Confirmation:** this matches Howard's 2026-04-17 email exactly. The protected list ready to expand with Megan's partner list and John's pending list.
+
+### Defender for Office 365 add-ons
+
+| Feature | State |
+|---|---|
+| Safe Links (Standard Preset) | Enabled — ScanUrls on, ClickThrough blocked, email tracking on |
+| Safe Links (Built-in) | Enabled — ClickThrough allowed (built-in is less strict) |
+| Safe Attachments (Standard Preset) | Enabled — Action: Block |
+| Safe Attachments (Built-in) | Enabled |
+| Safe Docs | Enabled (Office client-side scanning) |
+| ATP for SharePoint/Teams/OneDrive | Enabled |
+| Malware Filter (Standard Preset) | Enabled — file-type filter on |
+| Malware Filter (Default) | Enabled — file-type filter **off** |
+
+**Note:** these preset policies rely on Defender for Office P1 per-user licensing to fully enforce. Defender for O365 P1 comes bundled in Business Premium (SPB). So technically the policies are in place but the user-level enforcement requires SPB assignment. Once SPB is assigned to a user, these policies start protecting them.
+
+### Transport rules
+
+Only one rule:
+- `Fax Forward and Retain Copy` — priority 0, Enforce mode, Enabled
+
+Clean. No suspicious rules.
+
+### Intune / device state
+
+| Metric | Value |
+|---|---|
+| Intune managed devices | 0 |
+| Intune compliance policies | 0 |
+| Intune device configuration profiles | 0 |
+| Entra-registered devices (not Intune-managed) | 89 |
+| Windows devices registered | 88 |
+| Android devices registered | 1 |
+
+The 89 Entra-registered devices are mostly `Workplace` trust type (user joined via "Add work or school account" from personal PC) — they're visible in Entra but not managed. Moving them to Intune requires enrollment.
+
+### OAuth consent / third-party apps (user-granted)
+
+100 service principals total. Non-Microsoft ones with user-granted OAuth:
+- Alignable (business networking)
+- BlueMail (mobile email client)
+- SaaS Alerts (looks like an MSP monitoring tool — verify whether Cascades or ACG set this up)
+- SurveyMonkey
+- Azure Static Web Apps (probably Microsoft-owned actually)
+- Microsoft Photos Services
+
+**SaaS Alerts** warrants a double-check — is this us (ACG) using it for Cascades monitoring, or an old consent from a prior MSP? Search `docs/` for prior mentions.
+
+### Services activated vs unused (Business Premium SKU plans)
+
+Business Premium (SPB) includes 50+ service plans. Noteworthy:
+
+**In active use (evidence found):**
+- Exchange Online Standard (mail)
+- SharePoint Standard (implied by Teams/OneDrive)
+- Teams
+- Office apps (Business Standard currently — Business Premium would replace)
+- Defender for Office 365 (ATP_ENTERPRISE) — **configured but not licensed per-user yet**
+
+**Provisioned / licensed but **not used** (becomes available once SPB is assigned):**
+- **Microsoft Intune (INTUNE_A, INTUNE_SMBIZ)** — 0 devices enrolled
+- **Microsoft Defender for Business (MDE_SMB)** — endpoint EDR, 0 devices onboarded
+- **Azure Information Protection Premium (RMS_S_PREMIUM)** — no labels configured
+- **Universal Print (UNIVERSAL_PRINT_01)** — not set up
+- **Microsoft Bookings (MICROSOFTBOOKINGS)** — not used
+- **Viva Learning, Viva Engage, Viva Insights** — not set up
+- **Clipchamp, Loop, Whiteboard, Bookings, Bing Chat Enterprise, Mesh Avatars** — not used
+- **Power BI embedded (POWER_VIRTUAL_AGENTS_O365_P2)** — not used
+- **MFA Premium + Entra ID P1 (AAD_PREMIUM, MFA_PREMIUM)** — CA already configured, will be properly backed once SPB assigned
+- **Microsoft Defender for Cloud Apps Discovery (ADALLOM_S_DISCOVERY)** — not set up
+- **Exchange Archive (EXCHANGE_S_ARCHIVE_ADDON)** — not configured
+- **Office Shared Computer Activation (OFFICE_SHARED_COMPUTER_ACTIVATION)** — relevant for Cascades' shared front-desk machines, not set up
+- **Windows 11 Business entitlement (WINBIZ)** — users aren't activating via their M365 account yet
+- **Kaizala (KAIZALA_O365_P2)** — deprecated by Microsoft, skip
+- **DYN365 Business Central Invoicing (DYN365BC_MS_INVOICING)** — unused
+
+**Features that are stuck "PendingActivation":**
+- `INTUNE_O365` — Intune for O365 (overlaps with INTUNE_A), seen in both Business Standard and Business Premium SKUs. This is a known Microsoft state — it activates when you actually use Intune.
+
+### Identity Protection / risky users
+
+Query returned `scopes missing` — our `ComputerGuru - AI Remediation` app doesn't have `IdentityRiskyUser.Read.All` consented in Cascades' tenant. If Howard wants me to read risk data programmatically, the app needs that scope added and consented (admin consent URL can be generated from the skill). Or the data can be read directly from the Entra portal by Howard — it's there, just not via our app right now.
+
+### DLP policies
+
+Query returned `segment not found` — the DLP endpoint moved to Purview, and our app scope doesn't include Purview read. Check manually via the compliance portal. Business Premium includes DLP (BPOS_S_DlpAddOn) so the feature is available; whether any policies are defined is unknown from this inventory pass.
+
+---
+
+## What Premium unlocks that Cascades hasn't touched
+
+Short version of the "what are we paying for" question:
+
+| Feature | Status today | What assigning SPB + configuring unlocks |
+|---|---|---|
+| Intune MDM / MAM | 0 devices | Enroll 25 phones + 9 iPads + all Windows PCs; push policies, compliance, app management. Replaces ManageEngine. |
+| Conditional Access (P1 backing) | Policies exist but P1 not per-user-assigned | Full CA enforcement — location-based, device-compliance grants |
+| Defender for Business (EDR on endpoints) | Not onboarded | Endpoint detection & response on every Windows PC |
+| Defender for Office (anti-phish etc.) | Policies configured | Per-user enforcement kicks in |
+| Azure Information Protection | No labels | Sensitivity labels for PHI-tagged docs/emails |
+| DLP policies | Not visible via Graph | PHI email blocking, external-send restrictions |
+| Office Shared Computer Activation | Not set up | Proper Office licensing on front-desk shared PC |
+| Universal Print | Not set up | Cloud-managed printing; could replace CS-SERVER print server |
+| Bookings | Not set up | Tour/appointment scheduling (Sales team — Megan) |
+| Viva Learning | Not set up | HIPAA training content delivery |
+
+---
+
+## Recommended next actions (sequence matters)
+
+Leaving these as recommendations — no changes made, all documentation only:
+
+### Immediately (this week)
+1. **Rotate Megan Hiatt's password and verify her MFA method is Authenticator app** (active attack)
+2. **Migrate licenses from expiring Business Standard to Business Premium** for the 33 consumed users. Start with leadership + clinical. Standard is in `warning` grace — timer is running.
+3. **Move 6 Exchange Online Essentials users to Business Premium** too. That SKU is already `Suspended`.
+4. **Reclaim `accounting@` license** — it's a shared mailbox now, doesn't need a seat.
+5. **Verify `jodi.ramstack` status** — still enabled + licensed despite 2026-04-13 cleanup plan.
+
+### Near-term (next two weeks)
+6. Assign the 1 available P2 license — probably to Meredith (highest-risk protected user), and request a volume add as part of the caregiver/P2 rollout
+7. Enroll pilot devices in Intune (1 phone + 1 iPad + 1 PC) — prove the path before batch
+8. Build the trusted-sender + protected-user expansion per `docs/cloud/m365-impersonation-protection.md` (already documented, waiting on John Trozzi's additions)
+9. Review two unexpected guests: `dunedolly21@gmail.com`, `eugenie.nicoud@helpany.com`. Keep or remove.
+10. Verify `SaaS Alerts` service principal is ours, not a stale consent.
+
+### Medium-term (phase 2)
+11. Caregiver account creation per `docs/cloud/caregiver-m365-p2-rollout.md` — 39 new licenses added (probably to 61 total Premium). **But since the tenant already sits on 34 Premium, we only need to purchase the difference.**
+12. Implement Entra Connect per `cloud/m365.md` Entra Connect plan
+13. Build location-based CA policy after pfSense WAN IPs are confirmed static
+14. Retire the GP-Preferences folder redirection workaround once GPO pattern is proven on Susan Hicks
+
+---
+
+## Proposal / doc updates this inventory forces
+
+- `docs/proposals/m365-premium-upgrade.md` — this document's core assumption ("upgrade and save $56.50/mo") is no longer accurate. The upgrade was already purchased. The real ask is about license assignment + configuration work + possibly additional Premium licenses for caregivers. Reframe the proposal as an **operational services engagement** to actually deploy what's already paid for.
+- `docs/cloud/m365.md` — update license table. Current state shows Business Standard 34/34 but that's reading cached data; reality is Business Standard in warning, Business Premium 34/0 purchased-but-unused.
+- `docs/cloud/p2-staff-candidates.md` — note that Entra P2 quantity is currently 1, need volume purchase for the staff P2 rollout.
+- `docs/security/mdm.md` — the "Intune Shared Device Mode (requires Business Premium upgrade)" future-note is now applicable **now**, not future.