sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42

Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-18 10:17:42
This commit is contained in:
2026-04-18 10:17:43 -07:00
parent 6a135ac111
commit d2e375df8a
7 changed files with 697 additions and 0 deletions

View File

@@ -0,0 +1,183 @@
# Caregiver M365 + Entra P2 Rollout Plan (Cascades of Tucson)
**Status:** Documentation only — do NOT create accounts or assign licenses yet.
**Created:** 2026-04-18 (Howard)
**Source:** `C:\Users\howar\OneDrive\Documents\Caregiver Scheduled shifts and phone #.xlsx` (as of 2026-04-17)
## Goal / why this matters
Cascades is deploying 25 shared Android phones plus 9 kitchen iPads to get caregivers off shared workstations and into their own authenticated sessions (ALIS EHR, Outlook, Edge). For that to actually improve HIPAA posture, every caregiver needs:
1. Their own identity (AD user + M365 mailbox) so actions are attributable per-person rather than to a shared "Caregiver" login
2. **Entra P2** so we can apply Conditional Access policies that restrict mobile email + ALIS access to:
- Managed (Intune-enrolled) shared phones, AND
- The Cascades physical network / trusted location (IP ranges or named location)
3. Policy block on personal-device access to Exchange + ALIS (HIPAA §164.312 access control)
Today none of these caregivers exist in AD or M365 — they use shared workstation logins and don't have email at all. That is the gap this rollout closes.
**Also noted (explicit call-out to add to the proposal):** we did not previously frame the Business Premium proposal as "we're adding phones AND licenses to reach HIPAA compliance." The proposal currently lists 23 licensed users post-cleanup; with caregivers included it is closer to 62. The cost delta + HIPAA rationale should be surfaced in `docs/proposals/m365-premium-upgrade.md` before re-presenting to Meredith.
## Caregiver roster (39 people)
Location codes: **Tower** = assisted living tower, **MC** = Memory Care.
Role flags: **CCG** = certified caregiver, **MedTech / MED TECH** = medication tech, **PRN** = as-needed/float, **NOC** = overnight.
### TuesdaySaturday (14)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 1 | Thelma Abainza | thelma.abainza@ | AM | Tower | Caregiver | 520-867-2579 |
| 2 | Niel Castro | niel.castro@ | AM | Tower | MedTech / CCG | 520-697-4644 |
| 3 | Espe Esperance | espe.esperance@ | PM | Tower | MedTech | 520-788-9558 |
| 4 | Barbara Johnson | barbara.johnson@ | PM | Tower | Caregiver | 520-204-3449 |
| 5 | Kasey Flores | kasey.flores@ | AM | MC | Caregiver | 520-250-1451 |
| 6 | Richard Flores | richard.flores@ | AM | MC | Caregiver | 520-873-7727 |
| 7 | Marie Kastner | marie.kastner@ | PM | MC | Caregiver | 714-576-9858 |
| 8 | Bella Mendoza | bella.mendoza@ | PM | MC | Caregiver | 520-358-2000 |
| 9 | Rosa Morales | rosa.morales@ | PM | MC | MedTech | 312-213-8780 |
| 10 | Sandra Padilla | sandra.padilla@ | AM | Tower | MedTech / CCG | 520-585-3317 |
| 11 | Polett Pinazavala | polett.pinazavala@ | AM | MC | MedTech | 520-449-5533 |
| 12 | Whisper Reed | whisper.reed@ | Overnight | Tower | MedTech | 520-312-7575 |
| 13 | Patricia Sandoval-Beck | patricia.sandoval-beck@ | AM | Tower | MedTech | 520-343-8093 |
| 14 | Charity Sika | charity.sika@ | AM | MC | Caregiver | 623-251-8032 |
| 15 | Ederick Yuzon | ederick.yuzon@ | PM | Tower | Caregiver | 520-603-8816 |
### SundayThursday (10)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 16 | Juan Andrade | juan.andrade@ | PM | MC | Caregiver | 520-528-4078 |
| 17 | Jahmeka Clarke | jahmeka.clarke@ | PM | MC | MedTech | 520-649-7034 |
| 18 | Karina Aziakpo | karina.aziakpo@ | Overnight | MC | MedTech / CCG | 520-392-6859 |
| 19 | Jinnelle Dittbenner | jinnelle.dittbenner@ | PM | Tower | Caregiver | 520-499-9996 |
| 20 | Christine Nyanzunda | christine.nyanzunda@ | AM (Sun/Mon only) | MC | MedTech | 520-304-4251 |
| 21 | Agnes McFerren | agnes.mcferren@ | AM | Tower | Caregiver | 520-406-3063 |
| 22 | Samuel Ramirez | samuel.ramirez@ | PM | Tower | Caregiver | 520-488-5798 |
| 23 | Erica Sanchez | erica.sanchez@ | AM | MC | Caregiver | 520-528-3387 |
| 24 | Katrina Wyzykowski | katrina.wyzykowski@ | AM | MC | MedTech | 520-347-1448 |
| 25 | Corey Tate | corey.tate@ | NOC | Tower | Caregiver only (no MedTech) | 520-535-7821 |
### FridayMonday / weekend (5)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 26 | Ashli Atwood | ashli.atwood@ | Overnight | MC | MedTech / CCG | 715-200-1295 |
| 27 | Cole Johnson | cole.johnson@ | PM | Tower | MedTech | 818-970-0890 |
| 28 | Roseline Cooper | roseline.cooper@ | Overnight | MC | Caregiver | 520-278-6817 |
| 29 | Monique Lopez | monique.lopez@ | Doubles (Fri & Sat) | Tower | Caregiver | 520-596-0969 |
| 30 | Gloria Williford | gloria.williford@ | Doubles (Fri & Sat 5:45a10p) | MC | MedTech | 928-551-1682 |
### ThursdayMonday (3)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 31 | Sarah Carroll | sarah.carroll@ | PM | Tower | Caregiver | 520-409-2341 |
| 32 | Luke Hogan | luke.hogan@ | AM | Tower | Caregiver | 520-312-0141 |
| 33 | Gina Williams | gina.williams@ | AM | Tower | Caregiver | 520-612-5075 |
### Split / other patterns (3)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 34 | Jen Higdon | jen.higdon@ | Mon/Wed/Fri AM | Tower | Caregiver | 520-730-3548 |
| 35 | Mary Kariuki | mary.kariuki@ | SatMon + Wed PM | Tower | Caregiver | 520-309-1247 |
| 36 | CeCe Lassey | cece.lassey@ | Sun/Mon doubles + Tue PM | Tower | Caregiver | 520-248-5982 |
### Sunday & Monday only (1)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 37 | Paty Doran | paty.doran@ | AM | Tower | MedTech / CCG | 520-591-7368 |
### PRN / float (2)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 38 | Ezekiel Huerta | ezekiel.huerta@ | PRN | Tower | Caregiver | 520-591-6113 |
| 39 | Maia Baker | maia.baker@ | PRN | MC | MedTech | TBD — not on shift list, only on Sheet2 |
All UPNs above use the `@cascadestucson.com` suffix (standard).
## Conflict / verify before creating
- **Christine Nyanzunda** already exists in AD as **Memory Care Admin Assistant** (`Christine.Nyanzunda`, susan.hicks@ department peer — see `docs/servers/active-directory.md` and existing M365 match in `docs/cloud/m365.md`). The caregiver list entry `Christine Nyanzunda-AM shift/MC MED TECH` is likely the same person picking up clinical shifts, not a second identity. **Do not create a second account.** Confirm with Shelby Trozzi / Meredith that her caregiver shifts should use the existing `christine.nyanzunda@` mailbox.
- **Paty Doran** — spelling could be Patricia / Paty / Patti. Confirm with HR before creating.
- **Polett Pinazavala** — unusual spelling, verify with HR.
- **Patricia Sandoval-Beck** — hyphenated last name; SamAccountName may need to be `Patricia.SandovalBeck` if hyphens are disallowed in downstream tools (ALIS, MDM).
- **Ederick Yuzon** — verify spelling.
- **Maia Baker** — name on Sheet2 only, no shift/phone data. Confirm employment status with HR.
## Licensing plan (when ready — NOT now)
**Current licensing (per `docs/cloud/m365.md`):**
- Business Standard: 34 purchased, all assigned (need to free via shared-mailbox conversion first)
- Entra P2: 1 unassigned (was Sandra Fish)
**Target for caregiver rollout:**
| License | Who gets it | Qty | Rationale |
|---|---|---|---|
| M365 Business Premium (replaces Standard) | All 23 existing licensed staff + 38 net-new caregivers (Christine Nyanzunda already counted as existing staff) | **61** | Includes Intune Shared Device Mode + Defender + DLP + the P2-equivalent Conditional Access features — this is the SKU the proposal already describes |
| Entra ID P2 (standalone, IF we stay on Business Standard instead) | Same 61 | 61 | Only needed if we do NOT upgrade to Business Premium. Premium already bundles the CA features we need; avoid double-paying |
**Recommended:** upgrade everyone to Business Premium, **don't** buy standalone P2. P2 is only listed here as the fallback if budget forces staying on Standard.
### Quick cost math (order-of-magnitude, double-check in proposal)
| Scenario | Licenses | Rate (monthly) | Monthly total |
|---|---|---|---|
| Today (actual) | 34 × Standard | $12.50 | $425 |
| After shared-mailbox cleanup (no caregivers) | 23 × Premium | $22.00 | $506 |
| After caregiver rollout (this doc) | 61 × Premium | $22.00 | **$1,342** |
| Delta vs today | +$917/mo | | — |
That is a meaningful jump and needs to be in the proposal conversation with Meredith explicitly — it was missing from the 2026-04-14 version.
## Conditional Access policy plan (rough)
When licenses are in place and accounts exist:
1. **Named Location** in Entra = Cascades public IP(s) from pfSense WAN + VPN exit IP. Name it `CascadesTrustedLocation`.
2. **Compliant Device** definition in Intune = corporate-enrolled Android (the 25 shared phones) + corporate-enrolled iPad (the 9 kitchen iPads) + domain-joined Windows PCs.
3. **CA Policy: Caregivers — Mobile Email / ALIS access**
- Assignment: Entra group `SG-Caregivers` (populated from AD group once accounts exist)
- Cloud apps: Exchange Online, `ALIS` (once registered as Entra app), Outlook Mobile
- Conditions: Device Platforms = Android, iOS; Locations = Any
- Grant: Require compliant device **AND** require location `CascadesTrustedLocation` (combined grant, both required)
- Block everything else (personal phones off-network → blocked)
4. **CA Policy: Caregivers — Web/browser block off-network**
- Same group + cloud apps
- Platforms: browser (desktop)
- Conditions: not in `CascadesTrustedLocation`
- Grant: Block
5. **Exclusion group** `SG-CA-BreakGlass` for Meredith + sysadmin so we can't lock ourselves out.
CA policies should be deployed in **Report-only** mode for at least 7 days, reviewed against Sign-in logs, then switched to On.
## AD placement (when accounts are created)
Put caregivers in the existing `OU=Departments,OU=...` department OUs:
- Tower/MC caregivers → `OU=Care-Assisted Living,OU=Departments` (or create `OU=Caregivers` sub-OU if we want finer GPO targeting)
- MedTech-flagged staff → same OU; group membership (SG-MedTech) controls ALIS licensing tier
- CCG-flagged staff → same OU; group membership (SG-CCG) controls higher-privilege ALIS rights if any
Group-policy impact: the `CSC - Folder Redirection (LE)` work done for Life Enrichment does NOT apply here. Care-Assisted Living GPO pattern needs to be cloned from the finalized LE GPO once that's proven on Susan Hicks' machine (DESKTOP-ROK7VNM).
## Open items / decisions needed from client
- [ ] Confirm Christine Nyanzunda is one person, not two (existing M365 account keeps working for caregiver shifts)
- [ ] HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Ederick Yuzon, Maia Baker
- [ ] Will caregivers use ALIS on the shared phones (need ALIS accounts + Entra SSO) or only email?
- [ ] Does Cascades want to purchase 39 additional Business Premium licenses up-front, or roll out in waves (e.g., MedTechs first, then CCGs, then Caregivers)?
- [ ] Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy
- [ ] Timeline expectations — tying this to the phone deployment, the MDM rollout (7-phase plan in `docs/security/mdm.md`), and the Business Premium purchase
## Related docs
- Proposal: `docs/proposals/m365-premium-upgrade.md` — currently sized for 23 users; needs updating
- MDM plan: `docs/security/mdm.md` — 25 phones + 9 iPads, ManageEngine; Intune Shared Device Mode is flagged as future
- M365 current state: `docs/cloud/m365.md`
- AD roster: `docs/servers/active-directory.md`
- HIPAA program: `docs/security/hipaa.md`

View File

@@ -0,0 +1,97 @@
# M365 Anti-Impersonation Protection — Cascades
**Status:** Documentation only — policy not yet configured. Requires Business Premium (Defender for Office 365 Plan 1) or equivalent Defender for O365 add-on; Business Standard alone does not include the anti-impersonation engine.
**Trigger:** follow-up to Megan Hiatt's phishing email incident, 2026-04-17.
**Last updated:** 2026-04-18 (Howard)
## What this covers
Microsoft 365 Defender anti-phishing impersonation protection has two lists that need to be curated per tenant:
1. **Trusted senders / domains** — partners we actually do business with. Adding them prevents legitimate mail from being caught by anti-impersonation rules (which flag lookalikes of these names/domains). This is NOT an allowlist that bypasses spam/malware scanning — it just tells the impersonation engine "yes, this one is the real one, anything that resembles it is suspect."
2. **Protected users** — internal accounts that are high-value impersonation targets (executives, finance, anyone who can approve money or PHI disclosure). Inbound mail that mimics their display name from outside the tenant gets flagged.
For Cascades we're also protecting the **domain** `cascadestucson.com` itself so lookalike domains (e.g., `cascadestucsom.com`, `cascadestuscon.com`) get flagged as impersonation attempts.
## Currently configured (per Howard's 2026-04-17 email)
### Protected domains
- cascadestucson.com
- azcomputerguru.com
### Protected users
- Megan Hiatt
- John Trozzi
- Crystal Rodriguez
- Meredith Kuhn
- Tamra Matthews
- "accounting" (presumably the accounting@cascadestucson.com shared mailbox / anything with that display name)
**Verify on next portal visit:** double-check the exact protected-users list in Defender → Policies → Anti-phishing → Impersonation. Howard's email lists "Megan, John, crystal, Meredith, accounting, crystal and tamra" — the duplicate "crystal" is probably a typo.
## Trusted partners to add (from Megan Hiatt, 2026-04-17)
Megan's "top domains I regularly do business with" reply. Preferred configuration: add the **domain** where we want any sender on that domain trusted; add the **specific email** where we only want that one person trusted.
| Add as | Value | Business purpose |
|---|---|---|
| User | Matt Hermes — `Matt.Hermes@kold.com` | KOLD-TV — local media |
| User | SoAPRA — `soapra.npra@gmail.com` | State senior-living industry assoc (individual Gmail — user, not domain) |
| User | Lovely Laurence Garcia — `partnersuccess@caring.com` | Caring.com partner success |
| User | Caring Leads Team — `leadsteam@caring.com` | Caring.com lead routing |
| User | Assisted Living Locators (N. Tucson) — `sheril@assistedlivinglocators.com` | Senior-living placement agency |
| User | Angel Ramirez — `angel@placitacare.com` | PlacitaCare — referral partner |
| User | Anne Connell — `AnneC@cascadeliving.com` | Cascade Living (parent / affiliated property — verify relationship) |
| User | A Place for Mom AR — `ar@aplaceformom.com` | APFM accounts receivable — referral fees |
| User | `BillingWO@gray.tv` | Gray Television — ad billing |
| User | 8x8 Support — `noreply@8x8.com` | VoIP vendor no-reply (may not need impersonation protection since it's already an automated sender — include per Megan) |
| User | C.J. Duque — `cjduque@trucraftdesign.com` | Tru Craft Design — vendor |
| User | `compressionprinting@gmail.com` | Compression Printing — vendor |
| User | Lisa Burns — `lisab4421@gmail.com` | Personal/individual partner contact |
| User | `jbuenafe-leads@caring.com` | Caring.com lead contact (one of many) |
**Domain-level adds to consider (Howard to decide):** because Cascades gets mail from many different addresses at Caring.com and aplaceformom.com, adding `caring.com` and `aplaceformom.com` as trusted **domains** instead of individual addresses saves constant curation. Megan explicitly called out that Caring.com contacts "are changing all the time." Adding the domain once covers them all. Only risk: if a domain itself is spoofed, any sender claiming to be from it will be trusted — but the anti-impersonation engine is specifically about lookalike sender domains, so this is the correct use case.
Recommended domain-level trusted partners:
- `caring.com` — multiple contacts, constantly rotating
- `aplaceformom.com` — same pattern (APFM has many reps)
- `kold.com` — news media
- `assistedlivinglocators.com` — agency with multiple reps
- `cascadeliving.com`**confirm this is a legitimate affiliated property before trusting the whole domain**
- `gray.tv` — billing automation from multiple accounts
Individual addresses to keep as **user-level** entries (not domain):
- The two gmail.com partners (Lisa Burns, Compression Printing) — cannot trust `gmail.com` as a domain, obviously
- `soapra.npra@gmail.com` — same
- `angel@placitacare.com` — small vendor, domain-level overkill
- `cjduque@trucraftdesign.com` — same
- `noreply@8x8.com` — utility address, not a lookalike impersonation target anyway; Megan may have listed it for general allowlisting rather than anti-impersonation — revisit
## Outstanding / awaiting input
- **John Trozzi** (per 2026-04-17 email, bottom of thread): "I will gather this information for you tomorrow." → follow up for his partners list.
- **Meredith Kuhn** — did not respond yet on impersonation list; she's the one most likely to be impersonated in a wire-fraud attack as Executive Director. Follow up.
- **Ashley Jensen** (Assistant ED, Accounting) — same; likely overlaps with Meredith's list heavily.
- **Cascade Living affiliation** — Anne Connell at `cascadeliving.com`. Verify with Meredith whether Cascades of Tucson is owned/affiliated with Cascade Living properties before trusting the domain wholesale. If affiliated, add as trusted domain; if arm's-length, keep as user-level.
## Implementation notes (when ready)
1. Purchase Business Premium or Defender for O365 P1 add-on (impersonation engine lives in Defender, not EOP baseline)
2. Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-phishing → edit the Standard preset or create `CSC - Anti-Phishing Standard`
3. Impersonation tab:
- Add protected users (Meredith, Megan, John, Crystal, Tamra, Ashley — anyone who can approve money/PHI)
- Add protected domains: `cascadestucson.com`, `azcomputerguru.com`, and any affiliated properties verified above
- Add trusted senders/domains (sections above)
- Action when user is impersonated: **Quarantine message** (not just "move to Junk" — attackers test Junk-only delivery)
- Mailbox intelligence: **On**, with "impersonated users" action = Quarantine
4. Spoof intelligence: On, with action Quarantine
5. Turn on Safety Tips
6. Review quarantine daily for first 2 weeks — tune the trusted list based on false positives
7. Document in this file any legitimate senders we have to add mid-operation so the list stays authoritative
## Related docs
- `docs/cloud/m365.md` — overall M365 state
- `docs/cloud/p2-staff-candidates.md` — staff P2 rollout (overlapping stakeholders)
- `docs/cloud/caregiver-m365-p2-rollout.md` — phone-side rollout (different user population)
- `docs/security/hipaa.md` — HIPAA program this feeds into

View File

@@ -24,6 +24,16 @@
**Note:** Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses.
### Planned expansion — caregiver rollout (not yet purchased)
Separate from the current 34 users, there are **~39 caregivers / med techs / CCGs** with no current AD or M365 account who need identities + Conditional Access in order for the shared-phone + HIPAA story to actually work. Full roster, proposed UPNs, license math, and CA policy design are in `docs/cloud/caregiver-m365-p2-rollout.md`. Rough target: 61 total Business Premium licenses (23 existing staff post-cleanup + 38 net-new caregivers; Christine Nyanzunda overlaps and stays at one account). **Do not create any of these accounts yet** — documentation + proposal update first.
### Staff-side P2 / anti-impersonation tracking
These are in-flight and feed the same Business Premium purchase decision:
- `docs/cloud/p2-staff-candidates.md` — office staff who need P2 for PHI-in-email or home-access scenarios (Crystal confirmed Megan/Crystal/Tamra; John Trozzi gathering the rest)
- `docs/cloud/m365-impersonation-protection.md` — Defender anti-impersonation trusted partners + protected users (Megan's partner list captured; awaiting John's additions)
## AD ↔ M365 Account Mapping
### Matched Accounts (AD user → M365 mailbox)

View File

@@ -0,0 +1,89 @@
# Staff Entra P2 Candidates — Cascades
**Status:** Documentation only — no license purchase or policy activation yet. Awaiting full list from John Trozzi.
**Last updated:** 2026-04-18 (Howard)
**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout.
## Why this list is separate
Two different problems both use P2 features, and conflating them makes the license math fuzzy:
- **Caregiver rollout** (covered elsewhere): ~39 hourly staff, shared Android phones, goal is location-locked mobile access during shifts.
- **This list** — office staff whose risk is:
- Receives / sends PHI (new resident intake forms, doctor-supplied medical info)
- Works from home or checks email on a personal phone, which is where we need either Conditional Access compliance enforcement or just a targeted location restriction
- Or — should be restricted to in-building sign-in only
The Conditional Access policies will likely differ between the two groups (office staff need "work from home or from trusted device with compliance", caregivers need strict "on-prem network + managed shared phone only"), so tracking them separately keeps the policy design clean.
## Criteria (from Howard → leadership email, 2026-04-16)
A staff member needs P2 if they match one or more:
1. Signs in on a phone or tablet at Cascades (skip-MFA-in-building story)
2. Should only sign in from the building (enforce location restriction)
3. Handles sensitive / medical information via email (PHI — need to enforce encryption + DLP policies that P2-tier features back)
## Candidates confirmed so far
### From Crystal Rodriguez (2026-04-16 reply)
| Name | Role | Reason P2 is needed | Notes |
|---|---|---|---|
| Megan Hiatt | Sales Director | Handles new-resident intake forms (PHI from doctors); works from home; email on personal cell | Already a protected user for anti-impersonation |
| Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user |
| Tamra Matthews | Move-In Coordinator | Same — intake forms | **Leaving in June 2026** — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |
### Awaiting from John Trozzi
Per his 2026-04-17 email: "I will gather this information for you tomorrow." Expected additions likely include:
- Meredith Kuhn (Executive Director — CEO-equivalent, highest impersonation / PHI risk)
- Ashley Jensen (Assistant Executive Director)
- John Trozzi himself (Facilities/Maintenance Director — judgment call on PHI exposure)
- Lois Lane (Health Services Director — clinical data)
- Karen Rossini (Health Services Manager — clinical data)
- Britney Thompson (Memory Care Nurse — clinical data)
- Shelby Trozzi (Memory Care Director — clinical data)
- Christina DuPras (Resident Services Director)
- Christine Nyanzunda (Memory Care Admin Assistant)
- Susan Hicks (Life Enrichment Director — activity records may include PHI-adjacent data)
- Sharon Edwards (Life Enrichment Assistant)
Don't presume — wait for John's actual reply before buying licenses.
## Decision still open (from Howard's 2026-04-16 email to leadership)
> "Do you want all staff restricted to signing in only from the building, or just certain roles/users (like front desk, kitchen, clinical)?"
No answer yet. This decision directly changes the license count and the CA policy design:
- If **all staff restricted to building-only** → every AD-synced user needs P2 and a matching CA policy. Larger spend.
- If **only some restricted** → P2 only for those users; cheaper, but requires ongoing judgment on who gets which policy.
## Intersection with other rollouts
- **Anti-impersonation protection** (`docs/cloud/m365-impersonation-protection.md`) — same top-tier users are the protected users there. Keep the lists in sync.
- **Business Premium upgrade** (`docs/proposals/m365-premium-upgrade.md`) — Business Premium bundles P2-equivalent CA features, so if we go Premium tenant-wide, standalone P2 purchases go away. Default recommendation: **bundle everything into Business Premium**, only buy standalone P2 if budget forces staying on Business Standard for some users.
- **Caregiver rollout** (`docs/cloud/caregiver-m365-p2-rollout.md`) — ~39 additional licenses. Combined target ~61 Premium licenses for the whole org.
## Rough license math (staff side only)
| Scenario | Qty | Notes |
|---|---|---|
| Confirmed today (Crystal, Megan, Tamra-through-June) | 3 | Crystal's reply |
| Likely additions from John + Meredith (guessed) | ~58 | Wait for actual reply |
| All staff (if "restrict everyone" decision) | ~23 | Equals the full post-cleanup licensed-user count from `docs/cloud/m365.md` |
## Action items
- [ ] Follow up with John Trozzi on the gathering — he owes us the list
- [ ] Push Meredith for the "restrict everyone or just some" decision
- [ ] When list is final, decide: standalone P2 add-on OR move those users to Business Premium OR move the whole tenant to Business Premium (recommended)
- [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy
- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026)
## Related docs
- `docs/cloud/m365.md`
- `docs/cloud/m365-impersonation-protection.md`
- `docs/cloud/caregiver-m365-p2-rollout.md`
- `docs/proposals/m365-premium-upgrade.md`
- `docs/security/hipaa.md`