sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42
Author: Howard Enos Machine: ACG-TECH03L Timestamp: 2026-04-18 10:17:42
This commit is contained in:
183
clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md
Normal file
183
clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md
Normal file
@@ -0,0 +1,183 @@
|
||||
# Caregiver M365 + Entra P2 Rollout Plan (Cascades of Tucson)
|
||||
|
||||
**Status:** Documentation only — do NOT create accounts or assign licenses yet.
|
||||
**Created:** 2026-04-18 (Howard)
|
||||
**Source:** `C:\Users\howar\OneDrive\Documents\Caregiver Scheduled shifts and phone #.xlsx` (as of 2026-04-17)
|
||||
|
||||
## Goal / why this matters
|
||||
|
||||
Cascades is deploying 25 shared Android phones plus 9 kitchen iPads to get caregivers off shared workstations and into their own authenticated sessions (ALIS EHR, Outlook, Edge). For that to actually improve HIPAA posture, every caregiver needs:
|
||||
|
||||
1. Their own identity (AD user + M365 mailbox) so actions are attributable per-person rather than to a shared "Caregiver" login
|
||||
2. **Entra P2** so we can apply Conditional Access policies that restrict mobile email + ALIS access to:
|
||||
- Managed (Intune-enrolled) shared phones, AND
|
||||
- The Cascades physical network / trusted location (IP ranges or named location)
|
||||
3. Policy block on personal-device access to Exchange + ALIS (HIPAA §164.312 access control)
|
||||
|
||||
Today none of these caregivers exist in AD or M365 — they use shared workstation logins and don't have email at all. That is the gap this rollout closes.
|
||||
|
||||
**Also noted (explicit call-out to add to the proposal):** we did not previously frame the Business Premium proposal as "we're adding phones AND licenses to reach HIPAA compliance." The proposal currently lists 23 licensed users post-cleanup; with caregivers included it is closer to 62. The cost delta + HIPAA rationale should be surfaced in `docs/proposals/m365-premium-upgrade.md` before re-presenting to Meredith.
|
||||
|
||||
## Caregiver roster (39 people)
|
||||
|
||||
Location codes: **Tower** = assisted living tower, **MC** = Memory Care.
|
||||
Role flags: **CCG** = certified caregiver, **MedTech / MED TECH** = medication tech, **PRN** = as-needed/float, **NOC** = overnight.
|
||||
|
||||
### Tuesday–Saturday (14)
|
||||
|
||||
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|
||||
|---|------|--------------|-------|----------|------|-------|
|
||||
| 1 | Thelma Abainza | thelma.abainza@ | AM | Tower | Caregiver | 520-867-2579 |
|
||||
| 2 | Niel Castro | niel.castro@ | AM | Tower | MedTech / CCG | 520-697-4644 |
|
||||
| 3 | Espe Esperance | espe.esperance@ | PM | Tower | MedTech | 520-788-9558 |
|
||||
| 4 | Barbara Johnson | barbara.johnson@ | PM | Tower | Caregiver | 520-204-3449 |
|
||||
| 5 | Kasey Flores | kasey.flores@ | AM | MC | Caregiver | 520-250-1451 |
|
||||
| 6 | Richard Flores | richard.flores@ | AM | MC | Caregiver | 520-873-7727 |
|
||||
| 7 | Marie Kastner | marie.kastner@ | PM | MC | Caregiver | 714-576-9858 |
|
||||
| 8 | Bella Mendoza | bella.mendoza@ | PM | MC | Caregiver | 520-358-2000 |
|
||||
| 9 | Rosa Morales | rosa.morales@ | PM | MC | MedTech | 312-213-8780 |
|
||||
| 10 | Sandra Padilla | sandra.padilla@ | AM | Tower | MedTech / CCG | 520-585-3317 |
|
||||
| 11 | Polett Pinazavala | polett.pinazavala@ | AM | MC | MedTech | 520-449-5533 |
|
||||
| 12 | Whisper Reed | whisper.reed@ | Overnight | Tower | MedTech | 520-312-7575 |
|
||||
| 13 | Patricia Sandoval-Beck | patricia.sandoval-beck@ | AM | Tower | MedTech | 520-343-8093 |
|
||||
| 14 | Charity Sika | charity.sika@ | AM | MC | Caregiver | 623-251-8032 |
|
||||
| 15 | Ederick Yuzon | ederick.yuzon@ | PM | Tower | Caregiver | 520-603-8816 |
|
||||
|
||||
### Sunday–Thursday (10)
|
||||
|
||||
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|
||||
|---|------|--------------|-------|----------|------|-------|
|
||||
| 16 | Juan Andrade | juan.andrade@ | PM | MC | Caregiver | 520-528-4078 |
|
||||
| 17 | Jahmeka Clarke | jahmeka.clarke@ | PM | MC | MedTech | 520-649-7034 |
|
||||
| 18 | Karina Aziakpo | karina.aziakpo@ | Overnight | MC | MedTech / CCG | 520-392-6859 |
|
||||
| 19 | Jinnelle Dittbenner | jinnelle.dittbenner@ | PM | Tower | Caregiver | 520-499-9996 |
|
||||
| 20 | Christine Nyanzunda | christine.nyanzunda@ | AM (Sun/Mon only) | MC | MedTech | 520-304-4251 |
|
||||
| 21 | Agnes McFerren | agnes.mcferren@ | AM | Tower | Caregiver | 520-406-3063 |
|
||||
| 22 | Samuel Ramirez | samuel.ramirez@ | PM | Tower | Caregiver | 520-488-5798 |
|
||||
| 23 | Erica Sanchez | erica.sanchez@ | AM | MC | Caregiver | 520-528-3387 |
|
||||
| 24 | Katrina Wyzykowski | katrina.wyzykowski@ | AM | MC | MedTech | 520-347-1448 |
|
||||
| 25 | Corey Tate | corey.tate@ | NOC | Tower | Caregiver only (no MedTech) | 520-535-7821 |
|
||||
|
||||
### Friday–Monday / weekend (5)
|
||||
|
||||
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|
||||
|---|------|--------------|-------|----------|------|-------|
|
||||
| 26 | Ashli Atwood | ashli.atwood@ | Overnight | MC | MedTech / CCG | 715-200-1295 |
|
||||
| 27 | Cole Johnson | cole.johnson@ | PM | Tower | MedTech | 818-970-0890 |
|
||||
| 28 | Roseline Cooper | roseline.cooper@ | Overnight | MC | Caregiver | 520-278-6817 |
|
||||
| 29 | Monique Lopez | monique.lopez@ | Doubles (Fri & Sat) | Tower | Caregiver | 520-596-0969 |
|
||||
| 30 | Gloria Williford | gloria.williford@ | Doubles (Fri & Sat 5:45a–10p) | MC | MedTech | 928-551-1682 |
|
||||
|
||||
### Thursday–Monday (3)
|
||||
|
||||
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|
||||
|---|------|--------------|-------|----------|------|-------|
|
||||
| 31 | Sarah Carroll | sarah.carroll@ | PM | Tower | Caregiver | 520-409-2341 |
|
||||
| 32 | Luke Hogan | luke.hogan@ | AM | Tower | Caregiver | 520-312-0141 |
|
||||
| 33 | Gina Williams | gina.williams@ | AM | Tower | Caregiver | 520-612-5075 |
|
||||
|
||||
### Split / other patterns (3)
|
||||
|
||||
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|
||||
|---|------|--------------|-------|----------|------|-------|
|
||||
| 34 | Jen Higdon | jen.higdon@ | Mon/Wed/Fri AM | Tower | Caregiver | 520-730-3548 |
|
||||
| 35 | Mary Kariuki | mary.kariuki@ | Sat–Mon + Wed PM | Tower | Caregiver | 520-309-1247 |
|
||||
| 36 | CeCe Lassey | cece.lassey@ | Sun/Mon doubles + Tue PM | Tower | Caregiver | 520-248-5982 |
|
||||
|
||||
### Sunday & Monday only (1)
|
||||
|
||||
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|
||||
|---|------|--------------|-------|----------|------|-------|
|
||||
| 37 | Paty Doran | paty.doran@ | AM | Tower | MedTech / CCG | 520-591-7368 |
|
||||
|
||||
### PRN / float (2)
|
||||
|
||||
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|
||||
|---|------|--------------|-------|----------|------|-------|
|
||||
| 38 | Ezekiel Huerta | ezekiel.huerta@ | PRN | Tower | Caregiver | 520-591-6113 |
|
||||
| 39 | Maia Baker | maia.baker@ | PRN | MC | MedTech | TBD — not on shift list, only on Sheet2 |
|
||||
|
||||
All UPNs above use the `@cascadestucson.com` suffix (standard).
|
||||
|
||||
## Conflict / verify before creating
|
||||
|
||||
- **Christine Nyanzunda** already exists in AD as **Memory Care Admin Assistant** (`Christine.Nyanzunda`, susan.hicks@ department peer — see `docs/servers/active-directory.md` and existing M365 match in `docs/cloud/m365.md`). The caregiver list entry `Christine Nyanzunda-AM shift/MC MED TECH` is likely the same person picking up clinical shifts, not a second identity. **Do not create a second account.** Confirm with Shelby Trozzi / Meredith that her caregiver shifts should use the existing `christine.nyanzunda@` mailbox.
|
||||
- **Paty Doran** — spelling could be Patricia / Paty / Patti. Confirm with HR before creating.
|
||||
- **Polett Pinazavala** — unusual spelling, verify with HR.
|
||||
- **Patricia Sandoval-Beck** — hyphenated last name; SamAccountName may need to be `Patricia.SandovalBeck` if hyphens are disallowed in downstream tools (ALIS, MDM).
|
||||
- **Ederick Yuzon** — verify spelling.
|
||||
- **Maia Baker** — name on Sheet2 only, no shift/phone data. Confirm employment status with HR.
|
||||
|
||||
## Licensing plan (when ready — NOT now)
|
||||
|
||||
**Current licensing (per `docs/cloud/m365.md`):**
|
||||
- Business Standard: 34 purchased, all assigned (need to free via shared-mailbox conversion first)
|
||||
- Entra P2: 1 unassigned (was Sandra Fish)
|
||||
|
||||
**Target for caregiver rollout:**
|
||||
|
||||
| License | Who gets it | Qty | Rationale |
|
||||
|---|---|---|---|
|
||||
| M365 Business Premium (replaces Standard) | All 23 existing licensed staff + 38 net-new caregivers (Christine Nyanzunda already counted as existing staff) | **61** | Includes Intune Shared Device Mode + Defender + DLP + the P2-equivalent Conditional Access features — this is the SKU the proposal already describes |
|
||||
| Entra ID P2 (standalone, IF we stay on Business Standard instead) | Same 61 | 61 | Only needed if we do NOT upgrade to Business Premium. Premium already bundles the CA features we need; avoid double-paying |
|
||||
|
||||
**Recommended:** upgrade everyone to Business Premium, **don't** buy standalone P2. P2 is only listed here as the fallback if budget forces staying on Standard.
|
||||
|
||||
### Quick cost math (order-of-magnitude, double-check in proposal)
|
||||
|
||||
| Scenario | Licenses | Rate (monthly) | Monthly total |
|
||||
|---|---|---|---|
|
||||
| Today (actual) | 34 × Standard | $12.50 | $425 |
|
||||
| After shared-mailbox cleanup (no caregivers) | 23 × Premium | $22.00 | $506 |
|
||||
| After caregiver rollout (this doc) | 61 × Premium | $22.00 | **$1,342** |
|
||||
| Delta vs today | +$917/mo | | — |
|
||||
|
||||
That is a meaningful jump and needs to be in the proposal conversation with Meredith explicitly — it was missing from the 2026-04-14 version.
|
||||
|
||||
## Conditional Access policy plan (rough)
|
||||
|
||||
When licenses are in place and accounts exist:
|
||||
|
||||
1. **Named Location** in Entra = Cascades public IP(s) from pfSense WAN + VPN exit IP. Name it `CascadesTrustedLocation`.
|
||||
2. **Compliant Device** definition in Intune = corporate-enrolled Android (the 25 shared phones) + corporate-enrolled iPad (the 9 kitchen iPads) + domain-joined Windows PCs.
|
||||
3. **CA Policy: Caregivers — Mobile Email / ALIS access**
|
||||
- Assignment: Entra group `SG-Caregivers` (populated from AD group once accounts exist)
|
||||
- Cloud apps: Exchange Online, `ALIS` (once registered as Entra app), Outlook Mobile
|
||||
- Conditions: Device Platforms = Android, iOS; Locations = Any
|
||||
- Grant: Require compliant device **AND** require location `CascadesTrustedLocation` (combined grant, both required)
|
||||
- Block everything else (personal phones off-network → blocked)
|
||||
4. **CA Policy: Caregivers — Web/browser block off-network**
|
||||
- Same group + cloud apps
|
||||
- Platforms: browser (desktop)
|
||||
- Conditions: not in `CascadesTrustedLocation`
|
||||
- Grant: Block
|
||||
5. **Exclusion group** `SG-CA-BreakGlass` for Meredith + sysadmin so we can't lock ourselves out.
|
||||
|
||||
CA policies should be deployed in **Report-only** mode for at least 7 days, reviewed against Sign-in logs, then switched to On.
|
||||
|
||||
## AD placement (when accounts are created)
|
||||
|
||||
Put caregivers in the existing `OU=Departments,OU=...` department OUs:
|
||||
|
||||
- Tower/MC caregivers → `OU=Care-Assisted Living,OU=Departments` (or create `OU=Caregivers` sub-OU if we want finer GPO targeting)
|
||||
- MedTech-flagged staff → same OU; group membership (SG-MedTech) controls ALIS licensing tier
|
||||
- CCG-flagged staff → same OU; group membership (SG-CCG) controls higher-privilege ALIS rights if any
|
||||
|
||||
Group-policy impact: the `CSC - Folder Redirection (LE)` work done for Life Enrichment does NOT apply here. Care-Assisted Living GPO pattern needs to be cloned from the finalized LE GPO once that's proven on Susan Hicks' machine (DESKTOP-ROK7VNM).
|
||||
|
||||
## Open items / decisions needed from client
|
||||
|
||||
- [ ] Confirm Christine Nyanzunda is one person, not two (existing M365 account keeps working for caregiver shifts)
|
||||
- [ ] HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Ederick Yuzon, Maia Baker
|
||||
- [ ] Will caregivers use ALIS on the shared phones (need ALIS accounts + Entra SSO) or only email?
|
||||
- [ ] Does Cascades want to purchase 39 additional Business Premium licenses up-front, or roll out in waves (e.g., MedTechs first, then CCGs, then Caregivers)?
|
||||
- [ ] Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy
|
||||
- [ ] Timeline expectations — tying this to the phone deployment, the MDM rollout (7-phase plan in `docs/security/mdm.md`), and the Business Premium purchase
|
||||
|
||||
## Related docs
|
||||
|
||||
- Proposal: `docs/proposals/m365-premium-upgrade.md` — currently sized for 23 users; needs updating
|
||||
- MDM plan: `docs/security/mdm.md` — 25 phones + 9 iPads, ManageEngine; Intune Shared Device Mode is flagged as future
|
||||
- M365 current state: `docs/cloud/m365.md`
|
||||
- AD roster: `docs/servers/active-directory.md`
|
||||
- HIPAA program: `docs/security/hipaa.md`
|
||||
@@ -0,0 +1,97 @@
|
||||
# M365 Anti-Impersonation Protection — Cascades
|
||||
|
||||
**Status:** Documentation only — policy not yet configured. Requires Business Premium (Defender for Office 365 Plan 1) or equivalent Defender for O365 add-on; Business Standard alone does not include the anti-impersonation engine.
|
||||
**Trigger:** follow-up to Megan Hiatt's phishing email incident, 2026-04-17.
|
||||
**Last updated:** 2026-04-18 (Howard)
|
||||
|
||||
## What this covers
|
||||
|
||||
Microsoft 365 Defender anti-phishing impersonation protection has two lists that need to be curated per tenant:
|
||||
|
||||
1. **Trusted senders / domains** — partners we actually do business with. Adding them prevents legitimate mail from being caught by anti-impersonation rules (which flag lookalikes of these names/domains). This is NOT an allowlist that bypasses spam/malware scanning — it just tells the impersonation engine "yes, this one is the real one, anything that resembles it is suspect."
|
||||
2. **Protected users** — internal accounts that are high-value impersonation targets (executives, finance, anyone who can approve money or PHI disclosure). Inbound mail that mimics their display name from outside the tenant gets flagged.
|
||||
|
||||
For Cascades we're also protecting the **domain** `cascadestucson.com` itself so lookalike domains (e.g., `cascadestucsom.com`, `cascadestuscon.com`) get flagged as impersonation attempts.
|
||||
|
||||
## Currently configured (per Howard's 2026-04-17 email)
|
||||
|
||||
### Protected domains
|
||||
- cascadestucson.com
|
||||
- azcomputerguru.com
|
||||
|
||||
### Protected users
|
||||
- Megan Hiatt
|
||||
- John Trozzi
|
||||
- Crystal Rodriguez
|
||||
- Meredith Kuhn
|
||||
- Tamra Matthews
|
||||
- "accounting" (presumably the accounting@cascadestucson.com shared mailbox / anything with that display name)
|
||||
|
||||
**Verify on next portal visit:** double-check the exact protected-users list in Defender → Policies → Anti-phishing → Impersonation. Howard's email lists "Megan, John, crystal, Meredith, accounting, crystal and tamra" — the duplicate "crystal" is probably a typo.
|
||||
|
||||
## Trusted partners to add (from Megan Hiatt, 2026-04-17)
|
||||
|
||||
Megan's "top domains I regularly do business with" reply. Preferred configuration: add the **domain** where we want any sender on that domain trusted; add the **specific email** where we only want that one person trusted.
|
||||
|
||||
| Add as | Value | Business purpose |
|
||||
|---|---|---|
|
||||
| User | Matt Hermes — `Matt.Hermes@kold.com` | KOLD-TV — local media |
|
||||
| User | SoAPRA — `soapra.npra@gmail.com` | State senior-living industry assoc (individual Gmail — user, not domain) |
|
||||
| User | Lovely Laurence Garcia — `partnersuccess@caring.com` | Caring.com partner success |
|
||||
| User | Caring Leads Team — `leadsteam@caring.com` | Caring.com lead routing |
|
||||
| User | Assisted Living Locators (N. Tucson) — `sheril@assistedlivinglocators.com` | Senior-living placement agency |
|
||||
| User | Angel Ramirez — `angel@placitacare.com` | PlacitaCare — referral partner |
|
||||
| User | Anne Connell — `AnneC@cascadeliving.com` | Cascade Living (parent / affiliated property — verify relationship) |
|
||||
| User | A Place for Mom AR — `ar@aplaceformom.com` | APFM accounts receivable — referral fees |
|
||||
| User | `BillingWO@gray.tv` | Gray Television — ad billing |
|
||||
| User | 8x8 Support — `noreply@8x8.com` | VoIP vendor no-reply (may not need impersonation protection since it's already an automated sender — include per Megan) |
|
||||
| User | C.J. Duque — `cjduque@trucraftdesign.com` | Tru Craft Design — vendor |
|
||||
| User | `compressionprinting@gmail.com` | Compression Printing — vendor |
|
||||
| User | Lisa Burns — `lisab4421@gmail.com` | Personal/individual partner contact |
|
||||
| User | `jbuenafe-leads@caring.com` | Caring.com lead contact (one of many) |
|
||||
|
||||
**Domain-level adds to consider (Howard to decide):** because Cascades gets mail from many different addresses at Caring.com and aplaceformom.com, adding `caring.com` and `aplaceformom.com` as trusted **domains** instead of individual addresses saves constant curation. Megan explicitly called out that Caring.com contacts "are changing all the time." Adding the domain once covers them all. Only risk: if a domain itself is spoofed, any sender claiming to be from it will be trusted — but the anti-impersonation engine is specifically about lookalike sender domains, so this is the correct use case.
|
||||
|
||||
Recommended domain-level trusted partners:
|
||||
- `caring.com` — multiple contacts, constantly rotating
|
||||
- `aplaceformom.com` — same pattern (APFM has many reps)
|
||||
- `kold.com` — news media
|
||||
- `assistedlivinglocators.com` — agency with multiple reps
|
||||
- `cascadeliving.com` — **confirm this is a legitimate affiliated property before trusting the whole domain**
|
||||
- `gray.tv` — billing automation from multiple accounts
|
||||
|
||||
Individual addresses to keep as **user-level** entries (not domain):
|
||||
- The two gmail.com partners (Lisa Burns, Compression Printing) — cannot trust `gmail.com` as a domain, obviously
|
||||
- `soapra.npra@gmail.com` — same
|
||||
- `angel@placitacare.com` — small vendor, domain-level overkill
|
||||
- `cjduque@trucraftdesign.com` — same
|
||||
- `noreply@8x8.com` — utility address, not a lookalike impersonation target anyway; Megan may have listed it for general allowlisting rather than anti-impersonation — revisit
|
||||
|
||||
## Outstanding / awaiting input
|
||||
|
||||
- **John Trozzi** (per 2026-04-17 email, bottom of thread): "I will gather this information for you tomorrow." → follow up for his partners list.
|
||||
- **Meredith Kuhn** — did not respond yet on impersonation list; she's the one most likely to be impersonated in a wire-fraud attack as Executive Director. Follow up.
|
||||
- **Ashley Jensen** (Assistant ED, Accounting) — same; likely overlaps with Meredith's list heavily.
|
||||
- **Cascade Living affiliation** — Anne Connell at `cascadeliving.com`. Verify with Meredith whether Cascades of Tucson is owned/affiliated with Cascade Living properties before trusting the domain wholesale. If affiliated, add as trusted domain; if arm's-length, keep as user-level.
|
||||
|
||||
## Implementation notes (when ready)
|
||||
|
||||
1. Purchase Business Premium or Defender for O365 P1 add-on (impersonation engine lives in Defender, not EOP baseline)
|
||||
2. Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-phishing → edit the Standard preset or create `CSC - Anti-Phishing Standard`
|
||||
3. Impersonation tab:
|
||||
- Add protected users (Meredith, Megan, John, Crystal, Tamra, Ashley — anyone who can approve money/PHI)
|
||||
- Add protected domains: `cascadestucson.com`, `azcomputerguru.com`, and any affiliated properties verified above
|
||||
- Add trusted senders/domains (sections above)
|
||||
- Action when user is impersonated: **Quarantine message** (not just "move to Junk" — attackers test Junk-only delivery)
|
||||
- Mailbox intelligence: **On**, with "impersonated users" action = Quarantine
|
||||
4. Spoof intelligence: On, with action Quarantine
|
||||
5. Turn on Safety Tips
|
||||
6. Review quarantine daily for first 2 weeks — tune the trusted list based on false positives
|
||||
7. Document in this file any legitimate senders we have to add mid-operation so the list stays authoritative
|
||||
|
||||
## Related docs
|
||||
|
||||
- `docs/cloud/m365.md` — overall M365 state
|
||||
- `docs/cloud/p2-staff-candidates.md` — staff P2 rollout (overlapping stakeholders)
|
||||
- `docs/cloud/caregiver-m365-p2-rollout.md` — phone-side rollout (different user population)
|
||||
- `docs/security/hipaa.md` — HIPAA program this feeds into
|
||||
@@ -24,6 +24,16 @@
|
||||
|
||||
**Note:** Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses.
|
||||
|
||||
### Planned expansion — caregiver rollout (not yet purchased)
|
||||
|
||||
Separate from the current 34 users, there are **~39 caregivers / med techs / CCGs** with no current AD or M365 account who need identities + Conditional Access in order for the shared-phone + HIPAA story to actually work. Full roster, proposed UPNs, license math, and CA policy design are in `docs/cloud/caregiver-m365-p2-rollout.md`. Rough target: 61 total Business Premium licenses (23 existing staff post-cleanup + 38 net-new caregivers; Christine Nyanzunda overlaps and stays at one account). **Do not create any of these accounts yet** — documentation + proposal update first.
|
||||
|
||||
### Staff-side P2 / anti-impersonation tracking
|
||||
|
||||
These are in-flight and feed the same Business Premium purchase decision:
|
||||
- `docs/cloud/p2-staff-candidates.md` — office staff who need P2 for PHI-in-email or home-access scenarios (Crystal confirmed Megan/Crystal/Tamra; John Trozzi gathering the rest)
|
||||
- `docs/cloud/m365-impersonation-protection.md` — Defender anti-impersonation trusted partners + protected users (Megan's partner list captured; awaiting John's additions)
|
||||
|
||||
## AD ↔ M365 Account Mapping
|
||||
|
||||
### Matched Accounts (AD user → M365 mailbox)
|
||||
|
||||
89
clients/cascades-tucson/docs/cloud/p2-staff-candidates.md
Normal file
89
clients/cascades-tucson/docs/cloud/p2-staff-candidates.md
Normal file
@@ -0,0 +1,89 @@
|
||||
# Staff Entra P2 Candidates — Cascades
|
||||
|
||||
**Status:** Documentation only — no license purchase or policy activation yet. Awaiting full list from John Trozzi.
|
||||
**Last updated:** 2026-04-18 (Howard)
|
||||
**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout.
|
||||
|
||||
## Why this list is separate
|
||||
|
||||
Two different problems both use P2 features, and conflating them makes the license math fuzzy:
|
||||
|
||||
- **Caregiver rollout** (covered elsewhere): ~39 hourly staff, shared Android phones, goal is location-locked mobile access during shifts.
|
||||
- **This list** — office staff whose risk is:
|
||||
- Receives / sends PHI (new resident intake forms, doctor-supplied medical info)
|
||||
- Works from home or checks email on a personal phone, which is where we need either Conditional Access compliance enforcement or just a targeted location restriction
|
||||
- Or — should be restricted to in-building sign-in only
|
||||
|
||||
The Conditional Access policies will likely differ between the two groups (office staff need "work from home or from trusted device with compliance", caregivers need strict "on-prem network + managed shared phone only"), so tracking them separately keeps the policy design clean.
|
||||
|
||||
## Criteria (from Howard → leadership email, 2026-04-16)
|
||||
|
||||
A staff member needs P2 if they match one or more:
|
||||
1. Signs in on a phone or tablet at Cascades (skip-MFA-in-building story)
|
||||
2. Should only sign in from the building (enforce location restriction)
|
||||
3. Handles sensitive / medical information via email (PHI — need to enforce encryption + DLP policies that P2-tier features back)
|
||||
|
||||
## Candidates confirmed so far
|
||||
|
||||
### From Crystal Rodriguez (2026-04-16 reply)
|
||||
|
||||
| Name | Role | Reason P2 is needed | Notes |
|
||||
|---|---|---|---|
|
||||
| Megan Hiatt | Sales Director | Handles new-resident intake forms (PHI from doctors); works from home; email on personal cell | Already a protected user for anti-impersonation |
|
||||
| Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user |
|
||||
| Tamra Matthews | Move-In Coordinator | Same — intake forms | **Leaving in June 2026** — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |
|
||||
|
||||
### Awaiting from John Trozzi
|
||||
|
||||
Per his 2026-04-17 email: "I will gather this information for you tomorrow." Expected additions likely include:
|
||||
- Meredith Kuhn (Executive Director — CEO-equivalent, highest impersonation / PHI risk)
|
||||
- Ashley Jensen (Assistant Executive Director)
|
||||
- John Trozzi himself (Facilities/Maintenance Director — judgment call on PHI exposure)
|
||||
- Lois Lane (Health Services Director — clinical data)
|
||||
- Karen Rossini (Health Services Manager — clinical data)
|
||||
- Britney Thompson (Memory Care Nurse — clinical data)
|
||||
- Shelby Trozzi (Memory Care Director — clinical data)
|
||||
- Christina DuPras (Resident Services Director)
|
||||
- Christine Nyanzunda (Memory Care Admin Assistant)
|
||||
- Susan Hicks (Life Enrichment Director — activity records may include PHI-adjacent data)
|
||||
- Sharon Edwards (Life Enrichment Assistant)
|
||||
|
||||
Don't presume — wait for John's actual reply before buying licenses.
|
||||
|
||||
## Decision still open (from Howard's 2026-04-16 email to leadership)
|
||||
|
||||
> "Do you want all staff restricted to signing in only from the building, or just certain roles/users (like front desk, kitchen, clinical)?"
|
||||
|
||||
No answer yet. This decision directly changes the license count and the CA policy design:
|
||||
- If **all staff restricted to building-only** → every AD-synced user needs P2 and a matching CA policy. Larger spend.
|
||||
- If **only some restricted** → P2 only for those users; cheaper, but requires ongoing judgment on who gets which policy.
|
||||
|
||||
## Intersection with other rollouts
|
||||
|
||||
- **Anti-impersonation protection** (`docs/cloud/m365-impersonation-protection.md`) — same top-tier users are the protected users there. Keep the lists in sync.
|
||||
- **Business Premium upgrade** (`docs/proposals/m365-premium-upgrade.md`) — Business Premium bundles P2-equivalent CA features, so if we go Premium tenant-wide, standalone P2 purchases go away. Default recommendation: **bundle everything into Business Premium**, only buy standalone P2 if budget forces staying on Business Standard for some users.
|
||||
- **Caregiver rollout** (`docs/cloud/caregiver-m365-p2-rollout.md`) — ~39 additional licenses. Combined target ~61 Premium licenses for the whole org.
|
||||
|
||||
## Rough license math (staff side only)
|
||||
|
||||
| Scenario | Qty | Notes |
|
||||
|---|---|---|
|
||||
| Confirmed today (Crystal, Megan, Tamra-through-June) | 3 | Crystal's reply |
|
||||
| Likely additions from John + Meredith (guessed) | ~5–8 | Wait for actual reply |
|
||||
| All staff (if "restrict everyone" decision) | ~23 | Equals the full post-cleanup licensed-user count from `docs/cloud/m365.md` |
|
||||
|
||||
## Action items
|
||||
|
||||
- [ ] Follow up with John Trozzi on the gathering — he owes us the list
|
||||
- [ ] Push Meredith for the "restrict everyone or just some" decision
|
||||
- [ ] When list is final, decide: standalone P2 add-on OR move those users to Business Premium OR move the whole tenant to Business Premium (recommended)
|
||||
- [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy
|
||||
- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026)
|
||||
|
||||
## Related docs
|
||||
|
||||
- `docs/cloud/m365.md`
|
||||
- `docs/cloud/m365-impersonation-protection.md`
|
||||
- `docs/cloud/caregiver-m365-p2-rollout.md`
|
||||
- `docs/proposals/m365-premium-upgrade.md`
|
||||
- `docs/security/hipaa.md`
|
||||
Reference in New Issue
Block a user