diff --git a/clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md b/clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md index a6fba48..c9b96d9 100644 --- a/clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md +++ b/clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md 
@@ -1,35 +1,23 @@ -# Follow-up email — four open items from the staff list +# Follow-up email — staff list loose ends + access-policy decision **To:** Meredith Kuhn, John Trozzi (cc: Ashley Jensen) **From:** Howard Enos — Computer Guru **Date:** 2026-04-22 -**Subject:** Got the staff list — thank you. Four small follow-ups before I set up accounts. +**Subject:** Got the staff list — thank you. A few follow-ups before I set up accounts. --- Meredith / John, -Thank you for sending back the staff list — that's exactly what I needed and it's going straight into the account setup plan. Before I start creating M365 accounts and access policies, I want to confirm a few small things so I don't make the wrong call on any of them: +Thank you for sending back the staff list — that's exactly what I needed and it's going straight into the account setup plan. Before I start creating M365 accounts and access policies, I want to confirm a few things so I don't make the wrong call: -1. **Kyla Quick Tiffany** — is her last name three separate words (Quick Tiffany), hyphenated (Quick-Tiffany), or is one of those actually a middle name? I want the account to match whatever her ID / payroll uses. +1. **Ederick Yuzon** — just confirming the spelling of the first name. "Ederick" vs "Edrick" vs something else? -2. **Ederick Yuzon** — just confirming the spelling of the first name. "Ederick" vs "Edrick" vs something else? +2. **Alma R Montt** — what's her actual title / role so I can put it on the account? -3. **Christine Nyanzunda (Memory Care Admin Assistant)** — I originally had her on the caregiver shift-staff list as well. The staff list you sent back only has her once, under Memory Care admin. Can you confirm she's one person with one account, not two? (Account-wise it matters because the admin and caregiver tiers get different licenses and phone access.) +3. 
**Polett Pinazavala** — I had her on my caregiver roster (AM, Memory Care, MedTech) from earlier notes, and she's not on the returned list either. Did she leave? -4. **Alma R Montt (Life Enrichment)** — the title field on her row came back blank. What's her actual title / role so I can put it on the account? - -5. **Britney Thompson** — she's in Active Directory today as a Memory Care Nurse with a real account, but she's not on the list you sent back. Did she leave, is she part-time / on leave, or should she still be there? If she's gone I'll disable the account (and recover the license). - -6. **Polett Pinazavala** — I had her on my caregiver roster (AM, Memory Care, MedTech) from earlier notes, and she's not on the returned list either. Same question — did she leave? - -One related decision I still need from you when you have a minute: - -> Do you want **all staff restricted to signing in only from the building**, or just certain roles (e.g. front desk / kitchen / clinical)? - -The staff list confirms who's on D+P vs. D-only vs. P-only, but "restrict everyone to the building" vs. "only restrict some" changes the license count (it roughly doubles the P2-equivalent licenses we'd buy) and the Conditional Access policy design. Either answer is fine — I just need the call. - -No rush. Whichever of you can reply fastest on the five spellings/titles will unblock me; the building-vs-selective question can wait another day or two if you want to think about it. +4. **Access policy default:** I am going to set all staff restricted to signing in only from the building by default. It will be easier to set a list of users allowed to log in from outside the network than to try to lock individual people in one at a time. Thank you — 
@@ -37,5 +25,5 @@ Howard --- -*Draft — prepared 2026-04-22 after processing the staff-editor CSV return.* -*Related: `reports/cascades-staff-2026-04-22.csv`, `docs/cloud/p2-staff-candidates.md`.* +*Edited by Howard from the earlier draft. Dropped questions that were resolved live (Kyla's username = `Kyla.QuickTiffany` per her own preference; Britney Thompson still employed; Christine Nyanzunda = one person / one account). Sent: TBD — Howard to update this doc with the actual sent copy.* +*Related: `reports/cascades-staff-2026-04-22.csv`, `docs/cloud/user-account-rollout-plan.md`.* diff --git a/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md index 0f8fde1..2e11590 100644 --- a/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md +++ b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md @@ -56,7 +56,9 @@ Expected license count at full rollout: - Business Standard: 1 + 3 courtesy + 4 reception = **8** - F3: 3 drivers = **3** -Totals bracket the `p2-staff-candidates.md` estimate of ~61 Premium. If Meredith chooses "restrict everyone to building," it doesn't change this headline — it changes CA policy scope. +Totals bracket the `p2-staff-candidates.md` estimate of ~61 Premium. + +**Post-2026-04-22 update:** With the building-only-by-default CA decision confirmed, every licensed user needs Entra P1 coverage (either via Business Premium, or Business Standard + standalone Entra P1, or F3 + standalone Entra P1). Without P1, CA policies don't apply and the user sidesteps the default-deny. This effectively collapses the mixed-SKU table above into a recommendation for **Business Premium tenant-wide** — the Business Standard and F3 rows stay in the table only as a reference for what we'd buy if budget forces unbundling. Proceed with Premium-tenant-wide unless Meredith pushes back. ## 4. AD OU + group layout (proposed) 
@@ -91,19 +93,25 @@ CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirectio ## 5. Conditional Access policy set -One named CA policy per persona/posture to keep the decision tree flat: +**Decision 2026-04-22 (Howard → Meredith/John):** Default-deny external sign-in for all licensed users. Maintain a small allow-list group for users who legitimately work off-site. + +This collapses the earlier per-persona policy matrix into two primary CA policies plus the existing caregiver shared-phone policy: | Policy | Targets | Grant | |---|---|---| -| `CSC - Office PHI External` | SG-Office-PHI-External | Require compliant device OR trusted location + MFA | -| `CSC - Office PHI Internal` | SG-Office-PHI-Internal | Block except from trusted location | -| `CSC - FrontDesk Building-Only` | SG-FrontDesk | Block except from trusted location | -| `CSC - Courtesy Patrol Building-Only` | SG-CourtesyPatrol | Block except from trusted location | -| `CSC - Drivers Phone-Only` | SG-Drivers | Require compliant Intune-managed phone; no web fallback | -| `CSC - Caregivers Shared Phone` | SG-Caregivers | Already designed per `caregiver-m365-p2-rollout.md` | +| `CSC - Building Only (Default)` | All licensed users **except** `SG-External-Signin-Allowed` and `SG-Caregivers` | Block sign-in unless from the "Cascades Building" named location + MFA | +| `CSC - External Sign-in Allowed` | `SG-External-Signin-Allowed` | Require compliant Intune-enrolled device + MFA for external sign-in; trusted-location sign-in waives the compliance grant | +| `CSC - Caregivers Shared Phone` | `SG-Caregivers` | Already designed per `caregiver-m365-p2-rollout.md` (shared-phone Intune + named location) | +| `CSC - Drivers Phone-Only` | `SG-Drivers` | Require compliant Intune-managed phone; no web fallback. Drivers added to `SG-External-Signin-Allowed` as well if they need off-site phone access. | + +**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column. 
All 19 office-PHI staff plus Britney Thompson (pending posture confirmation). Everyone else stays on the default building-only policy until Meredith adds them. **Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`). +**Exception-management process:** Adding a user to `SG-External-Signin-Allowed` is a named-access request that should be logged (ideally in the client's Syncro ticketing or a simple note in the client folder). Removal is equally important — e.g., Tamra Matthews comes off the list on her June 2026 departure in addition to her license being deactivated. + +**Impact on licensing:** All users covered by either CA policy need at least Entra P1 (bundled with Business Premium). This reinforces the default recommendation of Business Premium tenant-wide — Business Standard users couldn't be covered by the CA default-deny without an add-on, and a mixed tenant is harder to reason about. + ## 6. Pre-flight reconciliation (CSV vs current AD) These must be resolved before creating or converting accounts. See also `cascades-staff-followup-2026-04-22.md`. 
@@ -112,7 +120,7 @@ These must be resolved before creating or converting accounts. See also `cascade |---|---|---| | **Britney Thompson** — in AD (enabled, Memory Care Nurse), NOT on returned CSV | **Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone.** | Keep existing AD account. Treat as Office-PHI / clinical (D+P, ALIS=Y). Confirm phone tier and Outside posture with Meredith. | | **Polett Pinazavala** — on 2026-04-18 caregiver roster, NOT on returned CSV | **Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone.** | Keep on caregiver roster. Include in Wave 3 caregiver account creation. Confirm phone tier with Meredith. | -| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Confirmed 2026-04-22 (Howard) — one person, one account.** | One account in `OU=Care-MemoryCare`. Office-PHI CA policy as primary; verify shared-phone sign-in works within that envelope before caregiver-CA change is considered. | +| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Resolved 2026-04-22 (Howard) — one account covers both roles.** | Single account in `OU=Care-MemoryCare`. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. | | **Alma R Montt** — on CSV (Life Enrichment), NOT in AD, title blank | **Username assigned 2026-04-22 (Howard): `Alma.Montt`.** Title still pending Meredith. | Create AD account at `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Populate title once Meredith answers. | | **Kyla Quick Tiffany** — on CSV and in AD "needs account" list | **Username assigned 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account at `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). 
Persona: Shared-PC Reception. | | **Ederick Yuzon** — spelling not confirmed | Still pending Meredith. | Block on creation; use `Ederick.Yuzon` tentatively if Meredith confirms. | 
@@ -173,16 +181,21 @@ Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built l ## 10. Open decisions blocking the rollout -1. **"Restrict everyone to building" vs. selective** — Meredith, outstanding since 2026-04-16. Determines CA scope. -2. **Business Premium tenant-wide vs. mixed SKUs** — Meredith, tied to the upgrade proposal. -3. **Ederick Yuzon spelling** — Meredith/John, in the 2026-04-22 follow-up email. -4. **Alma R Montt title** — Meredith/John, in the follow-up email. -5. **Britney phone + Outside posture** — Meredith (employment confirmed by Howard; access tier still TBD). -6. **Polett phone + Outside posture** — Meredith (employment confirmed by Howard; access tier still TBD). -7. **Agency placeholder accounts — real or ALIS-only?** — Meredith. -8. **Drivers: F3 or Business Standard?** — Meredith (cost vs. Office install need). +1. **Business Premium tenant-wide vs. mixed SKUs** — Meredith, tied to the upgrade proposal. Building-only-by-default decision reinforces Premium tenant-wide (see §5). +2. **Ederick Yuzon spelling** — Meredith/John, in the 2026-04-22 follow-up email. +3. **Alma R Montt title** — Meredith/John, in the follow-up email. +4. **Britney phone + Outside posture** — Meredith (employment confirmed by Howard; access tier still TBD). +5. **Polett employment confirmation** — Meredith (Howard assumes still employed; formal Meredith confirmation requested in follow-up email). +6. **Agency placeholder accounts — names + ALIS-only vs. real accounts?** — John added two agency rows to the CSV but left Name and Notes blank. Need the actual agency names + whether they need AD/M365 identities or just ALIS web logins. +7. **Drivers: F3 or Business Standard?** — Meredith (cost vs. Office install need). Note: drivers need allow-list membership to sign in off-site, so whichever tier must include P1 for CA coverage (F3 does not; Business Premium or Business Standard + Entra P1 add-on required). 
-**Resolved 2026-04-22 (Howard):** Christine Nyanzunda = one person, one account. Kyla = `Kyla.QuickTiffany` (her preference). Alma = `Alma.Montt`. Britney + Polett both still employed. +**Resolved 2026-04-22 (Howard):** +- Restrict-everyone default vs. selective → **building-only by default, allow-list for exceptions** (§5). +- Christine Nyanzunda → one account covers both roles. +- Kyla Quick Tiffany username → `Kyla.QuickTiffany` (her preference — sign-in confirmed by Howard). +- Alma R Montt username → `Alma.Montt`. +- Britney Thompson → still employed; stays in AD. +- Polett Pinazavala → still employed (awaiting Meredith formal confirmation via email). ## 11. Related docs
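Review bot: Item 4 of the follow-up email announces the building-only default but does not tell Meredith/John what it means for staff (anyone signing in from home or from a personal phone off-site is blocked until added to the allow-list), and it does not ask who should be on that list, even though §5 of the rollout plan in this same patch seeds `SG-External-Signin-Allowed` from the CSV's Outside=Y column. Suggest one sentence after item 4 along the lines of "Anyone not on the off-site list will be blocked when signing in from outside the building, so please flag anyone who works remotely" so the allow-list is seeded before cutover rather than from helpdesk calls afterwards. The earlier draft's remark that the building-only choice changes the license count was dropped as well, while §3 now says the same decision pushes the tenant to Business Premium; the client should hear that cost implication here rather than first meet it in the upgrade proposal.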
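Review bot: The trailer of the follow-up email records Britney Thompson as resolved live (still employed) and the email body drops her entirely, but the rollout plan in this same patch still lists "Britney phone + Outside posture" as an open decision for Meredith (§10 item 4) and seeds her into `SG-External-Signin-Allowed` "pending posture confirmation" (§5); only her employment was resolved, so the email still needs a line asking whether she gets a phone and whether she works off-site. Same gap for Polett: §6 and §10 both say her phone tier is pending Meredith, and the email only asks whether she left. "Sent: TBD" is fine as a placeholder, but since the filename carries a date, record the actual send date beside it when the sent copy is pasted in.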
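Review bot: The sentence "Without P1, CA policies don't apply and the user sidesteps the default-deny" in the §3 update states the P1 requirement as an enforcement gate. Entra ID P1 is a per-user licensing requirement for Conditional Access; a policy scoped to all users is evaluated on every sign-in regardless of which license that user holds, so the consequence of a missing P1 is license non-compliance, not a bypass. Suggest "Without P1 the user is not licensed for CA coverage" so nobody later reads this paragraph as a reason to leave an unlicensed account out of the policy scope. Also, this hunk ends with "Proceed with Premium-tenant-wide unless Meredith pushes back" while §10 item 1 in the same patch still lists the SKU choice as a decision blocking the rollout; pick one status for it.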
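Review bot: `CSC - Building Only (Default)` in §5 is a tenant-wide block keyed to a single named location derived from the pfSense public IP range, and nothing in the hunk excludes break-glass / emergency-access admin accounts; if the ISP reassigns the address or `pfsense-firewall.sops.yaml` changes, every in-scope account including the admins is locked out at once. Exclude at least one emergency-access account (with its own MFA and sign-in alerting) from both new CA policies, and add a step to re-verify the "Cascades Building" named location whenever the firewall config changes. Two smaller points: the grant cell of the default row folds "Block sign-in unless from named location" and "+ MFA" into one line, which is two policies in Entra (a Block with the named location excluded from the location condition, plus a Grant requiring MFA), so the table should either list both rows or say the cell is shorthand; and the exception-management paragraph covers adding and removing members but not a periodic review of `SG-External-Signin-Allowed`, which is where stale off-site access accumulates (a quarterly check of the group against the CSV's Outside column would do).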
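Review bot: The Polett Pinazavala row in §6 still carries the unchanged status "Resolved 2026-04-22 (Howard)" with "still employed", but §10 of this same patch downgrades her to "Polett employment confirmation" with Howard only assuming she is still employed, and the follow-up email asks outright "Did she leave?"; update the row's status cell to pending in this change so the reconciliation table does not say resolved while the email is still asking. The rewritten Christine Nyanzunda row also refers to "a specific exception group" that appears nowhere in the §5 policy table (the only exception group defined is `SG-External-Signin-Allowed`, which governs off-site sign-in, not the shared-phone policy); either name the group and add it as an exclusion on `CSC - Caregivers Shared Phone` in §5, or state that the exception path is undefined until the shared-phone sign-in with her account has been tested.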
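Review bot: §10 item 7 says the driver tier "must include P1 for CA coverage (F3 does not; Business Premium or Business Standard + Entra P1 add-on required)", which drops the "F3 + standalone Entra P1" option that the §3 update in this same patch lists as valid; the two should agree, otherwise the cheapest driver option silently disappears from the decision list. Item 1 keeps "Business Premium tenant-wide vs. mixed SKUs" as a blocking decision while §3 now says to proceed with Premium unless Meredith objects; mark it as a default in effect pending objection, or drop the "proceed" wording in §3. Minor: the resolved list says Kyla's sign-in was confirmed by Howard, but the §6 row for her still reads "Create AD account at `Kyla.QuickTiffany`", so either the account already exists (update §6) or the sign-in has not actually been confirmed yet.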