From e1a0996e1a08866302fe4bcc5aa9fb9f106ee028 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Wed, 3 Jun 2026 09:33:34 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-03 09:33:26 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-03 09:33:26 --- .../session-logs/2026-06-03-session.md | 140 ++++++++++++++++++ wiki/clients/cascades-tucson.md | 54 +++++-- wiki/index.md | 2 +- 3 files changed, 183 insertions(+), 13 deletions(-) create mode 100644 clients/cascades-tucson/session-logs/2026-06-03-session.md diff --git a/clients/cascades-tucson/session-logs/2026-06-03-session.md b/clients/cascades-tucson/session-logs/2026-06-03-session.md new file mode 100644 index 0000000..9c8f23f --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06-03-session.md @@ -0,0 +1,140 @@ +# Cascades — ALIS SSO failure diagnosis, admin consent granted, caregiver device allow-list staged + +**Date:** 2026-06-03 +**Client:** Cascades of Tucson (Syncro 20149445, Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`) + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Investigated reports that some staff could not sign in to ALIS on non-phone devices. Pulled live Entra data via the remediation-tool Security Investigator app and found the failures were `AADSTS65001` (application not consented), not Conditional Access or network. All failing sign-ins (megan.hiatt, karen.rossini, memcarereceptionist) came from the two trusted Cascades WAN IPs with `conditionalAccessStatus: success` — CA was never the gate. The ALIS service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`) had only two per-user (`Principal`) consent grants for `User.Read` and no tenant-wide admin consent, so every user except the two who had self-consented hit a hard 65001. + +Established that the "two-factor" toggle that fixed login for caregivers/medtechs was ALIS's own native 2FA, not Entra MFA: the `Require multifactor authentication for all users` policy excludes `AllTrusted` locations, so Entra never prompts on the Cascades network. Walked the security model — ALIS-native 2FA and Entra are two independent doors; a non-SSO ALIS user can reach ALIS from anywhere with just ALIS credentials because Entra never sees that login. The correct control is forcing all ALIS logins through Entra SSO (SSO-only, credential fallback disabled), not relying on ALIS-native 2FA. + +Reconstructed the full project design from Syncro tickets #109412123 ("Entra setup" / Syncro #32214) and #110680053 ("Domain setup-entra sync" / Syncro #32303), the migration master plan, wiki, memory, and last month's session logs (two subagents + live Entra pulls). Confirmed the caregiver side is fully built and enforced (SG-Caregivers 38 members synced; three CSC CA policies enabled; phones in SDM), while the office/privileged ALIS path is in a mixed/broken state (some SSO, some direct login + native 2FA) and the office department OUs are not yet expanded into Entra Connect sync scope. + +Per Howard's direction, changed the caregiver device restriction model from compliance-based to an explicit device allow-list (phones + 5 named machines), to be easier and lower-risk while machine compliance is verified later. Allowed devices: NURSESTATION-PC plus laptops Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (confirmed 5 total, no 6th). Verified the Android enrollment token (`CSC - Android Shared Phones (Entra SDM)`, 25 devices enrolled, token expires 2027-05-08) is a join key only — its expiry does not unenroll existing devices. + +Executed two authorized production changes via the Tenant Admin app: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) for the ALIS app, resolving 65001 for everyone; and created a new caregiver device allow-list CA policy in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`). The three existing enforced caregiver policies were left untouched, so nothing was weakened during the transition. + +## Key Decisions + +- Diagnosed root cause as missing admin consent (65001), not CA/network/password. Evidence: all failures from trusted IPs, `conditionalAccessStatus: success`, only two `Principal` consent grants on the ALIS SP. +- Chose an explicit device allow-list (CA device filter on `displayName -startsWith "CSC-"` OR `extensionAttribute1 -eq "CSCCaregiverDevice"`) over compliance-based gating, because the tenant has no Windows compliance policy and `secureByDefault=false` (no-policy devices read as compliant) — compliance-only would let any future-enrolled PC in. Allow-list prevents scope creep. +- Created a NEW report-only allow-list policy rather than editing the existing enforced `CSC - Block caregivers on non-compliant device`, so the live phone lockdown is not weakened during validation. Cutover later = enable allow-list + disable the compliance policy. +- Granted admin consent programmatically as `AllPrincipals` `User.Read` (mirrors the two per-user grants that were already working) rather than the interactive admin-consent URL. +- Mirrored break-glass exclusions from the existing CSC policies (`admin@`, `sysadmin@`) and added the `SG-CA-BreakGlass` group to the new policy. +- ALIS-native 2FA is the wrong perimeter control; the permanent model is all users on ALIS SSO + ALIS set to SSO-only + native 2FA off, with Entra doing onsite-seamless / offsite-MFA. Deferred the office/privileged standardization as a separate workstream. + +## Problems Encountered + +- Sign-in log query returned HTTP 504 (gateway timeout) on an appId-only `$filter`. Resolved by adding a `createdDateTime ge` date bound and URL-encoding the filter (spaces in the raw URL broke curl). +- Investigator (Security Investigator) token lacked Intune DeviceManagement scope (403). Resolved by falling back to the intune-manager tier for `androidDeviceOwnerEnrollmentProfiles`, `deviceCompliancePolicies`, and `deviceManagement/settings`. +- `policies/mobileDeviceManagementPolicies` returned BadRequest; could not read the Windows MDM auto-enroll scope via API. Noted to confirm in the Entra portal instead. +- Memory files referenced by the wiki (`project_cascades_ca_phased_rollout.md`, etc.) did not exist at the expected paths; glob `.claude/memory/*cascade*` returned none. Subagent read the actual sources directly. + +## Configuration Changes + +### Entra / Conditional Access (tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`) + +- **Admin consent granted** for ALIS app. New delegated grant created: + - `oauth2PermissionGrant` id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds` + - clientId `e1cae4ad-5beb-44ca-82d4-434c9bd835ad` (ALIS SP), resourceId `2c3b653a-54e0-4229-a1f2-83551ae7f9db` (Microsoft Graph SP) + - consentType `AllPrincipals`, scope `User.Read` +- **New CA policy created (report-only):** + - `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` — id `1b7fd025-1aad-47c8-9274-c32c3e0b163c` + - state `enabledForReportingButNotEnforced` + - include group `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) + - exclude users `sysadmin@` (`471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`, "Computer Guru Support") and `admin@` (`e20f7f21-757a-48cd-bb24-7bdeeb1497d0`, "Cascades Tenant Admin"); exclude group `SG-CA-BreakGlass` (`131e51ac-d69b-44b8-9c81-56890537a796`) + - applications: All; grant: block + - device filter: mode `exclude`, rule `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")` + +No files in the repo were modified this session (investigation + live Entra changes only). Session log + wiki recompile are the repo changes. + +## Credentials & Secrets + +No new credentials created or discovered. Relevant existing references (unchanged): +- ALIS Entra app registration + ALIS install key + Inbound Basic Auth: vault `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` +- ALIS app: Application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder — expiry breaks ALIS SSO tenant-wide) +- Remediation-tool app tokens sourced from `msp-tools/computerguru-*.sops.yaml` (Security Investigator, Tenant Admin, Intune Manager tiers) + +Note: there are NO per-caregiver password vault entries; SSO-linked ALIS users have no usable ALIS password (auth delegated to Entra/PHS). + +## Infrastructure & Servers + +- Tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498` (`cascadestucson.com`) +- ALIS SP objectId `e1cae4ad-5beb-44ca-82d4-434c9bd835ad`; Microsoft Graph SP objectId `2c3b653a-54e0-4229-a1f2-83551ae7f9db` +- Named Location `Cascades` (`061c6b06-b980-40de-bff9-6a50a4071f6f`, isTrusted): `184.191.143.62/32` (primary WAN), `72.211.21.217/32` (secondary WAN, DHCP — stale risk) +- Existing enforced caregiver CA policies (unchanged this session): + - `CSC - Block caregivers off Cascades network` `e35614e1-e896-4a13-9407-076963af488f` + - `CSC - Block caregivers on non-compliant device` `ede985e2-ee7e-4521-88b2-34c847c3db20` (to be DISABLED at allow-list cutover) + - `CSC - Caregiver sign-in frequency 8h` `7d491c7a-ad90-4420-9990-40a1e676a76c` +- `Require multifactor authentication for all users` (`7e87a1c7…`): enabled, grant=mfa, excludeLocations=AllTrusted, excludeGroups=`SG-Caregivers-Pilot` (`0674f0bc…`) — STALE; should reference live `SG-Caregivers` (`8b8d9222…`). Functionally harmless today but a known bug. +- Android enrollment profile `CSC - Android Shared Phones (Entra SDM)` `9a0fcc6d-0a88-466e-aa53-44401bb74fca`: 25 devices enrolled, token expires 2027-05-08. Token = join key only; expiry does NOT unenroll devices. +- Only compliance policy in tenant: `CSC - Android Compliance` (no Windows compliance policy). `deviceManagement/settings.secureByDefault = false`. + +### Caregiver-allowed device list (target — 5 devices) +| Device | OS | GuruRMM agent | Enroll path | +|---|---|---|---| +| NURSESTATION-PC | Win 11 | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | Hybrid Entra Join (domain-joined) | +| Laptop2 | Win 11 | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | Entra join (RMM pending install) | +| LAPTOP-8P7HDSEI | Win 10 (EOL — upgrade) | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | Entra join | +| LAPTOP-DRQ5L558 | Win 11 | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | Entra join | +| LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | Entra join | + +## Commands & Outputs + +```bash +# Token (read-only investigator) then ALIS sign-in failures (note date bound + URL-encode to avoid 504) +TOK=$(bash scripts/get-token.sh $TEN investigator) +curl -s -G -H "Authorization: Bearer $TOK" \ + --data-urlencode "\$filter=appId eq 'd5108493-...' and createdDateTime ge 2026-05-27T..Z" \ + --data-urlencode "\$top=100" "https://graph.microsoft.com/v1.0/auditLogs/signIns" +# -> errorCode 65001 (AADSTS65001 not consented); conditionalAccessStatus success; IPs all trusted + +# Grant admin consent (tenant-admin tier) +curl -s -X POST -H "Authorization: Bearer $TOK_TA" -H "Content-Type: application/json" \ + -d '{"clientId":"e1cae4ad-...","consentType":"AllPrincipals","resourceId":"2c3b653a-...","scope":"User.Read"}' \ + https://graph.microsoft.com/v1.0/oauth2PermissionGrants # -> HTTP 201 + +# Create report-only allow-list CA policy -> HTTP 201, id 1b7fd025-1aad-47c8-9274-c32c3e0b163c +``` + +- Intune scope requires `intune-manager` tier (investigator 403s on `deviceManagement`). +- Device filter operators used: `-startsWith`, `-eq`, `-or` (mode `exclude`). + +## Pending / Incomplete Tasks + +### Caregiver device allow-list rollout +- [ ] Confirm Windows MDM auto-enroll scope in portal: Entra → Devices → Mobility (MDM and MAM) → Microsoft Intune → MDM user scope = All. +- [ ] Entra-join + Intune-enroll the 4 laptops (Howard). Verify each appears in Intune. +- [ ] NURSESTATION-PC: needs Hybrid Entra Join (Entra Connect device-sync/SCP config) — confirm whether already enabled; separate task. +- [ ] After enrollment, tag each device `extensionAttribute1 = CSCCaregiverDevice` (Claude, via Graph). +- [ ] Review report-only results in sign-in logs (phones + tagged = allowed; else = would-block). +- [ ] CUTOVER (needs Howard OK): set `CSC - Caregivers: allow-listed devices only` to `enabled` AND disable `CSC - Block caregivers on non-compliant device`. +- [ ] LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use. +- [ ] Optional: create `CSC - Windows Compliance` policy for the PHI laptops once allow-list is stable. + +### ALIS / office-privileged standardization (separate workstream) +- [ ] Verify ALIS is set to SSO-only (credential fallback disabled) for linked users — closes the "ALIS from home with just ALIS creds" hole. +- [ ] Move office/managers/directors/nurses onto ALIS SSO; set each ALIS staff Email = Entra UPN; turn off ALIS-native 2FA per user. +- [ ] Once all on SSO, disable ALIS-native 2FA globally. + +### Known fixes / hygiene +- [ ] Fix stale exclude-group on `Require multifactor authentication for all users` (`SG-Caregivers-Pilot` → `SG-Caregivers`). +- [ ] Expand Entra Connect sync to office department OUs + add `cascadestucson.com` UPN suffix (from #32303). +- [ ] Per-caregiver ALIS Email=UPN for several (Esperance; add Kasey Flores, Jahmeka Clarke, Gloria Williford). +- [ ] 38 Business Premium licenses; ALIS (Medtelligent) BAA; break-glass FIDO2 accounts. + +## Reference Information + +- Syncro tickets: #109412123 = Syncro #32214 "Entra setup"; #110680053 = Syncro #32303 "Domain setup-entra sync" +- ALIS tenant: https://cascadestucson.alisonline.com ; ALIS support 888-404-ALIS / support@go-alis.com +- Entra: https://entra.microsoft.com ; Intune: https://intune.microsoft.com +- Admin consent URL (fallback, not used — granted via API): `https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=d5108493-cba8-4f08-90b6-1bb0bc09eb2a` +- Migration master plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` +- Remediation skill: `.claude/skills/remediation-tool/` (get-token.sh tiers: investigator, intune-manager, tenant-admin) +- New CA policy id: `1b7fd025-1aad-47c8-9274-c32c3e0b163c` ; consent grant id: `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds` diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 6c26a8a..57392f5 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -2,7 +2,7 @@ type: client name: cascades-tucson display_name: Cascades of Tucson -last_compiled: 2026-06-02 +last_compiled: 2026-06-03 compiled_by: HOWARD-HOME/claude-main sources: - session-logs/2026-03-24-session.md @@ -32,6 +32,7 @@ sources: - clients/cascades-tucson/session-logs/2026-05-22-session.md - session-logs/2026-05-26-howard-session.md - clients/cascades-tucson/session-logs/2026-06-02-howard-efax-scanner-ticket.md + - clients/cascades-tucson/session-logs/2026-06-03-session.md - clients/cascades-tucson/docs/overview.md - clients/cascades-tucson/docs/network/topology.md - clients/cascades-tucson/docs/network/vlans.md @@ -100,14 +101,15 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building - **M365 license:** Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service. - **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness) - **MX / mail flow:** Exchange Online (M365). SPF strict (`-all`). DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored). -- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass pilot in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. +- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. - **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added. - **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created. - **Admin accounts:** - `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design) - `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design) -- **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith. -- **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)`. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7-3000-45da-ab1f-ddb28f509526`). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device, 8h sign-in frequency. +- **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder — expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith. + - **Admin consent (2026-06-03):** Tenant-wide admin consent (`AllPrincipals` `User.Read`) granted on ALIS Entra service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`) via Graph API (`oauth2PermissionGrant` id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`). This resolved `AADSTS65001` sign-in failures that office/clinical staff (megan.hiatt, karen.rossini, memcarereceptionist) were hitting on non-phone devices. Root cause was missing admin consent — NOT Conditional Access, network, or password. Prior state: only two per-user (`Principal`) consent grants existed, so all other users hit 65001. CA policies had `conditionalAccessStatus: success` on all failing sign-ins; both WAN IPs were trusted Named Locations. +- **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)` (`9a0fcc6d-0a88-466e-aa53-44401bb74fca`); 25 devices enrolled per 2026-06-03 Intune pull. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7-3000-45da-ab1f-ddb28f509526`). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device (see below re: pending replacement with allow-list), 8h sign-in frequency. Android enrollment token expires 2027-05-08 — token is a join key only; expiry does NOT unenroll existing devices. - **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`. ### Network @@ -163,23 +165,44 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building - **fdeploy1.ini flags:** Changed from `Flags=1211` (included `Grant Exclusive Rights` bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187`. File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER. -### Conditional Access / Caregiver Pilot +### Conditional Access / Caregiver Policies -- **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`. -- **Caregiver CA policy set:** - - PATCH legacy MFA-all-users: add `SG-Caregivers-Pilot` to excludeGroups - - CREATE `CSC - Block caregivers off Cascades network` (BLOCK if location not Cascades) - - CREATE `CSC - Block caregivers on non-compliant device` (BLOCK if device non-compliant) - - CREATE `CSC - Caregiver sign-in frequency 8h` +- **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`. +- **Enforced caregiver CA policy set (unchanged as of 2026-06-03):** + - `CSC - Block caregivers off Cascades network` (`e35614e1-e896-4a13-9407-076963af488f`) — BLOCK if location not Cascades + - `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) — BLOCK if device non-compliant. **Pending DISABLE** at allow-list cutover (see below). + - `CSC - Caregiver sign-in frequency 8h` (`7d491c7a-ad90-4420-9990-40a1e676a76c`) +- **Caregiver device allow-list (2026-06-03 — report-only):** The device restriction is being changed from compliance-based to an explicit device allow-list (phones matching `displayName -startsWith "CSC-"` plus 5 tagged laptops/PCs with `extensionAttribute1=CSCCaregiverDevice`). Rationale: tenant has no Windows compliance policy and `secureByDefault=false`, meaning compliance-only would admit any future-enrolled machine. New CA policy created in report-only: + - `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` — id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced` + - Target group: `SG-Caregivers` (`8b8d9222`). Excludes: `sysadmin@`, `admin@`, `SG-CA-BreakGlass` (`131e51ac-d69b-44b8-9c81-56890537a796`) + - Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")` + - **Allowed device list (target — 5 devices tagged `CSCCaregiverDevice`):** + + | Device | OS | GuruRMM agent | + |---|---|---| + | NURSESTATION-PC | Win 11 | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | + | Laptop2 | Win 11 | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | + | LAPTOP-8P7HDSEI | Win 10 (EOL — upgrade) | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | + | LAPTOP-DRQ5L558 | Win 11 | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | + | LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | + + - **Cutover prerequisites (pending Howard OK):** Entra-join + Intune-enroll the 4 laptops; tag each `extensionAttribute1=CSCCaregiverDevice`; confirm NURSESTATION-PC Hybrid Entra Join; review report-only sign-in results; then enable allow-list policy AND disable `CSC - Block caregivers on non-compliant device`. - **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover. - **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`. +### Known Issues / Pending Hygiene (as of 2026-06-03) + +- **[BUG] Stale exclude-group on MFA-all-users policy:** The `Require multifactor authentication for all users` policy (`7e87a1c7…`) currently excludes `SG-Caregivers-Pilot` (`0674f0bc…`) instead of the live `SG-Caregivers` (`8b8d9222…`). Functionally harmless today (pilot group still exists), but this is a known bug that must be corrected. Fix: PATCH `excludeGroups` to replace `SG-Caregivers-Pilot` with `SG-Caregivers`. +- **[DESIGN] ALIS-native 2FA is not a perimeter control.** The `Require MFA for all users` policy excludes `AllTrusted` locations, so Entra never prompts on the Cascades network. A non-SSO ALIS user can reach ALIS from anywhere with only ALIS credentials — Entra never sees that login. The correct permanent model: force all ALIS logins through Entra SSO (SSO-only, credential fallback disabled), so Entra enforces onsite-seamless / offsite-MFA. Office/privileged users should be standardized onto ALIS SSO as a separate workstream; ALIS-native 2FA should then be disabled per-user then globally. +- **[INFO] Android enrollment token expiry (2027-05-08) does NOT unenroll devices.** The `CSC - Android Shared Phones (Entra SDM)` enrollment token (`9a0fcc6d`) is a join key only. Existing enrolled devices (25 as of 2026-06-03) are unaffected by token expiry. Renewal is needed only before enrolling new devices after that date. + ### Security Incidents (historical) - **Megan Hiatt (2026-04-16):** Active credential-stuffing — 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. Mailbox was clean (not breached). - **John Trozzi (2026-04-16, 2026-04-20):** Investigated twice — both times NO BREACH. First: credential stuffing flag (clean). Second: inbound phishing email (clean). Reports in `clients/cascades-tucson/reports/`. - **Crystal Rodriguez (2026-04-19):** Phishing investigation. Report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md`. - **Canva email delivery (2026-05-20):** Alma Montt not receiving Canva invites. Resolved by adding canva.com domains to AllowedSenderDomains in EOP policies. +- **ALIS AADSTS65001 (2026-06-03):** megan.hiatt, karen.rossini, memcarereceptionist could not sign in to ALIS on non-phone devices. Root cause: missing tenant-wide admin consent on ALIS SP (`e1cae4ad`). Resolved by granting `AllPrincipals` `User.Read` via Graph API. CA was NOT the cause — all failures showed `conditionalAccessStatus: success` from trusted IPs. - **dunedolly21@gmail.com:** External guest invited 2026-04-14 by Lauren Hasselman from mobile. Status unknown — confirm with Lauren. [unverified] ### HIPAA Compliance @@ -217,6 +240,10 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro # - Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending - NURSESTATION-PC: auto-lock GPO (HIPAA, ~10 min idle) not yet applied - #32370 (open): Howard onsite — eFax setup on Karen's and Christin's machines; portable scanner setup on both. No appointment scheduled as of 2026-06-02. +- Caregiver device allow-list: 4 laptops need Entra-join + Intune-enroll + `extensionAttribute1` tagging before cutover (see Patterns section) +- ALIS office/privileged standardization: move office/managers/nurses to ALIS SSO-only; disable ALIS-native 2FA per-user then globally (separate workstream) +- Fix stale `SG-Caregivers-Pilot` exclude-group on `Require MFA for all users` policy (known bug, see Known Issues) +- LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use --- @@ -245,12 +272,13 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro # | 2026-05-23 | Lauren Hasselman folder redirect complete. Megan Hiatt (Marketing) confirmed in AD, domain join pending. | | 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. | | 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). | +| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. | --- ## Compilation Notes -**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-02. +**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-03. **Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist). @@ -259,10 +287,12 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro # - Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed - Audit retention infra — approved 2026-04-29, not yet built - dunedolly21@gmail.com guest invite — confirm with Lauren +- Windows MDM auto-enroll scope — confirm in portal (Entra → Devices → Mobility → Microsoft Intune → MDM user scope) **Resolved since last compile:** - New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active) - DMARC — confirmed upgraded to p=quarantine;pct=100 +- ALIS AADSTS65001 sign-in failures — resolved 2026-06-03 by granting admin consent ## Backlinks diff --git a/wiki/index.md b/wiki/index.md index 5a15106..79d973d 100644 --- a/wiki/index.md +++ b/wiki/index.md @@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | Article | Summary | Last Compiled | |---|---|---| -| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, ~28.0 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; open ticket #32370 (eFax + scanner onsite) | 2026-06-02 | +| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, ~28.0 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite) | 2026-06-03 | | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery; 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; Bitdefender phase-off in progress | 2026-06-02 | | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 | | [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |