Rewrote with verified IPs and confirmed drivers. All 8 printers created and
shared via GuruRMM 2026-05-20. Deferred: FrontDesk Epson (needs Epson
Universal driver), Health-206 Konica Minolta (needs KM PCL6 Universal driver).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fixed Exchange.ManageAsApp missing from Security Investigator app registration
- Granted role directly in Cascades tenant via Graph API
- Investigated Alma Montt mailbox: no delivery blocks found, specific sender TBD
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Created SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW in OU=Groups.
Created SMB shares Management, Sales, Activities, Server on D:\Shares
with ABE enabled and correct NTFS ACLs per group.
Scripts run on CS-SERVER via GuruRMM 2026-05-20. AD doc updated to live state.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cloud-only M365 user created, SPB license assigned, SSPR group added,
CA/MFA audit, Syncro billing for tickets #109316879 and #110120097.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cascades of Tucson — created 4 new caregiver accounts, Alma Montt admin account,
terminated Niel Castro, reclassified Celia Lassey and Patricia Sandoval-Beck from
SG-Caregivers. Entra sync run; Alma Montt M365 license pending background task.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md.
Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business
plan tenants under the Microsoft Customer Agreement.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Full tenant verification sweep: all Intune/Entra objects match session logs
- Entra Connect staging mode exited; 17 AD groups synced to cloud
- CA policies (Block-off-network, Sign-in-frequency-8h, Block-non-compliant) patched from SG-Caregivers-Pilot to AD-synced SG-Caregivers
- Registration Campaign exclusion updated to SG-Caregivers
- Deleted test accounts: howard.enos (AD) and pilot.test (M365)
- Documented Christine Nyanzunda collision risk, Ederick Yuzon open item, standing security-group rule
- Session log written
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Exchange REST API still propagating (28 min). Need manual verification via
Exchange Admin Center to unblock HIPAA compliance check.
Instructions provided:
- Access Exchange Admin Center
- Search for Britney Thompson mailbox
- Document litigation hold status (enabled/disabled, date, duration)
- Report findings back in repo
Priority: HIGH - blocks Wave 1 caregiver rollout planning.
HIPAA requirement: §164.308(a)(3)(ii)(C) + §164.316(b)(2)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
9-hour day on Cascades caregiver phone Shared Device Mode activation.
Root cause of repeated AADSTS50097 was missing Cloud Device Administrator
role -- pilot.test cannot self-register devices for shared mode. Created
dedicated devices@cascadestucson.com (CDA role, MFA on Howard's phone).
Final attempt on Phone A produced an Entra device record with shared-mode
markers (registeredOwners=0, registeredUsers=0). Resume tomorrow by
signing pilot.test in to verify SDM is actually active.
Side wins: ALIS SSO Entra App Registration created (vault commit 90ada33,
blocked on Medtelligent enabling App Store side); 2 of 3 caregiver CA
policies flipped from Report-only to Enforced; kiosk profile bumped to
v13 with full Android nav bar, 12hr inactivity signout, 6-app allowlist
including Company Portal.
Microsoft ticket #2605070040009774 still open.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All 5 ComputerGuru apps successfully onboarded:
- Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on
- API permissions granted (0 errors)
- Exchange Administrator role assigned to Security Investigator SP
Exchange REST API access pending propagation (15-30 min typical).
Next: Re-test Exchange REST after 09:30 AM MST to verify litigation hold check.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cannot verify litigation hold status - ComputerGuru Security Investigator
app not onboarded to Cascades tenant (HTTP 401 on Exchange REST).
User account confirmed (Britney.Thompson@cascadestucson.com).
Next steps:
- Onboard Security Investigator app to tenant
- Assign Exchange Administrator role
- Re-run litigation hold verification
HIPAA compliance blocker per Howard's 2026-05-06 note.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Lauren Hasselman could not create a Teams group on 2026-05-05.
Diagnostic confirmed the block is at the Teams Admin policy layer
(intentional, gated on HIPAA prerequisites in m365.md issues #12-#14),
not an Entra/M365-Group permissions defect. New teams-rollout.md
captures prerequisites, HIPAA config checklist, canary test plan
(Lauren as primary canary), and exit criteria. Linked from m365.md
issue #14.
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into
2026-04-30 early morning continuation.
Major work:
- Adopted phased per-group CA rollout (corrects original tenant-wide §5
design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades
CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group
and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com,
SG-Caregivers-Pilot group, Business Premium license, vault entry
pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group,
CREATE 3 new Report-only policies (block off-network, block
non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set,
awaiting MHS to take over launcher and SDM sign-in prompt
6 new project/feedback memories. Resume point at top of new session log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Day-long session unblocking the Cascades CA reconciliation that was paused on
the Tenant Admin SP directory-role gap. Discovered Microsoft also tightened
the OAuth scope for /identity/conditionalAccess/* reads (Policy.Read.All now
required, Policy.ReadWrite.ConditionalAccess no longer accepted for reads).
Patched Tenant Admin manifest accordingly and re-consented in Cascades.
Phase B Intune state turned out to be far more built than the 4/20 log
suggested -- compliance policy, Wi-Fi, device restrictions, both SDM app
configs (Authenticator + Teams), and 7 of 8 apps were already deployed and
assigned. PATCHed device restrictions to block camera/Bluetooth/roaming
and enabled Managed Home Screen multi-app kiosk (ALIS + Teams visible,
10-min auto-signout). PATCHed Cascades named location to add primary WAN
(184.191.143.62/32). Howard added Outlook from Managed Play; SMB encryption
enabled on \CS-SERVER\homes.
CA bypass design corrected -- original §5 plan in user-account-rollout-plan.md
called for "block off-site + MFA on-site" which doesn't match the actual goal
of bypass when network + device assurance present. Reshaped to three policies
that produce on-site-compliant = password only, anything else = MFA or block.
onboard-tenant.sh patched to:
1. Backfill Policy.Read.All on Tenant Admin SP if missing (idempotent --
for tenants consented before the 2026-04-29 manifest update).
2. Assign Conditional Access Administrator directory role to Tenant Admin
SP at onboard time. Mirrors the Exchange Operator fix Mike landed in
16f95e8.
Validated with --dry-run against Cascades. Customer-facing tenants already
onboarded should be re-run with this script to backfill both items.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thread 1 (AD-side prep on CS-SERVER) completed:
- howard.enos password reset to memorable value (PHS will sync to M365 once staging exits)
- proxyAddresses=SMTP:howard.enos@cascadestucson.com added (G1 convention)
Thread 2 (CA reconciliation) blocked: ComputerGuru - Tenant Admin SP
(appId 709e6eed-...) has zero directory role assignments in Cascades.
Graph CA endpoints 403 despite Policy.ReadWrite.ConditionalAccess on token.
Decision pending: Path A (Graph-side role assignment via existing
RoleManagement.ReadWrite.Directory) vs Path B (portal click as admin@).
Target role: Conditional Access Administrator
(b1be1c3e-b65d-4f19-8427-f6fa0d97feb9) on SP objectId
a5fa89a9-b735-4e10-b664-f042e265d137.
Follow-up: extend onboard-tenant.sh to assign this role at onboard time
(parallels 16f95e8 Exchange Admin fix for Exchange Operator SP).
Pilot target slipped 2026-04-27 to 2026-04-28. ALIS App Store still
inaccessible — install-side of ALIS SSO still deferred regardless.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comprehensive log of the Entra setup work spanning 4/24 evening through 4/25.
Includes a Resume Point at the top so the next session can pick up cleanly.
Highlights:
- Entra Connect Sync installed in staging mode on CS-SERVER, scope OU=Caregivers
- Pilot AD account howard.enos@cascadestucson.com created
- Master plan v2 with explicit drift log (FIDO2/YubiKey injection caught)
- HIPAA retention remediation: 7 mailboxes restored from soft-delete (4/22 deletes
violated 164.316(b)(2)); termination procedures policy + IR-2026-04-24-001 documented
- admin@cascadestucson.com re-promoted to Global Admin (Sandra Fish cleanup had
stripped role); residual profile data cleaned
- Existing Cascades CA architecture discovered (Named Location 72.211.21.217 + all-users
MFA policy from 2026-02-11) — adjusts plan, no duplicate policies needed
- Syncro ticket #32214 'Entra setup' with hidden private rollup (~40-45 billable hrs)
Released session lock; resume point flagged in PROJECT_STATE.md.
Major work from 2026-04-23:
Folder redirection (OU=Life Enrichment):
- Added 5 folders (Desktop, Pictures, Music, Videos, Favorites) to CSC - Folder
Redirection (LE) alongside existing Documents + Downloads. All use Flags=1021
(Basic + create folder per user + move contents + policy-removal: redirect back).
- Created CSC - Always Wait For Network GPO, linked at OU=Workstations. Disables
FLO via correct Winlogon registry path (HKLM\Software\Policies\Microsoft\
Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy=1). First attempt used
wrong path (Windows\System) which Winlogon ignored.
- Proved GPO FR works for clean-hive users (test user LE.FRTest, now removed).
- Wrote susan-profile-fix.ps1 to repair ProfWiz-poisoned profiles: robocopies
local content to \CS-SERVER\homes\<user>, loads NTUSER.DAT, rewrites User
Shell Folders (legacy + modern GUIDs) to UNC, unloads. Applied to Susan Hicks,
verified via live SMB session + content access.
Share access review doc:
- share-access-matrix-2026-04-23.md drafted for John/Meredith review. One
short block per employee (department + position + folders they can access).
All settled decisions from today's calls captured (Sandra Fish = Meredith-
only, Culinary = kitchen + M/J/A, no chat share, caregivers zero on-prem,
Veronica = Meredith tier, CasAdmin201 retired, pacs empty).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
