Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md.
Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business
plan tenants under the Microsoft Customer Agreement.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Full tenant verification sweep: all Intune/Entra objects match session logs
- Entra Connect staging mode exited; 17 AD groups synced to cloud
- CA policies (Block-off-network, Sign-in-frequency-8h, Block-non-compliant) patched from SG-Caregivers-Pilot to AD-synced SG-Caregivers
- Registration Campaign exclusion updated to SG-Caregivers
- Deleted test accounts: howard.enos (AD) and pilot.test (M365)
- Documented Christine Nyanzunda collision risk, Ederick Yuzon open item, standing security-group rule
- Session log written
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Exchange REST API still propagating (28 min). Need manual verification via
Exchange Admin Center to unblock HIPAA compliance check.
Instructions provided:
- Access Exchange Admin Center
- Search for Britney Thompson mailbox
- Document litigation hold status (enabled/disabled, date, duration)
- Report findings back in repo
Priority: HIGH - blocks Wave 1 caregiver rollout planning.
HIPAA requirement: §164.308(a)(3)(ii)(C) + §164.316(b)(2)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
9-hour day on Cascades caregiver phone Shared Device Mode activation.
Root cause of repeated AADSTS50097 was missing Cloud Device Administrator
role -- pilot.test cannot self-register devices for shared mode. Created
dedicated devices@cascadestucson.com (CDA role, MFA on Howard's phone).
Final attempt on Phone A produced an Entra device record with shared-mode
markers (registeredOwners=0, registeredUsers=0). Resume tomorrow by
signing pilot.test in to verify SDM is actually active.
Side wins: ALIS SSO Entra App Registration created (vault commit 90ada33,
blocked on Medtelligent enabling App Store side); 2 of 3 caregiver CA
policies flipped from Report-only to Enforced; kiosk profile bumped to
v13 with full Android nav bar, 12hr inactivity signout, 6-app allowlist
including Company Portal.
Microsoft ticket #2605070040009774 still open.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New client onboarding for The Law Offices of Chris Scileppi with initial
session log documenting diagnosis on Sylvia's Mac mini (Mac14,3, M2, 8 GB).
Issue: System running out of memory; Apple Mail footprint thrashing the box.
Two Envelope Index rebuild attempts confirmed the mailbox itself exceeds what
8 GB can hold. Disabled Mail at the OS level, moved user to webmail, and
recommended replacement with an M4 Mac mini (16 or 24 GB).
Ticket #32262 resolved. 1 hr onsite logged but deliberately not invoiced.
Files:
- clients/scileppi-law/PROJECT_STATE.md
- clients/scileppi-law/docs/overview.md
- clients/scileppi-law/docs/issues/log.md
- clients/scileppi-law/session-logs/2026-05-07-howard-sylvia-mac-mini-mail-memory.md
All 5 ComputerGuru apps successfully onboarded:
- Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on
- API permissions granted (0 errors)
- Exchange Administrator role assigned to Security Investigator SP
Exchange REST API access pending propagation (15-30 min typical).
Next: Re-test Exchange REST after 09:30 AM MST to verify litigation hold check.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cannot verify litigation hold status - ComputerGuru Security Investigator
app not onboarded to Cascades tenant (HTTP 401 on Exchange REST).
User account confirmed (Britney.Thompson@cascadestucson.com).
Next steps:
- Onboard Security Investigator app to tenant
- Assign Exchange Administrator role
- Re-run litigation hold verification
HIPAA compliance blocker per Howard's 2026-05-06 note.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Approved:
- Memory caps: SQLEXPRESS 12GB, WID 512MB, AIMSQL 256MB
- AIMSQL consolidation (pending backup)
- AD is in use, WSUS is not
Howard may proceed with implementation.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Lauren Hasselman could not create a Teams group on 2026-05-05.
Diagnostic confirmed the block is at the Teams Admin policy layer
(intentional, gated on HIPAA prerequisites in m365.md issues #12-#14),
not an Entra/M365-Group permissions defect. New teams-rollout.md
captures prerequisites, HIPAA config checklist, canary test plan
(Lauren as primary canary), and exit criteria. Linked from m365.md
issue #14.
Follow-up on three pending items from breach check:
- IdentityRiskyUser scope: consented but requires P2 license
- Dime Client app: internal app requiring verification with Dan Center
- Microsoft Authenticator: drafted upgrade plan and recommendations
Created comprehensive follow-up report with action items.
Machine: Mikes-MacBook-Air
User: Mike Swanson (mike)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Darkweb scan follow-up: ran 10-point breach check on jantar@dataforth.com (no IOCs),
revoked eM Client OAuth grant and app role assignment, disabled eM Client SP tenant-wide.
Syncro ticket #109790034 created, billed 1hr prepaid, resolved.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into
2026-04-30 early morning continuation.
Major work:
- Adopted phased per-group CA rollout (corrects original tenant-wide §5
design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades
CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group
and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com,
SG-Caregivers-Pilot group, Business Premium license, vault entry
pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group,
CREATE 3 new Report-only policies (block off-network, block
non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set,
awaiting MHS to take over launcher and SDM sign-in prompt
6 new project/feedback memories. Resume point at top of new session log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
