# Microsoft Teams Rollout (Cascades) **Status:** Not deployed. Gated on Microsoft BAA + HIPAA policy decisions (see `m365.md` issues #12, #13, #14). **Owner:** Howard (MSP) **Created:** 2026-05-05 ## Why this doc exists On 2026-05-05, **Lauren Hasselman** (Business Office Director, `lauren.hasselman@cascadestucson.com`) reported she could not create a Teams group. Diagnostic ruled out Entra/M365-Group-layer restrictions: - Account enabled, Microsoft Teams service plan (`57ff2da0-773e-42df-b2af-ffb7a2317929`) assigned + enabled - Tenant `groupSettings` empty -> Microsoft defaults apply -> `EnableGroupCreation = true` for all users - No `GroupCreationAllowedGroupId` restriction set - No sensitivity-label-required gating - Lauren has no directory roles and no group memberships (normal user, no special grant needed) Conclusion: the block is at the **Teams Admin Center policy layer** (CsTeamsChannelsPolicy / CsTeamsMessagingPolicy / org-wide team creation setting), not Graph/Entra. This is **expected and intentional** -- Teams is supposed to be off until the HIPAA gates clear. When we roll Teams out, Lauren's case is the canary test. ## Prerequisites (must be true before rollout begins) - [ ] Microsoft BAA signed (`m365.md` issue #12) -- M365 Admin Center > Settings > Org Settings > Security & Privacy > HIPAA BAA - [ ] MFA / Security Defaults or Conditional Access enforced (`m365.md` issue #13) - [ ] Decision on caregiver M365 P2 rollout (`docs/cloud/caregiver-m365-p2-rollout.md`) -- determines who gets Teams, with what license - [ ] Decision on whether Teams replaces or complements existing comms (Synology Chat is currently used) ## HIPAA-required Teams configuration (apply before unblocking creation) Configure in Teams Admin Center (`https://admin.teams.microsoft.com`) and Purview compliance portal. Document each policy's `Identity` so future drift is detectable. ### Messaging / chat - [ ] **Retention policy** for chat + channel messages + meeting recordings (Purview > Data Lifecycle Management). Default decision: 7 years for anything that could touch PHI; 90 days for general operational chat (separate policy on a sensitivity label or by team). - [ ] **DLP policy** flagging SSN, MRN, DOB+name combinations, ALIS resident IDs in chat + channel posts. Action: block + notify sender, audit log. - [ ] **External access (federation):** Disable by default. Allow specific partner domains only if a business case exists. - [ ] **Guest access:** Disable. ### Meetings - [ ] **Recording consent banner:** Enabled. - [ ] **Auto-record:** OFF. - [ ] **Recording storage:** OneDrive/SharePoint of organizer (default) -- review retention against #1. - [ ] **Anonymous join:** Disabled or restricted. - [ ] **Lobby:** Everyone except org users waits in lobby. ### Telephony - [ ] No Teams Phone / PSTN calling planned at this time. If added later, voicemail transcripts are PHI risk -- review storage location. ### Team / channel creation policy - [ ] **Global CsTeamsChannelsPolicy** -- decide: - `AllowOrgWideTeamCreation` -- recommend `False` (only admins create org-wide teams) - `AllowPrivateTeams` / standard team creation -- recommend `True` for licensed staff, gated by an Entra security group via `Group.Unified` `GroupCreationAllowedGroupId` - [ ] If gating creation to a security group: create `M365-TeamCreators` security group, populate with department heads (Meredith, Lauren, John, Crystal, Megan, Tamra, Ashley), then set `groupSettings` `EnableGroupCreation=false` and `GroupCreationAllowedGroupId=`. Document in `m365.md`. ## Test plan (run when policies are in place, before announcing to staff) For each test user, sign in to Teams web (`teams.microsoft.com`) in a private window with their actual credentials. Record pass/fail and exact UI text. ### Canary test users | User | Role | Why included | |---|---|---| | Lauren Hasselman | Business Office Director | Original reporter (2026-05-05). Must succeed. | | Meredith Kuhn | Asst Manager | Department head -- expected creator | | John Trozzi | (role) | Department head -- expected creator | | Ashley Jensen | Accounting | Same dept as Lauren -- regression check | | Sebastian Leon | Courtesy Patrol (unlicensed, shared-mailbox-only user) | Negative test -- should NOT be able to create teams (no Teams license) | ### Test cases 1. **Create a private team from scratch** - Steps: Teams left rail > Teams > Join or create a team > Create team > From scratch > Private > name "TEST--" - Expect (licensed users): team is created, user becomes owner. - Expect (Sebastian): "Create a team" option missing OR error stating creation isn't allowed. 2. **Create a team from an existing M365 group** - Pre-req: have an existing distribution/M365 group user is owner of. - Expect: same as #1 for licensed users. 3. **Create a channel within an existing team** - Confirm `AllowCreateUpdateChannels` matches policy decision. 4. **Add a guest** (only if guest access is intentionally enabled) - Expect: blocked unless org explicitly allows. 5. **Send a chat with mock PHI** (e.g. fake SSN `123-45-6789` and a fake MRN string) - Expect: DLP policy blocks or warns per configured action. 6. **Start a meeting and attempt to record** - Expect: consent banner appears for all attendees. ### Exit criteria - All licensed canaries pass tests 1, 2, 3 with no error. - Unlicensed canary (Sebastian) gets a clean "not allowed" experience -- no confusing partial UI. - DLP test (#5) fires the configured action and writes to audit log (verify in Purview). - Recording consent banner shows on test meeting. Only after all of the above pass do we announce Teams availability to staff. ## Cleanup after testing - Delete TEST-* teams created during canary tests. - Document final policy `Identity` values + `groupSettings` config in `m365.md` under a new "Teams Configuration" section. - Replace this doc's "Status: Not deployed" banner with deployment date + summary of policy decisions made. ## References - `m365.md` issues #12 (BAA), #13 (MFA), #14 (Teams not deployed) - `docs/cloud/caregiver-m365-p2-rollout.md` -- license + identity rollout that determines Teams audience - Microsoft: `https://learn.microsoft.com/microsoftteams/policy-assignment-overview` - Microsoft: `https://learn.microsoft.com/microsoft-365/solutions/groups-services-interactions` (Teams + Group + SharePoint interaction)