# Cascades of Tucson — Master Plan v2 (phones-first)

**Built:** 2026-04-24 by Howard + Claude

**Supersedes:** `PLAN-AND-QUESTIONS-2026-04-23-archived.md`

**Target:** Pilot caregiver phone usable end-to-end by Monday 2026-04-27.

**Goal (Howard's exact words):** Authorized user + authorized device + authorized network → no 2FA → M365 sign-in (tied to domain account via PHS) → SSO into ALIS.

> This plan was rewritten after catching scope drift in the 2026-04-23 version. See Part 7 for the honest drift log. The executable path is Track A; Track B runs in parallel; Track C is later phases.

---

## Part 1 — Status as of 2026-04-24

### What's genuinely done

- **AD hygiene (G1)** — idempotent. OU=Excluded-From-Sync, 4 role accounts moved, 34 proxyAddresses populated, 16 SG-* groups created, display names normalized. `reports/2026-04-22-g1-execute.md` + `reports/2026-04-22-g1-post-verify.md`
- **M365 orphan cleanup (G2 partial)** — 7 orphan / former-employee accounts deleted; 1 Business Standard seat freed. `reports/2026-04-22-m365-orphan-deletes.md`
- **CS-SERVER preflight** — time sync, TLS 1.2, WSB installed, rebooted, post-reboot verification clean. Ready for Entra Connect. `reports/2026-04-22-cs-server-preflight-verification.md`
- **Synology discovery** — 10 shares, 35 users, 4 groups inventoried. 7 shared-credential HIPAA violations flagged. `docs/migration/synology-permission-inventory.md`
- **Intune MDM foundation** — MDMS@ service account, Apple MDM push cert, Android enrollment profile (dynamic group), Android compliance policy, config profiles, 7 required apps (incl. ALIS web app). 1 Samsung A15 enrolled compliant, 24 more in box. `PROJECT_STATE.md`
- **DMARC p=quarantine** + post-DMARC spoofing recheck clean. `reports/2026-04-21-post-dmarc-spoofing-recheck.md`
- **Staff CSV + working list** from Meredith/John. `reports/cascades-staff-2026-04-22.csv`
- **HIPAA review + risk register** drafted (with some accuracy issues flagged in Part 7).
  `docs/security/hipaa-review-2026-04-22.md`

### What's in flight vs not started

- **Entra Connect install** — NOT started. Prep is green.
- **Phone rollout at scale** — NOT started. Pattern validated on 1 device.
- **Role mailbox conversions (G2 remainder)** — have delegation lists for 6/11; 5 pending Meredith.
- **CA policies** — nothing live. No Named Location yet.
- **ALIS SSO** — nothing registered.

---

## Part 2 — Track A: Phone SSO Mission (pilot → caregiver rollout)

**One sentence:** one caregiver, one phone, full end-to-end flow proven by Monday — then scale.

### Phase 1 scope

- **1 pilot caregiver** (Howard picks — must be confirmed-spelling name + willing tester)
- **1 phone** (reuse current enrolled Phone 1 or fresh Samsung A15 from the 24 unopened)
- **Entra Connect sync scoped to `OU=Sync-Phase1-Caregivers` only**
- **PHS enabled** (Howard's decision 2026-04-24 — reverses prior "PHS deferred" call)
- **CA policy: MFA waived when user ∈ SG-Caregivers AND device compliant AND sign-in from Cascades WAN IP**
- **ALIS SSO live via OIDC App Registration**

Nothing else in this tenant is touched. No office staff change. No password cutover for the cloud-only population (that's Track C Phase 2).

### Gate-by-gate plan

| Gate | Target day | What | Blocker / input |
|---|---|---|---|
| **A1** | Fri PM | Entra Connect install on CS-SERVER, staging mode, scope = `OU=Sync-Phase1-Caregivers`, PHS on | Howard at CS-SERVER console |
| **A2** | Fri–Sat | Pull Cascades WAN IP from pfSense; create Entra Named Location "Cascades Office"; create CA policy "Cascades - Phone MFA Exception" in Report-only | Q38 (WAN IP static? — discover from pfSense cfg, not Meredith) |
| **A3** | Fri–Sat | Email `support@medtelligent.com` for SSO Integrations kickoff; create App Registration "Cascades of Tucson - ALIS SSO" (single-tenant, redirect `https://cascadestucson.alisonline.com/ExternalLoginCallback`, ID tokens implicit hybrid enabled); create client secret "ALIS - Single Tenant Secret"; vault creds | Howard / portal access |
| **A4** | Sat | Pilot caregiver AD account in `OU=Sync-Phase1-Caregivers`; add to `SG-Caregivers`; assign unassigned Entra ID P2 (no new spend); verify ALIS staff profile email == Entra UPN exactly | Howard picks pilot (T0-1) |
| **A5** | Sun AM | Exit Entra Connect staging; full sync; verify pilot user appears hybrid with AD password live; CA What-If check confirms MFA bypass fires for correct conditions | A1–A4 green |
| **A6** | Sun PM | Enroll phone (QR from `CSC - Android Shared Phones` profile); pilot caregiver signs in via MSDM; verify zero MFA prompt on Cascades Wi-Fi; verify Teams/Authenticator/ALIS web app all SSO; verify sign-out / second sign-in works (shared-device proof) | A5 green |
| **A7** | Mon AM | CA Report-only logs reviewed (zero unexpected blocks); flip policy to On | A6 green |

### Phase 1a (post-Monday): expand to full caregiver roster

- Create remaining ~36 caregiver AD accounts in same OU
- Purchase Business Premium seats (Q21 — tenant-wide preferred)
- Add to `SG-Caregivers`
- Factory-reset and enroll remaining 24 phones
- **Blocker resolved before 1a:** Q1 Ederick spelling

### Track A blockers

- **T0-1 (Howard):** pick pilot caregiver — name + consent
- **T0-2 (Howard — discoverable):** pfSense WAN IP — confirm static by inspecting Cox circuit config. If dynamic, plan Named Location update hook.
- **T0-3 (Meredith, cheap ask):** sign Microsoft HIPAA BAA. Doesn't block phones technically — Meredith's covered entity exposure is the driver. 5 min.
- **T0-4 (ALIS, lead time):** ALIS Integrations team response to `support@medtelligent.com`.
  Send Friday. They may need 24–48h.

---

## Part 3 — Track B: HIPAA Baseline (parallel to A, sized realistically)

**Scope:** compliant-enough-to-survive-an-audit. Not gold-standard. Each item sized honestly.

| ID | Item | Rule | Who | Effort | Cost |
|---|---|---|---|---|---|
| **B1** | Microsoft HIPAA BAA sign | §164.308(b)(1) Required | Meredith | 5 min portal click | $0 |
| **B2** | ALIS BAA confirmed | §164.308(b)(1) Required | Meredith → ALIS support | 1 email, 1–2wk vendor turnaround | $0 |
| **B3** | Risk Analysis document | §164.308(a)(1)(ii)(A) Required | Howard drafts → Mike/Howard sign Security Official → Meredith counter-signs CE | 3–4h | $0 |
| **B4** | Termination Procedures documented | §164.308(a)(3)(ii)(C) Required | Howard drafts from existing process | 1–2h | $0 |
| **B5** | Audit log retention decision | §164.312(b) + §164.316(b)(2) | Meredith picks option; Howard implements | 1h | $0 (option b) or ~$3/user/mo (option a) |
| **B6** | Synology shared-login risk acceptance | §164.312(a)(2)(i) interim | Meredith signs paper acknowledgment until Phase 4 cutover | Howard drafts form + route | $0 |
| **B7** | Break-glass admin **DECISION** (not the injected YubiKey spec — a decision entry only) | §164.312(a)(2)(ii) Addressable | Howard writes decision entry | 30 min | $0 |
| **B8** | Security Rule Implementation Register | §164.316(b) | Howard drafts — single doc listing every Addressable spec + decision | 2h | $0 |

### Audit retention options (B5)

- **(a)** Microsoft Purview Audit (Premium) add-on — 10yr retention — ~$3/user/mo
- **(b)** M365 Compliance retention policy at 7 years — $0 *if we're on Business Premium tenant-wide* (which we would be for Phase 1a anyway)
- **(c)** Monthly export to immutable Azure Blob — $0 but operational burden

**Recommended: (b)**, stacked on the Business Premium tenant-wide purchase we're already teeing up for Phase 1a. No additional spend.
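The on-prem side of Track A Gates A1, A4 and A5 (scoped OU, pilot account placement, group membership, UPN check, sync state, hybrid verification) as an added PowerShell example. This is not code from the plan or from Microsoft; it assumes the ActiveDirectory module on CS-SERVER, the ADSync module (present once Entra Connect is installed), and Microsoft.Graph for the post-sync check. `$PilotSam` and the `PILOT-PLACEHOLDER` value are placeholders for the T0-1 pick, not a staff name.

```powershell
# Added example (not from the plan): Track A on-prem prep and verification for Gates A1/A4/A5.
# Assumes: Domain Admin on CS-SERVER, ActiveDirectory + ADSync + Microsoft.Graph modules.
# $PilotSam is a placeholder; substitute the sAMAccountName chosen under T0-1.
param(
    [string]$PilotSam = 'PILOT-PLACEHOLDER',
    [string]$OuName   = 'Sync-Phase1-Caregivers',
    [string]$Group    = 'SG-Caregivers'
)
Import-Module ActiveDirectory

# 1. Scoped sync OU, created once; re-runs are no-ops (same idempotent style as G1).
$domainDn = (Get-ADDomain).DistinguishedName
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $domainDn -ProtectedFromAccidentalDeletion $true -PassThru
    Write-Host "Created $($ou.DistinguishedName)"
}

# 2. Pilot account into sync scope and into the CA target group (Gate A4).
$user = Get-ADUser -Identity $PilotSam -Properties userPrincipalName, proxyAddresses, memberOf
if ($user.DistinguishedName -notlike "*,$($ou.DistinguishedName)") {
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ou.DistinguishedName
}
$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
if ($user.MemberOf -notcontains $groupDn) {
    Add-ADGroupMember -Identity $Group -Members $PilotSam
}

# 3. UPN suffix must be a verified Entra domain, or the synced UPN falls back to
#    onmicrosoft.com and the "ALIS email == Entra UPN" match in Gate A4 fails.
Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All' -NoWelcome
$verified  = (Get-MgDomain | Where-Object IsVerified).Id
$upnSuffix = ($user.UserPrincipalName -split '@')[1]
if ($upnSuffix -notin $verified) {
    Write-Warning "UPN suffix '$upnSuffix' is not a verified Entra domain; fix before syncing."
}
$primarySmtp = ($user.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:'
if ($primarySmtp -and $primarySmtp -ne $user.UserPrincipalName) {
    Write-Warning "Primary SMTP ($primarySmtp) differs from UPN ($($user.UserPrincipalName)); ALIS matches on UPN."
}

# 4. Sync state (Gates A1/A5): staging mode must be off before a real cycle runs.
Import-Module ADSync
$sched = Get-ADSyncScheduler
if ($sched.StagingModeEnabled) {
    Write-Warning 'Entra Connect is still in staging mode; exit staging in the wizard before Gate A5.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 90   # give the delta cycle time to export
}

# 5. Confirm the pilot is now a hybrid (directory-synced) object in Entra.
$cloud = Get-MgUser -UserId $user.UserPrincipalName `
    -Property 'userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId,onPremisesLastSyncDateTime'
[pscustomobject]@{
    Upn         = $cloud.UserPrincipalName
    Hybrid      = $cloud.OnPremisesSyncEnabled
    ImmutableId = $cloud.OnPremisesImmutableId
    LastSync    = $cloud.OnPremisesLastSyncDateTime
}
```

`Hybrid` should read `True` with a non-empty `ImmutableId` before Gate A6 starts; the PHS half of A5 (AD password live in the cloud) is only proven by the pilot's actual sign-in, so keep that as the A6 acceptance check rather than inferring it from sync timestamps.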
### What Track B does NOT include (drift scrubbed)

- ~~FIDO2 YubiKey purchase~~ — was injected; Emergency Access Procedure is Addressable, not Required; documented decision (B7) suffices
- ~~Per-user DLP policies~~ — not in Security Rule Required set
- ~~Defender for Identity / SIEM~~ — nice-to-have, not baseline

---

## Part 4 — Track C: Future phases (not this week)

| Item | When | Blocker |
|---|---|---|
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C2** Phase 3 sync — remaining staff | Week-3 or later | Same mechanics as C1, larger batch |
| **C3** G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with lists we have | 5 of 11 pending Meredith answers on delegates (Q8, Q11, Q14, Q15, Q16) |
| **C4** Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership |
| **C5** Wave 5 hardening — BitLocker fleet, LAPS, password policy, krbtgt rotation | After Phase 4 | Previous phases complete |

---

## Part 5 — Open questions (slimmed, re-tiered)

### T0 — Blocks Monday

- **T0-1 (Howard):** Pilot caregiver — who? Must be confirmed-spelling name, willing tester.
- **T0-2 (Howard, discoverable):** pfSense WAN IP — static? Query the appliance.
- **T0-3 (Meredith, Friday ask):** sign Microsoft HIPAA BAA.
- **T0-4 (ALIS, send Friday):** kick off SSO Integrations engagement via `support@medtelligent.com`.
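Gate A2 (Named Location from the T0-2 WAN IP, CA policy in Report-only) and the Gate A7 log review, as an added Microsoft Graph PowerShell example that is not part of the plan. One point a practitioner hits immediately: the plan describes a single policy, but Conditional Access cannot express "waive MFA only when on-site AND device compliant" as one exclusion (exclusions are OR'd), so this example realises the same rule as two report-only policies that together leave exactly that case without a prompt. That two-policy shape is this example's design, not the plan's. `$WanCidr` defaults to a constructed TEST-NET-3 address and must be replaced with the pfSense WAN address; the group name and policy display names come from the plan.

```powershell
# Added example (not from the plan): Gate A2 Named Location + report-only CA policies,
# plus the Gate A7 review query. Assumes Microsoft.Graph is installed and the caller
# holds Conditional Access Administrator. $WanCidr is a constructed placeholder.
param(
    [string]$WanCidr   = '203.0.113.10/32',    # TEST-NET-3 placeholder; use the real pfSense WAN /32
    [string]$GroupName = 'SG-Caregivers'
)
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'AuditLog.Read.All' -NoWelcome

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group $GroupName not found in Entra; is it inside the sync scope?" }

# Named Location "Cascades Office": idempotent on displayName.
$loc = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Cascades Office'"
if (-not $loc) {
    $loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'
        displayName   = 'Cascades Office'
        isTrusted     = $true
        ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $WanCidr })
    }
}

$common = @{
    users        = @{ includeGroups = @($group.Id) }
    applications = @{ includeApplications = @('All') }
}

# Policy 1: caregivers anywhere except the office WAN always get MFA.
$offsite = @{
    displayName   = 'Cascades - Phone MFA Exception (off-site MFA)'
    state         = 'enabledForReportingButNotEnforced'   # Report-only until Gate A7 flips it On
    conditions    = $common + @{ locations = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) } }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
# Policy 2: on the office WAN, a compliant device satisfies the grant (no MFA prompt);
# a non-compliant or unmanaged device must still MFA. Together these two leave only
# (SG-Caregivers AND compliant AND office WAN) without a prompt, which is the plan's rule.
$onsite = @{
    displayName   = 'Cascades - Phone MFA Exception (on-site compliant device)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $common + @{ locations = @{ includeLocations = @($loc.Id) } }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa', 'compliantDevice') }
}
foreach ($p in $offsite, $onsite) {
    if (-not (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'")) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
        Write-Host "Created report-only policy: $($p.displayName)"
    }
}

# Gate A7 review: every sign-in in the last 3 days that either report-only policy
# would have blocked or interrupted. The plan's bar is zero unexpected rows here.
$since = (Get-Date).AddDays(-3).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
    $hits = $_.AppliedConditionalAccessPolicies | Where-Object {
        $_.DisplayName -like 'Cascades - Phone MFA Exception*' -and
        $_.Result -in 'reportOnlyFailure', 'reportOnlyInterrupted'
    }
    if ($hits) {
        [pscustomobject]@{
            Time   = $_.CreatedDateTime
            User   = $_.UserPrincipalName
            IP     = $_.IPAddress
            Policy = ($hits.DisplayName -join '; ')
            Result = ($hits.Result -join '; ')
        }
    }
} | Format-Table -AutoSize
```

If T0-2 turns out to be a dynamic WAN address, the `ipRanges` on the Named Location is the single field the "update hook" from the Track A blockers needs to rewrite; nothing in the two policies references the address directly.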
### T1 — Blocks Phase 1a (full caregiver rollout, not pilot)

- **Q1** Ederick Yuzon spelling — Meredith
- **Q21** Business Premium tenant-wide vs mixed SKU — Meredith (approve PO)
- **Q48** Reliable Agency shift scheduling pattern — Meredith (determines per-person vs supervised model)

### T2 — Track B completion (parallel)

- **Q17** MS BAA (= T0-3)
- **Q18** ALIS BAA — Meredith
- **Q19** Synology shared-login risk posture (a/b/c) — Meredith → B6
- **Q20** Audit retention path — Meredith → B5 (recommend (b))
- **Q25** Reliable Agency contract → workforce vs BA — Meredith
- **Q27–29** Training, sanctions, termination procedure docs — Meredith

### T3 — Blocks Phase 2/3 + Wave 4 (later)

- **Q2** Stephanie Devin status — Meredith
- **Q3** Dax Howard identity — Meredith
- **Q4** Tamra Matthews exit date — Meredith
- **Q6–16** Role mailbox delegations — Meredith (G2 remainder)
- **Q30–35** Synology content + MainOffice group — John
- **Q36** John's email activity — John
- **Q37** Matt Brooks cross-role delegation — John
- **Q38** WAN IP stability — John (confirms T0-2)
- **Q39** Dell R610 replacement — John

### Dropped (drift — see Part 7)

- ~~**Q23** FIDO2 security key purchase~~
- ~~**Q24** Second break-glass holder~~

---

## Part 6 — Executable now (no client answers needed)

| Item | Agent / effort | Blocks what |
|---|---|---|
| Draft Risk Analysis (B3) | Howard, 3–4h | Nothing — parallel to Track A |
| Draft Termination Procedures (B4) | Howard, 1–2h | Nothing |
| Draft Security Rule Implementation Register (B8) | Howard, 2h | Nothing |
| Draft Synology risk-acceptance form for Meredith's signature (B6) | Howard, 30min | Nothing |
| SMB3 encryption on `\\CS-SERVER\homes` | `Set-SmbShare -Name homes -EncryptData $true` via GuruRMM | H3 HIPAA risk |
| Create `OU=Sync-Phase1-Caregivers` on CS-SERVER | Howard, 5 min | Track A Gate A1 prep |
| ALIS App Registration in Entra (A3) | Howard, 20 min | Track A Gate A5 verify |
| Email ALIS support for SSO kickoff | Howard, 10 min | Lead-time |

---

## Part 7 — Drift log (honest record)

The 2026-04-23 master plan had four accuracy/scope problems traced to doc-generation drift. Captured here so we don't repeat:

1. **FIDO2 / YubiKey recommendation appeared without user input.** First showed up in `docs/cloud/user-account-rollout-plan.md` line 160 (commit `c077d58` — a staff-CSV ingest session where the session log has zero FIDO2 mention). Escalated to Required HIPAA finding H2 in `docs/security/hipaa-review-2026-04-22.md` (commit `6bd4166`, auto-sync, no session log). Then to Q23–24 T1 blocker in `PLAN-AND-QUESTIONS-2026-04-23.md` asking Meredith to buy a specific YubiKey 5C NFC (~$55). **The §164.312(a)(2)(ii) citation is Addressable, not Required, and doesn't prescribe FIDO2.** Removed.
2. **ALIS SSO marked "Optional / separate project."** Gate G8 labeled optional in the old plan. In reality ALIS SSO is the endpoint of Howard's goal. Promoted to Track A Gate A3.
3. **PHS deferred indefinitely.** Gate G5 was labeled deferred. Howard's confirmed intent 2026-04-24 is PHS enabled so M365 password == AD password. Reversed.
4. **SAML / Enterprise App vs OIDC / App Registration.** My old writeup described ALIS SSO as "Enterprise App with SAML/OIDC." The ALIS doc (https://support.alisonline.com/hc/en-us/articles/34831696021901) specifies **App Registration with OIDC implicit hybrid flow and a client secret.** Not SAML, not Enterprise Application. Corrected in Gate A3.

**Anti-drift commitment going forward:** new architectural decisions must trace back to a session log or user message, not be drafted unilaterally during document generation. When a document auto-adds a technical spec that nobody discussed, that's drift — we flag it rather than carrying it forward.

---

## Revision history

- 2026-04-23 — original plan drafted by Howard (now archived)
- 2026-04-24 — rewritten: Track A/B/C split, phased Entra Connect sync, drift log added, Monday pilot target locked in
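Gate A3 and drift item 4 come down to one object shape: a single-tenant App Registration with ID-token implicit issuance on the ALIS redirect URI and a client secret that gets vaulted, never displayed. The following is an added Microsoft Graph PowerShell example, not the plan's own code and not ALIS's or Microsoft's. It assumes Microsoft.Graph is installed and that Microsoft.PowerShell.SecretManagement has a registered vault; the vault name `CascadesVault` and the stored secret name `ALIS-SSO-ClientSecret` are placeholders. Display names, redirect URI and secret name are the ones the plan specifies.

```powershell
# Added example (not from the plan): Gate A3 App Registration for ALIS OIDC.
# Single-tenant, id_token via implicit/hybrid, client secret vaulted immediately.
# Assumes Microsoft.Graph + SecretManagement; 'CascadesVault' is a placeholder vault name.
$appName     = 'Cascades of Tucson - ALIS SSO'
$redirectUri = 'https://cascadestucson.alisonline.com/ExternalLoginCallback'
$secretName  = 'ALIS - Single Tenant Secret'
$vaultName   = 'CascadesVault'                 # placeholder; any registered SecretManagement vault

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Registration: idempotent on displayName so a re-run does not create a duplicate app.
$app = Get-MgApplication -Filter "displayName eq '$appName'"
if (-not $app) {
    $app = New-MgApplication -DisplayName $appName `
        -SignInAudience 'AzureADMyOrg' `
        -Web @{
            RedirectUris          = @($redirectUri)
            ImplicitGrantSettings = @{
                EnableIdTokenIssuance     = $true    # ALIS hybrid flow needs id_token on the redirect
                EnableAccessTokenIssuance = $false   # no access_token over implicit; not needed, keep it off
            }
        }
    # A service principal makes the registration visible/assignable as an enterprise app in this tenant.
    New-MgServicePrincipal -AppId $app.AppId | Out-Null
    Write-Host "Created app registration $($app.AppId)"
}

# Client secret: only create it if one with the plan's name does not already exist.
# SecretText is returned once, at creation, so it goes straight into the vault.
$existing = $app.PasswordCredentials | Where-Object DisplayName -eq $secretName
if (-not $existing) {
    $cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = $secretName
        EndDateTime = (Get-Date).AddMonths(12)    # 12-month life; rotation date goes on the calendar
    }
    Set-Secret -Name 'ALIS-SSO-ClientSecret' -Vault $vaultName `
        -Secret (ConvertTo-SecureString $cred.SecretText -AsPlainText -Force)
    Remove-Variable cred                           # drop the plaintext from the session
    Write-Host "Secret '$secretName' created and vaulted as ALIS-SSO-ClientSecret."
}

# What ALIS Integrations will ask for. The secret itself is fetched from the vault
# at hand-over time, not printed here.
$fresh = Get-MgApplication -ApplicationId $app.Id
[pscustomobject]@{
    TenantId      = (Get-MgContext).TenantId
    ClientId      = $fresh.AppId
    SignInAudience = $fresh.SignInAudience
    RedirectUri   = ($fresh.Web.RedirectUris -join ', ')
    IdTokenImplicit = $fresh.Web.ImplicitGrantSettings.EnableIdTokenIssuance
    SecretExpires = ($fresh.PasswordCredentials | Where-Object DisplayName -eq $secretName).EndDateTime
}
```

The final object is the pre-flight for Gate A3: `SignInAudience` must be `AzureADMyOrg` (single-tenant), `IdTokenImplicit` must be `True`, and `RedirectUri` must match the ALIS callback byte-for-byte, since the OIDC redirect comparison is exact. Leaving access-token implicit issuance off keeps the registration to what the ALIS document asks for and nothing more.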