# User Account Rollout Plan — Cascades of Tucson **Status:** Planning — no account creation or license assignment yet. **Created:** 2026-04-22 (Howard) **Inputs:** - `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*) - `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled) - `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver identity/phone plan (39 caregivers) - `docs/cloud/p2-staff-candidates.md` — P2 license sizing for the office-staff side - `docs/cloud/m365.md` — current M365 tenant state ## 1. Scope Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, licensed and policy-covered according to the **Access / Outside Access / ALIS** posture columns they returned. This plan covers the identity layer only — device/MDM work is already tracked in `caregiver-m365-p2-rollout.md` and the Intune rollout, and folder redirection continues under the existing GPO workstream. **Explicitly out of scope here:** - Device enrollment (Intune flow already designed) - Folder redirection GPO edits (separate workstream, already validated on DLTAGOI) - M365 tenant licensing *purchase* decision (decision gated — see §10) ## 2. Personas (derived from CSV access matrix) | Persona | Access | Outside | ALIS | Count | Examples | |---|---|---|---|---|---| | **Office-PHI (external-OK)** | D+P | Y | Y | 18 | Meredith, Megan, Lois, Susan, Alma, JD, John Trozzi, Lupe | | **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards | | **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda | | **Maintenance (in-building PHI)** | D+P | N | Y | 1 | Matt Brooks | | **Courtesy Patrol** | D+P | N | N | 3 | Sebastian Leon, Sheldon Gardfrey, Ray Rai | | **Shared-PC Reception** | D | N | N | 4 | Cathy, Shontiel, Kyla, Michelle | | **Caregiver (shared-phone)** | D+P | N | Y | 37 | See caregiver-m365-p2-rollout.md | | **Agency caregivers (per-person)** | D+P | N | Y | 0 | None created. HIPAA-mandated per-person IDs — Reliable must supply names. No shared logins. | | **Driver (no IT access)** | — | — | — | 3 | Richard Adams, Julian Crim, Christopher Holick — on roster for tracking, existing AD accounts to be disabled | | **Departed (disable/remove)** | — | — | — | 2 | Britney Thompson (has AD+M365, must be disabled), Polett Pinazavala (no account, just remove from roster) | (Identities to create or keep active: **66**. Roster-only-no-account: 3 drivers. Departures: Britney + Polett. No agency accounts created — per-person names required. Christine Nyanzunda sits in one persona — Office-PHI — with her caregiver-shift sign-in handled via exception group if needed.) ## 3. License mapping per persona **Guiding principles:** 1. Default to **Business Premium** tenant-wide (already the recommendation in `p2-staff-candidates.md` — bundles Intune + P2 + Defender + DLP). 2. Use **F3** only for phone-only users (drivers) where Premium is overkill and F3 covers Exchange/Teams needs. 3. Reception shared PCs get shared *mailboxes* for `Frontdesk@`, but each named receptionist gets her own licensed account so audits attribute individual actions. | Persona | License | Notes | |---|---|---| | Office-PHI (external-OK) | **Business Premium** | CA: compliant device OR trusted location | | Office-PHI (in-building) | **Business Premium** | CA: trusted location only | | Office non-PHI (in-building) | Business Standard (or Premium if tenant-wide) | CA: trusted location only | | Maintenance PHI (Matt Brooks) | **Business Premium** | MC-adjacent role, ALIS=Y | | Courtesy Patrol | Business Standard | Could be F3 if they don't need full desktop Office; confirm with Meredith | | Shared-PC Reception | Business Standard | Frontdesk@ stays as shared mailbox, named accounts read it | | Caregiver | **Business Premium** | Per `caregiver-m365-p2-rollout.md` — P2 is load-bearing for shared-phone CA | | Agency caregivers (per-person) | **Business Premium** each | Only provisioned when Reliable Agency provides individual names. Zero created as of 2026-04-22. | | Driver | **None** | No IT access — accounts disabled. License previously used (if any) harvested. | | Britney Thompson (departing) | **None** (harvest) | Disable account, free Business Standard + Exchange Online Essentials | Expected license count at full rollout: - Business Premium: 18 (office PHI ext) + 2 (office PHI int) + 1 (Matt) + 37 caregivers = **58** - Business Standard: 1 (Ramon) + 3 courtesy + 4 reception = **8** - F3: 0 (drivers no longer need accounts) - Per-person agency: +1 each if/when Reliable Agency provides names **Post-2026-04-22 update:** With the building-only-by-default CA decision confirmed, every licensed user needs Entra P1 coverage (either via Business Premium, or Business Standard + standalone Entra P1). Without P1, CA policies don't apply and the user sidesteps the default-deny. This effectively collapses the mixed-SKU table above into a recommendation for **Business Premium tenant-wide (~68 seats)** — the Business Standard rows stay in the table only as a reference for what we'd buy if budget forces unbundling. Proceed with Premium-tenant-wide unless Meredith pushes back. Britney's harvested Business Standard + Exchange Online Essentials license plus any freed driver licenses go back into the pool to offset the Premium purchase. ## 4. AD OU + group layout (proposed) Current `cascades.local` OU layout is loose (see `docs/servers/active-directory.md`). Proposed structure to align with the persona matrix and folder-redirection GPOs already in place: ``` OU=Cascades Users ├── OU=Administrative ├── OU=Marketing (new name for existing Marketing dept) ├── OU=Care-AssistedLiving ├── OU=Care-MemoryCare ├── OU=ResidentServices │ ├── OU=FrontDesk (reception shared-PC users) │ └── OU=CourtesyPatrol ├── OU=LifeEnrichment ├── OU=Culinary ├── OU=Maintenance ├── OU=Housekeeping ├── OU=Transportation (drivers) └── OU=Caregivers (all 37 shift staff) ``` **Security groups (AD-synced, Entra-usable):** - `SG-Office-PHI-External` — 19 people, drives CA policy + Premium license group - `SG-Office-PHI-Internal` — 2 people (Allison, Sharon) - `SG-CourtesyPatrol` — 3 - `SG-FrontDesk` — 4 - `SG-Drivers` — 3 - `SG-Caregivers` — 37 (already exists or needs creating — check against current `Cascades - Shared Phones` Entra group, which may already cover this) CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirection, local policy) only. ## 5. Conditional Access policy set **Decision 2026-04-22 (Howard → Meredith/John):** Default-deny external sign-in for all licensed users. Maintain a small allow-list group for users who legitimately work off-site. This collapses the earlier per-persona policy matrix into two primary CA policies plus the existing caregiver shared-phone policy: | Policy | Targets | Grant | |---|---|---| | `CSC - Building Only (Default)` | All licensed users **except** `SG-External-Signin-Allowed` and `SG-Caregivers` | Block sign-in unless from the "Cascades Building" named location + MFA | | `CSC - External Sign-in Allowed` | `SG-External-Signin-Allowed` | Require compliant Intune-enrolled device + MFA for external sign-in; trusted-location sign-in waives the compliance grant | | `CSC - Caregivers Shared Phone` | `SG-Caregivers` | Already designed per `caregiver-m365-p2-rollout.md` (shared-phone Intune + named location) | | `CSC - Drivers Phone-Only` | `SG-Drivers` | Require compliant Intune-managed phone; no web fallback. Drivers added to `SG-External-Signin-Allowed` as well if they need off-site phone access. | **Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 18 office-PHI staff (including Alma R Montt). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22. **Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`). **Exception-management process:** Adding a user to `SG-External-Signin-Allowed` is a named-access request that should be logged (ideally in the client's Syncro ticketing or a simple note in the client folder). Removal is equally important — e.g., Tamra Matthews comes off the list on her June 2026 departure in addition to her license being deactivated. **Impact on licensing:** All users covered by either CA policy need at least Entra P1 (bundled with Business Premium). This reinforces the default recommendation of Business Premium tenant-wide — Business Standard users couldn't be covered by the CA default-deny without an add-on, and a mixed tenant is harder to reason about. ## 6. Pre-flight reconciliation (CSV vs current AD) These must be resolved before creating or converting accounts. See also `cascades-staff-followup-2026-04-22.md`. | Discrepancy | Status | Action | |---|---|---| | **Britney Thompson** — in AD (enabled, Memory Care Nurse) | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Disable AD account `britney.thompson`. Convert mailbox to shared (or archive + delete). Remove Business Standard + Exchange Online Essentials license (harvested). Remove from any security groups. | | **Polett Pinazavala** — was on 2026-04-18 caregiver roster | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Remove from roster. No existing account — no AD/M365 action needed. | | **Drivers (Richard Adams, Julian Crim, Christopher Holick)** — all have AD accounts + Transportation@ shared mailbox | **Decision 2026-04-22 (Howard) — drivers no longer get IT access.** | Disable the 3 AD accounts. Keep them on the working roster for employee tracking. Separate decision: keep or retire `Transportation@` shared mailbox — ask Meredith. | | **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Resolved 2026-04-22 (Howard) — one account covers both roles.** | Single account in `OU=Care-MemoryCare`. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. | | **Alma R Montt** — on CSV (Life Enrichment), NOT in AD | **RESOLVED 2026-04-22 (John's reply).** Username `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y. LE staff assigned to Memory Care residents — stays in `OU=Life Enrichment`. | Create AD account `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Add to SG-External-Signin-Allowed (Outside=Y). | | **Kyla QuickTiffany** — on CSV and in AD "needs account" list | **Resolved 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. Building-only, no outside sign-in. | | **Ederick Yuzon** — spelling not confirmed | **Still pending Meredith/John.** | Block on creation of his caregiver account only. Everyone else proceeds. Tentative: `Ederick.Yuzon` if needed to unblock Wave 3. | | **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. | | **37 caregivers** — on CSV, none in AD | Unchanged. | Create all 37 AD accounts (+ M365) in Wave 3. | | **2 agency placeholders** — on CSV, not in AD | **RESOLVED 2026-04-22 (Howard, post-HIPAA-review) — NO shared logins. Per-person accounts only.** | Do NOT create `reliable1`/`reliable2`. Reliable Agency must supply individual names before any caregiver can access PHI. Until then, agency staff work under direct supervision of a Cascades-employed caregiver who is signed in. Rationale documented in `docs/security/hipaa-review-2026-04-22.md`. | | **Generic AD accounts** (`Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare`) | Unchanged. | Phase 5 cleanup after named-account coverage. | **Username convention for new accounts:** TitleCase `First.Last` (e.g., `Alma.Montt`, `Kyla.QuickTiffany`). Existing lowercase exceptions in AD (`britney.thompson`, `karen.rossini`, `lauren.hasselman`) are the known legacy cases — leave as-is, don't rename. All net-new accounts follow TitleCase. ## 7. Rollout sequence ### Wave 0 — HIPAA pre-flight (must complete before any account changes) Per `docs/security/hipaa-review-2026-04-22.md`. These are compliance blockers, not operational blockers — fix before touching accounts. - **Sign Microsoft HIPAA BAA** (5 min, free) — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA - **Verify/sign ALIS BAA** (Meredith-ask) - **Create break-glass cloud-only admin** (`breakglass@cascadestucson.com`): excluded from all CA, FIDO2 security key, vaulted password, sign-in alerts to Howard + Meredith - **Enable SMB3 encryption** on `\\CS-SERVER\homes`: `Set-SmbShare -Name homes -EncryptData $true` - **Extend M365 audit retention** to 6+ years (Purview Audit Premium add-on or retention policy) - **Put Britney's mailbox on Litigation Hold** with verified archive license — BEFORE her account is disabled - **Ask Meredith** for the Reliable Agency staffing contract (confirm direct-control language = workforce, not BA) - **Draft Risk Analysis** `docs/security/risk-analysis-2026-04.md` following NIST 800-66 Rev 2 §3 - **Create Security Rule Implementation Register** `docs/security/implementation-register.md` ### Wave 0.5 — Entra Connect / AD-M365 identity tie-in (before any account creation in Wave 1) Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M365 drift the tenant already suffers from. **Staged enablement — each gate must pass before advancing to the next:** | Gate | What happens | User-visible impact | Pass criteria before advancing | |---|---|---|---| | **G1. AD prereq hygiene** | Renames, UPN suffix add, `proxyAddresses` populate, null-password account cleanup, former-employee deletes | None | `Get-ADUser` report shows 0 UPN mismatches vs. the M365 mailbox list; 0 enabled accounts with null `PasswordLastSet` | | **G2. Role-account → shared mailbox conversions in M365** | Convert `accounting@`, `frontdesk@`, `hr@`, `transportation@`, etc. to shared mailboxes per `docs/cloud/m365.md` | Licensed-user count drops, frees ~11 seats | Every role-based UPN shows as shared mailbox in Exchange Admin; members are assigned | | **G3. Connect install in STAGING MODE** | Sync engine runs, reads AD, produces preview report. **No writes to Entra.** | None | Preview shows ≥95% clean soft-matches against existing M365 users; zero unintended duplicate-creates | | **G4. Take out of staging, directory sync ONLY (no Password Hash Sync)** | Hybrid identity appears in Entra. Passwords remain separate between AD and M365. | None — users sign in exactly as today | 48 hours stable with no new support tickets about sign-in | | **G5. Announce + enable Password Hash Sync** | AD password hash pushes to Entra. Next Outlook / Teams / Edge launch, prompts once for password. Users enter AD password. | **ONE password prompt, once.** After that: one password for everything. | Zero unresolved helpdesk tickets; test user confirms PC + Outlook + OWA work on same password | | **G6. Conditional Access policies go live in REPORT-ONLY mode** | CA evaluates every sign-in and records what WOULD have been blocked, but doesn't actually block. | None | 7–14 days of logs reviewed — zero "would have been blocked" events for legitimate users. Fix trusted-location / compliance gaps as needed. | | **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. | | **G8 (separate project). ALIS SSO Enterprise App registration** | "Sign in with Microsoft" option appears on ALIS login. Existing ALIS username/password keeps working during transition. | Optional new sign-in button. | N/A — rollout when ALIS support has provided federation metadata. | **Rollback points:** G3 through G5 all have clean reverse paths (remove from staging, disable PHS, reset individual passwords). G6/G7 CA policies can be disabled with one click. Only hard-to-reverse step is G1's AD renames — mitigated by the pre-change reg-exports/backups already in the `D:\Backups\pre-entra-connect-*` folder from the 2026-04-22 preflight remediation. **Original install-order prerequisites (covered by G1):** 1. **AD prereq cleanup** (no user impact — all reversible): - Rename `Tamra.Johnson` → `Tamra.Matthews` - Rename `strozzi` → `Shelby.Trozzi` - Rename `Alyssa.Shestko` → `Alyssa.Brooks` + delete lowercase duplicate `alyssa.brooks` - Fix `Christopher.Holik` → `Christopher.Holick` - Fix `Matt.Brooks` UPN to `matthew.brooks@` OR update M365 side to `matt.brooks@` - Delete confirmed former employees (Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez) - Disable + remove legacy accounts (Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery) 2. **Add UPN suffix** `cascadestucson.com` in AD Domains and Trusts 3. **Update all synced users' UPN** to `firstname.lastname@cascadestucson.com` 4. **Convert M365 role-based accounts to shared mailboxes** FIRST (accounting@, frontdesk@, hr@, etc. — listed in `docs/cloud/m365.md`) — frees 11 licenses 5. **Delete** `Kristiana Dowse` and `howaed` typo accounts from M365 6. **Reconcile** `nick pavloff` (M365-only) — create AD account if still employed, or delete 7. **CS-SERVER readiness check** (separate task — OS version, .NET, disk, FSMO, conflict with QuickBooks DB listener) 8. **Install Entra Connect in staging mode** on CS-SERVER → Password Hash Sync → Seamless SSO → scope to `OU=Departments` 9. **Review planned sync output** for unexpected matches/duplicates 10. **Take out of staging**, verify users see their cloud mailboxes working on the same password 11. **Communicate to users:** Outlook will prompt once for password; enter your Windows password User-visible impact: one Outlook password prompt on day-of-cutover. **No impact on AD domain logon.** ### Wave 1 — Departures + new office accounts (ready after Waves 0 and 0.5) - Disable `britney.thompson` AD account — AFTER Litigation Hold is confirmed, mailbox converted to shared with designated custodian (likely Meredith or Lois), Business Standard + Exchange Online Essentials license harvested - Disable 3 driver AD accounts (`Richard.Adams`, `Julian.Crim`, `Christopher.Holick`) - Ask Meredith whether to keep or retire `Transportation@` shared mailbox - Create AD accounts (and let Entra Connect sync to M365) for: - Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y) - Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only) - Validate group membership + CA policy assignment on the new accounts before moving to Wave 2 - Pilot the `CSC - Building Only (Default)` policy with Kyla (Report-only mode first) ### Wave 1 — DO NOT DO - Do NOT create `reliable1@` or `reliable2@` shared agency accounts (HIPAA review 2026-04-22). See §6 reconciliation + `docs/security/hipaa-review-2026-04-22.md`. ### Wave 2 — Existing office accounts, reassignment only - Move existing users into new OU layout (no identity changes, just OU move + group membership) - Attach each to the correct `SG-*` group based on CSV persona - CA policies begin applying; watch for sign-in failures ### Wave 3 — Caregiver bulk creation - Execute `caregiver-m365-p2-rollout.md` rollout — 37 AD + M365 accounts, SG-Caregivers, shared-phone CA - Already designed; this plan just sequences it after office wave ### Wave 4 — Cleanup - Disable/remove `Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare` generics once their functions are covered by named accounts + shared mailboxes - Disable Tamra's account on her June 2026 departure (other known departures: none as of 2026-04-22) - Rotate `krbtgt` password (noted stale in AD doc — overdue) ## 8. Account creation template (per new user) Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built later; plan-level checklist: 1. AD account: `First.Last` (consistent with existing convention; note lowercase exceptions for Britney, Karen, Lauren — new accounts use TitleCase) 2. UPN: `first.last@cascadestucson.com` 3. Password: auto-generated, stored in vault (`clients/cascades-tucson/new-user-.sops.yaml`), delivered to Meredith via 1Password share 4. OU placement per persona 5. Group membership: department-appropriate `SG-*` 6. M365 license assignment (group-based if feasible) 7. Mailbox creation (Exchange Online) 8. ALIS account provisioning (separate system — Meredith/Lois handle) 9. MFA registration — push to user first login 10. Confirmation email to Meredith with username + password-share link ## 9. Dependencies on other workstreams - **Folder redirection GPO rollout** (`CONTEXT.md` §48) — when we move users to new OUs, make sure the FR GPOs are re-linked to the new OU or stay linked to parent `OU=Cascades Users`. Test on one mover before batch. - **Intune phone rollout** (`PROJECT_STATE.md`) — caregiver accounts must exist before Wave 3 of phone deployment (24 remaining Samsung A15s). Identity-first, device-second. - **Business Premium purchase proposal** (`docs/proposals/m365-premium-upgrade.md`) — blocks wave 1 if Meredith hasn't approved license spend. - **File-share migration: Synology → CS-SERVER** (`docs/migration/phase2-server-prep.md` §4c–4d + `docs/migration/phase4-synology.md`) — Synology Drive Client is live-syncing `\\cascadesds\*` → `D:\Shares\Main` on CS-SERVER (confirmed 2026-03-07). Before users are cut over to CS-SERVER-sourced mapped drives, the AD security groups used for NTFS ACLs on CS-SERVER (`SG-Management-RW`, `SG-Sales-RW`, `SG-Culinary-RW`, `SG-Directory-RW`, `SG-IT-RW`, `SG-Receptionist-RW`, `SG-Chat-RW`, `SG-Server-RW`) must: 1. Exist in AD (created by `scripts/phase2-ad-setup.ps1`) 2. Have membership that matches the current per-user access on Synology — a **permission-inventory** step (see below) must produce this mapping before `scripts/phase2-file-shares.ps1` runs 3. Populate from the user rollout waves — the 22 office-PHI users, 4 receptionists, 3 courtesy patrol, 1 Matt Brooks (dual-dept), 1 Ramon Castaneda, plus caregivers as needed all land in the right `SG-*` groups at account creation - Additional HIPAA additions to the phase2 script (per `docs/security/hipaa-review-2026-04-22.md`): enable SMB3 encryption (`Set-SmbShare -EncryptData $true` on every share) and enable Object Access auditing for §164.312(b) Audit Controls - Drivers off the SG-* lists entirely — they lose file-share access along with their AD accounts ### Permission-inventory prerequisite A one-time non-destructive read of the live Synology is needed to produce the mapping from Synology local users/groups → AD security groups. Commands (run via SSH to `admin@192.168.0.120`, creds at `clients/cascades-tucson/synology-cascadesds.sops.yaml`): ```bash sudo synogroup --list # Synology local groups sudo synouser --list # Synology local users sudo cat /etc/synoinfo.conf | grep -i share # share definitions for share in homes Management SalesDept Server chat Public Culinary IT Receptionist directoryshare; do sudo synoacltool -get /volume1/$share # ACLs per share done sudo synoshare --get homes # per-share config incl. SMB encryption state ``` Output goes to `docs/migration/synology-permission-inventory.md`, which is then the reference for populating AD groups and building `phase2-file-shares.ps1` inputs. Discovery is non-destructive and can run any time the Synology is up — does not require a maintenance window. ## 10. Open decisions blocking the rollout 1. **Business Premium tenant-wide vs. mixed SKUs** — Meredith, tied to the upgrade proposal. Building-only-by-default decision reinforces Premium tenant-wide (see §5). **Only remaining BIG decision.** 2. **Ederick Yuzon spelling** — Meredith/John, asked in the 2026-04-22 email and not yet answered. Only blocks Ederick's own account creation, not the rest of Wave 3. 3. **Transportation@ shared mailbox** — keep for dispatch/scheduling emails or retire once driver AD accounts are disabled? **Resolved 2026-04-22:** - Restrict-everyone default vs. selective → **building-only by default, allow-list for exceptions** (§5). - Christine Nyanzunda → one account covers both roles. - Kyla → `Kyla.QuickTiffany` (her preference). - Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John). - Britney Thompson → **departed (John)**. Disable AD + harvest license. - Polett Pinazavala → **departed (John)**. Remove from roster. - Agency shared logins → **NOT CREATED** (HIPAA review supersedes John's confirmation — §164.312(a)(2)(i) prohibits shared PHI-access log-ons). Per-person accounts only when Reliable Agency provides names. - Drivers → no IT access per Howard. Disable 3 AD accounts. Stay on roster for tracking. ## 11. Related docs - `reports/cascades-staff-2026-04-22.csv` - `docs/cloud/cascades-staff-followup-2026-04-22.md` - `docs/cloud/p2-staff-candidates.md` - `docs/cloud/caregiver-m365-p2-rollout.md` - `docs/cloud/m365.md` - `docs/servers/active-directory.md` - `docs/proposals/m365-premium-upgrade.md` - `docs/security/hipaa.md`