# Staff Entra P2 Candidates — Cascades

**Status:** List received from Meredith/John (2026-04-22) via staff-editor CSV. Ready for licensing + CA policy design. No license purchase or policy activation yet.

**Last updated:** 2026-04-22 (Howard)

**Source of truth:** `reports/cascades-staff-2026-04-22.csv` (70 people, 11 departments, access/outside/ALIS flagged per person)

**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout (overlaps with the 39 shift-staff rows in the CSV).

## Why this list is separate

Two different problems both use P2 features, and conflating them makes the license math fuzzy:

- **Caregiver rollout** (covered elsewhere): ~39 hourly staff, shared Android phones, goal is location-locked mobile access during shifts.
- **This list** — office staff whose risk is:
  - Receives / sends PHI (new resident intake forms, doctor-supplied medical info)
  - Works from home or checks email on a personal phone, which is where we need either Conditional Access compliance enforcement or just a targeted location restriction
  - Or — should be restricted to in-building sign-in only

The Conditional Access policies will likely differ between the two groups (office staff need "work from home or from trusted device with compliance", caregivers need strict "on-prem network + managed shared phone only"), so tracking them separately keeps the policy design clean.

## Criteria (from Howard → leadership email, 2026-04-16)

A staff member needs P2 if they match one or more:

1. Signs in on a phone or tablet at Cascades (skip-MFA-in-building story)
2. Should only sign in from the building (enforce location restriction)
3. Handles sensitive / medical information via email (PHI — need to enforce encryption + DLP policies that P2-tier features back)

## Candidates confirmed so far

### From Crystal Rodriguez (2026-04-16 reply)

| Name | Role | Reason P2 is needed | Notes |
|---|---|---|---|
| Megan Hiatt | Sales Director | Handles new-resident intake forms (PHI from doctors); works from home; email on personal cell | Already a protected user for anti-impersonation |
| Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user |
| Tamra Matthews | Move-In Coordinator | Same — intake forms | **Leaving in June 2026** — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |

### Full list received 2026-04-22 (via staff-editor CSV)

The CSV encodes access posture per person with three columns: **Access** (D / P / D+P), **Outside Access** (Y/N — i.e. work from home / personal device), **ALIS** (Y/N — resident management system).
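As an added example (not part of this doc or of the staff-editor tooling), the Python below turns rows in the three-column shape just described into the posture buckets this doc uses and counts standalone P2 seats under the two still-open "restrict everyone" vs. "restrict only some" scenarios. The `Population` column, the department names and all person names are constructed for the example; treating caregiver rows and phone-only drivers as counted elsewhere is an assumption taken from the bucket notes in this doc.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of the staff-editor CSV: Access (D / P / D+P),
# Outside (Y/N), ALIS (Y/N). The Population column and every name here are
# made up for this example; the real CSV is the source of truth.
SAMPLE_CSV = """Department,Name,Title,Access,Outside,ALIS,Population
Administrative,Office Person A,Executive Director,D+P,Y,Y,office
Administrative,Office Person B,Accounting Assistant,D+P,N,Y,office
Culinary,Office Person C,Kitchen Manager,D+P,N,N,office
Reception,Desk Person A,Receptionist,D,N,N,office
Courtesy Patrol,Patrol Person A,Courtesy Patrol,D+P,N,N,office
Transportation,Driver A,Driver,P,N,N,driver
Care,Caregiver A,Caregiver,P,N,Y,caregiver
"""


def posture(row):
    """Map one CSV row onto the access-posture buckets used in this doc."""
    access, outside, alis = row["Access"], row["Outside"], row["ALIS"]
    if row["Population"] == "caregiver":
        return "caregiver-rollout"   # counted in the caregiver doc, not here
    if access == "P":
        return "phone-only"          # drivers: no desktop sign-in at all
    if access == "D":
        return "shared-pc"           # front-desk shared PCs, no individual P2
    if access == "D+P" and outside == "Y" and alis == "Y":
        return "p2-office"           # home / personal-device access plus ALIS
    if access == "D+P" and alis == "Y":
        return "p2-borderline"       # in-building only; hinges on the open decision
    return "no-p2"                   # D+P but no outside access and no ALIS


def license_plan(csv_text, restrict_everyone):
    """Return (bucket counts, standalone P2 seats) for one scenario."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    buckets = Counter(posture(r) for r in rows)
    if restrict_everyone:
        # Building-only for all: every AD-synced identity carries the CA
        # policy, so every row except phone-only and caregiver rows needs a seat.
        seats = sum(1 for r in rows
                    if posture(r) not in ("caregiver-rollout", "phone-only"))
    else:
        seats = buckets["p2-office"]
    return buckets, seats


if __name__ == "__main__":
    for everyone in (False, True):
        buckets, seats = license_plan(SAMPLE_CSV, everyone)
        print("restrict everyone" if everyone else "restrict some", seats, dict(buckets))
```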
**P2-needed office staff** (D+P, Outside=Y, ALIS=Y — meets criteria 2 and/or 3 above):

| Department | Name | Title |
|---|---|---|
| Administrative | Meredith Kuhn | Executive Director |
| Administrative | Ashley Jensen | Assistant Executive Director |
| Administrative | Lauren Hasselman | Business Office Director |
| Marketing / Sales | Megan Hiatt | Sales Director (PHI — resident intake) |
| Marketing / Sales | Crystal Rodriguez | Sales Associate (PHI — resident intake) |
| Marketing / Sales | Tamra Matthews | Move-In Coordinator (PHI — **leaving June 2026, confirmed**) |
| AL Nursing | Lois Lane | Health Services Director |
| AL Nursing | Karen Rossini | Health Services Manager |
| AL Nursing | Veronica Feller | Care, AL Aide |
| Memory Care | Shelby Trozzi | Memory Care Director |
| Memory Care | Christine Nyanzunda | MC Admin Assistant |
| Resident Services | Christina DuPras | Resident Services Director |
| Life Enrichment | Susan Hicks | Life Enrichment Director |
| Life Enrichment | Alma R Montt | *(title blank in CSV — follow-up)* |
| Culinary | JD Martin | Culinary Director |
| Culinary | Alyssa Brooks | Dining Manager |
| Maintenance | John Trozzi | Facilities Director |
| Maintenance | Matt Brooks | MC Receptionist / Maintenance (dual-department) |
| Housekeeping | Lupe Sanchez | Housekeeping Director (aka Guadalupe Sanchez) |

**Subtotal: 19 office-staff P2 licenses.**

**Outside=N, ALIS=Y staff** (D+P, in-building only — criterion 1 may apply if they use a personal phone on-site):

| Department | Name | Notes |
|---|---|---|
| Administrative | Allison Reibschied | Accounting Assistant |
| AL Nursing / none | — | — |
| Life Enrichment | Sharon Edwards | LE Assistant (Outside=N but ALIS=Y) |
| Culinary | Ramon Castaneda | Kitchen Manager (Outside=N, ALIS=N — actually no P2 need unless we go building-only-restrict-everyone) |

Allison + Sharon are borderline — ALIS handling alone doesn't mandate P2, but if we go the "enforce building-only sign-in for anyone with ALIS access" route, they'd need P2 to carry the CA policy. Wait for the "restrict everyone or just some" decision before deciding.

**Note on Britney Thompson:** **Departed as of 2026-04-22 (per John's reply).** Disable the existing `britney.thompson` AD account and harvest the Business Standard + Exchange Online Essentials license. Not in any license purchase count going forward.

**Note on Polett Pinazavala:** **Departed as of 2026-04-22 (per John's reply).** Not in AD/M365 — no disable needed, just removed from roster. Not in any license count.

**Note on drivers (Richard Adams, Julian Crim, Christopher Holick):** **No IT access per 2026-04-22 decision (Howard).** Disable the 3 existing AD accounts. Not in any license count. Stay on the working roster for employee tracking only.

**Shared-PC receptionists** (D only, no Outside, no ALIS): Cathy Kingston, Shontiel Nunn, Kyla Quick Tiffany, Michelle Shestko — four people on shared front-desk PCs. No individual P2 needed; their story is shared-account vs individual-account, not P2.

**Courtesy Patrol** (D+P, no Outside, no ALIS): Sebastian Leon, Sheldon Gardfrey, Ray Rai — in-building only, no ALIS. No P2 need.

**Drivers** (P only): Richard Adams, Julian Crim, Christopher Holick — phone-only access. Covered by the caregiver/mobile rollout if we treat them the same, otherwise simpler F-SKU / Exchange-Online-only licensing.

**Caregivers** (39 rows including 2 "Reliable Agency" placeholders): covered by `docs/cloud/caregiver-m365-p2-rollout.md`, not this list.

## Decision still open (from Howard's 2026-04-16 email to leadership)

> "Do you want all staff restricted to signing in only from the building, or just certain roles/users (like front desk, kitchen, clinical)?"

No answer yet. This decision directly changes the license count and the CA policy design:

- If **all staff restricted to building-only** → every AD-synced user needs P2 and a matching CA policy. Larger spend.
- If **only some restricted** → P2 only for those users; cheaper, but requires ongoing judgment on who gets which policy.

## Intersection with other rollouts

- **Anti-impersonation protection** (`docs/cloud/m365-impersonation-protection.md`) — same top-tier users are the protected users there. Keep the lists in sync.
- **Business Premium upgrade** (`docs/proposals/m365-premium-upgrade.md`) — Business Premium bundles P2-equivalent CA features, so if we go Premium tenant-wide, standalone P2 purchases go away. Default recommendation: **bundle everything into Business Premium**, only buy standalone P2 if budget forces staying on Business Standard for some users.
- **Caregiver rollout** (`docs/cloud/caregiver-m365-p2-rollout.md`) — ~39 additional licenses. Combined target ~61 Premium licenses for the whole org.

## Rough license math (staff side only)

| Scenario | Qty | Notes |
|---|---|---|
| Office staff with Outside=Y (Office-PHI external-OK) | **18** | Includes Alma. Britney removed (departed). |
| + Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards) | **20** | Need CA coverage even in building-only posture |
| + Matt Brooks (dual-dept, ALIS=Y) | **21** | Per rollout plan §3 |
| All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65** | Plus Ramon Castaneda for office non-PHI = **66** total active identities |
| Agency caregivers (per-person, if/when names arrive) | +1 each | No accounts until Reliable Agency provides names — HIPAA §164.312(a)(2)(i) prohibits shared PHI-access logins |

## Action items

- [x] ~~Follow up with John Trozzi on the gathering — he owes us the list~~ (received 2026-04-22 via CSV)
- [ ] Push Meredith for the "restrict everyone or just some" decision — still unanswered as of 2026-04-22
- [x] ~~Britney phone+outside flags~~ (resolved 2026-04-22: departed)
- [x] ~~Alma R Montt title~~ (resolved 2026-04-22: Memory Care Life Enrichment, D+P/Y/Y)
- [x] ~~Agency shared-login username preference~~ (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins; per-person only)
- [ ] **Ederick Yuzon spelling** — only remaining question from the 2026-04-22 follow-up email
- [ ] Decide: standalone P2 add-on for the 19 OR move those users to Business Premium OR move whole tenant to Business Premium (default recommendation: Premium tenant-wide)
- [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy
- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026 — confirmed)

## Related docs

- `docs/cloud/m365.md`
- `docs/cloud/m365-impersonation-protection.md`
- `docs/cloud/caregiver-m365-p2-rollout.md`
- `docs/proposals/m365-premium-upgrade.md`
- `docs/security/hipaa.md`