# Caregiver M365 + Entra P2 Rollout Plan (Cascades of Tucson)

**Status:** Documentation only — do NOT create accounts or assign licenses yet.
**Created:** 2026-04-18 (Howard)
**Source:** `C:\Users\howar\OneDrive\Documents\Caregiver Scheduled shifts and phone #.xlsx` (as of 2026-04-17)

## Goal / why this matters

Cascades is deploying 25 shared Android phones plus 9 kitchen iPads to get caregivers off shared workstations and into their own authenticated sessions (ALIS EHR, Outlook, Edge). For that to actually improve HIPAA posture, every caregiver needs:

1. Their own identity (AD user + M365 mailbox), so actions are attributable to a person rather than to a shared "Caregiver" login.
2. **Entra P2** (more precisely, Entra ID P1 Conditional Access, which Business Premium bundles; P2 adds risk-based sign-in conditions and PIM that this plan does not use) so we can apply Conditional Access policies that restrict mobile email + ALIS access to:
   - managed (Intune-enrolled) shared phones, AND
   - the Cascades physical network / trusted location (IP ranges as a named location).
3. A policy block on personal-device access to Exchange + ALIS (HIPAA §164.312 access control).

Today none of these caregivers exist in AD or M365: they use shared workstation logins and have no email at all. That is the gap this rollout closes.

**Also noted (explicit call-out to add to the proposal):** the Business Premium proposal was never framed as "we're adding phones AND licenses to reach HIPAA compliance." The proposal currently lists 23 licensed users post-cleanup; with the caregiver roster included it is 60 (23 existing + 37 net-new caregivers; see the licensing plan below). The cost delta + HIPAA rationale should be surfaced in `docs/proposals/m365-premium-upgrade.md` before re-presenting to Meredith.

## Caregiver roster (39 listed, 38 active)

Location codes: **Tower** = assisted living tower, **MC** = Memory Care. Role flags: **CCG** = certified caregiver, **MedTech / MED TECH** = medication tech, **PRN** = as-needed/float, **NOC** = overnight.
### Tuesday–Saturday (14 active; #11 departed)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 1 | Thelma Abainza | thelma.abainza@ | AM | Tower | Caregiver | 520-867-2579 |
| 2 | Niel Castro | niel.castro@ | AM | Tower | MedTech / CCG | 520-697-4644 |
| 3 | Espe Esperance | espe.esperance@ | PM | Tower | MedTech | 520-788-9558 |
| 4 | Barbara Johnson | barbara.johnson@ | PM | Tower | Caregiver | 520-204-3449 |
| 5 | Kasey Flores | kasey.flores@ | AM | MC | Caregiver | 520-250-1451 |
| 6 | Richard Flores | richard.flores@ | AM | MC | Caregiver | 520-873-7727 |
| 7 | Marie Kastner | marie.kastner@ | PM | MC | Caregiver | 714-576-9858 |
| 8 | Bella Mendoza | bella.mendoza@ | PM | MC | Caregiver | 520-358-2000 |
| 9 | Rosa Morales | rosa.morales@ | PM | MC | MedTech | 312-213-8780 |
| 10 | Sandra Padilla | sandra.padilla@ | AM | Tower | MedTech / CCG | 520-585-3317 |
| 11 | ~~Polett Pinazavala~~ *(departed 2026-04-22)* | — | — | — | — | — |
| 12 | Whisper Reed | whisper.reed@ | Overnight | Tower | MedTech | 520-312-7575 |
| 13 | Patricia Sandoval-Beck | patricia.sandoval-beck@ | AM | Tower | MedTech | 520-343-8093 |
| 14 | Charity Sika | charity.sika@ | AM | MC | Caregiver | 623-251-8032 |
| 15 | Ederick Yuzon | ederick.yuzon@ | PM | Tower | Caregiver | 520-603-8816 |

### Sunday–Thursday (10)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 16 | Juan Andrade | juan.andrade@ | PM | MC | Caregiver | 520-528-4078 |
| 17 | Jahmeka Clarke | jahmeka.clarke@ | PM | MC | MedTech | 520-649-7034 |
| 18 | Karina Aziakpo | karina.aziakpo@ | Overnight | MC | MedTech / CCG | 520-392-6859 |
| 19 | Jinnelle Dittbenner | jinnelle.dittbenner@ | PM | Tower | Caregiver | 520-499-9996 |
| 20 | Christine Nyanzunda *(existing account; do not create)* | christine.nyanzunda@ | AM (Sun/Mon only) | MC | MedTech | 520-304-4251 |
| 21 | Agnes McFerren | agnes.mcferren@ | AM | Tower | Caregiver | 520-406-3063 |
| 22 | Samuel Ramirez | samuel.ramirez@ | PM | Tower | Caregiver | 520-488-5798 |
| 23 | Erica Sanchez | erica.sanchez@ | AM | MC | Caregiver | 520-528-3387 |
| 24 | Katrina Wyzykowski | katrina.wyzykowski@ | AM | MC | MedTech | 520-347-1448 |
| 25 | Corey Tate | corey.tate@ | NOC | Tower | Caregiver only (no MedTech) | 520-535-7821 |

### Friday–Monday / weekend (5)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 26 | Ashli Atwood | ashli.atwood@ | Overnight | MC | MedTech / CCG | 715-200-1295 |
| 27 | Cole Johnson | cole.johnson@ | PM | Tower | MedTech | 818-970-0890 |
| 28 | Roseline Cooper | roseline.cooper@ | Overnight | MC | Caregiver | 520-278-6817 |
| 29 | Monique Lopez | monique.lopez@ | Doubles (Fri & Sat) | Tower | Caregiver | 520-596-0969 |
| 30 | Gloria Williford | gloria.williford@ | Doubles (Fri & Sat 5:45a–10p) | MC | MedTech | 928-551-1682 |

### Thursday–Monday (3)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 31 | Sarah Carroll | sarah.carroll@ | PM | Tower | Caregiver | 520-409-2341 |
| 32 | Luke Hogan | luke.hogan@ | AM | Tower | Caregiver | 520-312-0141 |
| 33 | Gina Williams | gina.williams@ | AM | Tower | Caregiver | 520-612-5075 |

### Split / other patterns (3)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 34 | Jen Higdon | jen.higdon@ | Mon/Wed/Fri AM | Tower | Caregiver | 520-730-3548 |
| 35 | Mary Kariuki | mary.kariuki@ | Sat–Mon + Wed PM | Tower | Caregiver | 520-309-1247 |
| 36 | CeCe Lassey | cece.lassey@ | Sun/Mon doubles + Tue PM | Tower | Caregiver | 520-248-5982 |

### Sunday & Monday only (1)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 37 | Paty Doran *(legal name Patricia Camarena Doran; see below)* | patricia.doran@ | AM | Tower | MedTech / CCG | 520-591-7368 |

### PRN / float (2)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 38 | Ezekiel Huerta | ezekiel.huerta@ | PRN | Tower | Caregiver | 520-591-6113 |
| 39 | Maia Baker | maia.baker@ | PRN | MC | MedTech | TBD (not on shift list, only on Sheet2) |

All UPNs above use the `@cascadestucson.com` suffix (standard).

## Conflict / verify before creating

- **Christine Nyanzunda** — **Resolved 2026-04-22:** one person, one account. Existing `christine.nyanzunda@` mailbox covers both her MC Admin role and her part-time Sun/Mon MedTech shifts. Do not create a second account.
  - **SYNC WATCH-POINT (added 2026-05-14):** Verified this date: she has a cloud-only M365 account `christine.nyanzunda@cascadestucson.com` (`onPremisesSyncEnabled: null`, created 2023-10-26) and an existing AD account `Christine.Nyanzunda` that lives in a *departmental* OU (not `OU=Caregivers`). When caregiver AD accounts are created in `OU=Caregivers`, **do NOT create a `christine.nyanzunda` object there**. Once Entra Connect leaves staging, a duplicate inside the synced OU would soft-match her existing cloud account on UPN/SMTP and take it over as a synced object. Her existing account stays untouched by the `OU=Caregivers`-only caregiver sync. Deciding whether/how to move or sync her belongs to the office-staff (Phase 2) migration, NOT the caregiver phone rollout.
- **Paty Doran** — **Resolved 2026-04-22:** legal name `Patricia Camarena Doran`. Account will be `patricia.doran@`.
- **Polett Pinazavala** — **Resolved 2026-04-22 (John's reply): departed.** Removed from the active roster. No AD/M365 account exists, so nothing to disable.
- **Patricia Sandoval-Beck** — **Resolved 2026-04-22 (CSV inline note from Meredith):** hyphen is correct. The UPN can keep the hyphenated form, but the sAMAccountName (pre-Windows 2000 logon name) is limited to 20 characters: `Patricia.Sandoval-Beck` is 22 and `Patricia.SandovalBeck` is still 21, so a shorter sAMAccountName is needed regardless of whether ALIS/MDM accept hyphens. Pick it, and test the hyphenated UPN against ALIS/MDM, during Wave 3.
- **Ederick Yuzon** — **Still pending:** spelling asked in 2026-04-22 email.
- **Maia Baker** — **Resolved 2026-04-22 (CSV inline note):** part-time, still employed.
- **Reliable Agency caregivers** — **Final decision 2026-04-22 (post-HIPAA review): NO shared logins.** Originally planned `reliable1@` / `reliable2@`; dropped because shared log-on IDs for PHI access violate 45 CFR §164.312(a)(2)(i) (Unique User Identification, a Required specification with no compensating-control exception). Per-person accounts only, created when Reliable Agency supplies individual names. Rationale in `docs/security/hipaa-review-2026-04-22.md`.

## Licensing plan (when ready — NOT now)

**Current licensing (per `docs/cloud/m365.md`):**

- Business Standard: 34 purchased, all assigned (need to free seats via shared-mailbox conversion first)
- Entra P2: 1 unassigned (was Sandra Fish)

**Target for caregiver rollout:**

| License | Who gets it | Qty | Rationale |
|---|---|---|---|
| M365 Business Premium (replaces Standard) | All 23 existing licensed staff + 37 net-new caregivers (39 on the roster, minus Polett Pinazavala who departed and Christine Nyanzunda who is already counted in existing staff) | **60** | Includes Intune (the corporate enrollment the shared phones need), Defender for Business, Purview DLP, and Entra ID P1, which is the Conditional Access tier the policies below require. This is the SKU the proposal already describes |
| Entra ID P1 or P2 (standalone, ONLY if we stay on Business Standard) | Same 60 | 60 | Only needed if we do NOT upgrade to Business Premium. P1 covers the device-compliance and named-location conditions in this plan; P2 adds only risk-based sign-in conditions and PIM, which this plan does not use. Premium already bundles P1; avoid double-paying |

**Recommended:** upgrade everyone to Business Premium and **don't** buy standalone P1/P2. The standalone row is listed only as the fallback if budget forces staying on Standard.
### Quick cost math (order-of-magnitude, double-check in proposal)

| Scenario | Licenses | Rate (monthly) | Monthly total |
|---|---|---|---|
| Today (actual) | 34 × Standard | $12.50 | $425 |
| After shared-mailbox cleanup (no caregivers) | 23 × Premium | $22.00 | $506 |
| After caregiver rollout (this doc) | 60 × Premium | $22.00 | **$1,320** |
| Delta vs today | +$895/mo | | |

(The 2026-04 draft of this table used 61 seats / $1,342. Recounted against the roster: 38 active after Polett Pinazavala's departure, minus Christine Nyanzunda who is already licensed, gives 37 net-new.) That is a meaningful jump and needs to be in the proposal conversation with Meredith explicitly; it was missing from the 2026-04-14 version.

## Conditional Access policy plan (rough)

When licenses are in place and accounts exist:

1. **Named Location** in Entra = Cascades public IP(s) from pfSense WAN + VPN exit IP, marked as trusted. Name it `CascadesTrustedLocation`. Keep it to Cascades' own egress addresses; never add an ISP-wide block.
2. **Compliant device** definition in Intune = corporate-enrolled Android (the 25 shared phones) + corporate-enrolled iPads (the 9 kitchen iPads), each with a compliance policy assigned. Two caveats:
   - "Require compliant device" is evaluated from Intune compliance state. The phones must either be enrolled in Intune or reported through an Intune device-compliance-partner integration; `docs/security/mdm.md` currently has ManageEngine as the MDM and Intune Shared Device Mode as future, so this dependency has to be settled before the policy can grant anything.
   - Domain-joined Windows PCs are not "compliant" unless they are also Intune-enrolled. They satisfy CA through the separate "require Microsoft Entra hybrid joined device" grant, which needs hybrid join configured in Entra Connect.
3. **CA Policy: Caregivers - Block Exchange/ALIS off-network**
   - Assignment: Entra group `SG-Caregivers` (populated from the AD group once accounts exist); exclude `SG-CA-BreakGlass`
   - Cloud apps: Exchange Online, `ALIS` (once registered as an Entra app). Outlook Mobile is a client of Exchange Online, not a separate resource, so the Exchange Online target covers it
   - Client apps: all (browser and mobile/desktop clients alike)
   - Conditions: Locations = any location, **excluding** `CascadesTrustedLocation`
   - Grant: Block
   - In Conditional Access, location is a condition, not a grant control, so "require the trusted location" can only be written this way. CA also has no implicit "block everything else"; this policy is the explicit block that keeps personal phones off-network out, for browser and mobile clients alike.
4. **CA Policy: Caregivers - Require compliant device**
   - Same assignment and cloud apps
   - Conditions: Device platforms = all, excluding Windows (Windows PCs get a separate hybrid-join policy); Locations = any
   - Grant: Require compliant device
   - Combined with policy 3 the effect is "managed device AND on the Cascades network": a managed phone off-site is blocked by 3, a personal phone on-site is blocked by 4. Using "all platforms except Windows" rather than "Android, iOS" means an unrecognised platform fails closed instead of falling outside the policy.
5. **Exclusion group** `SG-CA-BreakGlass` for Meredith + sysadmin so we can't lock ourselves out. Preferably this holds dedicated cloud-only emergency-access accounts rather than their day-to-day accounts; otherwise the exclusion also exempts routine admin sign-ins from every policy above.

CA policies should be deployed in **Report-only** mode for at least 7 days, reviewed against the Sign-in logs (the Report-only tab on each sign-in shows what the policy would have done) to confirm no caregiver on a managed phone on-site would have been blocked, then switched to On.

## AD placement (when accounts are created)

**All caregiver accounts go in `OU=Caregivers,OU=Departments,DC=cascades,DC=local`**: this is the OU in the Entra Connect sync scope (confirmed 2026-05-14).
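The two deliberate per-caregiver steps in this section (create the object in `OU=Caregivers`, then add it to `SG-Caregivers` and the role groups) as an added dry-run example; this is not code from the original plan. It assumes the RSAT `ActiveDirectory` module on a domain-joined admin host, the OU, groups and UPN suffix named in this doc, and a constructed four-row sample of the roster. With `$DryRun = $true` it only reads AD and reports what it would do, which is the mode to keep while the status line at the top of this doc says "do NOT create accounts". The pre-flight enforces the 20-character sAMAccountName limit (it flags `patricia.sandoval-beck`, which is 22) and searches the whole domain for an existing UPN or sAMAccountName, which is the check that finds Christine Nyanzunda's departmental-OU object before a duplicate lands in the synced OU.

```powershell
# Added example, not from the original plan. Assumes RSAT ActiveDirectory on a
# domain-joined host. $DryRun = $true reports only; nothing is created or changed.
Import-Module ActiveDirectory

$DryRun    = $true
$UpnSuffix = 'cascadestucson.com'
$TargetOu  = 'OU=Caregivers,OU=Departments,DC=cascades,DC=local'
$SamMaxLen = 20   # pre-Windows 2000 logon name limit for user objects

# Constructed sample of the roster table (a few rows, not the full list).
$Roster = @(
    [pscustomobject]@{ Given = 'Thelma';    Surname = 'Abainza';       Upn = 'thelma.abainza';         MedTech = $false; CCG = $false }
    [pscustomobject]@{ Given = 'Niel';      Surname = 'Castro';        Upn = 'niel.castro';            MedTech = $true;  CCG = $true  }
    [pscustomobject]@{ Given = 'Patricia';  Surname = 'Sandoval-Beck'; Upn = 'patricia.sandoval-beck'; MedTech = $true;  CCG = $false }
    [pscustomobject]@{ Given = 'Christine'; Surname = 'Nyanzunda';     Upn = 'christine.nyanzunda';    MedTech = $true;  CCG = $false }
)

function Test-CaregiverPreflight {
    param([Parameter(Mandatory)] $Row)
    $sam = $Row.Upn
    $upn = "$sam@$UpnSuffix"
    $problems = @()

    if ($sam.Length -gt $SamMaxLen) {
        $problems += "sAMAccountName '$sam' is $($sam.Length) chars, over the $SamMaxLen limit"
    }
    if ($sam -notmatch '^[a-z0-9.-]+$') {
        $problems += "sAMAccountName '$sam' has characters outside [a-z0-9.-]"
    }
    # Search the whole domain, not just $TargetOu, for a UPN or sAMAccountName
    # match. This finds an account already living in a departmental OU, which
    # must not be duplicated inside the synced OU.
    $existing = Get-ADUser -LDAPFilter "(|(userPrincipalName=$upn)(sAMAccountName=$sam))"
    if ($existing) {
        $problems += "object already exists at $($existing.DistinguishedName); do not create another"
    }
    [pscustomobject]@{ Upn = $upn; Sam = $sam; Problems = $problems }
}

function Invoke-CaregiverRollout {
    param([Parameter(Mandatory)] $Rows, [bool] $WhatIfMode = $true)
    foreach ($row in $Rows) {
        $check = Test-CaregiverPreflight -Row $row
        if ($check.Problems.Count -gt 0) {
            Write-Warning "SKIP $($check.Upn): $($check.Problems -join '; ')"
            continue
        }

        # Group membership is a separate, deliberate decision per person, not an OU mirror.
        $groups = @('SG-Caregivers')
        if ($row.MedTech) { $groups += 'SG-MedTech' }
        if ($row.CCG)     { $groups += 'SG-CCG' }

        if ($WhatIfMode) {
            Write-Host "PLAN  $($check.Upn) -> $TargetOu ; groups: $($groups -join ', ')"
            continue
        }

        # Step 1: create in OU=Caregivers. The OU is what puts the object in sync scope.
        # No password is set, so the account is created disabled; enable it when the
        # caregiver is onboarded to a phone.
        $display = "$($row.Given) $($row.Surname)"
        New-ADUser -Name $display -DisplayName $display `
            -GivenName $row.Given -Surname $row.Surname `
            -SamAccountName $check.Sam -UserPrincipalName $check.Upn `
            -Path $TargetOu -Enabled $false

        # Step 2: scope Conditional Access (and ALIS tiers) through group membership.
        foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $check.Sam }
    }
}

Invoke-CaregiverRollout -Rows $Roster -WhatIfMode $DryRun
```

Run it with `$DryRun = $true` first: the pre-flight only reads the directory, and the `SKIP` warnings are the list of roster rows that need a decision (a shorter sAMAccountName, or "already exists") before anything is created. Flip `$DryRun` only after the status line at the top of this doc changes.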
Do NOT place caregivers in `OU=Care-Assisted Living` / `OU=Care-Memorycare`. Those hold office/clinical staff and are NOT in the sync scope; a caregiver placed there either never syncs, or forces the scope to be widened and drags office staff into the cloud with them. If Tower vs MC organization is wanted, use sub-OUs *under* `OU=Caregivers` (e.g. `OU=Tower,OU=Caregivers`); the sync scope includes everything beneath `OU=Caregivers`.

**Two separate, deliberate steps per caregiver:**

1. Create the account in `OU=Caregivers`. The OU controls whether it syncs to the cloud.
2. Add the account to `SG-Caregivers`. Group membership controls whether the Conditional Access policies apply. This is a deliberate decision made at creation time; an OU->group auto-mirror was considered and explicitly declined 2026-05-14.
   - MedTech-flagged staff: also deliberately add to `SG-MedTech` (controls ALIS licensing tier) once that group exists.
   - CCG-flagged staff: also deliberately add to `SG-CCG` (higher-privilege ALIS rights, if any) once that group exists.

Group-policy impact: the `CSC - Folder Redirection (LE)` work done for Life Enrichment does NOT apply here. The Care-Assisted Living GPO pattern needs to be cloned from the finalized LE GPO once that is proven on Susan Hicks' machine (DESKTOP-ROK7VNM).

## Open items / decisions needed from client

- [x] ~~Confirm Christine Nyanzunda is one person, not two~~ (resolved 2026-04-22: one person, one account)
- [x] ~~HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Maia Baker~~ (all resolved 2026-04-22)
- [ ] **Ederick Yuzon first-name spelling**: asked in 2026-04-22 email, still outstanding
- [ ] **Christine Nyanzunda, Phase 2 handling (added 2026-05-14):** exclude her from caregiver AD account creation (she already has accounts). Her existing cloud-only M365 account must be moved/synced as part of the office-staff migration, not the caregiver rollout. See the SYNC WATCH-POINT under "Conflict / verify before creating" above.
- [x] ~~Reliable Agency shared-login short usernames~~ (SUPERSEDED 2026-04-22 by HIPAA review: no shared logins, per-person only)
- [ ] **Reliable Agency contract review**: confirm whether the staffing contract puts agency caregivers under Cascades' direct clinical control (workforce members) or under agency supervision (business associate). Get individual caregiver names before any PHI access either way.
- [ ] Will caregivers use ALIS on the shared phones (needs ALIS accounts + Entra SSO, and ALIS registered as an Entra app so Conditional Access can target it) or only email?
- [ ] Does Cascades want to purchase the 37 additional Business Premium licenses up-front (38 active on the roster minus Christine Nyanzunda, who is already licensed), or roll out in waves (e.g., MedTechs first, then CCGs, then Caregivers)?
- [ ] Confirm the pfSense WAN IP(s) are static: a CA Named Location built on an address that changes becomes a site-wide lockout until someone updates it
- [ ] Timeline expectations: tying this to the phone deployment, the MDM rollout (7-phase plan in `docs/security/mdm.md`), and the Business Premium purchase

## Related docs

- Proposal: `docs/proposals/m365-premium-upgrade.md` (currently sized for 23 users; needs updating)
- MDM plan: `docs/security/mdm.md` (25 phones + 9 iPads, ManageEngine; Intune Shared Device Mode is flagged as future)
- M365 current state: `docs/cloud/m365.md`
- AD roster: `docs/servers/active-directory.md`
- HIPAA program: `docs/security/hipaa.md`
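The Conditional Access plan in this doc (named location, the off-network block, the compliant-device grant, break-glass exclusion, report-only state) as an added Microsoft Graph PowerShell example; it is not the project's own code. It assumes the `Microsoft.Graph.Identity.SignIns` and `Microsoft.Graph.Groups` modules, that `SG-Caregivers` and `SG-CA-BreakGlass` already exist in Entra, a placeholder egress address (`203.0.113.10/32`, from the documentation range, standing in for the pfSense WAN IP) and `$AlisAppId` as a hypothetical value that stays unset until ALIS is registered. It also shows the point made in the plan: location is a condition, so "trusted network only" is a block policy with the named location excluded, and the device requirement is a second policy.

```powershell
# Added example, not the project's code. Creates CascadesTrustedLocation and the
# two caregiver CA policies from the plan, both in report-only mode.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Placeholders. 203.0.113.0/24 is a documentation range; replace with the pfSense WAN
# and VPN egress addresses. $AlisAppId is hypothetical: set it to the ALIS app's
# application (client) ID once ALIS is registered in Entra, and leave $null until then.
$TrustedCidrs   = @('203.0.113.10/32')
$ExchangeOnline = '00000002-0000-0ff1-ce00-000000000000'   # Exchange Online resource app ID
$AlisAppId      = $null

$Caregivers = Get-MgGroup -Filter "displayName eq 'SG-Caregivers'"
$BreakGlass = Get-MgGroup -Filter "displayName eq 'SG-CA-BreakGlass'"

# 1. Named location. isTrusted marks it as a trusted location tenant-wide (it also
#    feeds Identity Protection risk scoring), so keep it to Cascades' own egress IPs.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'CascadesTrustedLocation'
    isTrusted     = $true
    ipRanges      = @($TrustedCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Resource apps to protect. Outlook Mobile is a client of Exchange Online, so
# targeting Exchange Online covers it; ALIS is added only once it has an app ID.
$apps = @($ExchangeOnline)
if ($AlisAppId) { $apps += $AlisAppId }

# Shared scope for both policies. The break-glass group is excluded from both.
$scope = @{
    users          = @{ includeGroups = @($Caregivers.Id); excludeGroups = @($BreakGlass.Id) }
    applications   = @{ includeApplications = $apps }
    clientAppTypes = @('all')   # browser and mobile/desktop clients alike
}

# 2. Location is a CONDITION, not a grant control, so "only from the trusted
#    network" is a block for every location except the trusted one. CA has no
#    implicit "else"; this is the policy that keeps personal phones off-network out.
$blockOffNet = $scope.Clone()
$blockOffNet.locations = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Caregivers - Block Exchange/ALIS off-network'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = $blockOffNet
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Device grant. Platforms = all except Windows (domain-joined PCs get a separate
#    hybrid-join policy) rather than "android, iOS", so an unrecognised platform
#    fails closed instead of falling outside the policy.
$requireManaged = $scope.Clone()
$requireManaged.platforms = @{ includePlatforms = @('all'); excludePlatforms = @('windows') }
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Caregivers - Require compliant (Intune) device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $requireManaged
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
```

Both policies land in report-only state, so the 7-day review happens in the Sign-in logs before anything is enforced. The Windows counterpart mentioned in the plan is the same shape as policy 3 with `includePlatforms = @('windows')` and `builtInControls = @('domainJoinedDevice')`, and it only works once hybrid join is configured in Entra Connect.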