# Microsoft 365

## Tenant Info

- Tenant Name: cascadestucson.com
- Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
- Primary Domain: cascadestucson.com
- onmicrosoft Domain: NETORGFT4257522.onmicrosoft.com
- Admin Portal URL: https://admin.microsoft.com
- Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish, previous director; removed 2026-04-14: Global Admin revoked, sign-in blocked, P2 license removed)
- DirSync / Entra Connect: **Not configured** (all accounts cloud-only). **PLANNED: install Entra Connect for SSO**
- HIPAA BAA: **Not signed / not documented**. Required, since email may contain PHI
- MFA: **Not enabled**. Security Defaults not configured and no Conditional Access policies exist; this includes the Global Admin account, which is therefore password-only

## Licensing

| License Type | Total | Assigned | Available |
|---|---|---|---|
| Microsoft 365 Business Standard | 34 | 34 | 0 |
| Microsoft Entra ID P2 | 1 | 0 | 1 (unassigned; was Sandra Fish, available for testing) |
| Microsoft Power Automate Free | 10000 | 2 | 9998 |
| Microsoft Stream Trial | 1000000 | 0 | 1000000 |
| Exchange Online Essentials | — | 4 | — |

**Note:** Business Standard is fully allocated (34/34, 0 available). Any new hire requires purchasing an additional license until the cleanup below frees some.

### Planned expansion: caregiver rollout (not yet purchased)

Separate from the current 34 users, there are **~39 caregivers / med techs / CCGs** with no current AD or M365 account who need identities plus Conditional Access for the shared-phone + HIPAA story to actually work. Full roster, proposed UPNs, license math, and CA policy design are in `docs/cloud/caregiver-m365-p2-rollout.md`. Rough target: 61 total Business Premium licenses (23 existing staff post-cleanup + 38 net-new caregivers; Christine Nyanzunda overlaps and stays at one account). Conditional Access requires Entra ID P1, which Business Premium includes and Business Standard does not, so the CA design cannot be piloted on the current licenses beyond the one spare P2 seat (a single test user).

**Do not create any of these accounts yet.** Documentation and proposal update first.
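As an added example (not part of this runbook or the MSP's tooling), the following Microsoft Graph PowerShell script reads back the facts the Tenant Info block above tracks by hand: whether Security Defaults or any Conditional Access policy is enforcing MFA, who currently holds Global Administrator, and which accounts are guests, sign-in blocked, or enabled but unlicensed. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the read-only scopes; nothing in it writes to the tenant.

```powershell
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

# Read-only scopes: nothing here changes the tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'User.Read.All' -NoWelcome

function Get-TenantAuthPosture {
    # Security Defaults and Conditional Access are mutually exclusive; a tenant has
    # one, the other, or (as documented above) neither.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $ca = @(Get-MgIdentityConditionalAccessPolicy -All)
    $enabledCa = @($ca | Where-Object State -eq 'enabled')
    [pscustomobject]@{
        SecurityDefaultsEnabled   = [bool]$sd.IsEnabled
        ConditionalAccessPolicies = @($ca | Select-Object DisplayName, State)
        TenantWideMfaEnforced     = ([bool]$sd.IsEnabled) -or ($enabledCa.Count -gt 0)
    }
}

function Get-GlobalAdminMembers {
    # Get-MgDirectoryRole returns only activated roles; Global Administrator always is.
    # Members come back as generic directory objects, so the useful fields live in
    # AdditionalProperties.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            DisplayName       = $_.AdditionalProperties['displayName']
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
            ObjectType        = $_.AdditionalProperties['@odata.type']   # user, group or servicePrincipal
            Id                = $_.Id
        }
    }
}

function Get-AccountInventory {
    $users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, UserType, AccountEnabled, AssignedLicenses, OnPremisesSyncEnabled
    [pscustomobject]@{
        Guests         = @($users | Where-Object UserType -eq 'Guest' | Select-Object DisplayName, UserPrincipalName)
        BlockedMembers = @($users | Where-Object { $_.UserType -eq 'Member' -and -not $_.AccountEnabled } |
                           Select-Object -ExpandProperty UserPrincipalName)
        # Enabled but unlicensed members are either role-based mailboxes already converted to
        # shared, or orphans. Both should be sign-in blocked, so list them for review.
        EnabledUnlicensed = @($users | Where-Object { $_.UserType -eq 'Member' -and $_.AccountEnabled -and $_.AssignedLicenses.Count -eq 0 } |
                              Select-Object -ExpandProperty UserPrincipalName)
        SyncedFromAD   = @($users | Where-Object OnPremisesSyncEnabled).Count   # expect 0 until Entra Connect is installed
    }
}

Get-TenantAuthPosture  | Format-List
Get-GlobalAdminMembers | Format-Table -AutoSize
Get-AccountInventory   | Format-List
```

Run it before and after each cleanup date in this document; the `EnabledUnlicensed` list is the one to watch, because a converted role mailbox whose user object was never sign-in blocked is still a password-only login once MFA enforcement starts.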
### Staff-side P2 / anti-impersonation tracking

These are in-flight and feed the same Business Premium purchase decision:

- `docs/cloud/p2-staff-candidates.md`: office staff who need P2 for PHI-in-email or home-access scenarios (Crystal confirmed Megan/Crystal/Tamra; John Trozzi gathering the rest)
- `docs/cloud/m365-impersonation-protection.md`: Defender anti-impersonation trusted partners + protected users (Megan's partner list captured; awaiting John's additions)

## AD ↔ M365 Account Mapping

### Matched Accounts (AD user → M365 mailbox)

| AD SamAccountName | M365 UPN | License | Notes |
|---|---|---|---|
| *(formerly AD `howard`)* | dax.howard@cascadestucson.com | Business Standard | **Corrected 2026-04-22:** the AD `howard` account was NOT Dax Howard. It was an orphan MSP-created account (display "howard", description "Home Offie" [sic]) that was mistakenly mapped to Dax Howard's mailbox. AD account deleted 2026-04-22 (recoverable from the AD Recycle Bin for 180 days; ObjectGUID 2050d21f-7649-4033-b1fd-83cfc286b056). Dax Howard's M365 account has no AD counterpart and is cloud-only. The `cara.lespron@` alias is left over from former employee Cara Lespron, whose mailbox was repurposed for Dax Howard; strip this alias unless Dax confirms he still uses it (while it exists, mail addressed to a former employee lands in Dax's inbox). |
| sysadmin | sysadmin@cascadestucson.com | Power Automate Free | Display: "Computer Guru Support"; no mailbox license |
| Meredith.Kuhn | meredith.kuhn@cascadestucson.com | Business Standard | |
| John.Trozzi | john.trozzi@cascadestucson.com | Business Standard | |
| Lupe.Sanchez | lupe.sanchez@cascadestucson.com | Business Standard | AD also has `Guadalupe.Sanchez` (see next table); confirm whether these are two AD accounts for one person and keep only the one that will sync |
| Megan.Hiatt | megan.hiatt@cascadestucson.com | Business Standard | |
| Crystal.Rodriguez | crystal.rodriguez@cascadestucson.com | Business Standard | Alias: crystal.suszek@ |
| Tamra.Johnson | tamra.matthews@cascadestucson.com | Business Standard | **Rename AD to Tamra.Matthews**; M365 already correct. Alias: tamra.johnson@ still works |
| Lois.Lane | lois.lane@cascadestucson.com | Business Standard | |
| Christina.DuPras | christina.dupras@cascadestucson.com | Business Standard | |
| Christine.Nyanzunda | christine.nyanzunda@cascadestucson.com | Business Standard | M365 last name: "Nyanzuda" (typo; AD has Nyanzunda) |
| Susan.Hicks | susan.hicks@cascadestucson.com | Business Standard | |
| Ashley.Jensen | ashley.jensen@cascadestucson.com | Business Standard + Power Automate Free | Alias: ashley.jenson@ |
| Veronica.Feller | veronica.feller@cascadestucson.com | Business Standard | |
| JD.Martin | jd.martin@cascadestucson.com | Business Standard | |
| alyssa.brooks | alyssa.brooks@cascadestucson.com | Business Standard | |
| Matt.Brooks | matthew.brooks@cascadestucson.com | Business Standard | AD: Matt, M365: Matthew |
| Ramon.Castaneda | ramon.castaneda@cascadestucson.com | Business Standard | Aliases: ramon.castanada@, ramon.casteneda@ (typos kept as aliases) |
| Sharon.Edwards | sharon.edwards@cascadestucson.com | Business Standard | |
| britney.thompson | Britney.Thompson@cascadestucson.com | Business Standard + Exchange Online Essentials | |
| ann.dery | ann.dery@cascadestucson.com | Business Standard | |
| strozzi (Shelby Trozzi) | Shelby.Trozzi@cascadestucson.com | Business Standard + Exchange Online Essentials | AD username doesn't match M365 format |
| karen.rossini | karen.rossini@cascadestucson.com | Business Standard | |
| lauren.hasselman | lauren.hasselman@cascadestucson.com | Business Standard | Created 2026-02-26 (recent hire, replaced Jeff Bristol) |
| Allison.Reibschied | Allison.Reibschied@cascadestucson.com | Business Standard | Accounting Assistant (new hire 2026-03) |

### AD Accounts with NO M365 Match

| AD SamAccountName | Type | Action Needed |
|---|---|---|
| Administrator | Built-in | None needed |
| localadmin | Admin | None needed |
| Sebastian.Leon | User | Front Desk/Courtesy Patrol; needs M365 account if they use email |
| Michelle.Shestko | User | MC Front Desk; keep as Shestko. Needs M365 account if they use email |
| Alyssa.Shestko (now Alyssa Brooks) | User | **Rename to Alyssa.Brooks in AD.** This is the real account. M365 is already alyssa.brooks@. The duplicate lowercase `alyssa.brooks` in CN=Users is to be deleted. |
| Guadalupe.Sanchez | User | Housekeeping; already has M365 as lupe.sanchez@cascadestucson.com (see Lupe.Sanchez in the matched table) |
| Sheldon.Gardfrey | User | Front Desk/Courtesy Patrol; needs M365 if they use email |
| Cathy.Kingston | User | Front Desk/Courtesy Patrol; needs M365 if they use email |
| Shontiel.Nunn | User | Transferring soon; keep for now |
| Ray.Rai | User | Front Desk/Courtesy Patrol; needs M365 if they use email |
| Richard.Adams | User | Transportation; needs M365 if they use email |
| Julian.Crim | User | Transportation; needs M365 if they use email |
| Christopher.Holik | User | Transportation; needs M365 if they use email |
| QBDataServiceUser34 | Service | None needed |
| Culinary | Shared/Generic | None needed (AD shared account) |
| Receptionist | Shared/Generic | Maps to frontdesk@cascadestucson.com? |
| saleshare | Shared/Generic | None needed |
| directoryshare | Shared/Generic | None needed |

### M365 Accounts with NO AD Match

#### Real users (need AD accounts created or are new hires)

| M365 Display Name | UPN | License | Notes |
|---|---|---|---|
| Kristiana Dowse | kristiana.dowse@cascadestucson.com | Business Standard | **DELETE**: HR confirmed not a current employee. Remove license + delete account |
| nick pavloff | nick.pavloff@cascadestucson.com | Business Standard | Created 2026-03-07, **new hire**, needs AD account |

#### Role-Based Accounts: Convert to Shared Mailboxes (saves ~$125/mo)

All of these are currently licensed user accounts. Convert to **shared mailboxes** (free) and remove licenses. Then assign members from AD-synced accounts.

Order and caveats: convert first, then remove the license (an unlicensed user mailbox is deleted after the grace period, a converted shared mailbox is not). A shared mailbox is free only while it stays under 50 GB with no archive. The user object behind each shared mailbox remains in Entra; block its sign-in so it cannot be used as a password-only login once MFA is enforced.
| M365 Display Name | UPN | Current License | Action | Members (after conversion) |
|---|---|---|---|---|
| Accounting Dept. | accounting@cascadestucson.com | Business Standard | Convert to shared | Ashley.Jensen, lauren.hasselman |
| Accounting Assistant | accountingassistant@cascadestucson.com | Business Standard | Convert to shared | Allison.Reibschied |
| Bookkeeping Office | boadmin@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Front Desk | frontdesk@cascadestucson.com | Business Standard | Convert to shared | Cathy.Kingston, Shontiel.Nunn, Kyla.QuickTiffany, Sebastian.Leon, Sheldon.Gardfrey, Ray.Rai |
| Human Resources | hr@cascadestucson.com | Business Standard | Convert to shared | Meredith.Kuhn |
| MemCare Receptionist | memcarereceptionist@cascadestucson.com | Business Standard | Convert to shared | Michelle.Shestko, Matt.Brooks |
| Security Cascades | security@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Training | Training@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Nurse | nurse@cascadestucson.com | Exchange Online Essentials | Convert to shared | Lois.Lane, Karen.Rossini, britney.thompson |
| medtech | medtech@cascadestucson.com | Exchange Online Essentials | Convert to shared | TBD |
| transportation | transportation@cascadestucson.com | Exchange Online Essentials | Convert to shared | Richard.Adams, Julian.Crim, Christopher.Holick |
| AppleID | Kitchenipad@cascadestucson.com | Unlicensed | Keep as-is | Device account. Alias: ipad@ |

Most members listed for frontdesk@, memcarereceptionist@ and transportation@ are AD-only today; their mailbox permissions can only be granted after Entra Connect has synced them.

#### Courtesy Patrol Shared Mailbox (NEW)

- Create: **courtesypatrol@cascadestucson.com** as a shared mailbox
- Members: Sebastian.Leon, Sheldon.Gardfrey

### License Plan After Cleanup

#### Full Business Standard License (own mailbox + Office apps)

Staff with `first.last@cascadestucson.com` personal mailboxes:

| Employee | UPN |
|---|---|
| Dax Howard | dax.howard@ |
| Meredith Kuhn | meredith.kuhn@ |
| John Trozzi | john.trozzi@ |
| Megan Hiatt | megan.hiatt@ |
| Crystal Rodriguez | crystal.rodriguez@ |
| Tamra Matthews | tamra.matthews@ |
| Lois Lane | lois.lane@ |
| Christina DuPras | christina.dupras@ |
| Christine Nyanzunda | christine.nyanzunda@ |
| Susan Hicks | susan.hicks@ |
| Ashley Jensen | ashley.jensen@ |
| Veronica Feller | veronica.feller@ |
| JD Martin | jd.martin@ |
| Alyssa Brooks | alyssa.brooks@ |
| Matt Brooks | matthew.brooks@ |
| Ramon Castaneda | ramon.castaneda@ |
| Sharon Edwards | sharon.edwards@ |
| Britney Thompson | britney.thompson@ |
| Shelby Trozzi | shelby.trozzi@ |
| Karen Rossini | karen.rossini@ |
| Guadalupe Sanchez | lupe.sanchez@ |
| Lauren Hasselman | lauren.hasselman@ |
| Allison Reibschied | allison.reibschied@ |

**Total: 23 licenses**

nick pavloff (new hire, see "M365 Accounts with NO AD Match") is not in this list; if he stays, the count is 24. ann.dery is excluded because that account is on the disable/delete list in the Entra Connect prerequisites below.

#### No License: Shared Mailbox Access Only (browser via SSO)

AD account + Entra sync, no M365 license. Access shared mailboxes via outlook.office.com.

Verify this before the purchase: Microsoft's shared-mailbox licensing requires the user opening a shared mailbox to hold an Exchange Online license, and outlook.office.com will not open for an account that has no mailbox of its own. Test with one synced, unlicensed user before relying on the 0-license figure; if it fails, the fallback is the cheapest Exchange Online plan (Kiosk) per user, which still avoids a Business Standard seat.

| Employee | Position | Shared Mailbox Access |
|---|---|---|
| Sebastian Leon | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Sheldon Gardfrey | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Cathy Kingston | Receptionist | Frontdesk@ |
| Shontiel Nunn | Receptionist | Frontdesk@ |
| Kyla Quick Tiffany | Receptionist | Frontdesk@ |
| Ray Rai | Courtesy Patrol | Frontdesk@ |
| Richard Adams | Driver | Transportation@ |
| Julian Crim | Driver | Transportation@ |
| Christopher Holick | Driver | Transportation@ |
| Michelle Shestko | MC Receptionist | Memcarereceptionist@ |

**Total: 10 users, 0 licenses** (subject to the licensing check above)

#### License Savings

- Current: 34 Business Standard (all allocated)
- After cleanup: 23 Business Standard needed
- **11 licenses freed** (~$137.50/month at $12.50 per license)

#### External guest accounts

| Display Name | Source | Notes |
|---|---|---|
| a.r.jensen018 | a.r.jensen018@gmail.com | Ashley Jensen's personal? |
| Debora Morris | deboram@teepasnow.com | External partner |
| duprasc2002 | duprasc2002@yahoo.com | Christina DuPras personal? Created 2026-03-04 |
| ~~howaed~~ | ~~howaed@azcomputerguru.com~~ | Typo of howard; already deleted (not present in tenant as of 2026-04-22) |
| ~~howard~~ | ~~howard@azcomputerguru.com~~ | **DELETED 2026-04-22**: external guest for Howard Enos (MSP). Removed per Howard's decision; MSP admin access preserved via `sysadmin@cascadestucson.com` (has Global Admin). |
| karenrossini7 | karenrossini7@gmail.com | Karen Rossini's personal? |

Personal Gmail/Yahoo guests (three of the four remaining) are outside every control in this document; confirm with each staff member why the guest exists and remove it if it was only used to forward mail, since PHI forwarded to a personal mailbox is outside the BAA.

#### Blocked / former employee accounts in M365

| Display Name | UPN | Sign-in Blocked | Notes |
|---|---|---|---|
| ~~Jeff Bristol~~ | ~~jeff.bristol@cascadestucson.com~~ | ~~Yes~~ | **DELETED 2026-04-22**, orphan cleanup. Soft-delete recoverable 30 days (id `8ec8248a-46e8-4771-9220-047887928777`). |
| ~~Nela Durut-Azizi~~ | ~~nela.durut-azizi@cascadestucson.com~~ | ~~Yes~~ | **DELETED 2026-04-22**, orphan cleanup. Soft-delete recoverable 30 days (id `84cef8a2-6988-44ea-bf20-a72fe622750d`). |
| Stephanie Devin | Stephanie.Devin@cascadestucson.com | Yes | Former? Unlicensed, blocked. Ask Meredith before deleting. |

#### Tenant admin

| Display Name | UPN | License | Notes |
|---|---|---|---|
| ~~cascadestucson.com (Sandra Fish)~~ | ~~admin@NETORGFT4257522.onmicrosoft.com~~ | — | **Confirmed absent 2026-04-22**: already deleted at some point after the 2026-04-14 removal noted under Tenant Info. No further action. |

## Shared Mailboxes

| Name | Email | Notes |
|---|---|---|
| ~~Anna Pitzlin~~ | ~~anna.pitzlin@cascadestucson.com~~ | **DELETED 2026-04-22**, orphan cleanup. Soft-delete recoverable 30 days (id `06aa2955-f124-447d-8a16-cc7779aaf28f`). |
| Fax Cascades | fax@cascadestucson.com | Fax-to-email service |
| ~~Jeff Bristol~~ | ~~jeff.bristol@cascadestucson.com~~ | (see Blocked section; deleted 2026-04-22) |
| ~~Nela Durut-Azizi~~ | ~~nela.durut-azizi@cascadestucson.com~~ | (see Blocked section; deleted 2026-04-22) |

## Exchange Online

- Mail Domain(s): cascadestucson.com
- MX Record Points To: TBD (check DNS)
- SPF Record: TBD
- DKIM Enabled: TBD
- DMARC Policy: TBD
- Distribution Groups: TBD (6 groups shown in tenant summary)
- Mail Flow Rules: TBD

Fill the DNS items in before the anti-impersonation work lands: with no DKIM signing and no DMARC policy (or `p=none`), receivers have no instruction to reject mail spoofing cascadestucson.com, so the Defender impersonation settings only protect inbound mail, not the domain's reputation outbound.

## Entra ID (Azure AD)

- Hybrid Joined: **No** (no device is hybrid-joined and DirSync is not enabled on any account). **PLANNED: Entra Connect install on CS-SERVER**
- Azure AD Connect Server: None (planned: CS-SERVER)
- MFA Enforced: TBD
- Conditional Access Policies: TBD
- Total Users: 51 (24 licensed individual, 12 generic/role, 6 external guests, 4 blocked/former, 1 admin, 4 shared mailboxes)
- Total Devices: 88

## Entra Connect: SSO Setup Plan

### What It Does

Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account and Office/Edge/Outlook sign in automatically with the matching M365 identity. Single sign-on, one password. Matching to the existing cloud-only accounts is a soft match on UPN or primary SMTP address, which is why the AD cleanup and UPN work below has to happen first.

### Prerequisites (MUST complete before install)

1. **AD account cleanup**: all the renames, deletions, and duplicate fixes MUST be done first. Entra Connect syncs what's in AD, so AD must be clean.
   - [ ] Rename Tamra.Johnson → Tamra.Matthews
   - [ ] Rename Alyssa.Shestko → Alyssa.Brooks + delete lowercase duplicate `alyssa.brooks`
   - [ ] Rename strozzi → Shelby.Trozzi (match M365 UPN)
   - [ ] Fix Christopher.Holik → Christopher.Holick (HR spelling)
   - [ ] Create account for Kyla Quick Tiffany (Resident Services Receptionist)
   - [ ] Delete confirmed former employees (Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez)
   - [ ] Disable/delete non-current accounts (Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks lowercase)
   - [ ] Fix Matt.Brooks vs matthew.brooks@ UPN mismatch
2. **UPN suffix**: add `cascadestucson.com` as a UPN suffix in AD so AD usernames match M365 emails
3. **M365 role-based accounts**: convert to shared mailboxes BEFORE sync to avoid sync conflicts
4. **Kristiana Dowse**: delete from M365 before sync
5. **Verify CS-SERVER meets requirements**: Windows Server 2016+, .NET Framework 4.7.2+, SQL Server Express LocalDB (installed by the Entra Connect installer)

### Install Steps

1. Add UPN suffix `cascadestucson.com` to AD (AD Domains and Trusts)
2. Update all synced users' UPN to `firstname.lastname@cascadestucson.com`
3. Download Entra Connect from the Entra admin center
4. Install on CS-SERVER
5. Choose **Password Hash Sync** (simplest, most reliable)
6. Scope sync to `OU=Departments` only (exclude service accounts, shared accounts, computers)
7. Enable **Seamless SSO** (this creates the `AZUREADSSOACC` computer account in AD; its Kerberos decryption key must be rolled over at least every 30 days)
8. Test with one user before full sync

### What Gets Synced

- All user accounts in OU=Departments → Entra ID
- Password hashes synced (user keeps the same password for AD + M365)
- NOT synced: computer accounts, service accounts, shared/generic accounts (Culinary, Receptionist, saleshare, directoryshare)
- **All synced users get Entra ID accounts** but NOT all get licenses
  - Licensed users (23): personal mailbox + Office apps
  - Unlicensed users (10): SSO sign-in to shared mailboxes via browser only, no Office install, no personal mailbox (see the licensing check under "No License" above)

### What Changes for Users

- Log into Windows → Office, Outlook, Edge, OneDrive sign in automatically
- One password for everything (change in AD, M365 follows)
- MFA can be enforced via Entra Conditional Access after sync (requires P1, i.e. the Business Premium purchase; Security Defaults is the only option on Business Standard)

### Risks

- If AD is dirty (duplicates, mismatches), sync will create duplicate M365 accounts or fail
- Shared/generic accounts (Culinary, Receptionist) should NOT sync; exclude from scope
- Must coordinate: once sync is on, AD becomes the source of truth for identity. Soft-matched cloud accounts become read-only in the M365 admin center; name, UPN and password changes go through AD only
- CS-SERVER becomes a Tier-0 asset: the Entra Connect service account and its local database can change every synced account in both directories. No shared local admin passwords on it, patched promptly, and its admins under MFA once that exists

## Issues Found

1. **0 licenses available**: Business Standard is 34/34. Cannot add new users without purchasing more.
2. **Tamra Johnson → Matthews name mismatch**: M365 updated to married name, AD still says Johnson. Update AD to match.
3. **13 AD users have no M365 account**: may not need email (hourly staff?) but verify onsite.
4. **11 licensed role-based M365 accounts (8 Business Standard, 3 Exchange Online Essentials)**: accounting@, frontdesk@, hr@, etc. each consume a license ($12.50/mo for Business Standard). Convert to shared mailboxes (free) if nobody logs into them directly.
5. **"howaed" external guest**: typo duplicate of howard. Resolved: already absent as of 2026-04-22.
6. **3 former employee shared mailboxes**: Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi. Resolved: all three deleted 2026-04-22 (soft-delete IDs recorded above).
7. **Sandra Fish was global admin**: previous owner/manager. Resolved: Global Admin revoked, sign-in blocked and P2 removed 2026-04-14; account confirmed gone 2026-04-22.
8. **cara.lespron@ alias on Dax Howard's mailbox**: former employee's mailbox was repurposed. Remove alias if no longer needed.
9. **Kristiana Dowse**: licensed in M365 but not in AD. HR confirmed not a current employee; remove license and delete.
10. **nick pavloff**: created 2026-03-07 (the day before this entry was written). New hire, needs AD account.
11. **sysadmin has no mailbox license**: only Power Automate Free. May need Exchange if used for email.
12. **No Microsoft BAA signed/documented**: M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Page author's path: M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. Check this against the current Microsoft Product Terms / Data Protection Addendum, which incorporate Microsoft's HIPAA BAA for Microsoft 365 subscriptions; if there is nothing left to sign, the action is to record the applicable terms and subscription in the compliance file.
13. **No MFA enabled**: no Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person or entity authentication. Enable Security Defaults at minimum (free); it forces MFA registration for everyone, including sysadmin@ (Global Admin), which is the account that matters most. Security Defaults and Conditional Access are mutually exclusive, so when the Business Premium/P1 purchase lands and CA policies are built, Security Defaults is switched off and replaced by CA, not run alongside it.
14. **Microsoft Teams not deployed or HIPAA-configured**: Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on the Microsoft BAA (#12) being in place first. **Rollout plan + test plan: `docs/cloud/teams-rollout.md`** (Lauren Hasselman's 2026-05-05 inability-to-create-team report is the canary test).

## Notes

- Previous MSP/admin created many role-based accounts as regular licensed users instead of shared mailboxes. This wastes licenses and, with no MFA in the tenant, leaves password-only logins for role mailboxes that nobody personally owns.
- No Entra Connect / hybrid join: AD and M365 are completely separate identity systems. Users have different passwords for each.
- Shared workstation plan (GPO 6) needs: reception shared mailbox created, tenant domain is cascadestucson.com.
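The conversion procedure for the Role-Based Accounts table and the Courtesy Patrol mailbox, as an added PowerShell example that is not part of this runbook: it converts each listed mailbox to shared, grants the listed members Full Access and Send As, blocks sign-in on the user object left behind, and removes the license last. Member UPNs are assumed to follow the first.last@cascadestucson.com pattern (kyla.quicktiffany@ is a guess, since that account does not exist yet); members not yet in the tenant are skipped with a warning, so re-run it after Entra Connect has synced the unlicensed staff. Requires the ExchangeOnlineManagement and Microsoft.Graph modules.

```powershell
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' -NoWelcome

$Domain = 'cascadestucson.com'

# Mailbox local part -> members (local parts), copied from the "Members (after conversion)"
# column. Member UPNs are ASSUMED to be first.last@; kyla.quicktiffany is a guess.
# Empty lists are the rows marked TBD.
$Conversions = [ordered]@{
    accounting          = @('ashley.jensen', 'lauren.hasselman')
    accountingassistant = @('allison.reibschied')
    boadmin             = @()
    frontdesk           = @('cathy.kingston', 'shontiel.nunn', 'kyla.quicktiffany', 'sebastian.leon', 'sheldon.gardfrey', 'ray.rai')
    hr                  = @('meredith.kuhn')
    memcarereceptionist = @('michelle.shestko', 'matthew.brooks')
    security            = @()
    training            = @()
    nurse               = @('lois.lane', 'karen.rossini', 'britney.thompson')
    medtech             = @()
    transportation      = @('richard.adams', 'julian.crim', 'christopher.holick')
}

function Get-MailboxSizeGB {
    param([string]$Identity)
    # TotalItemSize renders as text like "1.2 GB (1,288,490,189 bytes)"; take the byte count.
    $raw   = (Get-MailboxStatistics -Identity $Identity).TotalItemSize.ToString()
    $bytes = [int64](([regex]::Match($raw, '\(([\d,]+) bytes\)').Groups[1].Value) -replace ',', '')
    [math]::Round($bytes / 1GB, 2)
}

function Convert-RoleMailbox {
    param([string]$LocalPart, [string[]]$Members)
    $id  = "$LocalPart@$Domain"
    $mbx = Get-Mailbox -Identity $id -ErrorAction Stop

    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        # A shared mailbox is free only up to 50 GB (and without an archive).
        $gb = Get-MailboxSizeGB -Identity $id
        if ($gb -gt 50) { throw "$id is $gb GB, over the 50 GB shared-mailbox limit; keep it licensed" }
        Set-Mailbox -Identity $id -Type Shared
        # Keep Send As / Send on Behalf copies in the shared mailbox's Sent Items so outbound
        # mail from the role address is visible to every member, not just the sender.
        Set-Mailbox -Identity $id -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true
    }

    foreach ($m in $Members) {
        $mUpn = "$m@$Domain"
        if (-not (Get-Recipient -Identity $mUpn -ErrorAction SilentlyContinue)) {
            # AD-only staff exist in M365 only after Entra Connect syncs them; re-run then.
            Write-Warning "$mUpn is not in the tenant yet; skipping"
            continue
        }
        Add-MailboxPermission  -Identity $id -User $mUpn    -AccessRights FullAccess -InheritanceType All -AutoMapping $true -Confirm:$false | Out-Null
        Add-RecipientPermission -Identity $id -Trustee $mUpn -AccessRights SendAs -Confirm:$false | Out-Null
    }

    # The user object behind the shared mailbox stays in Entra. Block it so it is never a
    # password-only login, then drop its licenses. Converting before removing the license is
    # what keeps the mailbox; an unlicensed user mailbox is deleted after the grace period.
    $u = Get-MgUser -UserId $id -Property Id, AssignedLicenses -ErrorAction SilentlyContinue
    if ($u) {
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
        if ($u.AssignedLicenses.Count -gt 0) {
            Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses @($u.AssignedLicenses.SkuId) | Out-Null
        }
    }
    Get-Mailbox -Identity $id | Select-Object PrimarySmtpAddress, RecipientTypeDetails
}

foreach ($entry in $Conversions.GetEnumerator()) {
    Convert-RoleMailbox -LocalPart $entry.Key -Members $entry.Value
}

# New shared mailbox for Courtesy Patrol (no license needed), then the same member handling.
$cp = "courtesypatrol@$Domain"
if (-not (Get-Mailbox -Identity $cp -ErrorAction SilentlyContinue)) {
    New-Mailbox -Shared -Name 'Courtesy Patrol' -DisplayName 'Courtesy Patrol' -PrimarySmtpAddress $cp | Out-Null
}
Convert-RoleMailbox -LocalPart 'courtesypatrol' -Members @('sebastian.leon', 'sheldon.gardfrey')
```

`AutoMapping $true` makes the shared mailbox appear in each member's Outlook automatically; the Graph calls run after the Exchange changes so that a failed conversion never leaves a role account both unlicensed and still enabled.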
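A pre-sync reconciliation for the Entra Connect prerequisites and install steps 1 and 2, as an added PowerShell example (not from this runbook). It adds the UPN suffix, lists every enabled user under the sync OU with a proposed first.last@cascadestucson.com UPN, and checks each against the cloud users so you know in advance which AD accounts will soft-match an existing mailbox, which will create a brand-new cloud account, and where two AD users would collide on one UPN. It assumes the RSAT ActiveDirectory module and Microsoft.Graph are available on a domain-joined admin host, that the sync OU is OU=Departments under the current domain, and that AD users carry GivenName/Surname. All AD writes are -WhatIf unless -Commit is passed.

```powershell
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users

$Suffix     = 'cascadestucson.com'
$SearchBase = "OU=Departments,$((Get-ADDomain).DistinguishedName)"   # same scope the sync will use

function Add-UpnSuffix {
    param([switch]$Commit)
    # Prerequisite 2: the forest must know the suffix before any user can carry it.
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $Suffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix } -WhatIf:(-not $Commit)
    }
}

function Get-SyncCandidates {
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties GivenName, Surname, mail, proxyAddresses |
        ForEach-Object {
            $proposed = if ($_.GivenName -and $_.Surname) {
                ('{0}.{1}@{2}' -f $_.GivenName, $_.Surname, $Suffix).ToLower() -replace '\s', ''
            }
            [pscustomobject]@{
                Sam         = $_.SamAccountName
                CurrentUpn  = $_.UserPrincipalName
                ProposedUpn = $proposed
                # Any SMTP address already on the AD object also counts for soft match.
                AdAddresses = @(@($_.mail) + @($_.proxyAddresses | ForEach-Object { $_ -replace '^smtp:', '' }) |
                                Where-Object { $_ } | ForEach-Object { $_.ToLower() })
            }
        }
}

function Compare-WithCloud {
    param([object[]]$Candidates)
    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    $cloud = Get-MgUser -All -Property UserPrincipalName, ProxyAddresses, UserType | Where-Object UserType -eq 'Member'

    # Index every address a cloud account answers to (UPN + proxyAddresses) -> its UPN.
    # Entra Connect soft-matches a new AD object to a cloud-only account on UPN or SMTP address.
    $index = @{}
    foreach ($c in $cloud) {
        $index[$c.UserPrincipalName.ToLower()] = $c.UserPrincipalName
        foreach ($p in $c.ProxyAddresses) {
            if ($p -match '^smtp:(.+)$') { $index[$Matches[1].ToLower()] = $c.UserPrincipalName }
        }
    }

    $claimed = @{}   # proposed UPN -> first AD account that claimed it (collision detection)
    foreach ($u in $Candidates) {
        $hits = @(@($u.ProposedUpn) + $u.AdAddresses | Where-Object { $_ -and $index.ContainsKey($_) } |
                  ForEach-Object { $index[$_] } | Select-Object -Unique)
        $target = $null
        $result = if (-not $u.ProposedUpn)                    { 'NO-NAME: fill GivenName/Surname in AD' }
                  elseif ($claimed.ContainsKey($u.ProposedUpn)) { "COLLISION: same UPN as $($claimed[$u.ProposedUpn])" }
                  elseif ($hits.Count -gt 1)                   { "AMBIGUOUS: matches $($hits -join ', ')" }
                  elseif ($hits.Count -eq 1)                   { $target = $hits[0]; "MATCH -> $($hits[0])" }
                  else                                         { $target = $u.ProposedUpn; 'NEW: no cloud account, sync will create one' }
        if ($u.ProposedUpn) { $claimed[$u.ProposedUpn] = $u.Sam }
        # TargetUpn is what the AD UPN should become: the existing mailbox address on a match
        # (this is how Matt.Brooks ends up as matthew.brooks@), otherwise the proposed name.
        [pscustomobject]@{ Sam = $u.Sam; CurrentUpn = $u.CurrentUpn; ProposedUpn = $u.ProposedUpn; TargetUpn = $target; Result = $result }
    }
}

function Set-SyncUpns {
    param([object[]]$Report, [switch]$Commit)
    # Only clean rows are touched; NO-NAME, COLLISION and AMBIGUOUS rows are fixed by hand first.
    foreach ($r in $Report | Where-Object { $_.TargetUpn -and $_.CurrentUpn -ne $_.TargetUpn }) {
        Set-ADUser -Identity $r.Sam -UserPrincipalName $r.TargetUpn -WhatIf:(-not $Commit)
    }
}

Add-UpnSuffix
$report = Compare-WithCloud -Candidates (Get-SyncCandidates)
$report | Format-Table -AutoSize
Set-SyncUpns -Report $report     # add -Commit (to both calls) once every row reads MATCH or NEW
```

A NEW row for someone who already has a mailbox (Guadalupe.Sanchez with lupe.sanchez@, for instance, if AD has no mail attribute) means the sync would create a duplicate cloud account; set that user's AD `mail` or UPN to the existing mailbox address and re-run until the row reads MATCH.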
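The Exchange Online section leaves MX, SPF, DKIM and DMARC as TBD. The following added PowerShell function (not from this runbook) fills them in from public DNS using Resolve-DnsName (Windows DnsClient module) and flags the gaps that matter for the anti-impersonation work: MX not at Exchange Online Protection, SPF missing spf.protection.outlook.com or not hard-fail, DKIM CNAMEs absent, DMARC missing or `p=none`. For an Exchange Online tenant the DKIM CNAME targets take the form selector1-cascadestucson-com._domainkey.NETORGFT4257522.onmicrosoft.com (and selector2); the function reports whatever is actually published rather than assuming that.

```powershell
function Get-MailDnsPosture {
    param([string]$Domain = 'cascadestucson.com')

    $mx  = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'MX')
    # TXT answers arrive as string arrays (long records are split); join before matching.
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'TXT' |
             ForEach-Object { -join $_.Strings })
    $spf = @($txt | Where-Object { $_ -like 'v=spf1*' })

    # Exchange Online DKIM uses two CNAMEs (selector1/selector2) pointing at the tenant's initial domain.
    $dkim = foreach ($sel in 'selector1', 'selector2') {
        $r = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'CNAME'
        [pscustomobject]@{ Selector = $sel; Target = $r.NameHost }
    }

    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'TXT' |
             ForEach-Object { -join $_.Strings } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarcPolicy = if ($dmarc -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { $null }

    $findings = @()
    if (-not ($mx | Where-Object NameExchange -like '*.mail.protection.outlook.com')) { $findings += 'MX does not point at Exchange Online Protection' }
    if ($spf.Count -ne 1)                                              { $findings += "expected exactly one SPF record, found $($spf.Count)" }
    elseif ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') { $findings += 'SPF does not include spf.protection.outlook.com' }
    elseif ($spf[0] -notmatch '-all$')                                 { $findings += 'SPF is not a hard fail (-all); spoofed mail is only soft-failed' }
    if ($dkim | Where-Object { -not $_.Target })                        { $findings += 'DKIM selector CNAME missing; DKIM signing cannot be enabled in EXO' }
    if (-not $dmarc)                                                    { $findings += 'no DMARC record' }
    elseif ($dmarcPolicy -eq 'none')                                    { $findings += 'DMARC p=none: reporting only, receivers will not reject spoofs' }

    [pscustomobject]@{
        Domain      = $Domain
        MX          = @($mx | Sort-Object Preference | ForEach-Object { "$($_.Preference) $($_.NameExchange)" })
        SPF         = $spf
        DKIM        = $dkim
        DMARC       = $dmarc
        DmarcPolicy = $dmarcPolicy
        Findings    = $findings
    }
}

Get-MailDnsPosture | Format-List
```

Paste the `MX`, `SPF`, `DKIM` and `DmarcPolicy` values into the Exchange Online bullets above; an empty `Findings` list is the state to reach before the Defender impersonation policies are switched on.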