---
name: Cascades of Tucson — current state (migration, admin, CA rollout, billing)
description: Active state of the Cascades migration — Syncro ticket #110680053, plan file (machine-specific path), admin accounts (sysadmin@ = Howard, admin@ = Mike, not break-glass), CA caregiver pilot (Phase B / SG-Caregivers-Pilot, scope group-only never tenant-wide), prepaid block ~37.5h (rate TBD). Active rules in feedback_cascades.md, incident detail in project_cascades_history.md.
type: project
---

Rules: [[feedback_cascades]]. Detail / decisions / pilot-cleanup checklist: [[project_cascades_history]].

## Migration

Multi-day, department-by-department migration from a workgroup/cloud-only setup to a domain-integrated environment. Clean end state: everything works automatically on a fresh-machine domain join.

- **Syncro ticket:** https://computerguru.syncromsp.com/tickets/110680053 — update with notes after each session.
- **Plan file:** `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` *(machine-specific path on Howard's box; confirm it resolves on ACG-TECH03L / Howard-Home or relocate into the synced repo)*.
- **Resume:** Howard says "resume the Cascades migration plan" → read the plan file, check `CURRENT SAVE POINT`, pick up at the next unchecked item. At session start, read the save point BEFORE doing any work; update + `/save` at session end.

## Tenant

Cascades Tucson tenant: `207fa277-e9d8-4eb7-ada1-1064d2221498`.

## Admin accounts (daily-driver, NOT break-glass)

- **`sysadmin@cascadestucson.com`** — Howard's working admin (activated the CA Admin role via a PIM portal click on 2026-04-28).
- **`admin@cascadestucson.com`** — Mike's working admin.

As of 2026-04-29, neither is confirmed cloud-only / FIDO2 / CA-excluded. **A break-glass admin still needs to be designed** before CA bypass policies go live. Don't assume sysadmin@ / admin@ meet break-glass criteria — verify against Graph first (`onPremisesSyncEnabled`, registered authentication methods, CA policy exclusions).
## CA caregiver pilot — phased, group-scoped

The caregiver bypass CA work is a **phased rollout**, not a tenant-wide cutover. The original §5 design in `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` and the 2026-04-29 resume point implied tenant-wide scope; that was corrected.

- New CA policies target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). Never `includeUsers: All`.
- The legacy `Require multifactor authentication for all users` policy **stays in place**. PATCH its `excludeGroups` to add the pilot group; existing office-staff behavior is unchanged.
- Expansion to other populations happens one group at a time post-pilot. The legacy all-users MFA policy is deleted only at the very end, when every population is governed by phased policies.

**Caregiver policy set (current scope):**

- PATCH `Require multifactor authentication for all users`: add `SG-Caregivers-Pilot` to excludeGroups.
- CREATE `CSC - Block caregivers off Cascades network` (includeGroups: pilot; locations: not Cascades; grant: BLOCK).
- CREATE `CSC - Block caregivers on non-compliant device` (includeGroups: pilot; device filter `isCompliant -eq False`; grant: BLOCK).
- CREATE `CSC - Caregiver sign-in frequency 8h` (includeGroups: pilot; session control: 8h re-auth).

For caregivers we use **Block** directly on non-compliant + off-network — caregivers can't satisfy MFA (no personal device), so a block is the cleaner UX. Future non-caregiver populations will likely use MFA grants, since office staff have MFA capability.

## Billing

Cascades is a **prepaid block** customer (Syncro `customer_id: 20149445`). The block had ~37.5h remaining as of 2026-05-20 (38.5h minus 1h for ticket #32304).

**Block rate:** NOT yet confirmed. $175/hr is the standard non-block remote rate, NOT necessarily the Cascades block rate. **Ask Mike before billing.** Invoices post at $0.00 with hours deducted by quantity. See [[feedback_syncro_billing]] §7 for emergency-on-prepaid mechanics.
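The caregiver policy set from the CA pilot section, as added example code (not from the Cascades plan or from Microsoft tooling): it builds the three Graph `conditionalAccessPolicy` bodies and the `excludeGroups` PATCH for the legacy MFA policy, and refuses to emit anything that is not group-scoped. The group and named-location object IDs are placeholders, "not Cascades" is modelled as all locations minus the Cascades named location, the device filter uses Graph's `device.isCompliant` rule syntax, and the new policies are created report-only so sign-in logs can be reviewed before the state is flipped to enabled.

```python
import copy

PILOT_GROUP_ID = "<object-id-of-SG-Caregivers-Pilot>"             # placeholder, look up in Entra
CASCADES_LOCATION_ID = "<object-id-of-Cascades-named-location>"  # placeholder


def assert_group_scoped(policy: dict) -> None:
    """Enforce the pilot rule: a policy must name a group and never use includeUsers: All."""
    users = policy["conditions"]["users"]
    if "All" in users.get("includeUsers", []):
        raise ValueError(f"{policy['displayName']}: includeUsers: All is forbidden")
    if not users.get("includeGroups"):
        raise ValueError(f"{policy['displayName']}: must target at least one group")


def _base(name: str, group_id: str) -> dict:
    # Report-only state: evaluate in sign-in logs first, then switch to "enabled".
    return {"displayName": name, "state": "enabledForReportingButNotEnforced",
            "conditions": {"users": {"includeGroups": [group_id]},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": ["all"]}}


def build_caregiver_policies(group_id: str, location_id: str) -> list:
    off_net = _base("CSC - Block caregivers off Cascades network", group_id)
    off_net["conditions"]["locations"] = {"includeLocations": ["All"],
                                          "excludeLocations": [location_id]}
    off_net["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}

    noncompliant = _base("CSC - Block caregivers on non-compliant device", group_id)
    noncompliant["conditions"]["devices"] = {"deviceFilter": {
        "mode": "include", "rule": "device.isCompliant -eq False"}}
    noncompliant["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}

    sif = _base("CSC - Caregiver sign-in frequency 8h", group_id)
    sif["sessionControls"] = {"signInFrequency": {"value": 8, "type": "hours", "isEnabled": True}}

    policies = [off_net, noncompliant, sif]
    for p in policies:
        assert_group_scoped(p)  # refuse to emit anything tenant-wide
    return policies


def patch_exclude_groups(legacy_policy: dict, group_id: str) -> dict:
    """PATCH body for the legacy all-users MFA policy: add one excludeGroups entry.
    The whole conditions object is resent so nothing else in the legacy scope is dropped."""
    conditions = copy.deepcopy(legacy_policy["conditions"])
    excluded = conditions["users"].setdefault("excludeGroups", [])
    if group_id in excluded:
        return {}  # already excluded, nothing to send
    excluded.append(group_id)
    return {"conditions": conditions}
```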
## Pilot cleanup checklist

At pilot wrap (transition to production `SG-Caregivers`), the following MUST be cleaned up — surface this list when we get to "flip pilot CA policies to production":

- `pilot.test@cascadestucson.com` — delete (or disable + remove license; recovers a Business Premium seat).
- `howard.enos@cascadestucson.com` — if used during pilot validation, clean up (Howard's eventual synced identity won't exist as a cloud user until Entra Connect exits staging).
- `SG-Caregivers-Pilot` — remove from CA policy targets when superseded by synced `SG-Caregivers`; the group itself can be deleted after.