claudetools/clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md
Howard Enos 2919b3dec6 sync: auto-sync from HOWARD-HOME at 2026-05-16 13:49:46 (2026-05-16 13:49:48 -07:00)

# Caregiver M365 + Entra P2 Rollout Plan (Cascades of Tucson)

- Status: Documentation only — do NOT create accounts or assign licenses yet.
- Created: 2026-04-18 (Howard)
- Source: C:\Users\howar\OneDrive\Documents\Caregiver Scheduled shifts and phone #.xlsx (as of 2026-04-17)

## Goal / why this matters

Cascades is deploying 25 shared Android phones plus 9 kitchen iPads to get caregivers off shared workstations and into their own authenticated sessions (ALIS EHR, Outlook, Edge). For that to actually improve HIPAA posture, every caregiver needs:

  1. Their own identity (AD user + M365 mailbox) so actions are attributable per-person rather than to a shared "Caregiver" login
  2. Entra P2 so we can apply Conditional Access policies that restrict mobile email + ALIS access to:
    • Managed (Intune-enrolled) shared phones, AND
    • The Cascades physical network / trusted location (IP ranges or named location)
  3. Policy block on personal-device access to Exchange + ALIS (HIPAA §164.312 access control)

Today none of these caregivers exist in AD or M365 — they use shared workstation logins and don't have email at all. That is the gap this rollout closes.

Also noted (explicit call-out to add to the proposal): we did not previously frame the Business Premium proposal as "we're adding phones AND licenses to reach HIPAA compliance." The proposal currently lists 23 licensed users post-cleanup; with caregivers included it is closer to 62. The cost delta + HIPAA rationale should be surfaced in docs/proposals/m365-premium-upgrade.md before re-presenting to Meredith.

## Caregiver roster (39 people)

Location codes: Tower = assisted living tower, MC = Memory Care. Role flags: CCG = certified caregiver, MedTech / MED TECH = medication tech, PRN = as-needed/float, NOC = overnight.

### Tuesday–Saturday (14)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 1 | Thelma Abainza | thelma.abainza@ | AM | Tower | Caregiver | 520-867-2579 |
| 2 | Niel Castro | niel.castro@ | AM | Tower | MedTech / CCG | 520-697-4644 |
| 3 | Espe Esperance | espe.esperance@ | PM | Tower | MedTech | 520-788-9558 |
| 4 | Barbara Johnson | barbara.johnson@ | PM | Tower | Caregiver | 520-204-3449 |
| 5 | Kasey Flores | kasey.flores@ | AM | MC | Caregiver | 520-250-1451 |
| 6 | Richard Flores | richard.flores@ | AM | MC | Caregiver | 520-873-7727 |
| 7 | Marie Kastner | marie.kastner@ | PM | MC | Caregiver | 714-576-9858 |
| 8 | Bella Mendoza | bella.mendoza@ | PM | MC | Caregiver | 520-358-2000 |
| 9 | Rosa Morales | rosa.morales@ | PM | MC | MedTech | 312-213-8780 |
| 10 | Sandra Padilla | sandra.padilla@ | AM | Tower | MedTech / CCG | 520-585-3317 |
| 11 | Polett Pinazavala | (departed 2026-04-22) | | | | |
| 12 | Whisper Reed | whisper.reed@ | Overnight | Tower | MedTech | 520-312-7575 |
| 13 | Patricia Sandoval-Beck | patricia.sandoval-beck@ | AM | Tower | MedTech | 520-343-8093 |
| 14 | Charity Sika | charity.sika@ | AM | MC | Caregiver | 623-251-8032 |
| 15 | Ederick Yuzon | ederick.yuzon@ | PM | Tower | Caregiver | 520-603-8816 |

### Sunday–Thursday (10)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 16 | Juan Andrade | juan.andrade@ | PM | MC | Caregiver | 520-528-4078 |
| 17 | Jahmeka Clarke | jahmeka.clarke@ | PM | MC | MedTech | 520-649-7034 |
| 18 | Karina Aziakpo | karina.aziakpo@ | Overnight | MC | MedTech / CCG | 520-392-6859 |
| 19 | Jinnelle Dittbenner | jinnelle.dittbenner@ | PM | Tower | Caregiver | 520-499-9996 |
| 20 | Christine Nyanzunda | christine.nyanzunda@ | AM (Sun/Mon only) | MC | MedTech | 520-304-4251 |
| 21 | Agnes McFerren | agnes.mcferren@ | AM | Tower | Caregiver | 520-406-3063 |
| 22 | Samuel Ramirez | samuel.ramirez@ | PM | Tower | Caregiver | 520-488-5798 |
| 23 | Erica Sanchez | erica.sanchez@ | AM | MC | Caregiver | 520-528-3387 |
| 24 | Katrina Wyzykowski | katrina.wyzykowski@ | AM | MC | MedTech | 520-347-1448 |
| 25 | Corey Tate | corey.tate@ | NOC | Tower | Caregiver only (no MedTech) | 520-535-7821 |

### Friday–Monday / weekend (5)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 26 | Ashli Atwood | ashli.atwood@ | Overnight | MC | MedTech / CCG | 715-200-1295 |
| 27 | Cole Johnson | cole.johnson@ | PM | Tower | MedTech | 818-970-0890 |
| 28 | Roseline Cooper | roseline.cooper@ | Overnight | MC | Caregiver | 520-278-6817 |
| 29 | Monique Lopez | monique.lopez@ | Doubles (Fri & Sat) | Tower | Caregiver | 520-596-0969 |
| 30 | Gloria Williford | gloria.williford@ | Doubles (Fri & Sat 5:45a–10p) | MC | MedTech | 928-551-1682 |

### Thursday–Monday (3)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 31 | Sarah Carroll | sarah.carroll@ | PM | Tower | Caregiver | 520-409-2341 |
| 32 | Luke Hogan | luke.hogan@ | AM | Tower | Caregiver | 520-312-0141 |
| 33 | Gina Williams | gina.williams@ | AM | Tower | Caregiver | 520-612-5075 |

### Split / other patterns (3)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 34 | Jen Higdon | jen.higdon@ | Mon/Wed/Fri AM | Tower | Caregiver | 520-730-3548 |
| 35 | Mary Kariuki | mary.kariuki@ | Sat–Mon + Wed PM | Tower | Caregiver | 520-309-1247 |
| 36 | CeCe Lassey | cece.lassey@ | Sun/Mon doubles + Tue PM | Tower | Caregiver | 520-248-5982 |

### Sunday & Monday only (1)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 37 | Paty Doran | paty.doran@ | AM | Tower | MedTech / CCG | 520-591-7368 |

### PRN / float (2)

| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 38 | Ezekiel Huerta | ezekiel.huerta@ | PRN | Tower | Caregiver | 520-591-6113 |
| 39 | Maia Baker | maia.baker@ | PRN | MC | MedTech | TBD — not on shift list, only on Sheet2 |

All UPNs above use the @cascadestucson.com suffix (standard).

## Conflict / verify before creating

  • Christine Nyanzunda - Resolved 2026-04-22: one person, one account. Existing christine.nyanzunda@ mailbox covers both MC Admin role and her part-time Sun/Mon MedTech shifts. Do not create a second account.
    • SYNC WATCH-POINT (added 2026-05-14): Verified this date — she has a cloud-only M365 account christine.nyanzunda@cascadestucson.com (onPremisesSyncEnabled: null, created 2023-10-26) and an existing AD account Christine.Nyanzunda that lives in a departmental OU (not OU=Caregivers). When caregiver AD accounts are created in OU=Caregivers, do NOT create a christine.nyanzunda object there — a duplicate inside the synced OU would soft-match/collide with her existing cloud account once Entra Connect staging is exited. Her existing account stays untouched by the OU=Caregivers-only caregiver sync. Deciding whether/how to move or sync her belongs to the office-staff (Phase 2) migration, NOT the caregiver phone rollout.
  • Paty Doran - Resolved 2026-04-22: legal name Patricia Camarena Doran. Account will be patricia.doran@.
  • Polett Pinazavala - Resolved 2026-04-22 (John's reply): departed. Remove from roster. No AD/M365 account exists so no disable needed.
  • Patricia Sandoval-Beck - Resolved 2026-04-22 (CSV inline note from Meredith): hyphen is correct. SamAccountName may still need to be Patricia.SandovalBeck if ALIS/MDM reject hyphens — test during Wave 3.
  • Espe Esperance - Resolved 2026-05-15: one person. Legal name Niyonsaba Esperance (Niyonsaba = first, Esperance = last); goes by Espe at work. Account is e.esperance@cascadestucson.com, display name "Espe Esperance". She IS already in ALIS as "Niyonsaba Esperance" — Meredith must UPDATE that record's email field to e.esperance@cascadestucson.com, not add a new record.
  • Ederick Yuzon - Still pending: spelling asked in 2026-04-22 email.
  • Maia Baker - Resolved 2026-04-22 (CSV inline note): part-time, still employed.
  • Reliable Agency caregivers - Final decision 2026-04-22 (post-HIPAA review): NO shared logins. Originally planned reliable1@ / reliable2@; dropped because shared log-on IDs for PHI access violate 45 CFR §164.312(a)(2)(i) (Required spec, no compensating-control exception). Per-person accounts only, created when Reliable Agency supplies individual names. Rationale in docs/security/hipaa-review-2026-04-22.md.

## Licensing plan (when ready — NOT now)

Current licensing (per docs/cloud/m365.md):

  • Business Standard: 34 purchased, all assigned (need to free via shared-mailbox conversion first)
  • Entra P2: 1 unassigned (was Sandra Fish)

Target for caregiver rollout:

| License | Who gets it | Qty | Rationale |
|---------|-------------|-----|-----------|
| M365 Business Premium (replaces Standard) | All 23 existing licensed staff + 38 net-new caregivers (Christine Nyanzunda already counted as existing staff) | 61 | Includes Intune Shared Device Mode + Defender + DLP + the P2-equivalent Conditional Access features — this is the SKU the proposal already describes |
| Entra ID P2 (standalone, IF we stay on Business Standard instead) | Same 61 | 61 | Only needed if we do NOT upgrade to Business Premium. Premium already bundles the CA features we need; avoid double-paying |

Recommended: upgrade everyone to Business Premium, don't buy standalone P2. P2 is only listed here as the fallback if budget forces staying on Standard.

### Quick cost math (order-of-magnitude, double-check in proposal)

| Scenario | Licenses | Rate (monthly) | Monthly total |
|----------|----------|----------------|---------------|
| Today (actual) | 34 × Standard | $12.50 | $425 |
| After shared-mailbox cleanup (no caregivers) | 23 × Premium | $22.00 | $506 |
| After caregiver rollout (this doc) | 61 × Premium | $22.00 | $1,342 |
| Delta vs today | | | +$917/mo |

That is a meaningful jump and needs to be in the proposal conversation with Meredith explicitly — it was missing from the 2026-04-14 version.

## Conditional Access policy plan (rough)

When licenses are in place and accounts exist:

  1. Named Location in Entra = Cascades public IP(s) from pfSense WAN + VPN exit IP. Name it CascadesTrustedLocation.
  2. Compliant Device definition in Intune = corporate-enrolled Android (the 25 shared phones) + corporate-enrolled iPad (the 9 kitchen iPads) + domain-joined Windows PCs.
  3. CA Policy: Caregivers — Mobile Email / ALIS access
    • Assignment: Entra group SG-Caregivers (populated from AD group once accounts exist)
    • Cloud apps: Exchange Online, ALIS (once registered as Entra app), Outlook Mobile
    • Conditions: Device Platforms = Android, iOS; Locations = Any
    • Grant: Require compliant device AND require location CascadesTrustedLocation (combined grant, both required)
    • Block everything else (personal phones off-network → blocked)
  4. CA Policy: Caregivers — Web/browser block off-network
    • Same group + cloud apps
    • Platforms: browser (desktop)
    • Conditions: not in CascadesTrustedLocation
    • Grant: Block
  5. Exclusion group SG-CA-BreakGlass for Meredith + sysadmin so we can't lock ourselves out.

CA policies should be deployed in Report-only mode for at least 7 days, reviewed against Sign-in logs, then switched to On.
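Added example (not a script from this repo): one way to build steps 1–5 above with the Microsoft Graph PowerShell SDK, in report-only mode, plus the sign-in log review the 7-day soak calls for. One caveat on step 3: in Entra, location is a condition, not a grant control, so "compliant device AND trusted location" is expressed as two policies: A blocks any sign-in (any platform, so it also covers the desktop-browser case in step 4) outside CascadesTrustedLocation, and B requires an Intune-compliant device on Android/iOS everywhere. Together they give the "both required" effect. The CIDR values are RFC 5737 documentation addresses and the ALIS app id is a placeholder; the group names, the Exchange Online app id and the SG-CA-BreakGlass exclusion come from this doc.

```powershell
# Added example, not Cascades' production script. Assumes the Microsoft.Graph
# SDK modules and an admin with the scopes below. Replace the placeholder IPs
# (RFC 5737 ranges) with the real pfSense WAN + VPN exit addresses.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Group.Read.All', 'AuditLog.Read.All'

# Step 1: Named Location. Placeholder CIDRs; use /32 per static public IP.
$trustedCidrs = @('203.0.113.10/32', '198.51.100.25/32')
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'CascadesTrustedLocation'
    isTrusted     = $true
    ipRanges      = @($trustedCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ } })
}

# Step 5 first: the break-glass exclusion goes into every caregiver policy.
$caregivers = (Get-MgGroup -Filter "displayName eq 'SG-Caregivers'").Id
$breakGlass = (Get-MgGroup -Filter "displayName eq 'SG-CA-BreakGlass'").Id
$exchangeOnline = '00000002-0000-0ff1-ce00-000000000000'   # well-known Exchange Online app id
$alisAppId      = '<ALIS-app-id-once-registered>'           # placeholder until ALIS is an Entra app

$users = @{ includeGroups = @($caregivers); excludeGroups = @($breakGlass) }
$apps  = @{ includeApplications = @($exchangeOnline) }     # add $alisAppId once registered
# Report-only first; change to 'enabled' only after reviewing sign-in logs.
$reportOnly = 'enabledForReportingButNotEnforced'

# Policy A (steps 3 + 4): anything outside the trusted location is blocked.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Caregivers - Block off-network'
    state       = $reportOnly
    conditions  = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null

# Policy B (step 3): on Android/iOS, require an Intune-compliant (step 2) device.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Caregivers - Mobile requires compliant device'
    state       = $reportOnly
    conditions  = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('all')
        platforms      = @{ includePlatforms = @('android', 'iOS') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
} | Out-Null

# Review: which sign-ins would these report-only policies have blocked?
function Get-ReportOnlyFailures {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    $filter = 'createdDateTime ge {0}' -f $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
        $s = $_
        $s.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -like 'Caregivers - *' -and $_.Result -eq 'reportOnlyFailure' } |
            ForEach-Object {
                [pscustomobject]@{ When = $s.CreatedDateTime; User = $s.UserPrincipalName
                                   App = $s.AppDisplayName;  IP = $s.IPAddress; Policy = $_.DisplayName }
            }
    }
}
# A legitimate caregiver on a shared phone at the facility showing up here means
# the IP list or device compliance is wrong; fix that before switching to On.
Get-ReportOnlyFailures | Group-Object User, Policy | Sort-Object Count -Descending | Format-Table
```

Run the review function daily during the soak; a clean week (only personal-device or off-site hits) is the signal to flip `state` to `enabled`. Keep at least one SG-CA-BreakGlass member signed in from outside the trusted location when you do, so a bad IP list does not lock everyone out.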

## AD placement (when accounts are created)

All caregiver accounts go in OU=Caregivers,OU=Departments,DC=cascades,DC=local — this is the OU in the Entra Connect sync scope (confirmed 2026-05-14). Do NOT place caregivers in OU=Care-Assisted Living / OU=Care-Memorycare — those hold office/clinical staff and are NOT in the sync scope; putting caregivers there means they either don't sync or you'd have to widen scope and drag office staff in. If Tower vs MC organization is wanted, use sub-OUs under OU=Caregivers (e.g. OU=Tower,OU=Caregivers) — the sync scope includes everything beneath OU=Caregivers.

Two separate, deliberate steps per caregiver:

  1. Create the account in OU=Caregivers — controls whether it syncs to the cloud.
  2. Add the account to SG-Caregivers — controls whether the Conditional Access policies apply. This is a deliberate decision asked at creation time; an OU->group auto-mirror was considered and explicitly declined 2026-05-14.
  • MedTech-flagged staff → also deliberately add to SG-MedTech (controls ALIS licensing tier) once that group exists.
  • CCG-flagged staff → also deliberately add to SG-CCG (higher-privilege ALIS rights, if any) once that group exists.
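Added example (not the script used on 2026-05-16): the two-step pattern above as a PowerShell function, so that creating the account in OU=Caregivers and adding it to SG-Caregivers stay separate, visible actions. It also applies the watch-points from "Conflict / verify before creating": an exclusion list so a christine.nyanzunda object is never created in the synced OU, a `-StripHyphens` switch for the SamAccountName fallback if ALIS/MDM reject hyphens, and MedTech/CCG group adds only when those groups exist. The roster rows are constructed placeholders, the CSV column names and the switch are assumptions, and the initial password is prompted for rather than written into the file.

```powershell
# Added example, not the page's own script. Assumes the RSAT ActiveDirectory
# module and an account with create rights on OU=Caregivers.
Import-Module ActiveDirectory

$CaregiverOU = 'OU=Caregivers,OU=Departments,DC=cascades,DC=local'
$UpnSuffix   = 'cascadestucson.com'
# People who already have accounts elsewhere (Phase 2) and must NOT be created here.
$Exclude     = @('christine.nyanzunda')

# Constructed sample roster: placeholder people, not the real roster above.
$roster = @'
GivenName,Surname,Role
Jane,Example,Caregiver
Sam,Example-Test,MedTech / CCG
Christine,Nyanzunda,MedTech
'@ | ConvertFrom-Csv

function Add-ToGroupIfExists {
    param([string] $Group, [string] $Member)
    if (Get-ADGroup -Filter "Name -eq '$Group'") {
        Add-ADGroupMember -Identity $Group -Members $Member
    } else {
        Write-Warning "$Group does not exist yet; add $Member to it later"
    }
}

function New-CaregiverIdentity {
    param(
        [Parameter(Mandatory)] $Row,
        [Parameter(Mandatory)] [securestring] $InitialPassword,
        [switch] $StripHyphens   # assumption: use if ALIS/MDM reject hyphens
    )
    $upnLocal = ('{0}.{1}' -f $Row.GivenName, $Row.Surname).ToLower()
    if ($Exclude -contains $upnLocal) {
        Write-Warning "Skipping $upnLocal - existing account, handled in Phase 2"
        return
    }
    # SamAccountName mirrors the UPN local part unless hyphens must be dropped.
    $sam = if ($StripHyphens) { $upnLocal -replace '-', '' } else { $upnLocal }
    if ($sam.Length -gt 20) { throw "SamAccountName '$sam' exceeds the 20-char limit" }

    $upn = "$upnLocal@$UpnSuffix"
    if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'") {
        Write-Warning "$upn already exists; not recreating"
        return
    }

    # Step 1: create in OU=Caregivers. This alone decides whether it syncs.
    New-ADUser -Name "$($Row.GivenName) $($Row.Surname)" `
        -GivenName $Row.GivenName -Surname $Row.Surname `
        -SamAccountName $sam -UserPrincipalName $upn `
        -Path $CaregiverOU -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $true

    # Step 2: deliberate group membership (no OU->group auto-mirror).
    Add-ADGroupMember -Identity 'SG-Caregivers' -Members $sam
    if ($Row.Role -match 'MedTech') { Add-ToGroupIfExists -Group 'SG-MedTech' -Member $sam }
    if ($Row.Role -match 'CCG')     { Add-ToGroupIfExists -Group 'SG-CCG'     -Member $sam }
    Write-Output "Created $upn (sam=$sam) and added to SG-Caregivers"
}

$pw = Read-Host 'Initial password (not stored in this file)' -AsSecureString
foreach ($row in $roster) { New-CaregiverIdentity -Row $row -InitialPassword $pw }
```

Run it once with `-WhatIf` on the `New-ADUser` call (add `-WhatIf` to that line) against the real roster CSV to see exactly which objects would land in OU=Caregivers before anything is written; the Christine row should show as skipped, and the hyphenated row should show which SamAccountName form will be used.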

Group-policy impact: the CSC - Folder Redirection (LE) work done for Life Enrichment does NOT apply here. Care-Assisted Living GPO pattern needs to be cloned from the finalized LE GPO once that's proven on Susan Hicks' machine (DESKTOP-ROK7VNM).

## Open items / decisions needed from client

  • Confirm Christine Nyanzunda is one person, not two (resolved 2026-04-22 — one person, one account)
  • HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Maia Baker (all resolved 2026-04-22)
  • Espe Esperance identity (resolved 2026-05-16 — one person, legal name Niyonsaba Esperance, goes by Espe; account e.esperance@cascadestucson.com)
  • Create 37 caregiver AD accounts in OU=Caregivers (done 2026-05-16 — 37 created, 0 failed; temp password Cascades2026!)
  • Add all caregivers to SG-Caregivers (done 2026-05-16 — 37 added, 0 failed)
  • Ederick Yuzon first-name spelling — asked in 2026-04-22 email, still outstanding (created as Ederick from ALIS)
  • Christine Nyanzunda — Phase 2 handling (added 2026-05-14): exclude her from caregiver AD account creation (she already has accounts). Her existing cloud-only M365 account must be moved/synced as part of the office-staff migration, not the caregiver rollout. See the SYNC WATCH-POINT under "Conflict / verify before creating" above.
  • Reliable Agency shared-login short usernames (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins, per-person only)
  • Reliable Agency contract review — confirm staffing contract says caregivers work under Cascades direct clinical control (workforce) vs. agency-supervised (BA). Get individual caregiver names before any PHI access.
  • ALIS staff records (Meredith): UPDATE Espe Esperance record email to e.esperance@cascadestucson.com; ADD records for Kasey Flores (k.flores@), Jahmeka Clarke (j.clarke@), Gloria Williford (g.williford@)
  • ALIS Email = Entra UPN for all caregivers — set after accounts appear in M365 post-sync; required for ALIS SSO
  • M365 licensing — 38 net-new Business Premium licenses needed; Meredith purchase decision; up-front vs. waves?
  • ALIS BAA (Medtelligent) — Meredith to verify signed copy exists; if not, request from Medtelligent support
  • Reliable Agency per-person accounts — waiting on individual names; cannot create until received
  • Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy
  • Timeline expectations — tying this to the phone deployment and Business Premium purchase
  • Proposal: docs/proposals/m365-premium-upgrade.md — currently sized for 23 users; needs updating
  • MDM plan: docs/security/mdm.md — 25 phones + 9 iPads, ManageEngine; Intune Shared Device Mode is flagged as future
  • M365 current state: docs/cloud/m365.md
  • AD roster: docs/servers/active-directory.md
  • HIPAA program: docs/security/hipaa.md