Howard Enos
56f7a53bf4
Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md. Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business plan tenants under the Microsoft Customer Agreement. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
20 KiB
20 KiB
Microsoft 365
Tenant Info
- Tenant Name: cascadestucson.com
- Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
- Primary Domain: cascadestucson.com
- onmicrosoft Domain: NETORGFT4257522.onmicrosoft.com
- Admin Portal URL: https://admin.microsoft.com
- Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
- DirSync / Entra Connect: Not configured (all accounts cloud-only) — PLANNED: Install Entra Connect for SSO
- HIPAA BAA: Covered by MCA — Microsoft Customer Agreement automatically includes the HIPAA BAA for Business plan subscribers (confirmed 2026-05-14, no separate acceptance needed)
- MFA: Not enabled — Security Defaults not configured
Licensing
| License Type | Total | Assigned | Available |
|---|---|---|---|
| Microsoft 365 Business Standard | 34 | 34 | 0 |
| Microsoft Entra ID P2 | 1 | 0 | 1 (unassigned — was Sandra Fish, available for testing) |
| Microsoft Power Automate Free | 10000 | 2 | 9998 |
| Microsoft Stream Trial | 1000000 | 0 | 1000000 |
| Exchange Online Essentials | — | 4 | — |
Note: Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses.
Planned expansion — caregiver rollout (not yet purchased)
Separate from the current 34 users, there are ~39 caregivers / med techs / CCGs with no current AD or M365 account who need identities + Conditional Access in order for the shared-phone + HIPAA story to actually work. Full roster, proposed UPNs, license math, and CA policy design are in docs/cloud/caregiver-m365-p2-rollout.md. Rough target: 61 total Business Premium licenses (23 existing staff post-cleanup + 38 net-new caregivers; Christine Nyanzunda overlaps and stays at one account). Do not create any of these accounts yet — documentation + proposal update first.
Staff-side P2 / anti-impersonation tracking
These are in-flight and feed the same Business Premium purchase decision:
docs/cloud/p2-staff-candidates.md— office staff who need P2 for PHI-in-email or home-access scenarios (Crystal confirmed Megan/Crystal/Tamra; John Trozzi gathering the rest)docs/cloud/m365-impersonation-protection.md— Defender anti-impersonation trusted partners + protected users (Megan's partner list captured; awaiting John's additions)
AD ↔ M365 Account Mapping
Matched Accounts (AD user → M365 mailbox)
| AD SamAccountName | M365 UPN | License | Notes |
|---|---|---|---|
(formerly AD howard) |
dax.howard@cascadestucson.com | Business Standard | Corrected 2026-04-22: the AD howard account was NOT Dax Howard — it was an orphan MSP-created account (display "howard", desc "Home Offie" typo) that was mistakenly mapped to Dax Howard's mailbox. AD account deleted 2026-04-22 (recoverable from AD Recycle Bin 180 days — ObjectGUID 2050d21f-7649-4033-b1fd-83cfc286b056). Dax Howard's M365 account has no AD counterpart and is cloud-only. cara.lespron@ alias is leftover from the former-employee Cara Lespron whose mailbox was repurposed to Dax Howard — strip this alias unless Dax confirms he still uses it. |
| sysadmin | sysadmin@cascadestucson.com | Power Automate Free | Display: "Computer Guru Support" — no mailbox license |
| Meredith.Kuhn | meredith.kuhn@cascadestucson.com | Business Standard | |
| John.Trozzi | john.trozzi@cascadestucson.com | Business Standard | |
| Lupe.Sanchez | lupe.sanchez@cascadestucson.com | Business Standard | |
| Megan.Hiatt | megan.hiatt@cascadestucson.com | Business Standard | |
| Crystal.Rodriguez | crystal.rodriguez@cascadestucson.com | Business Standard | Alias: crystal.suszek@ |
| Tamra.Johnson | tamra.matthews@cascadestucson.com | Business Standard | Rename AD to Tamra.Matthews — M365 already correct. Alias: tamra.johnson@ still works |
| Lois.Lane | lois.lane@cascadestucson.com | Business Standard | |
| Christina.DuPras | christina.dupras@cascadestucson.com | Business Standard | |
| Christine.Nyanzunda | christine.nyanzunda@cascadestucson.com | Business Standard | M365 last name: "Nyanzuda" (typo — AD has Nyanzunda) |
| Susan.Hicks | susan.hicks@cascadestucson.com | Business Standard | |
| Ashley.Jensen | ashley.jensen@cascadestucson.com | Business Standard + Power Automate Free | Alias: ashley.jenson@ |
| Veronica.Feller | veronica.feller@cascadestucson.com | Business Standard | |
| JD.Martin | jd.martin@cascadestucson.com | Business Standard | |
| alyssa.brooks | alyssa.brooks@cascadestucson.com | Business Standard | |
| Matt.Brooks | matthew.brooks@cascadestucson.com | Business Standard | AD: Matt, M365: Matthew |
| Ramon.Castaneda | ramon.castaneda@cascadestucson.com | Business Standard | Aliases: ramon.castanada@, ramon.casteneda@ (typos kept as aliases) |
| Sharon.Edwards | sharon.edwards@cascadestucson.com | Business Standard | |
| britney.thompson | Britney.Thompson@cascadestucson.com | Business Standard + Exchange Online Essentials | |
| ann.dery | ann.dery@cascadestucson.com | Business Standard | |
| strozzi (Shelby Trozzi) | Shelby.Trozzi@cascadestucson.com | Business Standard + Exchange Online Essentials | AD username doesn't match M365 format |
| karen.rossini | karen.rossini@cascadestucson.com | Business Standard | |
| lauren.hasselman | lauren.hasselman@cascadestucson.com | Business Standard | Created 2026-02-26 (recent hire, replaced Jeff Bristol) |
| Allison.Reibschied | Allison.Reibschied@cascadestucson.com | Business Standard | Accounting Assistant (new hire 2026-03) |
AD Accounts with NO M365 Match
| AD SamAccountName | Type | Action Needed |
|---|---|---|
| Administrator | Built-in | None needed |
| localadmin | Admin | None needed |
| Sebastian.Leon | User | Front Desk/Courtesy Patrol — needs M365 account if they use email |
| Michelle.Shestko | User | MC Front Desk — keep as Shestko. Needs M365 account if they use email |
| Alyssa.Shestko (now Alyssa Brooks) | User | Rename to Alyssa.Brooks in AD. This is the real account. M365 already alyssa.brooks@. Duplicate lowercase alyssa.brooks in CN=Users to be deleted. |
| Guadalupe.Sanchez | User | Housekeeping — already has M365 as lupe.sanchez@cascadestucson.com |
| Sheldon.Gardfrey | User | Front Desk/Courtesy Patrol — needs M365 if they use email |
| Cathy.Kingston | User | Front Desk/Courtesy Patrol — needs M365 if they use email |
| Shontiel.Nunn | User | Transferring soon — keep for now |
| Ray.Rai | User | Front Desk/Courtesy Patrol — needs M365 if they use email |
| Richard.Adams | User | Transportation — needs M365 if they use email |
| Julian.Crim | User | Transportation — needs M365 if they use email |
| Christopher.Holik | User | Transportation — needs M365 if they use email |
| QBDataServiceUser34 | Service | None needed |
| Culinary | Shared/Generic | None needed (AD shared account) |
| Receptionist | Shared/Generic | Maps to frontdesk@cascadestucson.com? |
| saleshare | Shared/Generic | None needed |
| directoryshare | Shared/Generic | None needed |
M365 Accounts with NO AD Match
Real users (need AD accounts created or are new hires)
| M365 Display Name | UPN | License | Notes |
|---|---|---|---|
| Kristiana Dowse | kristiana.dowse@cascadestucson.com | Business Standard | DELETE — HR confirmed not current employee. Remove license + delete account |
| nick pavloff | nick.pavloff@cascadestucson.com | Business Standard | Created 2026-03-07 — new hire, needs AD account |
Role-Based Accounts — Convert to Shared Mailboxes (saves ~$125/mo)
All of these are currently licensed user accounts. Convert to shared mailboxes (free) and remove licenses. Then assign members from AD-synced accounts.
| M365 Display Name | UPN | Current License | Action | Members (after conversion) |
|---|---|---|---|---|
| Accounting Dept. | accounting@cascadestucson.com | Business Standard | Convert to shared | Ashley.Jensen, lauren.hasselman |
| Accounting Assistant | accountingassistant@cascadestucson.com | Business Standard | Convert to shared | Allison.Reibschied |
| Bookkeeping Office | boadmin@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Front Desk | frontdesk@cascadestucson.com | Business Standard | Convert to shared | Cathy.Kingston, Shontiel.Nunn, Kyla.QuickTiffany, Sebastian.Leon, Sheldon.Gardfrey, Ray.Rai |
| Human Resources | hr@cascadestucson.com | Business Standard | Convert to shared | Meredith.Kuhn |
| MemCare Receptionist | memcarereceptionist@cascadestucson.com | Business Standard | Convert to shared | Michelle.Shestko, Matt.Brooks |
| Security Cascades | security@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Training | Training@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Nurse | nurse@cascadestucson.com | Exchange Online Essentials | Convert to shared | Lois.Lane, Karen.Rossini, britney.thompson |
| medtech | medtech@cascadestucson.com | Exchange Online Essentials | Convert to shared | TBD |
| transportation | transportation@cascadestucson.com | Exchange Online Essentials | Convert to shared | Richard.Adams, Julian.Crim, Christopher.Holick |
| AppleID | Kitchenipad@cascadestucson.com | Unlicensed | Keep as-is | Device account. Alias: ipad@ |
Courtesy Patrol Shared Mailbox (NEW)
- Create: courtesypatrol@cascadestucson.com as shared mailbox
- Members: Sebastian.Leon, Sheldon.Gardfrey
License Plan After Cleanup
Full Business Standard License (own mailbox + Office apps)
Staff with first.last@cascadestucson.com personal mailboxes:
| Employee | UPN |
|---|---|
| Howard Dax | dax.howard@ |
| Meredith Kuhn | meredith.kuhn@ |
| John Trozzi | john.trozzi@ |
| Megan Hiatt | megan.hiatt@ |
| Crystal Rodriguez | crystal.rodriguez@ |
| Tamra Matthews | tamra.matthews@ |
| Lois Lane | lois.lane@ |
| Christina DuPras | christina.dupras@ |
| Christine Nyanzunda | christine.nyanzunda@ |
| Susan Hicks | susan.hicks@ |
| Ashley Jensen | ashley.jensen@ |
| Veronica Feller | veronica.feller@ |
| JD Martin | jd.martin@ |
| Alyssa Brooks | alyssa.brooks@ |
| Matt Brooks | matthew.brooks@ |
| Ramon Castaneda | ramon.castaneda@ |
| Sharon Edwards | sharon.edwards@ |
| Britney Thompson | britney.thompson@ |
| Shelby Trozzi | shelby.trozzi@ |
| Karen Rossini | karen.rossini@ |
| Guadalupe Sanchez | lupe.sanchez@ |
| Lauren Hasselman | lauren.hasselman@ |
| Allison Reibschied | allison.reibschied@ |
| Total: 23 licenses |
No License — Shared Mailbox Access Only (browser via SSO)
AD account + Entra sync, no M365 license. Access shared mailboxes via outlook.office.com.
| Employee | Position | Shared Mailbox Access |
|---|---|---|
| Sebastian Leon | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Sheldon Gardfrey | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Cathy Kingston | Receptionist | Frontdesk@ |
| Shontiel Nunn | Receptionist | Frontdesk@ |
| Kyla Quick Tiffany | Receptionist | Frontdesk@ |
| Ray Rai | Courtesy Patrol | Frontdesk@ |
| Richard Adams | Driver | Transportation@ |
| Julian Crim | Driver | Transportation@ |
| Christopher Holick | Driver | Transportation@ |
| Michelle Shestko | MC Receptionist | Memcarereceptionist@ |
| Total: 10 users, 0 licenses |
License Savings
- Current: 34 Business Standard (all allocated)
- After cleanup: 23 Business Standard needed
- 11 licenses freed (~$137.50/month saved)
External guest accounts
| Display Name | Source | Notes |
|---|---|---|
| a.r.jensen018 | a.r.jensen018@gmail.com | Ashley Jensen's personal? |
| Debora Morris | deboram@teepasnow.com | External partner |
| duprasc2002 | duprasc2002@yahoo.com | Christina DuPras personal? Created 2026-03-04 |
| Typo of howard — already deleted (not present in tenant as of 2026-04-22) | ||
DELETED 2026-04-22 — external guest for Howard Enos (MSP). Removed per Howard's decision; MSP admin access preserved via sysadmin@cascadestucson.com (has Global Admin). |
||
| karenrossini7 | karenrossini7@gmail.com | Karen Rossini's personal? |
Blocked / former employee accounts in M365
| Display Name | UPN | Sign-in Blocked | Notes |
|---|---|---|---|
DELETED 2026-04-22 — orphan cleanup. Soft-delete recoverable 30 days (id 8ec8248a-46e8-4771-9220-047887928777). |
|||
DELETED 2026-04-22 — orphan cleanup. Soft-delete recoverable 30 days (id 84cef8a2-6988-44ea-bf20-a72fe622750d). |
|||
| Stephanie Devin | Stephanie.Devin@cascadestucson.com | Yes | Former? Unlicensed, blocked. Ask Meredith before deleting. |
Tenant admin
| Display Name | UPN | License | Notes |
|---|---|---|---|
| — | Confirmed absent 2026-04-22 — already deleted at some point. No further action. |
Shared Mailboxes
| Name | Notes | |
|---|---|---|
DELETED 2026-04-22 — orphan cleanup. Soft-delete recoverable 30 days (id 06aa2955-f124-447d-8a16-cc7779aaf28f). |
||
| Fax Cascades | fax@cascadestucson.com | Fax-to-email service |
| (see Blocked section — deleted 2026-04-22) | ||
| (see Blocked section — deleted 2026-04-22) |
Exchange Online
- Mail Domain(s): cascadestucson.com
- MX Record Points To: TBD (check DNS)
- SPF Record: TBD
- DKIM Enabled: TBD
- DMARC Policy: TBD
- Distribution Groups: TBD (6 groups shown in tenant summary)
- Mail Flow Rules: TBD
Entra ID (Azure AD)
- Hybrid Joined: No — DirSync not enabled on any account — PLANNED: Entra Connect install on CS-SERVER
- Azure AD Connect Server: None (planned: CS-SERVER)
- MFA Enforced: TBD
- Conditional Access Policies: TBD
- Total Users: 51 (24 licensed individual, 12 generic/role, 6 external guests, 4 blocked/former, 1 admin, 4 shared mailboxes)
- Total Devices: 88
Entra Connect — SSO Setup Plan
What It Does
Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account and Office/Edge/Outlook auto-sign-in with their M365 identity. Single sign-on, one password.
Prerequisites (MUST complete before install)
- AD account cleanup — all the renames, deletions, and duplicate fixes MUST be done first. Entra Connect syncs what's in AD, so AD must be clean.
- Rename Tamra.Johnson → Tamra.Matthews
- Rename Alyssa.Shestko → Alyssa.Brooks + delete lowercase duplicate
alyssa.brooks - Rename strozzi → Shelby.Trozzi (match M365 UPN)
- Fix Christopher.Holik → Christopher.Holick (HR spelling)
- Create account for Kyla Quick Tiffany (Resident Services Receptionist)
- Delete confirmed former employees (Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez)
- Disable/delete non-current accounts (Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks lowercase)
- Fix Matt.Brooks vs matthew.brooks@ UPN mismatch
- UPN suffix — Add
cascadestucson.comas UPN suffix in AD so AD usernames match M365 emails - M365 role-based accounts — Convert to shared mailboxes BEFORE sync to avoid sync conflicts
- Kristiana Dowse — Delete from M365 before sync
- Verify CS-SERVER meets requirements — Server 2016+, .NET 4.7.2+, SQL Express (installs with Entra Connect)
Install Steps
- Add UPN suffix
cascadestucson.comto AD (AD Domains and Trusts) - Update all synced users' UPN to
firstname.lastname@cascadestucson.com - Download Entra Connect from Entra admin center
- Install on CS-SERVER
- Choose Password Hash Sync (simplest, most reliable)
- Scope sync to
OU=Departmentsonly (exclude service accounts, shared accounts, computers) - Enable Seamless SSO
- Test with one user before full sync
What Gets Synced
- All user accounts in OU=Departments → Entra ID
- Passwords hash-synced (user keeps same password for AD + M365)
- NOT synced: computer accounts, service accounts, shared/generic accounts (Culinary, Receptionist, saleshare, directoryshare)
- All synced users get Entra ID accounts but NOT all get licenses
- Licensed users (23): personal mailbox + Office apps
- Unlicensed users (10): SSO sign-in to shared mailboxes via browser only — no Office install, no personal mailbox
What Changes for Users
- Log into Windows → Office, Outlook, Edge, OneDrive auto-sign-in
- One password for everything (change in AD, M365 follows)
- MFA can be enforced via Entra Conditional Access after sync
Risks
- If AD is dirty (duplicates, mismatches), sync will create duplicate M365 accounts or fail
- Shared/generic accounts (Culinary, Receptionist) should NOT sync — exclude from scope
- Must coordinate: once sync is on, AD becomes the source of truth for identity
Issues Found
- 0 licenses available — Business Standard is 34/34. Cannot add new users without purchasing more.
- Tamra Johnson → Matthews name mismatch — M365 updated to married name, AD still says Johnson. Update AD to match.
- 13 AD users have no M365 account — May not need email (hourly staff?) but verify onsite.
- 12 generic/role-based M365 accounts eating licenses — accounting@, frontdesk@, hr@, etc. each consume a Business Standard license ($12.50/mo). Should convert to shared mailboxes (free) if nobody logs into them directly.
- "howaed" external guest — Typo duplicate of howard. Delete.
- 3 former employee shared mailboxes — Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi. Decide: keep for mail history, forward, or delete.
- Sandra Fish is global admin — Previous owner/manager. Verify she should still have admin access.
- cara.lespron@ alias on Howard's mailbox — Former employee's mailbox was repurposed. Remove alias if no longer needed.
- Kristiana Dowse — Licensed in M365 but not in AD. Verify: current employee or former?
- nick pavloff — Created 2026-03-07 (yesterday). New hire — needs AD account.
- sysadmin has no mailbox license — Only Power Automate Free. May need Exchange if used for email.
- Microsoft BAA — covered by MCA (resolved 2026-05-14) — Microsoft HIPAA BAA is automatically included in the Microsoft Customer Agreement for Business plan subscribers. No separate acceptance step is available or required for this subscription type.
- No MFA enabled — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
- Microsoft Teams not deployed or HIPAA-configured — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. Rollout plan + test plan:
docs/cloud/teams-rollout.md(Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test).
Notes
- Previous MSP/admin created many role-based accounts as regular licensed users instead of shared mailboxes. This wastes licenses.
- No Entra Connect / hybrid join — AD and M365 are completely separate identity systems. Users have different passwords for each.
- Shared workstation plan (GPO 6) needs: reception shared mailbox created, tenant domain is cascadestucson.com.