Howard Enos 95ad40bdbe cascades: document Teams rollout + HIPAA test plan
Lauren Hasselman could not create a Teams group on 2026-05-05.
Diagnostic confirmed the block is at the Teams Admin policy layer
(intentional, gated on HIPAA prerequisites in m365.md issues #12-#14),
not an Entra/M365-Group permissions defect. New teams-rollout.md
captures prerequisites, HIPAA config checklist, canary test plan
(Lauren as primary canary), and exit criteria. Linked from m365.md
issue #14.
2026-05-05 22:01:28 -07:00


Microsoft Teams Rollout (Cascades)

Status: Not deployed. Gated on Microsoft BAA + HIPAA policy decisions (see m365.md issues #12, #13, #14).
Owner: Howard (MSP)
Created: 2026-05-05

Why this doc exists

On 2026-05-05, Lauren Hasselman (Business Office Director, lauren.hasselman@cascadestucson.com) reported she could not create a Teams group. Diagnostic ruled out Entra/M365-Group-layer restrictions:

  • Account enabled, Microsoft Teams service plan (57ff2da0-773e-42df-b2af-ffb7a2317929) assigned + enabled
  • Tenant groupSettings empty -> Microsoft defaults apply -> EnableGroupCreation = true for all users
  • No GroupCreationAllowedGroupId restriction set
  • No sensitivity-label-required gating
  • Lauren has no directory roles and no group memberships (normal user, no special grant needed)

Conclusion: the block is on the Teams side (Teams Admin Center configuration), not in Graph/Entra. This is expected and intentional: Teams is supposed to be off until the HIPAA gates clear. One caveat before the test plan runs: neither CsTeamsChannelsPolicy nor CsTeamsMessagingPolicy has a per-user switch for creating a standard team (the channels policy covers org-wide team creation, private/shared channel creation and private-team discovery), so the exact control that hides or denies "Create team" for Lauren should be identified and recorded in m365.md; otherwise the canary could pass or fail for a reason unrelated to the setting we change. When we roll Teams out, Lauren's case is the canary test.
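The checks above as a repeatable script, added here as an example and not part of the original doc or the MSP's tooling. It reproduces the 2026-05-05 diagnostic for one user with the Microsoft.Graph SDK (2.x) and MicrosoftTeams modules and prints each finding next to the value this doc expects; the UPN and the TEAMS1 service plan GUID are the ones cited above, the Graph scopes and module versions are assumptions.

```powershell
# Added example, not from the original doc: reproduce the 2026-05-05 diagnostic
# for one user. Assumes Microsoft.Graph SDK 2.x, the MicrosoftTeams module, and
# an account with Directory.Read.All plus Teams admin rights. The UPN and the
# TEAMS1 plan GUID are the values cited in this doc.
param([string]$Upn = 'lauren.hasselman@cascadestucson.com')

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups -ErrorAction Stop
Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All' -NoWelcome
Connect-MicrosoftTeams | Out-Null

$teamsPlanId = '57ff2da0-773e-42df-b2af-ffb7a2317929'   # TEAMS1
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Value, $Expected) {
    $findings.Add([pscustomobject]@{
        Check = $Check; Value = "$Value"; Expected = $Expected; OK = ("$Value" -eq $Expected)
    })
}

# 1. Account enabled?
$user = Get-MgUser -UserId $Upn -Property Id,AccountEnabled
Add-Finding 'AccountEnabled' $user.AccountEnabled 'True'

# 2. Teams service plan assigned AND provisioned. An assigned-but-Disabled plan
#    is a common cause of "no Teams" that looks like a policy block.
$plan = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans |
        Where-Object ServicePlanId -eq $teamsPlanId
Add-Finding 'TeamsPlanPresent' ([bool]$plan) 'True'
Add-Finding 'TeamsPlanStatus' ($plan.ProvisioningStatus -join ',') 'Success'

# 3. Tenant M365 Groups creation settings (Group.Unified template). No settings
#    object at all means Microsoft defaults apply: creation on, no gate group.
$v = @{ EnableGroupCreation = 'true'; GroupCreationAllowedGroupId = '' }
$unified = Get-MgGroupSetting | Where-Object DisplayName -eq 'Group.Unified'
if ($unified) { $unified.Values | ForEach-Object { $v[$_.Name] = $_.Value } }
Add-Finding 'EnableGroupCreation'         $v['EnableGroupCreation']         'true'
Add-Finding 'GroupCreationAllowedGroupId' $v['GroupCreationAllowedGroupId'] ''

# 4. Directory roles and group memberships (both expected empty for Lauren).
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All
$roles  = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' })
$groups = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
Add-Finding 'DirectoryRoleCount'   $roles.Count  '0'
Add-Finding 'GroupMembershipCount' $groups.Count '0'

# 5. Teams side: which channels/messaging policy instances apply to this user
#    (empty = Global). These Identities are what m365.md should record.
$cs = Get-CsOnlineUser -Identity $Upn
$findings.Add([pscustomobject]@{ Check = 'TeamsChannelsPolicy';  Value = "$($cs.TeamsChannelsPolicy)";  Expected = '(record)'; OK = $null })
$findings.Add([pscustomobject]@{ Check = 'TeamsMessagingPolicy'; Value = "$($cs.TeamsMessagingPolicy)"; Expected = '(record)'; OK = $null })

$findings | Format-Table -AutoSize
```

Any row with OK = False contradicts the conclusion above and should be explained before moving on to the Teams-side controls; the two policy rows have no expected value because the point is to record which policy instance the user actually receives.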

Prerequisites (must be true before rollout begins)

  • Microsoft BAA signed (m365.md issue #12) -- M365 Admin Center > Settings > Org Settings > Security & Privacy > HIPAA BAA
  • MFA / Security Defaults or Conditional Access enforced (m365.md issue #13)
  • Decision on caregiver M365 P2 rollout (docs/cloud/caregiver-m365-p2-rollout.md) -- determines who gets Teams, with what license
  • Decision on whether Teams replaces or complements existing comms (Synology Chat is currently used)

HIPAA-required Teams configuration (apply before unblocking creation)

Configure in Teams Admin Center (https://admin.teams.microsoft.com) and Purview compliance portal. Document each policy's Identity so future drift is detectable.

Messaging / chat

  • Retention policy for chat + channel messages + meeting recordings (Purview > Data Lifecycle Management). Default decision: 7 years for anything that could touch PHI; 90 days for general operational chat (separate policy on a sensitivity label or by team).
  • DLP policy flagging SSN, MRN, DOB+name combinations, ALIS resident IDs in chat + channel posts. SSN has a built-in sensitive info type; MRN and ALIS resident IDs need custom ones (regex + supporting keywords). Action: block + notify sender, audit log.
  • External access (federation): Disable by default. Allow specific partner domains only if a business case exists.
  • Guest access: Disable.

Meetings

  • Recording consent banner: Enabled.
  • Auto-record: OFF.
  • Recording storage: OneDrive/SharePoint of the organizer (default) -- review against the retention policy under "Messaging / chat" above, since recordings live in OneDrive/SharePoint locations rather than in the Teams chat location.
  • Anonymous join: Disabled or restricted.
  • Lobby: Everyone except org users waits in lobby.

Telephony

  • No Teams Phone / PSTN calling planned at this time. If added later, voicemail transcripts are PHI risk -- review storage location.
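The Messaging, Meetings and Telephony decisions above applied with the MicrosoftTeams PowerShell module, followed by a drift check, added here as an example; this is not code from the original doc or the MSP. It assumes a Teams admin session and the current module's parameter names; the snapshot file name is an assumption. The Purview retention and DLP policies (first two Messaging bullets) are configured in the compliance portal and are not covered by this block.

```powershell
# Added example, not from the original doc: apply the Teams-side decisions
# above with the MicrosoftTeams module, then snapshot the live values so a
# later run can flag drift. Assumes a Teams admin session and current module
# parameter names; the snapshot file name is an assumption.
Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MicrosoftTeams | Out-Null

# External access (federation): off, including Teams consumer (personal)
# accounts. A partner domain later means -AllowFederatedUsers $true plus an
# explicit -AllowedDomains list, never "allow all external domains".
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false

# Guest access: off.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# Meetings: recording stays possible but every attendee gets the explicit
# consent prompt; anonymous join off; everyone outside the org waits in lobby.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowCloudRecording $true `
    -ExplicitRecordingConsent Enabled `
    -AllowAnonymousUsersToJoinMeeting $false `
    -AutoAdmittedUsers EveryoneInCompany

# Drift check. Each policy's Identity is part of the snapshot, as this doc asks.
function Get-TeamsHipaaSnapshot {
    $fed  = Get-CsTenantFederationConfiguration
    $cli  = Get-CsTeamsClientConfiguration -Identity Global
    $meet = Get-CsTeamsMeetingPolicy -Identity Global
    [ordered]@{
        Federation_AllowFederatedUsers   = $fed.AllowFederatedUsers
        Federation_AllowTeamsConsumer    = $fed.AllowTeamsConsumer
        Federation_AllowedDomains        = "$($fed.AllowedDomains)"
        Client_Identity                  = "$($cli.Identity)"
        Client_AllowGuestUser            = $cli.AllowGuestUser
        Meeting_Identity                 = "$($meet.Identity)"
        Meeting_AllowCloudRecording      = $meet.AllowCloudRecording
        Meeting_ExplicitRecordingConsent = "$($meet.ExplicitRecordingConsent)"
        Meeting_AllowAnonymousJoin       = $meet.AllowAnonymousUsersToJoinMeeting
        Meeting_AutoAdmittedUsers        = "$($meet.AutoAdmittedUsers)"
    }
}

$snapshotPath = '.\teams-hipaa-snapshot.json'   # commit this next to m365.md
$current = Get-TeamsHipaaSnapshot
if (Test-Path $snapshotPath) {
    $baseline = Get-Content $snapshotPath -Raw | ConvertFrom-Json
    $drift = 0
    foreach ($k in $current.Keys) {
        if ("$($baseline.$k)" -ne "$($current[$k])") {
            Write-Warning "DRIFT $k : baseline='$($baseline.$k)' live='$($current[$k])'"
            $drift++
        }
    }
    if ($drift -eq 0) { Write-Host 'No drift from baseline.' }
} else {
    [pscustomobject]$current | ConvertTo-Json | Set-Content $snapshotPath
    Write-Host "Baseline written to $snapshotPath"
}
```

The first run writes the baseline; every later run (for example a scheduled task on the MSP jump host) compares the live tenant against it and warns on any difference, which is the cheapest way to notice someone re-enabling guest access or federation from the admin center.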

Team / channel creation policy

  • Global CsTeamsChannelsPolicy -- decide:
    • AllowOrgWideTeamCreation -- recommend False (only admins create org-wide teams)
    • Standard/private team creation is not a CsTeamsChannelsPolicy setting; it follows the Entra M365 Groups setting (Group.Unified template, EnableGroupCreation / GroupCreationAllowedGroupId). Recommend: allowed for licensed staff, gated by an Entra security group.
  • If gating creation to a security group: create the M365-TeamCreators security group, populate it with the department heads (Meredith, Lauren, John, Crystal, Megan, Tamra, Ashley), then set groupSettings EnableGroupCreation=false and GroupCreationAllowedGroupId=<group-id>. This gate applies to every M365 Group (Outlook groups, Planner plans, SharePoint team sites), not only Teams, and admin roles such as Global, User, Teams, SharePoint and Exchange Administrator remain exempt. Document in m365.md.
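The gating steps above as one idempotent script, added here as an example and not part of the original doc. It uses the Microsoft.Graph SDK (2.x) to create the M365-TeamCreators group, add members, and create or update the Group.Unified settings object; it also sets AllowOrgWideTeamCreation on the Global channels policy. Only Lauren's UPN appears in this doc, so the member list is a parameter to be filled from m365.md; the Graph scopes are assumptions, and the template id is Microsoft's fixed value for Group.Unified.

```powershell
# Added example, not from the original doc: gate M365 Group (and therefore
# Team) creation to the M365-TeamCreators security group via the Group.Unified
# settings template. Assumes Microsoft.Graph SDK 2.x with Group.ReadWrite.All
# and Directory.ReadWrite.All, plus a Teams admin session for the channels
# policy. Only Lauren's UPN is known from this doc; add the other department
# heads' UPNs from m365.md.
param(
    [string[]]$Members   = @('lauren.hasselman@cascadestucson.com'),
    [string]  $GroupName = 'M365-TeamCreators'
)
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, MicrosoftTeams -ErrorAction Stop
Connect-MgGraph -Scopes 'Group.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome

# 1. Security group (reused if it already exists).
$creators = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $creators) {
    $creators = New-MgGroup -DisplayName $GroupName -MailNickname $GroupName `
        -MailEnabled:$false -SecurityEnabled:$true `
        -Description 'Allowed to create M365 Groups / Teams (see teams-rollout.md)'
}
$existing = @(Get-MgGroupMember -GroupId $creators.Id -All | ForEach-Object Id)
foreach ($upn in $Members) {
    $u = Get-MgUser -UserId $upn -Property Id
    if ($u.Id -notin $existing) { New-MgGroupMember -GroupId $creators.Id -DirectoryObjectId $u.Id }
}

# 2. Group.Unified settings object: built from the template's defaults if the
#    tenant has none yet (the state the diagnostic found), else updated in place.
$templateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'   # Group.Unified
$overrides  = @{ EnableGroupCreation = 'false'; GroupCreationAllowedGroupId = $creators.Id }
$setting    = Get-MgGroupSetting | Where-Object TemplateId -eq $templateId

if (-not $setting) {
    $template = Get-MgGroupSettingTemplate -GroupSettingTemplateId $templateId
    $values = foreach ($tv in $template.Values) {
        $val = if ($overrides.ContainsKey($tv.Name)) { $overrides[$tv.Name] } else { $tv.DefaultValue }
        @{ Name = $tv.Name; Value = $val }
    }
    $setting = New-MgGroupSetting -TemplateId $templateId -Values $values
} else {
    $values = foreach ($sv in $setting.Values) {
        $val = if ($overrides.ContainsKey($sv.Name)) { $overrides[$sv.Name] } else { $sv.Value }
        @{ Name = $sv.Name; Value = $val }
    }
    Update-MgGroupSetting -GroupSettingId $setting.Id -Values $values
}

# 3. Org-wide teams stay admin-only (Teams-side policy, separate from the gate).
Connect-MicrosoftTeams | Out-Null
Set-CsTeamsChannelsPolicy -Identity Global -AllowOrgWideTeamCreation $false

# 4. Print what the tenant now reports; these values go into m365.md.
(Get-MgGroupSetting -GroupSettingId $setting.Id).Values |
    Where-Object Name -in 'EnableGroupCreation','GroupCreationAllowedGroupId' |
    Format-Table Name, Value -AutoSize
(Get-CsTeamsChannelsPolicy -Identity Global).AllowOrgWideTeamCreation
```

The script copies the template's default values when creating the settings object rather than sending only the two keys, which is the shape Graph expects for a new Group.Unified object; on later runs it preserves whatever other values are already set. Expect a short propagation delay before the Teams client hides "Create team" for users outside the group.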

Test plan (run when policies are in place, before announcing to staff)

For each test user, sign in to Teams web (teams.microsoft.com) in a private window with their own credentials, with the user present to authenticate (do not collect or share passwords). Record pass/fail and the exact UI text.

Canary test users

| User | Role | Why included |
| --- | --- | --- |
| Lauren Hasselman | Business Office Director | Original reporter (2026-05-05). Must succeed. |
| Meredith Kuhn | Asst Manager | Department head -- expected creator |
| John Trozzi | (role) | Department head -- expected creator |
| Ashley Jensen | Accounting | Same dept as Lauren -- regression check |
| Sebastian Leon | Courtesy Patrol (unlicensed, shared-mailbox-only user) | Negative test -- should NOT be able to create teams (no Teams license) |

Test cases

  1. Create a private team from scratch

    • Steps: Teams left rail > Teams > Join or create a team > Create team > From scratch > Private > name starting with "TEST-" (so the cleanup step can find it)
    • Expect (licensed users): team is created, user becomes owner.
    • Expect (Sebastian): "Create a team" option missing OR error stating creation isn't allowed.
  2. Create a team from an existing M365 group

    • Pre-req: an existing M365 group the user owns. A plain distribution list cannot be turned into a team unless it is upgraded to an M365 group first.
    • Expect: same as #1 for licensed users.
  3. Create a channel within an existing team

    • Confirm AllowCreateUpdateChannels matches policy decision.
  4. Add a guest (only if guest access is intentionally enabled)

    • Expect: blocked unless org explicitly allows.
  5. Send a chat with mock PHI (e.g. fake SSN 123-45-6789 and a fake MRN string)

    • Expect: DLP policy blocks or warns per configured action.
    • If nothing fires, confirm that the sensitive info type actually matches the test value (Purview lets you test a SIT against sample text) before concluding the policy is broken; a value that fails the SIT's pattern or exclusion rules is a bad test input, not a policy failure.
  6. Start a meeting and attempt to record

    • Expect: consent banner appears for all attendees.

Exit criteria

  • All licensed canaries pass tests 1, 2, 3 with no error.
  • Unlicensed canary (Sebastian) gets a clean "not allowed" experience -- no confusing partial UI.
  • DLP test (#5) fires the configured action and writes to audit log (verify in Purview).
  • Recording consent banner shows on test meeting.

Only after all of the above pass do we announce Teams availability to staff.

Cleanup after testing

  • Delete TEST-* teams created during canary tests.
  • Document final policy Identity values + groupSettings config in m365.md under a new "Teams Configuration" section.
  • Replace this doc's "Status: Not deployed" banner with deployment date + summary of policy decisions made.

References

  • m365.md issues #12 (BAA), #13 (MFA), #14 (Teams not deployed)
  • docs/cloud/caregiver-m365-p2-rollout.md -- license + identity rollout that determines Teams audience
  • Microsoft: https://learn.microsoft.com/microsoftteams/policy-assignment-overview
  • Microsoft: https://learn.microsoft.com/microsoft-365/solutions/groups-services-interactions (Teams + Group + SharePoint interaction)