3.1 KiB
name, description, type
| name | description | type |
|---|---|---|
| Cascades CA bypass — phased per-group rollout, NOT tenant-wide | Caregiver bypass CA policies are scoped to SG-Caregivers-Pilot only at start, then expanded one department at a time. Legacy all-users-MFA stays in place; we PATCH excludeGroups, never delete it during rollout. | project |
The Cascades caregiver bypass CA work is a phased rollout, not a tenant-wide policy swap. This corrects the original §5 design in clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md and the resume-point in 2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md, which both implied a tenant-wide cutover.
What this means concretely:
- New CA policies target
SG-Caregivers-Pilotonly (thenSG-Caregiversafter Entra Connect exits staging). They do NOT useincludeUsers: All. - The legacy
Require multifactor authentication for all userspolicy stays in place. We PATCH itsexcludeGroupsto add the pilot group, so existing office-staff behavior is unchanged. - Expansion to additional populations (front desk, clinical, admin staff) happens one group at a time post-pilot — each with its own scoped policy set, each by editing
excludeGroupson the legacy policy and addingincludeGroupsto the relevant new policies. - The legacy all-users-MFA policy is ONLY deleted at the very end, when every population is governed by a phased policy.
Why: Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, #3 in the original design hit all users — would have blocked any office user signing in off-site who wasn't in SG-External-Signin-Allowed. The btw replay he pasted contained the correct rescoping: "Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later." Phased preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics.
How to apply: When building or modifying Cascades CA policies, default to group-scoped (includeGroups), never includeUsers: All. When expanding to a new department, the steps are: (1) create the department's group, (2) PATCH legacy all-users-MFA to add it to excludeGroups, (3) add it to includeGroups on the relevant new policies. Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.
Caregiver set (the only set in scope today):
- PATCH
Require multifactor authentication for all users: addSG-Caregivers-Pilotto excludeGroups. - CREATE
CSC - Block caregivers off Cascades network(includeGroups: pilot, locations: not Cascades, grant: BLOCK). - CREATE
CSC - Block caregivers on non-compliant device(includeGroups: pilot, device filter isCompliant -eq False, grant: BLOCK). - CREATE
CSC - Caregiver sign-in frequency 8h(includeGroups: pilot, session control: 8h re-auth).
Note: for caregivers we use Block directly on non-compliant + off-network, not "Require MFA" — caregivers can't satisfy MFA (no personal device), so block is the cleaner UX. For non-caregiver populations later, MFA grants will likely be appropriate since office staff have MFA capability.