Files
claudetools/.claude/memory/project_cascades_ca_phased_rollout.md
Mike Swanson 0daa7951b3 sync: auto-sync from GURU-5070 at 2026-06-02 07:25:49
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 07:25:49
2026-06-02 07:25:55 -07:00

3.1 KiB

name, description, type
name description type
Cascades CA bypass — phased per-group rollout, NOT tenant-wide Caregiver bypass CA policies are scoped to SG-Caregivers-Pilot only at start, then expanded one department at a time. Legacy all-users-MFA stays in place; we PATCH excludeGroups, never delete it during rollout. project

The Cascades caregiver bypass CA work is a phased rollout, not a tenant-wide policy swap. This corrects the original §5 design in clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md and the resume-point in 2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md, which both implied a tenant-wide cutover.

What this means concretely:

  • New CA policies target SG-Caregivers-Pilot only (then SG-Caregivers after Entra Connect exits staging). They do NOT use includeUsers: All.
  • The legacy Require multifactor authentication for all users policy stays in place. We PATCH its excludeGroups to add the pilot group, so existing office-staff behavior is unchanged.
  • Expansion to additional populations (front desk, clinical, admin staff) happens one group at a time post-pilot — each with its own scoped policy set, each by editing excludeGroups on the legacy policy and adding includeGroups to the relevant new policies.
  • The legacy all-users-MFA policy is ONLY deleted at the very end, when every population is governed by a phased policy.

Why: Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, #3 in the original design hit all users — would have blocked any office user signing in off-site who wasn't in SG-External-Signin-Allowed. The btw replay he pasted contained the correct rescoping: "Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later." Phased preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics.

How to apply: When building or modifying Cascades CA policies, default to group-scoped (includeGroups), never includeUsers: All. When expanding to a new department, the steps are: (1) create the department's group, (2) PATCH legacy all-users-MFA to add it to excludeGroups, (3) add it to includeGroups on the relevant new policies. Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.

Caregiver set (the only set in scope today):

  • PATCH Require multifactor authentication for all users: add SG-Caregivers-Pilot to excludeGroups.
  • CREATE CSC - Block caregivers off Cascades network (includeGroups: pilot, locations: not Cascades, grant: BLOCK).
  • CREATE CSC - Block caregivers on non-compliant device (includeGroups: pilot, device filter isCompliant -eq False, grant: BLOCK).
  • CREATE CSC - Caregiver sign-in frequency 8h (includeGroups: pilot, session control: 8h re-auth).

Note: for caregivers we use Block directly on non-compliant + off-network, not "Require MFA" — caregivers can't satisfy MFA (no personal device), so block is the cleaner UX. For non-caregiver populations later, MFA grants will likely be appropriate since office staff have MFA capability.