Files
claudetools/clients/cascades-tucson/docs/proposals/m365-premium-upgrade.md
Howard Enos 121ba75fda import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00

6.4 KiB

Proposal: Microsoft 365 Business Premium Upgrade

Cascades Tucson — Shared Phone Deployment & Security Upgrade

Prepared by: Howard Enos, MSP Date: April 14, 2026


The Problem

Cascades is deploying 25 shared phones so employees can access ALIS (medical records) and email without relying on shared computers. This improves HIPAA compliance by giving each employee their own login.

However, the current Microsoft 365 plan creates several challenges:

  1. Every time an employee picks up a phone, they must manually log into ALIS, Outlook, and other apps — each with separate MFA prompts
  2. No way to automatically clear data when one employee hands a phone to another — risk of PHI exposure
  3. No way to skip MFA on trusted devices — employees get frustrated, find workarounds, or share logins (HIPAA violation)
  4. No centralized phone management — no remote wipe, no app enforcement, no compliance monitoring

The Solution: Microsoft 365 Business Premium

Upgrading from Business Standard to Business Premium unlocks:

1. Shared Phone Mode (Microsoft Intune)

  • Employee picks up any phone and taps Sign In
  • Enters their username and password (same as their PC login)
  • ALIS, Outlook, and Edge auto-sign-in — no separate logins needed
  • When done, employee taps Sign Out — phone wipes all data automatically
  • Next employee gets a clean phone. User switch takes ~30 seconds.

2. Skip MFA on Company Devices (Conditional Access)

  • Managed phones on the Cascades network are automatically trusted
  • No MFA prompts for employees using company phones at work
  • MFA still required if someone tries to log in from an unknown device or location
  • ALIS uses Microsoft Entra as its identity provider — one sign-in covers everything

3. Full HIPAA Audit Trail

  • Every sign-in logged: who, which device, when, where
  • Compliance dashboard shows which devices meet security requirements
  • Automatic alerts for non-compliant devices

4. Additional Security (included at no extra cost)

Feature What it does
Microsoft Defender for Business Advanced threat protection on all PCs and phones
Data Loss Prevention (DLP) Prevents PHI from being emailed or shared outside the organization
Remote Wipe Instantly wipe a lost or stolen phone from the admin portal
App Management Push required apps, block unauthorized apps, force updates
Conditional Access Location and device-based security policies

What Changes for Employees

Today After Upgrade
Pick up phone, manually log into each app Pick up phone, sign in once — everything works
MFA prompt every time (SMS code from personal phone) No MFA on company phones at work
Previous user's data may still be on the phone Auto-wipe on sign out — clean phone every time
Log into ALIS separately with username + password + MFA ALIS auto-signs in via SSO — no extra steps
2-5 minutes to get working on a phone ~30 seconds

Cost Breakdown

Current Monthly Cost

Item Users Rate Monthly
M365 Business Standard 34 $12.50 $425.00
Total $425.00

Proposed Monthly Cost

Item Users Rate Monthly
M365 Business Premium 23 $22.00 $506.00
Unlicensed users (shared mailbox only) 10 $0.00 $0.00
Total $506.00

Savings from Cleanup (already planned)

Item Monthly Savings
Convert 11 role-based accounts to free shared mailboxes -$137.50
(accounting@, frontdesk@, hr@, security@, transportation@, etc.)

Net Impact

Monthly
New cost $506.00
Current cost $425.00
Difference +$81.00
Shared mailbox savings -$137.50
Net change -$56.50 (savings)

The upgrade actually saves $56.50/month after the shared mailbox cleanup.


What's Included vs. What's Replaced

Current (separate cost) Premium (included)
ManageEngine MDM (phone management) Microsoft Intune (replaces ManageEngine)
No email security Microsoft Defender for Business
No data loss prevention DLP policies
No conditional access Conditional Access
Manual MFA every login Smart MFA (skip on trusted devices)
No device compliance Compliance dashboard + auto-remediation

Implementation Timeline

Phase Task Timeframe
1 Upgrade licenses in M365 admin center 1 day
2 Convert role-based accounts to shared mailboxes 1 day
3 Install Entra Connect on server (SSO) 1 day
4 Configure Conditional Access policies 1 day
5 Set up Intune + Shared Device Mode 1-2 days
6 Enroll 2 test phones 1 day
7 Roll out remaining 23 phones 2-3 days
8 Enroll 9 kitchen iPads 1 day
Total ~2 weeks

HIPAA Compliance Improvements

HIPAA Requirement Current State After Upgrade
§164.312(a)(2)(i) — Unique User ID Shared accounts on PCs, no phone identity Every employee signs in with their own account on every device
§164.312(d) — Person Authentication Basic MFA, employees share logins to avoid it SSO + Conditional Access — easy to use, hard to bypass
§164.312(b) — Audit Controls Minimal logging Full sign-in logs: who, when, which device, what was accessed
§164.310(d)(1) — Device and Media Controls No phone management Remote wipe, encryption enforcement, compliance monitoring
§164.312(e)(1) — Transmission Security No DLP DLP prevents PHI from leaving the organization via email
§164.312(a)(2)(iv) — Encryption Not enforced on phones Intune enforces device encryption on all managed phones

Recommendation

Upgrade to Microsoft 365 Business Premium. It solves the shared phone problem, simplifies employee experience, strengthens HIPAA compliance, and actually saves money after the planned shared mailbox cleanup.

The alternative — keeping Business Standard with a separate MDM product — costs more in admin time, provides a worse employee experience, and leaves security gaps that Business Premium closes out of the box.


Prepared by Howard Enos — MSP IT Services