claudetools/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md
Howard Enos 1534a2f9a0 sync: auto-sync from HOWARD-HOME at 2026-04-22 19:47:23
2026-04-22 19:47:24 -07:00


User Account Rollout Plan — Cascades of Tucson

Status: Planning. No account creation or license assignment yet.

Created: 2026-04-22 (Howard)

Inputs:

  • reports/cascades-staff-2026-04-22.csv — returned staff-editor questionnaire, 70 rows (source of truth for who should exist and what access posture)
  • docs/servers/active-directory.md — current AD state (42 accounts, 40 enabled)
  • docs/cloud/caregiver-m365-p2-rollout.md — caregiver identity/phone plan (39 caregivers)
  • docs/cloud/p2-staff-candidates.md — P2 license sizing for the office-staff side
  • docs/cloud/m365.md — current M365 tenant state

1. Scope

Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, licensed and policy-covered according to the Access / Outside Access / ALIS posture columns they returned. This plan covers the identity layer only — device/MDM work is already tracked in caregiver-m365-p2-rollout.md and the Intune rollout, and folder redirection continues under the existing GPO workstream.

Explicitly out of scope here:

  • Device enrollment (Intune flow already designed)
  • Folder redirection GPO edits (separate workstream, already validated on DLTAGOI)
  • M365 tenant licensing purchase decision (decision gated — see §10)

2. Personas (derived from CSV access matrix)

Access codes (D, D+P) are as returned on the CSV questionnaire.

| Persona | Access | Outside | ALIS | Count | Examples / notes |
|---|---|---|---|---|---|
| Office-PHI (external-OK) | D+P | Y | Y | 18 | Meredith, Megan, Lois, Susan, Alma, JD, John Trozzi, Lupe |
| Office-PHI (in-building) | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards |
| Office non-PHI (in-building) | D+P | N | N | 1 | Ramon Castaneda |
| Maintenance (in-building PHI) | D+P | N | Y | 1 | Matt Brooks |
| Courtesy Patrol | D+P | N | N | 3 | Sebastian Leon, Sheldon Gardfrey, Ray Rai |
| Shared-PC Reception | D | N | N | 4 | Cathy, Shontiel, Kyla, Michelle |
| Caregiver (shared-phone) | D+P | N | Y | 37 | See caregiver-m365-p2-rollout.md |
| Agency caregivers (per-person) | D+P | N | Y | 0 | None created. HIPAA-mandated per-person IDs; Reliable must supply names. No shared logins. |
| Driver (no IT access) | none | n/a | n/a | 3 | Richard Adams, Julian Crim, Christopher Holick. On roster for tracking; existing AD accounts to be disabled. |
| Departed (disable/remove) | none | n/a | n/a | 2 | Britney Thompson (has AD+M365, must be disabled), Polett Pinazavala (no account, just remove from roster) |

(Identities to create or keep active: 66. Roster-only-no-account: 3 drivers. Departures: Britney + Polett. No agency accounts created — per-person names required. Christine Nyanzunda sits in one persona — Office-PHI — with her caregiver-shift sign-in handled via exception group if needed.)

3. License mapping per persona

Guiding principles:

  1. Default to Business Premium tenant-wide (already the recommendation in p2-staff-candidates.md; it bundles Intune, Entra ID P1, Defender for Business and Purview DLP). Caveat: Business Premium includes Entra ID P1, not P2. If the "P2" in the caregiver plan means Entra ID P2 features (Identity Protection risk-based CA, PIM), that is a separate add-on on top of Premium and should be priced as such.
  2. Use F3 only for phone-only users (drivers) where Premium is overkill and F3 covers Exchange/Teams needs.
  3. Reception shared PCs get shared mailboxes for Frontdesk@, but each named receptionist gets her own licensed account so audits attribute individual actions.
| Persona | License | Notes |
|---|---|---|
| Office-PHI (external-OK) | Business Premium | CA: compliant device OR trusted location |
| Office-PHI (in-building) | Business Premium | CA: trusted location only |
| Office non-PHI (in-building) | Business Standard (or Premium if tenant-wide) | CA: trusted location only |
| Maintenance PHI (Matt Brooks) | Business Premium | MC-adjacent role, ALIS=Y |
| Courtesy Patrol | Business Standard | Could be F3 if they don't need full desktop Office; confirm with Meredith |
| Shared-PC Reception | Business Standard | Frontdesk@ stays as shared mailbox, named accounts read it |
| Caregiver | Business Premium | Per caregiver-m365-p2-rollout.md; P2 is load-bearing for shared-phone CA |
| Agency caregivers (per-person) | Business Premium each | Only provisioned when Reliable Agency provides individual names. Zero created as of 2026-04-22. |
| Driver | None | No IT access; accounts disabled. License previously used (if any) harvested. |
| Britney Thompson (departing) | None (harvest) | Disable account, free Business Standard + Exchange Online Essentials |

Expected license count at full rollout:

  • Business Premium: 18 (office PHI ext) + 2 (office PHI int) + 1 (Matt) + 37 caregivers = 58
  • Business Standard: 1 (Ramon) + 3 courtesy + 4 reception = 8
  • F3: 0 (drivers no longer need accounts)
  • Per-person agency: +1 each if/when Reliable Agency provides names

Post-2026-04-22 update: With the building-only-by-default CA decision confirmed, every user in scope of a CA policy needs Entra ID P1 coverage (bundled in Business Premium; Business Standard would need the standalone Entra ID P1 add-on). Note the mechanism: Entra enforces CA on every user the policy targets regardless of which SKU they hold, so the problem with Standard-only users is not that they sidestep the default-deny, it is that covering them without P1 puts the tenant out of licensing compliance, and a mixed tenant is harder to audit. Either way the mixed-SKU table above collapses into a recommendation for Business Premium tenant-wide (66 identities per §2, so ~68 seats with a little headroom). The Business Standard rows stay in the table only as a reference for what we'd buy if budget forces unbundling. Proceed with Premium-tenant-wide unless Meredith pushes back. Britney's harvested Business Standard + Exchange Online Essentials license plus any freed driver licenses go back into the pool to offset the Premium purchase.

4. AD OU + group layout (proposed)

Current cascades.local OU layout is loose (see docs/servers/active-directory.md). Proposed structure to align with the persona matrix and folder-redirection GPOs already in place:

OU=Cascades Users
├── OU=Administrative
├── OU=Marketing                (new name for existing Marketing dept)
├── OU=Care-AssistedLiving
├── OU=Care-MemoryCare
├── OU=ResidentServices
│   ├── OU=FrontDesk            (reception shared-PC users)
│   └── OU=CourtesyPatrol
├── OU=LifeEnrichment
├── OU=Culinary
├── OU=Maintenance
├── OU=Housekeeping
├── OU=Transportation           (drivers)
└── OU=Caregivers               (all 37 shift staff)

Security groups (AD-synced, Entra-usable):

  • SG-Office-PHI-External — 18 people (the Office-PHI external-OK persona in §2), drives CA policy + Premium license group
  • SG-Office-PHI-Internal — 2 people (Allison, Sharon)
  • SG-CourtesyPatrol — 3
  • SG-FrontDesk — 4
  • SG-Drivers — 3
  • SG-Caregivers — 37 (already exists or needs creating — check against current Cascades - Shared Phones Entra group, which may already cover this)

CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirection, local policy) only. Two consequences for the layout above: the SG-* groups must live inside the OU scope that Entra Connect syncs (a group outside sync scope never reaches Entra and cannot be targeted by CA or by group-based licensing), and group-based licensing does not resolve nested groups, so put users directly in the licensing group rather than nesting SG-* groups inside it.

5. Conditional Access policy set

Decision 2026-04-22 (Howard → Meredith/John): Default-deny external sign-in for all licensed users. Maintain a small allow-list group for users who legitimately work off-site.

This collapses the earlier per-persona policy matrix into two primary CA policies plus the existing caregiver shared-phone policy:

| Policy | Targets | Grant |
|---|---|---|
| CSC - Building Only (Default) | All licensed users except SG-External-Signin-Allowed, SG-Caregivers and the break-glass account (§7 Wave 0) | Block access from any location other than the "Cascades Building" named location. MFA inside the building comes from a separate require-MFA grant policy, since a block policy cannot also require MFA. |
| CSC - External Sign-in Allowed | SG-External-Signin-Allowed | Require compliant Intune-enrolled device + MFA for external sign-in; trusted-location sign-in waives the compliance grant |
| CSC - Caregivers Shared Phone | SG-Caregivers | Already designed per caregiver-m365-p2-rollout.md (shared-phone Intune + named location) |
| CSC - Drivers Phone-Only | SG-Drivers | Retired by the 2026-04-22 decision that drivers get no IT access (§2, §6). Kept here for reference only; if that is reversed, the design was: require compliant Intune-managed phone, no web fallback, and add drivers to SG-External-Signin-Allowed for off-site phone access. |

Initial SG-External-Signin-Allowed membership — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 18 office-PHI staff (including Alma R Montt). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.

Named location "Cascades Building": Define once, reuse. Use the site's public IP range(s) from pfSense NAT (clients/cascades-tucson/pfsense-firewall.sops.yaml).

Exception-management process: Adding a user to SG-External-Signin-Allowed is a named-access request that should be logged (ideally in the client's Syncro ticketing or a simple note in the client folder). Removal is equally important — e.g., Tamra Matthews comes off the list on her June 2026 departure in addition to her license being deactivated.

Impact on licensing: every user in scope of either CA policy needs at least Entra ID P1 (bundled with Business Premium). CA itself is enforced on any targeted user whatever their SKU, so a Business Standard user is not technically exempt from the default-deny; covering them is a licensing-compliance gap unless the standalone Entra ID P1 add-on is bought, and a mixed tenant is harder to reason about. This reinforces the default recommendation of Business Premium tenant-wide.
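Added example, not from this plan or the client's scripts: the policy set above expressed with the Microsoft Graph PowerShell SDK, created in report-only state so it lands at gate G6 (§7) rather than enforcing. Names are taken from this plan (the groups, the named location, the break-glass UPN); the CIDR is a placeholder because the real public range lives in the pfSense SOPS file, and "CSC - Require MFA (All Users)" is an assumed name for the separate MFA policy that the block policy cannot carry itself.

```powershell
# Requires: Install-Module Microsoft.Graph (Identity.SignIns, Groups, Users sub-modules).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'User.Read.All'

# 1. Named location for the building: create once, reuse in every policy.
#    Placeholder CIDR; substitute the NAT range from clients/cascades-tucson/pfsense-firewall.sops.yaml.
$building = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Cascades Building'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.10/32' })
}

# 2. Resolve the objects the policies reference; fail loudly rather than create a policy with an empty exclusion.
function Get-RequiredGroupId([string]$Name) {
    $g = Get-MgGroup -Filter "displayName eq '$Name'"
    if (-not $g) { throw "Group '$Name' not found in Entra; is it inside the Entra Connect sync scope?" }
    return $g.Id
}
$allowListId  = Get-RequiredGroupId 'SG-External-Signin-Allowed'
$caregiversId = Get-RequiredGroupId 'SG-Caregivers'
$breakGlassId = (Get-MgUser -UserId 'breakglass@cascadestucson.com').Id   # excluded from every policy (§7 Wave 0)

# Report-only first (gate G6); flip to 'enabled' at gate G7 after the log review.
$state = 'enabledForReportingButNotEnforced'

# 3. Default deny: everyone except the allow-list, caregivers and break-glass, from anywhere that is not the building.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CSC - Building Only (Default)'
    state         = $state
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId); excludeGroups = @($allowListId, $caregiversId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($building.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 4. The "+ MFA" half of the default row: a block policy cannot grant MFA, so it is its own policy.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CSC - Require MFA (All Users)'
    state         = $state
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 5. Allow-list: off-site sign-in needs compliant device AND MFA; inside the building this policy does not apply,
#    so the trusted location "waives" the compliance grant exactly as the table states.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CSC - External Sign-in Allowed'
    state         = $state
    conditions    = @{
        users        = @{ includeGroups = @($allowListId); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($building.Id) }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('compliantDevice', 'mfa') }
}
```

Before flipping `$state` to `enabled`, confirm in the sign-in logs that the break-glass account shows no "would have been blocked" rows and that a test user on the allow-list gets a "require compliant device" result off-site rather than a block; those two checks are the G7 pass criteria in practice.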

6. Pre-flight reconciliation (CSV vs current AD)

These must be resolved before creating or converting accounts. See also cascades-staff-followup-2026-04-22.md.

| Discrepancy | Status | Action |
|---|---|---|
| Britney Thompson: in AD (enabled, Memory Care Nurse) | RESOLVED 2026-04-22 (John's reply): DEPARTED | Disable AD account britney.thompson. Convert mailbox to shared (or archive + delete). Remove Business Standard + Exchange Online Essentials license (harvested). Remove from any security groups. |
| Polett Pinazavala: was on 2026-04-18 caregiver roster | RESOLVED 2026-04-22 (John's reply): DEPARTED | Remove from roster. No existing account, so no AD/M365 action needed. |
| Drivers (Richard Adams, Julian Crim, Christopher Holick): all have AD accounts + Transportation@ shared mailbox | Decision 2026-04-22 (Howard): drivers no longer get IT access | Disable the 3 AD accounts. Keep them on the working roster for employee tracking. Separate decision: keep or retire Transportation@ shared mailbox (ask Meredith). |
| Christine Nyanzunda: one person, MC Admin + part-time Sun/Mon MedTech | Resolved 2026-04-22 (Howard): one account covers both roles | Single account in OU=Care-MemoryCare. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. |
| Alma R Montt: on CSV (Life Enrichment), NOT in AD | RESOLVED 2026-04-22 (John's reply) | Username Alma.Montt, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y. LE staff assigned to Memory Care residents; stays in OU=LifeEnrichment. Create AD account Alma.Montt (UPN alma.montt@cascadestucson.com). Add to SG-External-Signin-Allowed (Outside=Y). |
| Kyla QuickTiffany: on CSV and in AD "needs account" list | Resolved 2026-04-22 (Howard, per Kyla's preference) | Kyla.QuickTiffany, last name treated as a single word. Create AD account Kyla.QuickTiffany (UPN kyla.quicktiffany@cascadestucson.com). Persona: Shared-PC Reception. Building-only, no outside sign-in. |
| Ederick Yuzon: spelling not confirmed | Still pending Meredith/John | Blocks creation of his caregiver account only; everyone else proceeds. Tentative: Ederick.Yuzon if needed to unblock Wave 3. |
| Matt Brooks: AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline) | Keep in Maintenance OU; add to secondary MC group for access overlap. |
| 37 caregivers: on CSV, none in AD | Unchanged | Create all 37 AD accounts (+ M365) in Wave 3. |
| 2 agency placeholders: on CSV, not in AD | RESOLVED 2026-04-22 (Howard, post-HIPAA-review): NO shared logins | Per-person accounts only. Do NOT create reliable1/reliable2. Reliable Agency must supply individual names before any caregiver can access PHI. Until then, agency staff work under direct supervision of a Cascades-employed caregiver who is signed in. Rationale documented in docs/security/hipaa-review-2026-04-22.md. |
| Generic AD accounts (Culinary, RECEPTIONIST, saleshare, directoryshare) | Unchanged | Phase 5 cleanup after named-account coverage. |

Username convention for new accounts: TitleCase First.Last (e.g., Alma.Montt, Kyla.QuickTiffany). Existing lowercase exceptions in AD (britney.thompson, karen.rossini, lauren.hasselman) are the known legacy cases — leave as-is, don't rename. All net-new accounts follow TitleCase.

7. Rollout sequence

Wave 0 — HIPAA pre-flight (must complete before any account changes)

Per docs/security/hipaa-review-2026-04-22.md. These are compliance blockers, not operational blockers — fix before touching accounts.

  • Sign Microsoft HIPAA BAA (5 min, free) — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
  • Verify/sign ALIS BAA (Meredith-ask)
  • Create break-glass cloud-only admin (breakglass@cascadestucson.com): excluded from every CA policy, FIDO2 security key, vaulted password, sign-in alerts to Howard + Meredith. Microsoft's guidance is two such accounts so one can be rotated while the other stays usable; the second can follow the same pattern later but at least one must exist before G7.
  • Enable SMB3 encryption on \\CS-SERVER\homes: Set-SmbShare -Name homes -EncryptData $true
  • Extend M365 audit retention to 6+ years (Purview Audit Premium add-on or retention policy)
  • Put Britney's mailbox on Litigation Hold with verified archive license — BEFORE her account is disabled
  • Ask Meredith for the Reliable Agency staffing contract (confirm direct-control language = workforce, not BA)
  • Draft Risk Analysis docs/security/risk-analysis-2026-04.md following NIST 800-66 Rev 2 §3
  • Create Security Rule Implementation Register docs/security/implementation-register.md

Wave 0.5 — Entra Connect / AD-M365 identity tie-in (before any account creation in Wave 1)

Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M365 drift the tenant already suffers from.

Staged enablement — each gate must pass before advancing to the next:

| Gate | What happens | User-visible impact | Pass criteria before advancing |
|---|---|---|---|
| G1. AD prereq hygiene | Renames, UPN suffix add, proxyAddresses populate, null-password account cleanup, former-employee deletes | None | Get-ADUser report shows 0 UPN mismatches vs. the M365 mailbox list; 0 enabled accounts with null PasswordLastSet |
| G2. Role-account → shared mailbox conversions in M365 | Convert accounting@, frontdesk@, hr@, transportation@, etc. to shared mailboxes per docs/cloud/m365.md | Licensed-user count drops, frees ~11 seats | Every role-based UPN shows as shared mailbox in Exchange Admin; members are assigned |
| G3. Connect install in STAGING MODE | Sync engine runs, reads AD, produces preview report. No writes to Entra. | None | Preview shows ≥95% clean soft-matches against existing M365 users; zero unintended duplicate-creates |
| G4. Take out of staging, directory sync ONLY (no Password Hash Sync) | Hybrid identity appears in Entra. Passwords remain separate between AD and M365. | None; users sign in exactly as today | 48 hours stable with no new support tickets about sign-in |
| G5. Announce + enable Password Hash Sync | AD password hash pushes to Entra. Next Outlook / Teams / Edge launch prompts once for password; users enter their AD password. | ONE password prompt, once. After that: one password for everything. | Zero unresolved helpdesk tickets; test user confirms PC + Outlook + OWA work on same password |
| G6. Conditional Access policies go live in REPORT-ONLY mode | CA evaluates every sign-in and records what WOULD have been blocked, but doesn't actually block. | None | 7 to 14 days of logs reviewed; zero "would have been blocked" events for legitimate users. Fix trusted-location / compliance gaps as needed. |
| G7. CA enforcement flip | Policy blocks out-of-scope sign-ins for real. | Off-site users on the allow-list see no change; users NOT on the allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. |
| G8 (separate project). ALIS SSO Enterprise App registration | "Sign in with Microsoft" option appears on ALIS login. Existing ALIS username/password keeps working during transition. | Optional new sign-in button. | N/A; rollout when ALIS support has provided federation metadata. |

Rollback points: G3 through G5 all have clean reverse paths (remove from staging, disable PHS, reset individual passwords). G6/G7 CA policies can be disabled with one click. Only hard-to-reverse step is G1's AD renames — mitigated by the pre-change reg-exports/backups already in the D:\Backups\pre-entra-connect-* folder from the 2026-04-22 preflight remediation.

Original install-order prerequisites (covered by G1):

  1. AD prereq cleanup (no user impact — all reversible):
    • Rename Tamra.Johnson → Tamra.Matthews
    • Rename strozzi → Shelby.Trozzi
    • Rename Alyssa.Shestko → Alyssa.Brooks + delete lowercase duplicate alyssa.brooks
    • Fix Christopher.Holik → Christopher.Holick
    • Fix Matt.Brooks UPN to matthew.brooks@ OR update M365 side to matt.brooks@
    • Delete confirmed former employees (Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez)
    • Disable + remove legacy accounts (Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery)
  2. Add UPN suffix cascadestucson.com in AD Domains and Trusts
  3. Update all synced users' UPN to firstname.lastname@cascadestucson.com
  4. Convert M365 role-based accounts to shared mailboxes FIRST (accounting@, frontdesk@, hr@, etc. — listed in docs/cloud/m365.md) — frees 11 licenses
  5. Delete Kristiana Dowse and howaed typo accounts from M365
  6. Reconcile nick pavloff (M365-only) — create AD account if still employed, or delete
  7. CS-SERVER readiness check (separate task — OS version, .NET, disk, FSMO, conflict with QuickBooks DB listener)
  8. Install Entra Connect in staging mode on CS-SERVER → Password Hash Sync → Seamless SSO → scope to OU=Departments
  9. Review planned sync output for unexpected matches/duplicates
  10. Take out of staging, verify users see their cloud mailboxes working on the same password
  11. Communicate to users: Outlook will prompt once for password; enter your Windows password

User-visible impact: one Outlook password prompt on day-of-cutover. No impact on AD domain logon.
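Added example, not the client's script: the G1 pass-criteria report. It assumes the AD module is available on CS-SERVER, that the OU layout from §4 exists (adjust `$searchBase` otherwise), and that the cloud mailbox list was exported beforehand with `Connect-ExchangeOnline; Get-EXOMailbox -ResultSize Unlimited | Select-Object UserPrincipalName, PrimarySmtpAddress | Export-Csv C:\Temp\mailboxes.csv -NoTypeInformation` (the path is an assumption). Besides the two stated criteria it also checks the primary SMTP address, because Entra Connect soft-matches on that as well as on UPN, and lists mailboxes with no AD account behind them, which is the existing cloud-only drift the wave is meant to stop.

```powershell
Import-Module ActiveDirectory

$suffix     = 'cascadestucson.com'
$searchBase = 'OU=Cascades Users,DC=cascades,DC=local'   # assumed; use the current OU if §4 has not been applied yet
$cloud      = Import-Csv 'C:\Temp\mailboxes.csv'          # assumed export path, see lead-in
$cloudUpns  = @($cloud | ForEach-Object { $_.UserPrincipalName.ToLower() })
$cloudSmtp  = @($cloud | ForEach-Object { $_.PrimarySmtpAddress.ToLower() })

$users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
               -Properties UserPrincipalName, PasswordLastSet, mail, proxyAddresses)

# Criterion 1: every enabled account carries the routable suffix AND its UPN matches a cloud mailbox UPN.
$upnMismatch = @($users | Where-Object {
    $u = [string]$_.UserPrincipalName
    (-not $u) -or (-not $u.ToLower().EndsWith("@$suffix")) -or ($cloudUpns -notcontains $u.ToLower())
})

# Soft-match also keys on the primary SMTP address (the 'SMTP:' entry in proxyAddresses). An account whose
# primary SMTP differs from the mailbox's is the classic cause of an "unintended duplicate-create" at G3.
$smtpMismatch = @($users | Where-Object {
    $primary = @($_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0]
    (-not $primary) -or ($cloudSmtp -notcontains $primary.Substring(5).ToLower())
})

# Criterion 2: no enabled account with a null PasswordLastSet (pwdLastSet = 0, i.e. "must change at next logon").
# Password Hash Sync skips those accounts, so at G5 they would have no usable cloud password.
$nullPwd = @($users | Where-Object { -not $_.PasswordLastSet })

# Cloud mailboxes with no enabled AD account behind them: the drift that Entra Connect will not reconcile by itself.
$adUpns    = @($users | ForEach-Object { ([string]$_.UserPrincipalName).ToLower() })
$cloudOnly = @($cloudUpns | Where-Object { $adUpns -notcontains $_ })

[pscustomobject]@{
    EnabledAdUsers      = $users.Count
    UpnMismatches       = $upnMismatch.Count
    PrimarySmtpMismatch = $smtpMismatch.Count
    NullPasswordLastSet = $nullPwd.Count
    CloudOnlyMailboxes  = $cloudOnly.Count
    G1Pass              = ($upnMismatch.Count -eq 0 -and $nullPwd.Count -eq 0)
} | Format-List

# Detail lists for whoever has to fix the entries.
$upnMismatch  | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
$smtpMismatch | Select-Object SamAccountName, @{ n = 'PrimarySmtp'; e = { @($_.proxyAddresses -clike 'SMTP:*')[0] } } | Format-Table -AutoSize
$nullPwd      | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
$cloudOnly    | ForEach-Object { [pscustomobject]@{ CloudOnlyMailbox = $_ } } | Format-Table -AutoSize
```

Run it once after the G1 cleanup list above and keep the output with the D:\Backups\pre-entra-connect-* artefacts; re-run it after G3's staging preview, where the primary-SMTP mismatches should explain any non-matched users the preview reports.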

Wave 1 — Departures + new office accounts (ready after Waves 0 and 0.5)

  • Disable britney.thompson AD account — AFTER Litigation Hold is confirmed, mailbox converted to shared with designated custodian (likely Meredith or Lois), Business Standard + Exchange Online Essentials license harvested. Caveat: a shared mailbox that is on hold (or has an archive, or exceeds 50 GB) still needs an Exchange Online Plan 2 license or Plan 1 plus Exchange Online Archiving, so check which of her two licenses can actually be returned to the pool before counting it as harvested.
  • Disable 3 driver AD accounts (Richard.Adams, Julian.Crim, Christopher.Holick)
  • Ask Meredith whether to keep or retire Transportation@ shared mailbox
  • Create AD accounts (and let Entra Connect sync to M365) for:
    • Alma R Montt (Alma.Montt — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)
    • Kyla QuickTiffany (Kyla.QuickTiffany — Shared-PC Reception, D only, building-only)
  • Validate group membership + CA policy assignment on the new accounts before moving to Wave 2
  • Pilot the CSC - Building Only (Default) policy with Kyla (Report-only mode first)

Wave 1 — DO NOT DO

  • Do NOT create reliable1@ or reliable2@ shared agency accounts (HIPAA review 2026-04-22). See §6 reconciliation + docs/security/hipaa-review-2026-04-22.md.

Wave 2 — Existing office accounts, reassignment only

  • Move existing users into new OU layout (no identity changes, just OU move + group membership)
  • Attach each to the correct SG-* group based on CSV persona
  • CA policies begin applying; watch for sign-in failures

Wave 3 — Caregiver bulk creation

  • Execute caregiver-m365-p2-rollout.md rollout — 37 AD + M365 accounts, SG-Caregivers, shared-phone CA
  • Already designed; this plan just sequences it after office wave

Wave 4 — Cleanup

  • Disable/remove Culinary, RECEPTIONIST, saleshare, directoryshare generics once their functions are covered by named accounts + shared mailboxes
  • Disable Tamra's account on her June 2026 departure (other known departures: none as of 2026-04-22)
  • Rotate krbtgt password (noted stale in AD doc — overdue). Reset it twice, with at least the maximum ticket lifetime (10 hours by default) between resets, so tickets issued under the old key expire cleanly rather than failing mid-day.

8. Account creation template (per new user)

Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built later; plan-level checklist:

  1. AD account: First.Last (consistent with existing convention; note lowercase exceptions for Britney, Karen, Lauren — new accounts use TitleCase)
  2. UPN: first.last@cascadestucson.com
  3. Password: auto-generated, stored in vault (clients/cascades-tucson/new-user-<name>.sops.yaml), delivered to Meredith via 1Password share
  4. OU placement per persona
  5. Group membership: department-appropriate SG-*
  6. M365 license assignment (group-based if feasible; group-based licensing does not resolve nested groups, so the user goes directly into the licensing group)
  7. Mailbox creation (Exchange Online)
  8. ALIS account provisioning (separate system — Meredith/Lois handle)
  9. MFA registration — push to user first login
  10. Confirmation email to Meredith with username + password-share link
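Added example, not the client's script: the checklist above (steps 1 to 5) as one function, with the Wave 1 creation of Alma.Montt as the worked call. The OU and group names are the ones proposed in §4 and §6; the 20-character sAMAccountName check, the 64-character password alphabet and the decision not to set "change password at next logon" are the editor's, the last because that flag zeroes pwdLastSet, which both fails the G1 criterion and makes Password Hash Sync skip the account. The generated password is returned so the caller can write it to the SOPS vault (step 3); nothing here sends it anywhere.

```powershell
Import-Module ActiveDirectory

function New-CascadesUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,       # single word, e.g. 'QuickTiffany'
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Ou,            # e.g. 'OU=LifeEnrichment,OU=Cascades Users,DC=cascades,DC=local'
        [string[]]$Groups = @(),                      # persona SG-* groups from §4
        [string]$Suffix = 'cascadestucson.com'
    )
    # §6 convention: TitleCase First.Last for the sAMAccountName, lowercase routable UPN.
    $sam = "$GivenName.$Surname"
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit; agree a shorter form first" }
    $upn = "$GivenName.$Surname@$Suffix".ToLower()
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "$sam already exists; reconcile per §6 before re-running" }

    # 24 characters from a 64-symbol alphabet (no I/O/l/0/1): 256 mod 64 = 0, so byte mod 64 has no bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # proxyAddresses gets the primary SMTP so Entra Connect soft-matches (or creates) the mailbox under this address.
    # ChangePasswordAtLogon is deliberately left $false: the user rotates the vaulted password at first sign-in
    # instead, which keeps PasswordLastSet populated for G1 and lets Password Hash Sync pick the hash up at G5.
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname -SamAccountName $sam `
        -UserPrincipalName $upn -EmailAddress $upn -Title $Title -Path $Ou `
        -AccountPassword $secure -Enabled $true -ChangePasswordAtLogon $false `
        -OtherAttributes @{ proxyAddresses = "SMTP:$upn" }

    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $sam }

    [pscustomobject]@{ SamAccountName = $sam; UserPrincipalName = $upn; Groups = $Groups; InitialPassword = $plain }
}

# Worked call for Wave 1 (values from §6). Pipe InitialPassword into the sops vault file; do not echo it.
$alma = New-CascadesUser -GivenName 'Alma' -Surname 'Montt' -Title 'Memory Care Life Enrichment' `
    -Ou 'OU=LifeEnrichment,OU=Cascades Users,DC=cascades,DC=local' `
    -Groups 'SG-Office-PHI-External', 'SG-External-Signin-Allowed'
$alma | Select-Object SamAccountName, UserPrincipalName, Groups
```

Steps 6 to 10 of the checklist stay manual or in other systems: the license arrives through the group membership once Entra Connect has synced the object, the mailbox follows the license, and ALIS provisioning is outside AD entirely.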

9. Dependencies on other workstreams

  • Folder redirection GPO rollout (CONTEXT.md §48) — when we move users to new OUs, make sure the FR GPOs are re-linked to the new OU or stay linked to parent OU=Cascades Users. Test on one mover before batch.
  • Intune phone rollout (PROJECT_STATE.md) — caregiver accounts must exist before Wave 3 of phone deployment (24 remaining Samsung A15s). Identity-first, device-second.
  • Business Premium purchase proposal (docs/proposals/m365-premium-upgrade.md) — blocks wave 1 if Meredith hasn't approved license spend.
  • File-share migration: Synology → CS-SERVER (docs/migration/phase2-server-prep.md §4c and §4d + docs/migration/phase4-synology.md) — Synology Drive Client is live-syncing \\cascadesds\* → D:\Shares\Main on CS-SERVER (confirmed 2026-03-07). Before users are cut over to CS-SERVER-sourced mapped drives, the AD security groups used for NTFS ACLs on CS-SERVER (SG-Management-RW, SG-Sales-RW, SG-Culinary-RW, SG-Directory-RW, SG-IT-RW, SG-Receptionist-RW, SG-Chat-RW, SG-Server-RW) must:
    1. Exist in AD (created by scripts/phase2-ad-setup.ps1)
    2. Have membership that matches the current per-user access on Synology — a permission-inventory step (see below) must produce this mapping before scripts/phase2-file-shares.ps1 runs
    3. Populate from the user rollout waves — the 20 office-PHI users (18 external-OK + 2 in-building, per §2), 4 receptionists, 3 courtesy patrol, 1 Matt Brooks (dual-dept), 1 Ramon Castaneda, plus caregivers as needed all land in the right SG-* groups at account creation
    • Additional HIPAA additions to the phase2 script (per docs/security/hipaa-review-2026-04-22.md): enable SMB3 encryption (Set-SmbShare -EncryptData $true on every share) and enable Object Access auditing for §164.312(b) Audit Controls
    • Drivers off the SG-* lists entirely — they lose file-share access along with their AD accounts

Permission-inventory prerequisite

A one-time non-destructive read of the live Synology is needed to produce the mapping from Synology local users/groups → AD security groups. Commands (run via SSH to admin@192.168.0.120, creds at clients/cascades-tucson/synology-cascadesds.sops.yaml):

```bash
# Read-only inventory; nothing here writes to the NAS. Each sudo call prompts for the admin password once.
sudo synogroup --list                              # Synology local groups
sudo synouser --list                               # Synology local users
sudo grep -i share /etc/synoinfo.conf              # share definitions
for share in homes Management SalesDept Server chat Public Culinary IT Receptionist directoryshare; do
    echo "== $share =="                            # separator so the per-share ACL output can be split later
    sudo synoacltool -get "/volume1/$share"        # ACLs per share
done
sudo synoshare --get homes                         # per-share config incl. SMB encryption state
```

Output goes to docs/migration/synology-permission-inventory.md, which is then the reference for populating AD groups and building phase2-file-shares.ps1 inputs. Discovery is non-destructive and can run any time the Synology is up — does not require a maintenance window.

10. Open decisions blocking the rollout

  1. Business Premium tenant-wide vs. mixed SKUs — Meredith, tied to the upgrade proposal. Building-only-by-default decision reinforces Premium tenant-wide (see §5). Only remaining BIG decision.
  2. Ederick Yuzon spelling — Meredith/John, asked in the 2026-04-22 email and not yet answered. Only blocks Ederick's own account creation, not the rest of Wave 3.
  3. Transportation@ shared mailbox — keep for dispatch/scheduling emails or retire once driver AD accounts are disabled?

Resolved 2026-04-22:

  • Restrict-everyone default vs. selective → building-only by default, allow-list for exceptions (§5).
  • Christine Nyanzunda → one account covers both roles.
  • Kyla → Kyla.QuickTiffany (her preference).
  • Alma R Montt → Alma.Montt, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John).
  • Britney Thompson → departed (John). Disable AD + harvest license.
  • Polett Pinazavala → departed (John). Remove from roster.
  • Agency shared logins → NOT CREATED (HIPAA review supersedes John's confirmation — §164.312(a)(2)(i) prohibits shared PHI-access log-ons). Per-person accounts only when Reliable Agency provides names.
  • Drivers → no IT access per Howard. Disable 3 AD accounts. Stay on roster for tracking.

Related documents:

  • reports/cascades-staff-2026-04-22.csv
  • docs/cloud/cascades-staff-followup-2026-04-22.md
  • docs/cloud/p2-staff-candidates.md
  • docs/cloud/caregiver-m365-p2-rollout.md
  • docs/cloud/m365.md
  • docs/servers/active-directory.md
  • docs/proposals/m365-premium-upgrade.md
  • docs/security/hipaa.md