claudetools/clients/cascades-tucson/session-logs/2026-04-30-howard-cascades-ca-rollout-and-phone-reenroll.md
Howard Enos 18e5a467d2 Session log: Cascades CA bypass phased rollout + pilot user + phone re-enroll
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into
2026-04-30 early morning continuation.

Major work:
- Adopted phased per-group CA rollout (corrects original tenant-wide §5
  design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades
  CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group
  and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com,
  SG-Caregivers-Pilot group, Business Premium license, vault entry
  pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group,
  CREATE 3 new Report-only policies (block off-network, block
  non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set,
  awaiting MHS to take over launcher and SDM sign-in prompt

6 new project/feedback memories. Resume point at top of new session log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 10:57:28 -07:00


2026-04-30 — Cascades caregiver bypass: phased CA design + admin exclusion + pilot user + 3 Report-only policies + phone wipe & re-enroll

User

  • User: Howard Enos (howard)
  • Machine: HOWARD-HOME
  • Role: tech
  • Session span: 2026-04-29 evening into 2026-04-30 early morning (continuation of 2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout)

Resume point (READ THIS FIRST when picking back up)

The pilot phone is mid-enrollment after a wipe-and-re-enroll cycle. Howard has set the device PIN; the phone is showing "Syncing policies" while CloudDPC pulls the app payload from Managed Play. Next session resumes there.

What's still to do, in order

  1. Wait for MHS to take over launcher on the pilot phone. Once apps install (5-15 min from PIN-set), MHS becomes the kiosk launcher and shows the 5 caregiver apps (ALIS, Teams, Outlook, Helpany, LinkRx). One UI / Samsung default launcher should disappear.
  2. SDM sign-in prompt appears. Sign in as pilot.test@cascadestucson.com with the password from clients/cascades-tucson/pilot-test-user.sops.yaml. Expected: password-only sign-in, NO MFA prompt (bypass working — pilot group is excluded from legacy all-users-MFA).
  3. Compliance flips to compliant within ~5 min of sign-in (PIN check satisfied + Authenticator SDM registers pilot.test as the active shared-device user).
  4. Watch sign-in logs for 24-48h to validate Report-only policies (CSC - Block caregivers off Cascades network, CSC - Block caregivers on non-compliant device, CSC - Caregiver sign-in frequency 8h) are firing as expected on the pilot user.
  5. Flip Report-only → On when satisfied — three PATCHes in one batch.
  6. WiFiman cleanup — Howard removing manually from tenant.

Decisions still pending

  • FIDO2 enrollment timing for admin@, sysadmin@, and any future dedicated break-glass account.
  • When/whether to add a dedicated breakglass@ (currently sysadmin@ + admin@ are the de-facto break-glass under Option 1).
  • Audit retention 6yr — still deferred pending Azure pay-as-you-go subscription decision.

Session Summary

This session continued the 2026-04-29 caregiver shared-phone CA bypass pilot work after Howard interrupted with a btw replay correcting the original CA design. The original §5 design from user-account-rollout-plan.md was tenant-wide (includeUsers: All on policies 1-3) and would have blocked any office user signing in off-site who was not in SG-External-Signin-Allowed — a regression. Adopted the corrected design: phased per-group rollout scoped to SG-Caregivers-Pilot only. Legacy "Require multifactor authentication for all users" stays in place; SG-Caregivers-Pilot is PATCHed into its excludeGroups, which takes the pilot group out of that policy's scope. Office-staff posture unchanged. Saved to memory as project_cascades_ca_phased_rollout to prevent the design drifting back tenant-wide in future sessions.

After audit, both admin@ (Mike's) and sysadmin@ (Howard's) were already cloud-only Global Admins. sysadmin@ was excluded from all 8 existing CA policies; admin@ was in scope on 7 of 8. Howard chose Option 1 — mirror sysadmin@'s exclusion posture onto admin@ now, defer FIDO2 and dedicated break-glass for later. Step A executed: PATCHed admin@ into excludeUsers on all 8 existing CA policies, preserving the GuestsOrExternalUsers sentinel on policies that had it. Microsoft Graph CA policy reads have a ~5-second eventual-consistency window — initial verify-after-PATCH GETs returned stale state but the PATCHes had landed. Saved as feedback memory.

Outlook (added by Howard via Managed Play earlier in the day) was assigned to Cascades - Shared Phones group with intent required and added to the MHS kiosk app list alongside ALIS and Teams. Helpany (https://app.helpany.com/login) and LinkRx (https://pharmcare.linkrxnow.com/) were created as web apps, assigned to the same group, and added to the MHS kiosk. Final caregiver dashboard: ALIS, Microsoft Teams, Microsoft Outlook, Helpany, LinkRx. The pilot user pilot.test@cascadestucson.com was created cloud-only via the Tenant Admin SP, licensed with Business Premium (33 of 34 SPB seats free pre-pilot), and added to the new cloud-only group SG-Caregivers-Pilot. The first user creation lost the password to a script flow-control failure; an attempted PATCH-reset returned 403 because the Tenant Admin SP lacks a privileged directory role for password resets. Resolved by deleting and recreating the user with the password echoed up front. Vault entry written, encrypted, committed, and pushed end-to-end.

Built the four CA changes: PATCHed legacy all-users-MFA to exclude SG-Caregivers-Pilot, then created three new policies in Report-only — block caregivers off Cascades network, block caregivers on non-compliant device, and 8-hour sign-in frequency. Both admin accounts excluded from all three. Side discovery during the legacy PATCH: that policy already had excludeLocations: ['AllTrusted'] as a pre-existing tenant condition, meaning office staff already bypass MFA on Cascades trusted networks today. The pilot phone enrollment then went sideways twice — first on a saved QR (phone enrolled into a stuck partial dedicated mode, all custom policies state=unknown after hours and a reboot), and recovery required an Intune wipe + re-enroll with a fresh QR. Howard had to do normal Android setup first to update to Android 15 (Samsung FRP requirement), then factory reset, then scan from the welcome screen. Re-enrollment succeeded cleanly: new device record, all custom policies applied (compliance evaluated to nonCompliant pending PIN, restrictions and Wi-Fi compliant), device confirmed in the dynamic group. Howard set the PIN and the session ended with the phone showing "Syncing policies."

Key Decisions

  • Phased per-group rollout, NOT tenant-wide cutover. Original §5 design would have collateral-damaged off-site office users. Corrected to includeGroups: SG-Caregivers-Pilot everywhere; legacy all-users-MFA stays in place via excludeGroups PATCH. Each future population gets the same per-group treatment when we expand. Memorialized in project_cascades_ca_phased_rollout to prevent regression.
  • Option 1 break-glass posture: no dedicated breakglass yet. Mirror sysadmin@'s exclusion posture onto admin@ so both daily-driver Global Admins are excluded from all 8 existing CA policies and all 3 new ones. FIDO2 deferred — Howard or Mike can enroll the YubiKey later. A real dedicated breakglass@ can be added later if needed. Constraint: admin@ and sysadmin@ must always be able to sign in off-site without interference, which exclusion-everywhere guarantees.
  • Block grant directly for caregivers, not Require MFA. Caregivers have no personal device for MFA, so an MFA prompt they cannot satisfy is a worse UX than a clean block message. Future expansion to office staff will likely use MFA grants since office staff have MFA capability.
  • All three new caregiver policies in Report-only at creation. Logs what would have happened during the validation window without enforcing. CSC - Caregiver sign-in frequency 8h (session control) is also Report-only — flips to On together with the other two.
  • Do NOT delete legacy all-users-MFA until full phased rollout completes. Each new population gets added to its excludeGroups as it's onboarded. Only at the end of phased rollout (every population covered by a phased policy) does the legacy policy get deleted. This is the explicit anti-regression rule from the corrected design.
  • Delete-and-recreate the pilot user instead of granting Tenant Admin SP password-reset role. Tenant Admin SP can create users with passwords but cannot PATCH-reset existing user passwords (returns 403 — needs Authentication Administrator or User Administrator role). Granting that role broadens the SP's blast radius unnecessarily. The User Manager app (separate tier with the right scopes) is the right tool for password operations going forward.
  • Wipe + re-enroll the stuck pilot phone instead of waiting longer. First enrollment attempt was stuck (all custom policies state=unknown after hours and a reboot) despite Intune metadata showing dedicated device mode. Cleanest path forward is destruction + clean enrollment, not deep diagnosis. Wipe via Graph then fresh QR scan resolved it cleanly.
  • Complete vault operations end-to-end (Howard feedback). When writing a new vault entry, do the full sequence (write → encrypt → commit → push) yourself; do not stop at "encrypted on disk, you push it." LF→CRLF Git warning on Windows is benign for SOPS yaml. Saved as feedback memory.
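The phased-rollout and anti-regression rules above (per-group scope only, break-glass always excluded, legacy all-users-MFA kept until every population is covered) as a small Python helper that computes the PATCH bodies for onboarding the next population. This is an added illustration, not the session's own script: the policy dicts are constructed to mirror the conditions.users shapes recorded in this log, and the second population's group id is hypothetical.

```python
"""Phased per-group CA rollout: compute the PATCH bodies needed to bring one
more population (an Entra group) under the per-group caregiver policies and
out of the legacy all-users-MFA policy, with the anti-regression rules
enforced in code.

Added illustration, not the session's own script. The policy dicts are
constructed to mirror the conditions.users shapes the log describes; the
second population's group id is hypothetical.
"""
import copy

LEGACY_ALL_USERS_MFA = "7e87a1c7-4836-49df-8769-c4cccadd9dbe"
PILOT = "0674f0bc-6ff4-49c7-802d-2abf591ba371"            # SG-Caregivers-Pilot
NEXT_POPULATION = "11111111-2222-4333-8444-555555555555"  # hypothetical next group
BREAK_GLASS = {
    "e20f7f21-757a-48cd-bb24-7bdeeb1497d0",  # admin@
    "471b13dc-3cf8-416b-a132-f5f3bc8d1cc8",  # sysadmin@
}


def check_scoped(policy):
    """Anti-regression rule for every phased policy: never includeUsers=All,
    and both break-glass admins must stay in excludeUsers."""
    users = policy["conditions"]["users"]
    if "All" in users.get("includeUsers", []):
        raise ValueError(f"{policy['displayName']}: includeUsers=All is a tenant-wide regression")
    missing = BREAK_GLASS - set(users.get("excludeUsers", []))
    if missing:
        raise ValueError(f"{policy['displayName']}: break-glass not excluded: {sorted(missing)}")


def onboard_population(legacy_policy, phased_policies, group_id):
    """Return {policy_id: patch_body} that adds group_id to the legacy policy's
    excludeGroups and to each phased policy's includeGroups. Only
    conditions.users is sent, so other conditions (e.g. the legacy policy's
    excludeLocations AllTrusted) are untouched. Idempotent: an already
    onboarded group produces no patch."""
    patches = {}
    users = copy.deepcopy(legacy_policy["conditions"]["users"])
    if group_id not in users.setdefault("excludeGroups", []):
        users["excludeGroups"].append(group_id)
        patches[legacy_policy["id"]] = {"conditions": {"users": users}}
    for policy in phased_policies:
        check_scoped(policy)
        users = copy.deepcopy(policy["conditions"]["users"])
        if group_id not in users.setdefault("includeGroups", []):
            users["includeGroups"].append(group_id)
            patches[policy["id"]] = {"conditions": {"users": users}}
    return patches


def legacy_retirable(legacy_policy, phased_policies, populations):
    """The legacy policy may be deleted only when every population is both
    excluded from it and included in every phased policy."""
    excluded = set(legacy_policy["conditions"]["users"].get("excludeGroups", []))
    return all(
        group in excluded
        and all(group in p["conditions"]["users"].get("includeGroups", []) for p in phased_policies)
        for group in populations
    )


def _policy(pid, name, include_users=(), include_groups=(), exclude_groups=()):
    """Constructed policy shape with both break-glass accounts excluded."""
    return {"id": pid, "displayName": name, "state": "enabled", "conditions": {"users": {
        "includeUsers": list(include_users), "excludeUsers": sorted(BREAK_GLASS),
        "includeGroups": list(include_groups), "excludeGroups": list(exclude_groups)}}}


LEGACY = _policy(LEGACY_ALL_USERS_MFA, "Require multifactor authentication for all users",
                 include_users=["All"], exclude_groups=[PILOT])
PHASED = [
    _policy("e35614e1-e896-4a13-9407-076963af488f", "CSC - Block caregivers off Cascades network", include_groups=[PILOT]),
    _policy("ede985e2-ee7e-4521-88b2-34c847c3db20", "CSC - Block caregivers on non-compliant device", include_groups=[PILOT]),
    _policy("7d491c7a-ad90-4420-9990-40a1e676a76c", "CSC - Caregiver sign-in frequency 8h", include_groups=[PILOT]),
]

if __name__ == "__main__":
    for pid, body in onboard_population(LEGACY, PHASED, NEXT_POPULATION).items():
        print("PATCH", pid, body["conditions"]["users"])
    print("legacy retirable:", legacy_retirable(LEGACY, PHASED, [PILOT, NEXT_POPULATION]))
```

Run this before each expansion and send the returned bodies as PATCHes; `check_scoped` is the code form of the "treat any tenant-wide suggestion as a regression" rule, and `legacy_retirable` only returns True once the last population has been onboarded.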

Problems Encountered

  • Original CA design was tenant-wide and would have broken off-site office sign-ins. Howard caught this with a btw replay before any tenant-wide policies were built. Switched to phased per-group rollout. No production impact.
  • Microsoft Graph CA policy reads are eventually consistent. Verify-after-PATCH GETs returned stale state for all 7 of 8 policies despite 204 PATCHes succeeding. A 5-second sleep before re-reading made the verify pass cleanly. Saved as feedback memory feedback_graph_ca_policy_eventual_consistency so future agents don't chase the same false-positive.
  • Tenant Admin SP cannot PATCH-reset existing user passwords (403 Authorization_RequestDenied). Lost a generated pilot password to script flow-control before it was echoed. Resolved by deleting + recreating the user, this time echoing the password up front. Saved as feedback memory feedback_graph_password_reset_requires_role.
  • First pilot phone stuck after enrollment. All custom policies state=unknown for hours, zero apps detected, MHS not taking over launcher despite Intune showing androidEnterpriseDedicatedDevice. Likely partial dedicated mode from a stale saved QR + residual setup state. Resolved by remote wipe (POST /managedDevices/{id}/wipe) + factory reset + fresh QR from the portal.
  • Samsung FRP / OS update gating dedicated re-enrollment. Phone needed Android 15 before dedicated mode would re-take cleanly. Howard had to do normal setup first to pull the OS update, then factory reset and re-scan from the literal welcome screen.
  • Bash-in-PowerShell friction. Howard cannot directly run bash from PowerShell. The trivial last-mile commit step on the vault repo had been handed off to him unnecessarily. Saved feedback memory feedback_complete_vault_operations_end_to_end — write + encrypt + commit + push the vault repo end-to-end going forward.
  • Ollama qwen3:14b hallucinated a different Cascades session during the /save narrative draft. Returned content about Entra Connect Sync setup, mailbox restoration, and Syncro ticket creation — none of which were in the prompt. Fell back to Claude-direct narrative writing per the skill's documented fallback. Tier 0 routing remains usable for shorter prose tasks but the qwen3 model demonstrably mixes context across prior Cascades work when the prompt is long. Worth a future test of qwen3-coder:30b or stricter prompting if /save Tier 0 routing is to be relied on.

Configuration Changes

Cascades tenant (207fa277-e9d8-4eb7-ada1-1064d2221498)

  • All 8 existing CA policies: excludeUsers now contains both 471b13dc-3cf8-416b-a132-f5f3bc8d1cc8 (sysadmin@) and e20f7f21-757a-48cd-bb24-7bdeeb1497d0 (admin@). GuestsOrExternalUsers sentinel preserved on the 3 policies that had it. Affected policies:

    1. Microsoft-managed: Block legacy authentication (ed1fe97a-9d99-408c-ae18-139d42f41803)
    2. Microsoft-managed: Require phishing-resistant multifactor authentication for admins (1be9295c-b23b-42ac-80a3-888eeb2003de)
    3. Require MFA for admins (3154dc8f-7321-42c9-adf4-a2517944a92c)
    4. Require MFA for external and guest users (49acf60d-3159-4ac9-8d48-35aa249e3209)
    5. Block all legacy sign-ins that don't support MFA (0a16bb5c-c7d2-4942-aa2a-b0551b872933)
    6. Require MFA and a password change when high-risk users are detected (9f123001-a95f-4e50-9860-4dd2254cccad)
    7. Require MFA when risky sign-ins are detected (76f1dd72-4003-4984-bb4a-6fcead072c2c)
    8. Require multifactor authentication for all users (7e87a1c7-4836-49df-8769-c4cccadd9dbe)
  • Legacy Require multifactor authentication for all users (id 7e87a1c7-4836-49df-8769-c4cccadd9dbe) — excludeGroups now contains SG-Caregivers-Pilot (0674f0bc-6ff4-49c7-802d-2abf591ba371). State remains enabled. Pre-existing excludeLocations: ['AllTrusted'] preserved.

  • NEW CA policy CSC - Block caregivers off Cascades network (id e35614e1-e896-4a13-9407-076963af488f) — Report-only, includeGroups=SG-Caregivers-Pilot, excludeUsers=[admin@, sysadmin@], locations: include All exclude Cascades named loc (061c6b06-b980-40de-bff9-6a50a4071f6f), grant=BLOCK.

  • NEW CA policy CSC - Block caregivers on non-compliant device (id ede985e2-ee7e-4521-88b2-34c847c3db20) — Report-only, includeGroups=SG-Caregivers-Pilot, excludeUsers=[admin@, sysadmin@], deviceFilter device.isCompliant -eq False, grant=BLOCK.

  • NEW CA policy CSC - Caregiver sign-in frequency 8h (id 7d491c7a-ad90-4420-9990-40a1e676a76c) — Report-only, includeGroups=SG-Caregivers-Pilot, excludeUsers=[admin@, sysadmin@], sessionControls.signInFrequency {value: 8, type: hours, authenticationType: primaryAndSecondaryAuthentication, isEnabled: true}.

  • NEW Entra group SG-Caregivers-Pilot (id 0674f0bc-6ff4-49c7-802d-2abf591ba371) — cloud-only, security-enabled, mail-disabled, mailNickname=SG-Caregivers-Pilot. One member: pilot.test@cascadestucson.com.

  • NEW user pilot.test@cascadestucson.com (id 43919c7b-638c-4d38-9f94-89c1d07ce724) — cloud-only (onPremisesSyncEnabled: None), displayName "Pilot Test (Caregiver Bypass)", usageLocation US, accountEnabled true, forceChangePasswordNextSignIn false, licensed with Business Premium SPB SKU (cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46). Member of SG-Caregivers-Pilot. Cloud-only test identity for the caregiver bypass pilot. Cleanup obligation: remove at end of pilot per project_cascades_pilot_cleanup memory. Password vaulted at clients/cascades-tucson/pilot-test-user.sops.yaml.

  • NEW mobileApp Microsoft Outlook (Managed Play, id 6920b747-9b07-49d2-b420-67116d38f0b8) — assigned to Cascades - Shared Phones group (id ea96f4b7-3000-45da-ab1f-ddb28f509526) with intent=required. Added to MHS kioskModeApps array.

  • NEW mobileApp Helpany (webApp, id 97c294de-03ec-4053-b272-a4c956e408e9, appUrl https://app.helpany.com/login) — assigned required to shared-phones group, added to MHS kiosk.

  • NEW mobileApp LinkRx (webApp, id e4157faf-c47d-443d-96b3-59d7c4ba9ac2, appUrl https://pharmcare.linkrxnow.com/) — assigned required to shared-phones group, added to MHS kiosk.

  • CSC - Android Shared Phones Restrictions (id 070a76c2-a8c3-4f7f-9ba7-1f4ac5084184) — version bumped to 6. kioskModeApps array now contains 5 entries: ALIS, Microsoft Teams, Microsoft Outlook, Helpany, LinkRx. All other settings preserved from earlier session.
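The three new caregiver policies above, expressed as the Microsoft Graph request bodies a create call would take, plus the Report-only to On flip from step 5 of the resume list. This is an added illustration built from the settings recorded in this log, not the session's own script; the Tenant Admin SP bearer token is assumed to be supplied in TOKEN, and nothing is sent unless submit() is called.

```python
"""Graph request bodies for the three caregiver CA policies, plus the
Report-only -> On flip. Added illustration built from the settings recorded
in this log; not the session's own script. The bearer token for the Tenant
Admin SP is assumed to be supplied in TOKEN; nothing is sent unless submit()
is called.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
CA_POLICIES = f"{GRAPH}/identity/conditionalAccess/policies"
TOKEN = "<bearer token for Tenant Admin SP>"   # assumption: acquired elsewhere

PILOT_GROUP = "0674f0bc-6ff4-49c7-802d-2abf591ba371"
CASCADES_LOC = "061c6b06-b980-40de-bff9-6a50a4071f6f"
ADMIN = "e20f7f21-757a-48cd-bb24-7bdeeb1497d0"
SYSADMIN = "471b13dc-3cf8-416b-a132-f5f3bc8d1cc8"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph's state value for Report-only


def _base(name, group_id, exclude_users):
    """Shared skeleton: all cloud apps, one target group, break-glass excluded."""
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [group_id], "excludeUsers": list(exclude_users)},
        },
    }


def caregiver_policies(group_id=PILOT_GROUP, named_location_id=CASCADES_LOC,
                       exclude_users=(ADMIN, SYSADMIN), sign_in_hours=8):
    """The three policies: block off-network, block non-compliant device,
    and an N-hour sign-in frequency (session control only, no grant)."""
    block = {"operator": "OR", "builtInControls": ["block"]}

    off_network = _base("CSC - Block caregivers off Cascades network", group_id, exclude_users)
    off_network["conditions"]["locations"] = {
        "includeLocations": ["All"], "excludeLocations": [named_location_id]}
    off_network["grantControls"] = block

    non_compliant = _base("CSC - Block caregivers on non-compliant device", group_id, exclude_users)
    non_compliant["conditions"]["devices"] = {
        "deviceFilter": {"mode": "include", "rule": "device.isCompliant -eq False"}}
    non_compliant["grantControls"] = block

    frequency = _base("CSC - Caregiver sign-in frequency 8h", group_id, exclude_users)
    frequency["sessionControls"] = {"signInFrequency": {
        "value": sign_in_hours, "type": "hours", "frequencyInterval": "timeBased",
        "authenticationType": "primaryAndSecondaryAuthentication", "isEnabled": True}}
    return [off_network, non_compliant, frequency]


def flip_to_on(policy_ids):
    """Step 5 of the resume list: one PATCH per policy id, sent back to back."""
    return [("PATCH", f"{CA_POLICIES}/{pid}", {"state": "enabled"}) for pid in policy_ids]


def submit(method, url, body, token=TOKEN):
    """Send one request; expect 201 (create) or 204 (patch). Network call."""
    req = urllib.request.Request(url, method=method, data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for body in caregiver_policies():
        print(json.dumps(body, indent=2))   # review, then submit("POST", CA_POLICIES, body)
```

Two details worth keeping straight: Report-only is the literal state value enabledForReportingButNotEnforced, and the sign-in frequency policy carries only sessionControls (no grantControls), which is why it never blocks on its own and flips to On together with the two block policies.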

Pilot phone (SM-A146U serial R9TTC0JSDPJ)

  • Wipe issued via POST /managedDevices/c94e8086-81b8-4a2c-a86a-6bbf677cb72a/wipe with keepEnrollmentData: false, keepUserData: false. Old Intune device record removed.
  • Re-enrolled as new Intune device record (id 1207c415-5a82-41a9-9bfd-eb37c0d680eb). Now Android 15 (auto-updated during the Howard-driven OS update step), deviceEnrollmentType: androidEnterpriseDedicatedDevice, ownerType: company, enrollmentProfileName: CSC - Android Shared Phones, managementAgent: googleCloudDevicePolicyController, complianceState: noncompliant (PIN now set, will re-evaluate on next sync). Confirmed in Cascades - Shared Phones dynamic group (3 of 3 members).

Vault (D:/vault, repo azcomputerguru/vault)

  • NEW clients/cascades-tucson/pilot-test-user.sops.yaml — pilot.test credential entry. Encrypted with both age recipients per .sops.yaml. Committed and pushed (commit b987410, range 73de020..b987410).

claudetools repo (memory + session log additions)

Memory files added (will land in this session's commit):

  • .claude/memory/project_cascades_admin_accounts.md
  • .claude/memory/project_cascades_pilot_cleanup.md
  • .claude/memory/project_cascades_ca_phased_rollout.md
  • .claude/memory/feedback_graph_ca_policy_eventual_consistency.md
  • .claude/memory/feedback_graph_password_reset_requires_role.md
  • .claude/memory/feedback_complete_vault_operations_end_to_end.md

Session log updates:

  • clients/cascades-tucson/session-logs/2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md — UPDATE block at top of resume-point + [SUPERSEDED] marker on the original CA design correction table.
  • clients/cascades-tucson/session-logs/2026-04-30-howard-cascades-ca-rollout-and-phone-reenroll.md — this file.

Commands & Outputs

admin@ exclusion backfill on 8 CA policies

# The loop as run via py heredoc, here with the page's graph_get/graph_patch helpers replaced by direct requests calls.
# TOKEN is the Tenant Admin SP bearer token; ADMIN_ID is admin@'s object id.
import time, requests
BASE = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
H = {'Authorization': f'Bearer {TOKEN}'}
for policy in requests.get(BASE, headers=H).json()['value']:
    users = policy['conditions']['users']   # whole object is resent, so includeUsers/excludeGroups/GuestsOrExternalUsers are preserved
    if ADMIN_ID not in users['excludeUsers']:
        users['excludeUsers'].append(ADMIN_ID)
        r = requests.patch(f'{BASE}/{policy["id"]}', headers=H, json={'conditions': {'users': users}})
        r.raise_for_status()                  # 204 on success
time.sleep(5)   # reads are eventually consistent: an immediate GET returns stale state, so verify each policy only after this

Result: all 8 policies returned 204 on PATCH, all 8 verified post-sleep.
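The same backfill with the verify step done properly: poll until the read reflects the write (bounded by a deadline) instead of a fixed 5-second sleep, and a sentinel-preserving patch builder. This is an added illustration, not the session's own script; the in-memory FakeGraph stands in for Microsoft Graph and is constructed to keep serving the old policy for a few reads after each PATCH, which is the behaviour the session observed. The same wait_until pattern covers the ~10 s wait before the group member add in the pilot-user commands below.

```python
"""Idempotent break-glass exclusion backfill with a consistency-tolerant
verify. Added illustration, not the session's own script; FakeGraph is a
constructed stand-in for the Graph CA policy endpoints that emulates the
stale-read window seen after each PATCH.
"""
import copy
import time

GUEST_SENTINEL = "GuestsOrExternalUsers"
ADMIN = "e20f7f21-757a-48cd-bb24-7bdeeb1497d0"
SYSADMIN = "471b13dc-3cf8-416b-a132-f5f3bc8d1cc8"


class FakeGraph:
    """Each PATCH is committed at once, but GET keeps returning the old
    object for `lag` further reads (eventual consistency)."""
    def __init__(self, policies, lag=3):
        self._committed = {p["id"]: copy.deepcopy(p) for p in policies}
        self._visible = copy.deepcopy(self._committed)
        self._pending = {}          # policy id -> stale reads remaining
        self.lag = lag
        self.patch_calls = 0

    def get(self, pid):
        if pid in self._pending:
            self._pending[pid] -= 1
            if self._pending[pid] <= 0:
                del self._pending[pid]
                self._visible[pid] = copy.deepcopy(self._committed[pid])
        return copy.deepcopy(self._visible[pid])

    def list(self):
        return [self.get(pid) for pid in self._committed]

    def patch(self, pid, body):
        self.patch_calls += 1
        self._committed[pid]["conditions"]["users"] = body["conditions"]["users"]
        self._pending[pid] = self.lag
        return 204


def exclusion_patch(policy, user_id):
    """PATCH body adding user_id to excludeUsers, or None if already there.
    The whole conditions.users object is resent, so includeUsers,
    excludeGroups and the GuestsOrExternalUsers sentinel survive."""
    users = copy.deepcopy(policy["conditions"]["users"])
    if user_id in users.get("excludeUsers", []):
        return None
    users.setdefault("excludeUsers", []).append(user_id)
    return {"conditions": {"users": users}}


def wait_until(read, predicate, timeout=30.0, interval=1.0, sleep=time.sleep):
    """Poll read() until predicate(result) holds or the deadline passes.
    Returns (ok, last_result). Use for every verify-after-write on Graph."""
    deadline = time.monotonic() + timeout
    while True:
        result = read()
        if predicate(result):
            return True, result
        if time.monotonic() >= deadline:
            return False, result
        sleep(interval)


def backfill_exclusion(graph, user_id, sleep=time.sleep):
    """Exclude user_id on every CA policy and verify each by polling.
    Returns [(policy_id, patched, verified)]."""
    results = []
    for policy in graph.list():
        body = exclusion_patch(policy, user_id)
        if body is None:
            results.append((policy["id"], False, True))
            continue
        assert graph.patch(policy["id"], body) == 204
        ok, _ = wait_until(
            lambda pid=policy["id"]: graph.get(pid),
            lambda p: user_id in p["conditions"]["users"]["excludeUsers"],
            timeout=30, interval=1.0, sleep=sleep)
        results.append((policy["id"], True, ok))
    return results


def _policy(pid, name, exclude_users):
    return {"id": pid, "displayName": name, "conditions": {"users": {
        "includeUsers": ["All"], "excludeUsers": list(exclude_users),
        "includeGroups": [], "excludeGroups": []}}}


# Constructed sample: sysadmin@-only posture before Step A, one policy
# carrying the guest sentinel, one where admin@ is already excluded.
SAMPLE = [
    _policy("ed1fe97a-9d99-408c-ae18-139d42f41803", "Microsoft-managed: Block legacy authentication", [SYSADMIN]),
    _policy("49acf60d-3159-4ac9-8d48-35aa249e3209", "Require MFA for external and guest users", [SYSADMIN, GUEST_SENTINEL]),
    _policy("7e87a1c7-4836-49df-8769-c4cccadd9dbe", "Require multifactor authentication for all users", [SYSADMIN, ADMIN]),
]

if __name__ == "__main__":
    fake = FakeGraph(SAMPLE, lag=3)
    for row in backfill_exclusion(fake, ADMIN, sleep=lambda s: None):
        print(row)
```

Against the real tenant the same functions work with a thin client exposing get/list/patch over the Graph endpoints; the verify then tolerates whatever the consistency window happens to be instead of being tuned to the 5 seconds observed this session.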

Outlook + Helpany + LinkRx kiosk update (PATCH on device restrictions)

curl -X PATCH ... \
  https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/070a76c2-a8c3-4f7f-9ba7-1f4ac5084184 \
  -d '{
    "@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
    "kioskModeApps": [
      {"@odata.type":"#microsoft.graph.appListItem","name":"ALIS","appId":"fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"Microsoft Teams","appId":"0eb81676-299b-4eb2-bfd9-8be914a82f91"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"Microsoft Outlook","appId":"6920b747-9b07-49d2-b420-67116d38f0b8"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"Helpany","appId":"97c294de-03ec-4053-b272-a4c956e408e9"},
      {"@odata.type":"#microsoft.graph.appListItem","name":"LinkRx","appId":"e4157faf-c47d-443d-96b3-59d7c4ba9ac2"}
    ]
  }'
# HTTP 204

Pilot user create + license + group add

# Create group
POST /v1.0/groups { displayName: SG-Caregivers-Pilot, mailEnabled: false, securityEnabled: true, mailNickname: SG-Caregivers-Pilot }

# Create user
POST /v1.0/users {
  accountEnabled: true,
  displayName: "Pilot Test (Caregiver Bypass)",
  mailNickname: pilot.test,
  userPrincipalName: pilot.test@cascadestucson.com,
  usageLocation: US,
  passwordProfile: { password: <vaulted>, forceChangePasswordNextSignIn: false }
}

# License
POST /v1.0/users/{id}/assignLicense { addLicenses: [{ skuId: cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46, disabledPlans: [] }], removeLicenses: [] }

# Add to group
POST /v1.0/groups/{group_id}/members/$ref { @odata.id: https://graph.microsoft.com/v1.0/directoryObjects/{user_id} }
# Note: needed sleep ~10s after group create before add-member would succeed (eventual consistency)

Phone wipe + re-enroll

# Wipe
POST /beta/deviceManagement/managedDevices/c94e8086-81b8-4a2c-a86a-6bbf677cb72a/wipe \
  -d '{"keepEnrollmentData": false, "keepUserData": false, "useProtectedWipe": false, "persistEsimDataPlan": false}'
# HTTP 204; managementState immediately became "wipeIssued"

# After Howard's factory reset + OS update + fresh QR scan, new device record:
# id 1207c415-5a82-41a9-9bfd-eb37c0d680eb, serial R9TTC0JSDPJ, Android 15

Reference Information

Cascades tenant

  • Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
  • Tenant Admin SP appId: 709e6eed-0711-4875-9c44-2d3518c47063
  • Cascades named location: 061c6b06-b980-40de-bff9-6a50a4071f6f (both WANs trusted)
  • Default domain: cascadestucson.com

Pilot resources

  • User: pilot.test@cascadestucson.com id 43919c7b-638c-4d38-9f94-89c1d07ce724
  • Group: SG-Caregivers-Pilot id 0674f0bc-6ff4-49c7-802d-2abf591ba371
  • Vault: clients/cascades-tucson/pilot-test-user.sops.yaml
  • License: Microsoft 365 Business Premium SPB SKU cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46

Admin accounts (Cascades)

  • admin@cascadestucson.com (Mike) — id e20f7f21-757a-48cd-bb24-7bdeeb1497d0 — cloud-only Global Admin, excluded from all 8 existing CA policies + all 3 new ones, no FIDO2 yet
  • sysadmin@cascadestucson.com (Howard) — id 471b13dc-3cf8-416b-a132-f5f3bc8d1cc8 — cloud-only Global Admin, excluded from all 8 existing CA policies + all 3 new ones, no FIDO2 yet

CA policy IDs (new)

  • CSC - Block caregivers off Cascades network (id e35614e1-e896-4a13-9407-076963af488f) — Report-only
  • CSC - Block caregivers on non-compliant device (id ede985e2-ee7e-4521-88b2-34c847c3db20) — Report-only
  • CSC - Caregiver sign-in frequency 8h (id 7d491c7a-ad90-4420-9990-40a1e676a76c) — Report-only

Mobile app IDs (Cascades, beta endpoint — v1.0 hides Managed Play)

  • ALIS (webApp) — fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3
  • Microsoft Teams — 0eb81676-299b-4eb2-bfd9-8be914a82f91
  • Microsoft Outlook (NEW) — 6920b747-9b07-49d2-b420-67116d38f0b8
  • Helpany (NEW, webApp) — 97c294de-03ec-4053-b272-a4c956e408e9
  • LinkRx (NEW, webApp) — e4157faf-c47d-443d-96b3-59d7c4ba9ac2

Pilot phone state at session end

  • Intune device id: 1207c415-5a82-41a9-9bfd-eb37c0d680eb
  • Old (wiped) device id: c94e8086-81b8-4a2c-a86a-6bbf677cb72a — removed
  • Serial: R9TTC0JSDPJ
  • Model: SM-A146U Samsung Galaxy A14 5G
  • OS: Android 15
  • Last sync: 2026-04-30T04:25:14Z
  • Compliance: nonCompliant (re-evaluation pending after PIN set; will flip)
  • Phone status when session ended: showing "Syncing policies"

Note for Mike

Two things to flag:

  1. CA design change. The original §5 design in user-account-rollout-plan.md (and the corresponding Track A item from earlier) was tenant-wide and would have blocked off-site office users — including yours — by policy 3 (the "block off-network unless allow-listed" one). I caught that with a btw replay before any of those tenant-wide policies were built. We're now on a phased per-group rollout: only SG-Caregivers-Pilot is in scope today, legacy all-users-MFA still applies to everyone else exactly as before. When we expand to a new department, we add it to legacy's excludeGroups and add it to the new policies' includeGroups one population at a time. The corrected design is in .claude/memory/project_cascades_ca_phased_rollout.md — treat any "let's just push tenant-wide now that the pilot worked" suggestion as a regression of this decision and ping me.

  2. Your admin@cascadestucson.com posture changed. It's now excluded from all 8 existing CA policies + all 3 new ones, mirroring sysadmin@'s posture. Howard's call (Option 1). Net effect: your account no longer hits the admin-MFA policies — it's a CA-clean Global Admin. No FIDO2 enrolled yet. When you have time, enroll the YubiKey on admin@ (and ideally sit down and decide whether you want a dedicated breakglass@ or to keep this Option 1 posture). Until then, your account's only protections are password + per-user Authenticator (no CA enforcement, no FIDO2). Not blocking, just noting the trade.


Session duration: ~7 hours (2026-04-29 ~21:00 PT through 2026-04-30 ~04:30 PT, with breaks while Howard drove the phone enrollment)

Pilot status at session end: phone in "Syncing policies" state, pilot user vaulted, all CA changes live (legacy PATCH enforced, 3 new in Report-only)