Cascades of Tucson -- Caregiver AD Account Creation
Date: 2026-05-16 Syncro ticket: #32214 (Entra setup -- In Progress)
User
- User: Howard Enos (howard)
- Machine: HOWARD-HOME
- Role: tech
Goal
Create all 37 caregiver AD accounts in OU=Caregivers and add them to SG-Caregivers. This is the identity layer prerequisite for the shared-phone rollout -- accounts must exist in AD so Entra Connect can sync them to M365 and CA policies can apply.
Espe Esperance -- identity correction
The create-caregiver-accounts.ps1 script previously treated "Niyonsaba Esperance" and "Espe Esperance" as two different people. Howard confirmed they are one person:
- Legal name: Niyonsaba Esperance (Niyonsaba = first, Esperance = last)
- Goes by Espe at work
Graph search confirmed no existing mailbox or user object for Esperance in the tenant (searched by UPN prefix and display name -- both returned empty). Net-new account.
AD account created as:
- Display name: Espe Esperance
- GivenName: Espe
- Surname: Esperance
- sAMAccountName: e.esperance / UPN: e.esperance@cascadestucson.com
ALIS action (Meredith): UPDATE the existing ALIS staff record for "Niyonsaba Esperance" -- set the Email field to e.esperance@cascadestucson.com. Do NOT add a new record.
Script updated in repo to reflect the correction. Script header, inline comment, and output block all corrected.
Account creation
Script: clients/cascades-tucson/scripts/create-caregiver-accounts.ps1
Run on: CS-SERVER, elevated PowerShell, sysadmin context
OU: OU=Caregivers,OU=Departments,DC=cascades,DC=local
Temp password: Cascades2026! (PasswordNeverExpires = true during rollout)
No licenses assigned. No security group memberships set at creation time.
Result: 37 created, 0 failed, 0 skipped
Accounts created:
| sAMAccountName | Display Name | Notes |
|---|---|---|
| t.abainza | Thelma Abainza | |
| n.castro | Niel Castro | |
| e.esperance | Espe Esperance | Legal: Niyonsaba Esperance |
| b.johnson | Barb Johnson | |
| k.flores | Kasey Flores | Not in ALIS -- Meredith must add |
| r.flores | Richard Flores | |
| m.kastner | Marie Kastner | |
| b.mendoza | Bella Mendoza | |
| r.morales | Rosa Morales | |
| s.padilla | Sandra Padilla | |
| w.reed | Whisper Reed | |
| p.sandoval-beck | Patricia Sandoval-Beck | |
| b.sika | Charity Sika | Legal first: Bariffa (drives initial) |
| j.andrade | Juan Andrade | |
| j.clarke | Jahmeka Clarke | Not in ALIS -- Meredith must add |
| k.aziakpo | Karina Aziakpo | |
| j.dittbenner | Jinnelle Dittbenner | |
| a.mcferren | Agnes McFerren | |
| s.ramirez | Samuel Ramirez | |
| e.sanchez | Erica Sanchez | |
| k.wyzykowski | Katrina Wyzykowski | |
| c.tate | Corey Tate | |
| a.atwood | Ashli Atwood | |
| c.johnson | Cole Johnson | |
| r.cooper | Roseline Cooper | |
| m.lopez | Monique Lopez | |
| g.williford | Gloria Williford | Not in ALIS -- Meredith must add |
| s.carroll | Sarah Carroll | |
| l.hogan | Luke Hogan | |
| g.williams | Gina Williams | |
| j.higdon | Jen Higdon | |
| m.kariuki | Mary Kariuki | |
| c.lassey | Celia Lassey | |
| p.doran | Patricia Camarena Doran | ALIS: "Camarena Doran, Patricia" |
| e.huerta | Zeke Huerta | Legal first: Ezekiel (drives initial) |
| m.baker | Maia Baker | |
| e.yuzon | Ederick Yuzon | Spelling from ALIS; email confirm still pending |
Excluded (intentional):
- Christine Nyanzunda -- already has AD + M365 accounts
- Polett Pinazavala -- departed
SG-Caregivers
Script: clients/cascades-tucson/scripts/add-caregivers-to-sg.ps1
Run on: CS-SERVER, elevated PowerShell, sysadmin context
Result: 37 added, 0 failed, 0 skipped
All 37 caregiver accounts are now members of SG-Caregivers. This is the group that controls Conditional Access policy coverage (Block-off-network, Sign-in-frequency, Block-non-compliant) and the Registration Campaign exclusion (no Authenticator nudge).
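The two steps above (account creation into OU=Caregivers, then SG-Caregivers membership) combined into one idempotent pass, as an added example for this log; it is not the repo's create-caregiver-accounts.ps1 or add-caregivers-to-sg.ps1. It assumes the RSAT ActiveDirectory module on CS-SERVER, a constructed four-row roster excerpt in place of the full 37-name list, and a naming rule inferred from the table (first initial + "." + last word of the surname, with a LegalFirst field driving the initial, e.g. Bariffa -> b.sika, Camarena Doran -> p.doran). It re-runs safely: existing accounts are skipped rather than re-created, membership is only added where missing, and it refuses to create an account whose sAMAccountName collides with another roster row or exceeds AD's 20-character limit.

```powershell
# Added example, not the repo's create-caregiver-accounts.ps1 / add-caregivers-to-sg.ps1.
# Idempotent caregiver provisioning into OU=Caregivers plus SG-Caregivers membership.
# Assumptions: RSAT ActiveDirectory module; naming rule first-initial.lastname where a
# LegalFirst value drives the initial and a multi-word surname contributes its last word.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OU        = 'OU=Caregivers,OU=Departments,DC=cascades,DC=local',
    [string]$Group     = 'SG-Caregivers',
    [string]$UpnSuffix = 'cascadestucson.com'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Constructed roster excerpt; the real run reads the full 37-person roster.
$Roster = @(
    [pscustomobject]@{ GivenName = 'Espe';     Surname = 'Esperance';      LegalFirst = 'Niyonsaba' }
    [pscustomobject]@{ GivenName = 'Charity';  Surname = 'Sika';           LegalFirst = 'Bariffa'   }
    [pscustomobject]@{ GivenName = 'Patricia'; Surname = 'Camarena Doran'; LegalFirst = $null       }
    [pscustomobject]@{ GivenName = 'Patricia'; Surname = 'Sandoval-Beck';  LegalFirst = $null       }
)

# Temp password is prompted at run time rather than embedded in the script file.
$TempPassword = Read-Host -Prompt 'Temporary password for new caregiver accounts' -AsSecureString

# Cache current group membership once so the per-user membership check is a local lookup.
$existingMembers = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)

$created = 0; $skipped = 0; $failed = 0
$seen = @{}   # detects two roster rows that collapse to the same sAMAccountName

foreach ($p in $Roster) {
    $first   = if ($p.LegalFirst) { $p.LegalFirst } else { $p.GivenName }
    $initial = $first.Substring(0, 1).ToLower()
    $last    = (($p.Surname -split '\s+')[-1]).ToLower()
    $sam     = "$initial.$last"
    $upn     = "$sam@$UpnSuffix"
    $display = "$($p.GivenName) $($p.Surname)"

    # sAMAccountName for user objects is limited to 20 characters.
    if ($sam.Length -gt 20) {
        Write-Warning "$display -> '$sam' exceeds 20 chars; needs a manual name"; $failed++; continue
    }
    if ($seen.ContainsKey($sam)) {
        Write-Warning "$display collides with $($seen[$sam]) on '$sam'; not created"; $failed++; continue
    }
    $seen[$sam] = $display

    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        Write-Verbose "$sam already exists; skipping creation"; $skipped++
    }
    elseif ($PSCmdlet.ShouldProcess($upn, 'New-ADUser')) {
        try {
            # PasswordNeverExpires is the rollout setting; ChangePasswordAtLogon must be off with it.
            New-ADUser -Name $display -DisplayName $display `
                -GivenName $p.GivenName -Surname $p.Surname `
                -SamAccountName $sam -UserPrincipalName $upn -Path $OU `
                -AccountPassword $TempPassword -Enabled $true `
                -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
                -ErrorAction Stop
            $created++
        }
        catch { Write-Warning "New-ADUser failed for ${sam}: $_"; $failed++; continue }
    }

    # Group membership is what brings the account under CA policy coverage after sync.
    if (($existingMembers -notcontains $sam) -and $PSCmdlet.ShouldProcess($sam, "Add to $Group")) {
        try   { Add-ADGroupMember -Identity $Group -Members $sam -ErrorAction Stop }
        catch { Write-Warning "Add-ADGroupMember failed for ${sam}: $_"; $failed++ }
    }
}

"Result: $created created, $failed failed, $skipped skipped"
```

Run it once with -WhatIf to see every New-ADUser and Add-ADGroupMember it would perform before committing; the closing summary line uses the same "created / failed / skipped" shape as the results recorded above, so a second run on the same roster should report 0 created and 37 skipped.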
State after this session
The AD identity layer is complete:
- 37 caregiver accounts exist in OU=Caregivers
- All 37 in SG-Caregivers (CA coverage active on next sync)
- Entra Connect live (exited staging 2026-05-14) -- next sync cycle will push accounts to cloud
- SG-Caregivers already synced to cloud (ID: 8b8d9222-5d71-419a-936d-56d895c6c332)
- CA policies target synced SG-Caregivers
After the next Entra Connect sync cycle (~30 min or force with Start-ADSyncSyncCycle on CS-SERVER), M365 will provision Exchange mailboxes automatically for all 37 accounts.
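A cloud-side check for after that sync cycle (scheduled, or forced with Start-ADSyncSyncCycle -PolicyType Delta as noted), added here as an example and not part of the project's scripts. It assumes the Microsoft.Graph PowerShell SDK and an operator with User.Read.All and GroupMember.Read.All consent, takes the synced SG-Caregivers object ID recorded above, and uses a constructed three-name excerpt in place of the full list. For each UPN it reports whether the object exists in Entra, whether it is the AD-synced object rather than a cloud-only duplicate, and whether it is a member of the synced group, since that membership is what the CA policies key on.

```powershell
# Added example (not from the project repo): confirm the new accounts reached Entra ID and
# sit in the synced SG-Caregivers group, which is what CA policy targeting keys on.
# Assumptions: Microsoft.Graph PowerShell SDK installed; operator has User.Read.All and
# GroupMember.Read.All consent.
param(
    # Synced SG-Caregivers object ID as recorded in the session notes.
    [string]$GroupId   = '8b8d9222-5d71-419a-936d-56d895c6c332',
    [string]$UpnSuffix = 'cascadestucson.com',
    # Constructed excerpt; pass the full list of 37 sAMAccountNames in practice.
    [string[]]$Sams    = @('t.abainza', 'e.esperance', 'p.doran')
)

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All' -NoWelcome

# One call for the group's member object IDs; -All follows paging past the first page.
$memberIds = @(Get-MgGroupMember -GroupId $GroupId -All | Select-Object -ExpandProperty Id)

$report = foreach ($sam in $Sams) {
    $upn  = "$sam@$UpnSuffix"
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" `
                       -Property Id, UserPrincipalName, OnPremisesSyncEnabled, AccountEnabled

    [pscustomobject]@{
        UPN          = $upn
        InEntra      = [bool]$user                        # false until Entra Connect has pushed it
        SyncedFromAD = [bool]$user.OnPremisesSyncEnabled  # a cloud-only duplicate shows false
        Enabled      = [bool]$user.AccountEnabled
        InSGGroup    = [bool]($user -and ($memberIds -contains $user.Id))  # CA coverage depends on this
    }
}

$report | Format-Table -AutoSize

# Anything not yet synced or outside the group is a gap in CA coverage, not a finished step.
$gaps = @($report | Where-Object { -not ($_.InEntra -and $_.SyncedFromAD -and $_.InSGGroup) })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) account(s) not yet covered: $($gaps.UPN -join ', ')"
}
```

The SyncedFromAD column is the one worth watching: a row that is InEntra but not SyncedFromAD means a cloud-only object already holds that UPN, and Entra Connect will not match it to the new AD account without a soft-match or cleanup.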
Remaining open items before phone rollout
| Item | Owner | Notes |
|---|---|---|
| Entra Connect sync -- push new accounts to cloud | Auto (next cycle) or force on CS-SERVER | Run: Start-ADSyncSyncCycle -PolicyType Delta |
| ALIS: UPDATE Espe Esperance staff record email | Meredith | Set to e.esperance@cascadestucson.com (she is Niyonsaba Esperance in ALIS) |
| ALIS: ADD Kasey Flores staff record | Meredith | k.flores@cascadestucson.com |
| ALIS: ADD Jahmeka Clarke staff record | Meredith | j.clarke@cascadestucson.com |
| ALIS: ADD Gloria Williford staff record | Meredith | g.williford@cascadestucson.com |
| Set ALIS Email = Entra UPN for ALL caregivers | Meredith / ALIS admin | Required for ALIS SSO to link; do after accounts appear in M365 |
| M365 licensing -- Business Premium for caregivers | Meredith (purchase decision) | 38 net-new licenses needed; $22/user/mo; proposal in docs/proposals/ |
| Reliable Agency per-person accounts | Howard (when names provided) | Cannot create until Reliable supplies individual names; HIPAA -- no shared logins |
| Ederick Yuzon first-name spelling confirm | Meredith (email) | Still outstanding; created as Ederick from ALIS |
| ALIS BAA (Medtelligent) | Meredith | Check if signed BAA was provided at contract time; if not, request from Medtelligent support |
| Stale vault entries cleanup | Howard | howard-enos-pilot.sops.yaml, pilot-test-user.sops.yaml |
Deferred (not blocking rollout)
| Item | Notes |
|---|---|
| Knox OEMConfig (MHS half-screen) | Separate follow-up |
| MHS welcome-screen branding | Post-rollout |
| Portrait wallpaper upload | Post-rollout |
| Disable devices@cascadestucson.com | Post-rollout |
| SG-MedTech / SG-CCG groups | Create when ALIS licensing tiers confirmed |
| LinkRx SSO | Revisit only if vendor offers SSO |
| Folder redirection GPO rollout | Separate project track |
| Fleet hostname rename | Separate project track |
Related docs
- docs/cloud/caregiver-m365-p2-rollout.md -- caregiver roster, AD placement, licensing
- session-logs/2026-05-14-howard-cascades-phone-verification-closeout.md -- architecture verified
- session-logs/2026-05-08-howard-cascades-sdm-token-success-and-alis-sso.md -- ALIS SSO proven
- scripts/create-caregiver-accounts.ps1 -- account creation script
- scripts/add-caregivers-to-sg.ps1 -- SG-Caregivers assignment script
- scripts/enable-caregiver-password-rotation.ps1 -- run when ready for 30-day FGPP rotation