claudetools/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md
Howard Enos 5019db4558 sync: auto-sync from HOWARD-HOME at 2026-04-24 14:31:14
2026-04-24 14:31:17 -07:00

# Cascades of Tucson — Master Plan v2 (phones-first)

**Built:** 2026-04-24 by Howard + Claude

**Supersedes:** `PLAN-AND-QUESTIONS-2026-04-23-archived.md`

**Target:** Pilot caregiver phone usable end-to-end by Monday 2026-04-27.

**Goal (Howard's exact words):** Authorized user + authorized device + authorized network → no 2FA → M365 sign-in (tied to domain account via PHS) → SSO into ALIS.

> This plan was rewritten after catching scope drift in the 2026-04-23 version. See Part 7 for the honest drift log. The executable path is Track A; Track B runs in parallel; Track C is later phases.
---
## Part 1 — Status as of 2026-04-24
### What's genuinely done
- **AD hygiene (G1)** — idempotent. OU=Excluded-From-Sync, 4 role accounts moved, 34 proxyAddresses populated, 16 SG-* groups created, display names normalized. `reports/2026-04-22-g1-execute.md` + `reports/2026-04-22-g1-post-verify.md`
- **M365 orphan cleanup (G2 partial)** — 7 orphan / former-employee accounts deleted; 1 Business Standard seat freed. `reports/2026-04-22-m365-orphan-deletes.md`
- **CS-SERVER preflight** — time sync, TLS 1.2, WSB installed, rebooted, post-reboot verification clean. Ready for Entra Connect. `reports/2026-04-22-cs-server-preflight-verification.md`
- **Synology discovery** — 10 shares, 35 users, 4 groups inventoried. 7 shared-credential HIPAA violations flagged. `docs/migration/synology-permission-inventory.md`
- **Intune MDM foundation** — MDMS@ service account, Apple MDM push cert, Android enrollment profile (dynamic group), Android compliance policy, config profiles, 7 required apps (incl. ALIS web app). 1 Samsung A15 enrolled compliant, 24 more in box. `PROJECT_STATE.md`
- **DMARC p=quarantine** + post-DMARC spoofing recheck clean. `reports/2026-04-21-post-dmarc-spoofing-recheck.md`
- **Staff CSV + working list** from Meredith/John. `reports/cascades-staff-2026-04-22.csv`
- **HIPAA review + risk register** drafted (with some accuracy issues flagged in Part 7). `docs/security/hipaa-review-2026-04-22.md`
### What's in flight vs not started
- **Entra Connect install** — NOT started. Prep is green.
- **Phone rollout at scale** — NOT started. Pattern validated on 1 device.
- **Role mailbox conversions (G2 remainder)** — have delegation lists for 6/11; 5 pending Meredith.
- **CA policies** — nothing live. No Named Location yet.
- **ALIS SSO** — nothing registered.
---
## Part 2 — Track A: Phone SSO Mission (pilot → caregiver rollout)
**One sentence:** one caregiver, one phone, full end-to-end flow proven by Monday — then scale.
### Phase 1 scope
- **1 pilot caregiver** (Howard picks — must be confirmed-spelling name + willing tester)
- **1 phone** (reuse current enrolled Phone 1 or fresh Samsung A15 from the 24 unopened)
- **Entra Connect sync scoped to `OU=Sync-Phase1-Caregivers` only**
- **PHS enabled** (Howard's decision 2026-04-24 — reverses prior "PHS deferred" call)
- **CA policy: MFA waived when user ∈ SG-Caregivers AND device compliant AND sign-in from Cascades WAN IP**
- **ALIS SSO live via OIDC App Registration**

Nothing else in this tenant is touched. No office staff change. No password cutover for the cloud-only population (that's Track C Phase 2).
### Gate-by-gate plan
| Gate | Target day | What | Blocker / input |
|---|---|---|---|
| **A1** | Fri PM | Entra Connect install on CS-SERVER, staging mode, scope = `OU=Sync-Phase1-Caregivers`, PHS on | Howard at CS-SERVER console |
| **A2** | Fri-Sat | Pull Cascades WAN IP from pfSense; create Entra Named Location "Cascades Office"; create CA policy "Cascades - Phone MFA Exception" in Report-only | Q38 (WAN IP static? — discover from pfSense cfg, not Meredith) |
| **A3** | Fri-Sat | Email `support@medtelligent.com` for SSO Integrations kickoff; create App Registration "Cascades of Tucson - ALIS SSO" (single-tenant, redirect `https://cascadestucson.alisonline.com/ExternalLoginCallback`, ID tokens implicit hybrid enabled); create client secret "ALIS - Single Tenant Secret"; vault creds | Howard / portal access |
| **A4** | Sat | Pilot caregiver AD account in `OU=Sync-Phase1-Caregivers`; add to `SG-Caregivers`; assign unassigned Entra ID P2 (no new spend); verify ALIS staff profile email == Entra UPN exactly | Howard picks pilot (T0-1) |
| **A5** | Sun AM | Exit Entra Connect staging; full sync; verify pilot user appears hybrid with AD password live; CA What-If check confirms MFA bypass fires for correct conditions | A1-A4 green |
| **A6** | Sun PM | Enroll phone (QR from `CSC - Android Shared Phones` profile); pilot caregiver signs in via MSDM; verify zero MFA prompt on Cascades Wi-Fi; verify Teams/Authenticator/ALIS web app all SSO; verify sign-out / second sign-in works (shared-device proof) | A5 green |
| **A7** | Mon AM | CA Report-only logs reviewed (zero unexpected blocks); flip policy to On | A6 green |
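The Named Location, Report-only CA policy and ALIS App Registration from Gates A2, A3 and A5, expressed as the Microsoft Graph request bodies they map to, with a local stand-in for the What-If check. This is an added example written for this page, not code from the plan, from Cascades or from ALIS. Every id and the WAN IP are placeholders; the policy shape is my assumption for expressing the three-condition rule (an MFA policy scoped to `SG-Caregivers` that excludes the office location, paired with a require-compliant-device policy for the same group), and under that shape a non-compliant phone is blocked rather than prompted for MFA.

```python
# Added example (not from the plan or any Cascades repo): Graph payloads for the
# Named Location and report-only CA policies (Gates A2/A5) and the ALIS App
# Registration (Gate A3), plus a local What-If over constructed sign-ins.
# Every id and IP below is a placeholder.
import ipaddress

OFFICE_WAN_CIDR = "203.0.113.10/32"  # placeholder; real value comes from pfSense (T0-2)
SG_CAREGIVERS_ID = "11111111-1111-1111-1111-111111111111"  # placeholder object id
OFFICE_LOCATION_ID = "22222222-2222-2222-2222-222222222222"  # placeholder; Graph assigns the real id


def office_named_location(cidr=OFFICE_WAN_CIDR):
    """Body for POST /identity/conditionalAccess/namedLocations (Gate A2)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": "Cascades Office",
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": cidr}],
    }


def ca_policy(name, controls, exclude_locations=(), group_id=SG_CAREGIVERS_ID):
    """Body for POST /identity/conditionalAccess/policies; always created Report-only."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"], "excludeLocations": list(exclude_locations)},
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


def caregiver_policies():
    # Assumed two-policy shape: MFA everywhere except the office, compliant device everywhere.
    return [
        ca_policy("Cascades - Phone MFA Exception", ["mfa"], exclude_locations=[OFFICE_LOCATION_ID]),
        ca_policy("Cascades - Require compliant phone", ["compliantDevice"]),
    ]


def alis_app_registration(redirect_uri="https://cascadestucson.alisonline.com/ExternalLoginCallback"):
    """Body for POST /applications: single-tenant, ID tokens on for the OIDC hybrid flow (Gate A3)."""
    return {
        "displayName": "Cascades of Tucson - ALIS SSO",
        "signInAudience": "AzureADMyOrg",
        "web": {
            "redirectUris": [redirect_uri],
            "implicitGrantSettings": {"enableIdTokenIssuance": True, "enableAccessTokenIssuance": False},
        },
    }


def _ip_in_location(ip, location):
    return any(ip in ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"])


def policy_applies(policy, signin, named_locations):
    """CA condition semantics: user in an included group AND not inside an excluded location."""
    cond = policy["conditions"]
    if not set(cond["users"]["includeGroups"]) & set(signin["groups"]):
        return False
    ip = ipaddress.ip_address(signin["ip"])
    for loc_id in cond["locations"]["excludeLocations"]:
        if _ip_in_location(ip, named_locations[loc_id]):
            return False
    return True  # includeLocations is "All" in every policy built here


def what_if(signin, policies, named_locations):
    """Local stand-in for the Entra What-If check in Gate A5: allow, mfa or block."""
    required = set()
    for p in policies:
        if policy_applies(p, signin, named_locations):
            required |= set(p["grantControls"]["builtInControls"])
    if "compliantDevice" in required and not signin["device_compliant"]:
        return "block"  # grant control cannot be satisfied, so CA denies
    if "mfa" in required:
        return "mfa"
    return "allow"


NAMED_LOCATIONS = {OFFICE_LOCATION_ID: office_named_location()}
POLICIES = caregiver_policies()

# Constructed sign-ins covering the cases the Report-only review in A7 should show.
SIGNINS = {
    "pilot on office wifi, compliant phone": {"groups": [SG_CAREGIVERS_ID], "ip": "203.0.113.10", "device_compliant": True},
    "pilot on cellular, compliant phone": {"groups": [SG_CAREGIVERS_ID], "ip": "198.51.100.7", "device_compliant": True},
    "pilot on office wifi, non-compliant phone": {"groups": [SG_CAREGIVERS_ID], "ip": "203.0.113.10", "device_compliant": False},
    "office staff, not in SG-Caregivers": {"groups": [], "ip": "203.0.113.10", "device_compliant": True},
}


def what_if_matrix():
    return {label: what_if(s, POLICIES, NAMED_LOCATIONS) for label, s in SIGNINS.items()}


if __name__ == "__main__":
    for label, outcome in what_if_matrix().items():
        print(f"{outcome:6} {label}")
```

The last row returns `allow` only because no other tenant policies are modeled here; it shows that these two policies do not touch office staff, which is the "nothing else in this tenant is touched" promise. If the pfSense WAN IP turns out to be dynamic (T0-2) and the Named Location goes stale, an in-office sign-in evaluates exactly like the cellular row and MFA fires, which is the kind of unexpected result the A7 log review is meant to catch before the policy is flipped to On.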
### Phase 1a (post-Monday): expand to full caregiver roster
- Create remaining ~36 caregiver AD accounts in same OU
- Purchase Business Premium seats (Q21 — tenant-wide preferred)
- Add to `SG-Caregivers`
- Factory-reset and enroll remaining 24 phones
- **Blocker resolved before 1a:** Q1 Ederick spelling
### Track A blockers
- **T0-1 (Howard):** pick pilot caregiver — name + consent
- **T0-2 (Howard — discoverable):** pfSense WAN IP — confirm static by inspecting Cox circuit config. If dynamic, plan Named Location update hook.
- **T0-3 (Meredith, cheap ask):** sign Microsoft HIPAA BAA. Doesn't block phones technically — Meredith's covered entity exposure is the driver. 5 min.
- **T0-4 (ALIS, lead time):** ALIS Integrations team response to `support@medtelligent.com`. Send Friday. They may need 24-48h.
---
## Part 3 — Track B: HIPAA Baseline (parallel to A, sized realistically)
**Scope:** compliant-enough-to-survive-an-audit. Not gold-standard. Each item sized honestly.
| ID | Item | Rule | Who | Effort | Cost |
|---|---|---|---|---|---|
| **B1** | Microsoft HIPAA BAA sign | §164.308(b)(1) Required | Meredith | 5 min portal click | $0 |
| **B2** | ALIS BAA confirmed | §164.308(b)(1) Required | Meredith → ALIS support | 1 email, 1-2wk vendor turnaround | $0 |
| **B3** | Risk Analysis document | §164.308(a)(1)(ii)(A) Required | Howard drafts → Mike/Howard sign Security Official → Meredith counter-signs CE | 3-4h | $0 |
| **B4** | Termination Procedures documented | §164.308(a)(3)(ii)(C) Required | Howard drafts from existing process | 1-2h | $0 |
| **B5** | Audit log retention decision | §164.312(b) + §164.316(b)(2) | Meredith picks option; Howard implements | 1h | $0 (option b) or ~$3/user/mo (option a) |
| **B6** | Synology shared-login risk acceptance | §164.312(a)(2)(i) interim | Meredith signs paper acknowledgment until Phase 4 cutover | Howard drafts form + route | $0 |
| **B7** | Break-glass admin **DECISION** (not the injected YubiKey spec — a decision entry only) | §164.312(a)(2)(ii) Addressable | Howard writes decision entry | 30 min | $0 |
| **B8** | Security Rule Implementation Register | §164.316(b) | Howard drafts — single doc listing every Addressable spec + decision | 2h | $0 |
### Audit retention options (B5)
- **(a)** Microsoft Purview Audit (Premium) add-on — 10yr retention — ~$3/user/mo
- **(b)** M365 Compliance retention policy at 7 years — $0 *if we're on Business Premium tenant-wide* (which we would be for Phase 1a anyway)
- **(c)** Monthly export to immutable Azure Blob — $0 but operational burden

**Recommended: (b)**, stacked on the Business Premium tenant-wide purchase we're already teeing up for Phase 1a. No additional spend.
### What Track B does NOT include (drift scrubbed)
- ~~FIDO2 YubiKey purchase~~ — was injected; Emergency Access Procedure is Addressable, not Required; documented decision (B7) suffices
- ~~Per-user DLP policies~~ — not in Security Rule Required set
- ~~Defender for Identity / SIEM~~ — nice-to-have, not baseline
---
## Part 4 — Track C: Future phases (not this week)
| Item | When | Blocker |
|---|---|---|
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C2** Phase 3 sync — remaining staff | Week-3 or later | Same mechanics as C1, larger batch |
| **C3** G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with lists we have | 5 of 11 pending Meredith answers on delegates (Q8, Q11, Q14, Q15, Q16) |
| **C4** Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership |
| **C5** Wave 5 hardening — BitLocker fleet, LAPS, password policy, krbtgt rotation | After Phase 4 | Previous phases complete |
---
## Part 5 — Open questions (slimmed, re-tiered)
### T0 — Blocks Monday
- **T0-1 (Howard):** Pilot caregiver — who? Must be confirmed-spelling name, willing tester.
- **T0-2 (Howard, discoverable):** pfSense WAN IP — static? Query the appliance.
- **T0-3 (Meredith, Friday ask):** sign Microsoft HIPAA BAA.
- **T0-4 (ALIS, send Friday):** kick off SSO Integrations engagement via `support@medtelligent.com`.
### T1 — Blocks Phase 1a (full caregiver rollout, not pilot)
- **Q1** Ederick Yuzon spelling — Meredith
- **Q21** Business Premium tenant-wide vs mixed SKU — Meredith (approve PO)
- **Q48** Reliable Agency shift scheduling pattern — Meredith (determines per-person vs supervised model)
### T2 — Track B completion (parallel)
- **Q17** MS BAA (= T0-3)
- **Q18** ALIS BAA — Meredith
- **Q19** Synology shared-login risk posture (a/b/c) — Meredith → B6
- **Q20** Audit retention path — Meredith → B5 (recommend (b))
- **Q25** Reliable Agency contract → workforce vs BA — Meredith
- **Q27-29** Training, sanctions, termination procedure docs — Meredith
### T3 — Blocks Phase 2/3 + Wave 4 (later)
- **Q2** Stephanie Devin status — Meredith
- **Q3** Dax Howard identity — Meredith
- **Q4** Tamra Matthews exit date — Meredith
- **Q6-16** Role mailbox delegations — Meredith (G2 remainder)
- **Q30-35** Synology content + MainOffice group — John
- **Q36** John's email activity — John
- **Q37** Matt Brooks cross-role delegation — John
- **Q38** WAN IP stability — John (confirms T0-2)
- **Q39** Dell R610 replacement — John
### Dropped (drift — see Part 7)
- ~~**Q23** FIDO2 security key purchase~~
- ~~**Q24** Second break-glass holder~~
---
## Part 6 — Executable now (no client answers needed)
| Item | Agent / effort | Blocks what |
|---|---|---|
| Draft Risk Analysis (B3) | Howard, 3-4h | Nothing — parallel to Track A |
| Draft Termination Procedures (B4) | Howard, 1-2h | Nothing |
| Draft Security Rule Implementation Register (B8) | Howard, 2h | Nothing |
| Draft Synology risk-acceptance form for Meredith's signature (B6) | Howard, 30min | Nothing |
| SMB3 encryption on `\\CS-SERVER\homes` | `Set-SmbShare -Name homes -EncryptData $true` via GuruRMM | H3 HIPAA risk |
| Create `OU=Sync-Phase1-Caregivers` on CS-SERVER | Howard, 5 min | Track A Gate A1 prep |
| ALIS App Registration in Entra (A3) | Howard, 20 min | Track A Gate A5 verify |
| Email ALIS support for SSO kickoff | Howard, 10 min | Lead-time |
---
## Part 7 — Drift log (honest record)
The 2026-04-23 master plan had four accuracy/scope problems traced to doc-generation drift. Captured here so we don't repeat:
1. **FIDO2 / YubiKey recommendation appeared without user input.** First showed up in `docs/cloud/user-account-rollout-plan.md` line 160 (commit `c077d58` — a staff-CSV ingest session where the session log has zero FIDO2 mention). Escalated to Required HIPAA finding H2 in `docs/security/hipaa-review-2026-04-22.md` (commit `6bd4166`, auto-sync, no session log). Then to Q23-24 T1 blocker in `PLAN-AND-QUESTIONS-2026-04-23.md` asking Meredith to buy a specific YubiKey 5C NFC (~$55). **The §164.312(a)(2)(ii) citation is Addressable, not Required, and doesn't prescribe FIDO2.** Removed.
2. **ALIS SSO marked "Optional / separate project."** Gate G8 labeled optional in the old plan. In reality ALIS SSO is the endpoint of Howard's goal. Promoted to Track A Gate A3.
3. **PHS deferred indefinitely.** Gate G5 was labeled deferred. Howard's confirmed intent 2026-04-24 is PHS enabled so M365 password == AD password. Reversed.
4. **SAML / Enterprise App vs OIDC / App Registration.** My old writeup described ALIS SSO as "Enterprise App with SAML/OIDC." The ALIS doc (https://support.alisonline.com/hc/en-us/articles/34831696021901) specifies **App Registration with OIDC implicit hybrid flow and a client secret.** Not SAML, not Enterprise Application. Corrected in Gate A3.

**Anti-drift commitment going forward:** new architectural decisions must trace back to a session log or user message, not be drafted unilaterally during document generation. When a document auto-adds a technical spec that nobody discussed, that's drift — we flag it rather than carrying it forward.
---
## Revision history
- 2026-04-23 — original plan drafted by Howard (now archived)
- 2026-04-24 — rewritten: Track A/B/C split, phased Entra Connect sync, drift log added, Monday pilot target locked in