Microsoft 365
Tenant Info
- Tenant Name: cascadestucson.com
- Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
- Primary Domain: cascadestucson.com
- onmicrosoft Domain: NETORGFT4257522.onmicrosoft.com
- Admin Portal URL: https://admin.microsoft.com
- Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
- DirSync / Entra Connect: Not configured (all accounts cloud-only) — PLANNED: Install Entra Connect for SSO
- HIPAA BAA: Not signed — required since email may contain PHI
- MFA: Not enabled — Security Defaults not configured
Licensing
| License Type | Total | Assigned | Available |
|---|---|---|---|
| Microsoft 365 Business Standard | 34 | 34 | 0 |
| Microsoft Entra ID P2 | 1 | 0 | 1 (unassigned; was Sandra Fish, available for testing) |
| Microsoft Power Automate Free | 10000 | 2 | 9998 |
| Microsoft Stream Trial | 1000000 | 0 | 1000000 |
| Exchange Online Essentials | — | 4 | — |
Note: Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses.
Planned expansion — caregiver rollout (not yet purchased)
Separate from the current 34 users, there are ~39 caregivers / med techs / CCGs with no current AD or M365 account who need identities + Conditional Access in order for the shared-phone + HIPAA story to actually work. Full roster, proposed UPNs, license math, and CA policy design are in docs/cloud/caregiver-m365-p2-rollout.md. Rough target: 61 total Business Premium licenses (23 existing staff post-cleanup + 38 net-new caregivers; Christine Nyanzunda overlaps and stays at one account). Do not create any of these accounts yet — documentation + proposal update first.
Staff-side P2 / anti-impersonation tracking
These are in-flight and feed the same Business Premium purchase decision:
docs/cloud/p2-staff-candidates.md — office staff who need P2 for PHI-in-email or home-access scenarios (Crystal confirmed Megan/Crystal/Tamra; John Trozzi gathering the rest)
docs/cloud/m365-impersonation-protection.md — Defender anti-impersonation trusted partners + protected users (Megan's partner list captured; awaiting John's additions)
AD ↔ M365 Account Mapping
Matched Accounts (AD user → M365 mailbox)
AD Accounts with NO M365 Match
| AD SamAccountName | Type | Action Needed |
|---|---|---|
| Administrator | Built-in | None needed |
| localadmin | Admin | None needed |
| Sebastian.Leon | User | Front Desk/Courtesy Patrol; needs M365 account if they use email |
| Michelle.Shestko | User | MC Front Desk; keep as Shestko. Needs M365 account if they use email |
| Alyssa.Shestko (now Alyssa Brooks) | User | Rename to Alyssa.Brooks in AD. This is the real account. M365 is already alyssa.brooks@. Duplicate lowercase alyssa.brooks in CN=Users to be deleted. |
| Guadalupe.Sanchez | User | Housekeeping; already has M365 as lupe.sanchez@cascadestucson.com |
| Sheldon.Gardfrey | User | Front Desk/Courtesy Patrol; needs M365 if they use email |
| Cathy.Kingston | User | Front Desk/Courtesy Patrol; needs M365 if they use email |
| Shontiel.Nunn | User | Transferring soon; keep for now |
| Ray.Rai | User | Front Desk/Courtesy Patrol; needs M365 if they use email |
| Richard.Adams | User | Transportation; needs M365 if they use email |
| Julian.Crim | User | Transportation; needs M365 if they use email |
| Christopher.Holik | User | Transportation; needs M365 if they use email. Spelled "Holick" in the M365 member lists below; confirm the correct spelling before the UPN is set, since the sync match depends on it |
| QBDataServiceUser34 | Service | None needed |
| Culinary | Shared/Generic | None needed (AD shared account) |
| Receptionist | Shared/Generic | Maps to frontdesk@cascadestucson.com? |
| saleshare | Shared/Generic | None needed |
| directoryshare | Shared/Generic | None needed |
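The matching above was done by hand. Added example (not part of this runbook) that produces the same two lists from live data so the tables can be re-checked after each rename: it reads the in-scope AD users, reads member accounts from Entra via Graph, and matches on the local part of sAMAccountName, UPN or mail (the mail fallback is what catches Guadalupe.Sanchez ↔ lupe.sanchez@). The search base DN is a placeholder; OU=Departments is from the sync plan further down.

```powershell
# Added example: AD <-> M365 reconciliation report. Not part of the original runbook.
# Assumes: RSAT ActiveDirectory module on a domain-joined host, Microsoft.Graph.Users module,
# and an account holding User.Read.All. The domain DN below is a placeholder.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$SearchBase = 'OU=Departments,DC=cascadestucson,DC=local'   # placeholder DN; use the real domain

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Reduce "Alyssa.Shestko" and "alyssa.shestko@cascadestucson.com" to the same comparison key.
function Get-Key([string]$Value) {
    if (-not $Value) { return $null }
    return ($Value.Split('@')[0]).ToLowerInvariant()
}

$ad = Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, userPrincipalName |
      Where-Object { $_.Enabled }
$cloud = Get-MgUser -All -Property UserPrincipalName, DisplayName, Mail, AccountEnabled, UserType, AssignedLicenses |
         Where-Object { $_.UserType -eq 'Member' }     # guests are reconciled separately

# Index cloud users by local part of UPN and of mail; mail is the second chance for
# accounts whose AD name differs from the mailbox name (Guadalupe.Sanchez -> lupe.sanchez@).
$byKey = @{}
foreach ($u in $cloud) {
    foreach ($k in @((Get-Key $u.UserPrincipalName), (Get-Key $u.Mail))) {
        if ($k -and -not $byKey.ContainsKey($k)) { $byKey[$k] = $u }
    }
}

$report = foreach ($a in $ad) {
    $keys  = @((Get-Key $a.SamAccountName), (Get-Key $a.UserPrincipalName), (Get-Key $a.mail)) | Where-Object { $_ }
    $match = $null
    foreach ($k in $keys) { if ($byKey.ContainsKey($k)) { $match = $byKey[$k]; break } }
    [pscustomobject]@{
        AD_Sam   = $a.SamAccountName
        AD_UPN   = $a.UserPrincipalName
        M365_UPN = $match.UserPrincipalName
        Licensed = if ($match) { $match.AssignedLicenses.Count -gt 0 } else { $null }
        Status   = if ($match) { 'matched' } else { 'NO M365 MATCH' }
    }
}

# The other half of the picture: cloud accounts that nothing in AD would soft-match.
$adKeys  = $ad | ForEach-Object { Get-Key $_.SamAccountName; Get-Key $_.UserPrincipalName; Get-Key $_.mail } |
           Where-Object { $_ }
$orphans = $cloud | Where-Object {
    -not ($adKeys -contains (Get-Key $_.UserPrincipalName)) -and -not ($adKeys -contains (Get-Key $_.Mail))
} | Select-Object DisplayName, UserPrincipalName, AccountEnabled, @{ n = 'Licensed'; e = { $_.AssignedLicenses.Count -gt 0 } }

$report  | Sort-Object Status, AD_Sam | Format-Table -AutoSize
'--- M365 member accounts with no AD match ---'
$orphans | Format-Table -AutoSize
```

Run it again after the Alyssa.Shestko rename and the Tamra Johnson/Matthews fix; a row that still says NO M365 MATCH for someone who does have a mailbox means the UPN or mail attribute will not soft-match at sync time and a duplicate would be created.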
M365 Accounts with NO AD Match
Real users (need AD accounts created or are new hires)
Role-Based Accounts — Convert to Shared Mailboxes (saves ~$125/mo)
All of these are currently licensed user accounts. Convert to shared mailboxes (free) and remove licenses. Then assign members from AD-synced accounts.
| M365 Display Name | UPN | Current License | Action | Members (after conversion) |
|---|---|---|---|---|
| Accounting Dept. | accounting@cascadestucson.com | Business Standard | Convert to shared | Ashley.Jensen, lauren.hasselman |
| Accounting Assistant | accountingassistant@cascadestucson.com | Business Standard | Convert to shared | Allison.Reibschied |
| Bookkeeping Office | boadmin@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Front Desk | frontdesk@cascadestucson.com | Business Standard | Convert to shared | Cathy.Kingston, Shontiel.Nunn, Kyla.QuickTiffany, Sebastian.Leon, Sheldon.Gardfrey, Ray.Rai |
| Human Resources | hr@cascadestucson.com | Business Standard | Convert to shared | Meredith.Kuhn |
| MemCare Receptionist | memcarereceptionist@cascadestucson.com | Business Standard | Convert to shared | Michelle.Shestko, Matt.Brooks |
| Security Cascades | security@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Training | Training@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Nurse | nurse@cascadestucson.com | Exchange Online Essentials | Convert to shared | Lois.Lane, Karen.Rossini, britney.thompson |
| medtech | medtech@cascadestucson.com | Exchange Online Essentials | Convert to shared | TBD |
| transportation | transportation@cascadestucson.com | Exchange Online Essentials | Convert to shared | Richard.Adams, Julian.Crim, Christopher.Holick |
| AppleID | Kitchenipad@cascadestucson.com | Unlicensed | Keep as-is | Device account. Alias: ipad@ |
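Conversion script for the table above, added here as an example (not from the original runbook). Order matters: convert the mailbox first, grant members, then remove the license, and finally block sign-in on the underlying account, because removing the license before conversion schedules the mailbox for deletion and a shared mailbox that can still be signed into is just a password-spray target with a shared password. Member UPNs are assumed to follow first.last@cascadestucson.com; members that do not exist in Exchange Online yet (the unlicensed staff are not synced until Entra Connect is on) are skipped with a warning so the script can be re-run after sync.

```powershell
# Added example: convert licensed role-based accounts to shared mailboxes. Not part of the original runbook.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Users modules, Exchange Administrator plus
# User Administrator roles, and member UPNs of the form first.last@cascadestucson.com (assumption).
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users

$Domain = 'cascadestucson.com'
# Members from the table; TBD rows stay empty and get only the conversion + license removal.
$Plan = @{
    'accounting@cascadestucson.com'          = @('ashley.jensen', 'lauren.hasselman')
    'accountingassistant@cascadestucson.com' = @('allison.reibschied')
    'boadmin@cascadestucson.com'             = @()
    'frontdesk@cascadestucson.com'           = @('cathy.kingston', 'shontiel.nunn', 'kyla.quicktiffany', 'sebastian.leon', 'sheldon.gardfrey', 'ray.rai')
    'hr@cascadestucson.com'                  = @('meredith.kuhn')
    'memcarereceptionist@cascadestucson.com' = @('michelle.shestko', 'matthew.brooks')
    'security@cascadestucson.com'            = @()
    'Training@cascadestucson.com'            = @()
    'nurse@cascadestucson.com'               = @('lois.lane', 'karen.rossini', 'britney.thompson')
    'medtech@cascadestucson.com'             = @()
    'transportation@cascadestucson.com'      = @('richard.adams', 'julian.crim', 'christopher.holick')
}

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

foreach ($mbx in $Plan.Keys) {
    $m = Get-Mailbox -Identity $mbx -ErrorAction SilentlyContinue
    if (-not $m) { Write-Warning "$mbx not found, skipping"; continue }

    # 1. Convert FIRST. Dropping the license on a user mailbox puts it on the deletion path.
    if ($m.RecipientTypeDetails -ne 'SharedMailbox') {
        Set-Mailbox -Identity $mbx -Type Shared
        $tries = 0
        while ((Get-Mailbox -Identity $mbx).RecipientTypeDetails -ne 'SharedMailbox' -and $tries++ -lt 12) { Start-Sleep 10 }
    }

    # 2. Full Access (auto-mapped in Outlook) plus Send As for each member that exists in EXO.
    foreach ($local in $Plan[$mbx]) {
        $upn = "$local@$Domain"
        if (-not (Get-Recipient -Identity $upn -ErrorAction SilentlyContinue)) {
            Write-Warning "$upn is not in Exchange Online yet (not synced?); re-run after Entra Connect"; continue
        }
        Add-MailboxPermission   -Identity $mbx -User $upn    -AccessRights FullAccess -AutoMapping $true -Confirm:$false | Out-Null
        Add-RecipientPermission -Identity $mbx -Trustee $upn -AccessRights SendAs -Confirm:$false | Out-Null
    }

    # 3. Now the license can go: a shared mailbox under 50 GB with no archive/hold needs none.
    $u = Get-MgUser -UserId $mbx -Property Id, AssignedLicenses
    if ($u.AssignedLicenses.Count -gt 0) {
        Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses @($u.AssignedLicenses.SkuId) | Out-Null
    }

    # 4. Nobody should authenticate as the mailbox itself; block the account behind it.
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    Write-Host "$mbx converted, $($Plan[$mbx].Count) member grants attempted, license removed, sign-in blocked"
}
```

Leave the AppleID / Kitchenipad@ account out of the plan: it is a device account, not a mailbox to convert.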
Courtesy Patrol Shared Mailbox (NEW)
License Plan After Cleanup
Full Business Standard License (own mailbox + Office apps)
Staff with first.last@cascadestucson.com personal mailboxes:
| Employee | UPN |
|---|---|
| Howard Dax | dax.howard@ |
| Meredith Kuhn | meredith.kuhn@ |
| John Trozzi | john.trozzi@ |
| Megan Hiatt | megan.hiatt@ |
| Crystal Rodriguez | crystal.rodriguez@ |
| Tamra Matthews | tamra.matthews@ |
| Lois Lane | lois.lane@ |
| Christina DuPras | christina.dupras@ |
| Christine Nyanzunda | christine.nyanzunda@ |
| Susan Hicks | susan.hicks@ |
| Ashley Jensen | ashley.jensen@ |
| Veronica Feller | veronica.feller@ |
| JD Martin | jd.martin@ |
| Alyssa Brooks | alyssa.brooks@ |
| Matt Brooks | matthew.brooks@ |
| Ramon Castaneda | ramon.castaneda@ |
| Sharon Edwards | sharon.edwards@ |
| Britney Thompson | britney.thompson@ |
| Shelby Trozzi | shelby.trozzi@ |
| Karen Rossini | karen.rossini@ |
| Guadalupe Sanchez | lupe.sanchez@ |
| Lauren Hasselman | lauren.hasselman@ |
| Allison Reibschied | allison.reibschied@ |
| Total | 23 licenses |
No License — Shared Mailbox Access Only (browser via SSO)
AD account synced to Entra, no M365 license. They open the shared mailbox in a browser at outlook.office.com after SSO sign-in. Validate this with the first synced test user before committing to 0 licenses here: the Exchange Online service description states that every user who accesses a shared mailbox must be assigned an Exchange Online license, so if access is refused the fallback is a low-cost Exchange Online seat per user rather than Business Standard.

| Employee | Position | Shared Mailbox Access |
|---|---|---|
| Sebastian Leon | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Sheldon Gardfrey | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Cathy Kingston | Receptionist | Frontdesk@ |
| Shontiel Nunn | Receptionist | Frontdesk@ |
| Kyla Quick Tiffany | Receptionist | Frontdesk@ |
| Ray Rai | Courtesy Patrol | Frontdesk@ |
| Richard Adams | Driver | Transportation@ |
| Julian Crim | Driver | Transportation@ |
| Christopher Holick | Driver | Transportation@ |
| Michelle Shestko | MC Receptionist | Memcarereceptionist@ |
| Total | 10 users | 0 licenses |
License Savings
- Current: 34 Business Standard (all allocated)
- After cleanup: 23 Business Standard needed
- 11 licenses freed (~$137.50/month saved)
External guest accounts
Blocked / former employee accounts in M365
Tenant admin
| Display Name | UPN | License | Notes |
|---|---|---|---|
| cascadestucson.com (Sandra Fish) | admin@NETORGFT4257522.onmicrosoft.com | Unlicensed (P2 removed) | BLOCKED. Former director. Global admin revoked, sign-in blocked 2026-04-14. Delete when ready. |
Shared Mailboxes
Exchange Online
- Mail Domain(s): cascadestucson.com
- MX Record Points To: TBD (check DNS)
- SPF Record: TBD
- DKIM Enabled: TBD
- DMARC Policy: TBD
- Distribution Groups: TBD (6 groups shown in tenant summary)
- Mail Flow Rules: TBD
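The MX/SPF/DKIM/DMARC entries above are still TBD. Added example (not part of the original runbook) that resolves them from public DNS and reads the DKIM signing state from Exchange Online, so the list can be filled in from output rather than from memory. It assumes a Windows host (Resolve-DnsName from the DnsClient module) and the ExchangeOnlineManagement module; selector1/selector2 are the Exchange Online default DKIM selectors.

```powershell
# Added example: mail-authentication check for the Exchange Online section. Not part of the original runbook.
# Assumes Resolve-DnsName (DnsClient, Windows) and ExchangeOnlineManagement for the DKIM part.
$Domain = 'cascadestucson.com'

function Get-MailAuthStatus([string]$Domain) {
    # Lowest-preference MX is the one senders will use.
    $mx  = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference | Select-Object -First 1
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }
    $spf = @($txt | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = [string](Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1)
    # EXO DKIM is published as two CNAMEs pointing into the tenant's onmicrosoft.com namespace.
    $dkim = foreach ($s in 'selector1', 'selector2') {
        $c = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' }
        if ($c) { "$s -> $($c.NameHost)" }
    }
    [pscustomobject]@{
        MX           = if ($mx) { $mx.NameExchange } else { 'NONE' }
        MXIsExchange = [bool]($mx -and $mx.NameExchange -like '*.mail.protection.outlook.com')
        SPF          = if ($spf.Count) { $spf -join ' | ' } else { 'MISSING' }
        SPFCount     = $spf.Count          # more than one SPF record is a permerror, not "extra safe"
        DMARC        = if ($dmarc) { $dmarc } else { 'MISSING' }
        DMARCPolicy  = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'none/missing' }
        DKIMCNAMEs   = if ($dkim) { $dkim -join '; ' } else { 'MISSING' }
    }
}

Get-MailAuthStatus -Domain $Domain | Format-List

# The CNAMEs do nothing unless signing is enabled on the tenant side as well.
Connect-ExchangeOnline -ShowBanner:$false
Get-DkimSigningConfig -Identity $Domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
```

A DMARC policy of p=none with no reporting address is effectively unmonitored; for a domain that will carry PHI, the target is SPF with -all, DKIM Enabled = True, and DMARC at p=quarantine or p=reject once reports show nothing legitimate failing.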
Entra ID (Azure AD)
- Hybrid Joined: No — DirSync not enabled on any account — PLANNED: Entra Connect install on CS-SERVER
- Azure AD Connect Server: None (planned: CS-SERVER)
- MFA Enforced: No (no Security Defaults, no Conditional Access; see Tenant Info and Issues Found)
- Conditional Access Policies: None configured (needs Entra ID P1, which Business Premium includes; the tenant currently holds only the single unassigned P2 seat)
- Total Users: 51 (24 licensed individual, 12 generic/role, 6 external guests, 4 blocked/former, 1 admin, 4 shared mailboxes)
- Total Devices: 88
Entra Connect — SSO Setup Plan
What It Does
Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account and Office/Edge/Outlook auto-sign-in with their M365 identity. Single sign-on, one password.
Prerequisites (MUST complete before install)
- AD account cleanup: all renames, deletions and duplicate fixes MUST be done first. Entra Connect syncs whatever is in scope and matches existing cloud users by UPN or primary SMTP address (soft match); an AD user that matches nothing becomes a second, empty cloud account.
- UPN suffix: add cascadestucson.com as a UPN suffix in AD so AD UPNs are identical to the M365 UPNs (the soft match key).
- M365 role-based accounts: convert to shared mailboxes BEFORE sync so no AD account can soft-match one of them and take it over.
- Kristiana Dowse: delete from M365 before sync.
- Verify CS-SERVER meets requirements: Windows Server 2016 or later, .NET Framework 4.7.2 or later, TLS 1.2 enabled, and the SQL Server Express LocalDB that ships inside the Entra Connect installer.
Install Steps
- Add UPN suffix cascadestucson.com to AD (Active Directory Domains and Trusts)
- Update every synced user's UPN to firstname.lastname@cascadestucson.com
- Download Entra Connect from the Entra admin center
- Install on CS-SERVER
- Choose Password Hash Sync (simplest, most reliable)
- Scope sync to OU=Departments only (exclude service accounts, shared accounts, computers)
- Enable Seamless SSO
- Test with one user before full sync (narrow the OU filter to that user first, then widen it)
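Steps 1 and 2 plus the "AD must be clean" prerequisite, as an added example script (not from the original runbook). It registers the suffix, computes the target UPN for every account in OU=Departments, and refuses to touch any row with a problem: characters the cloud will not accept, a name that is not first.last (which flags shared and service accounts that should not be in scope), a mail attribute that disagrees with the target, or two accounts that would collapse into one cloud object. The domain DN is a placeholder; the override map covers the two cases in the mapping tables where the mailbox name differs from the AD name and is an assumption for Matt.Brooks.

```powershell
# Added example: pre-sync UPN hygiene for OU=Departments. Not part of the original runbook.
# Assumes RSAT ActiveDirectory and Enterprise Admin rights for the forest-level suffix change.
# Dry run by default; set $Apply = $true only after the report is clean.
Import-Module ActiveDirectory

$Suffix     = 'cascadestucson.com'
$SearchBase = 'OU=Departments,DC=cascadestucson,DC=local'   # placeholder DN; use the real domain
$Apply      = $false
# AD name -> mailbox local part, where they differ (from the mapping tables; Matt.Brooks is assumed).
$Override   = @{ 'Guadalupe.Sanchez' = 'lupe.sanchez'; 'Matt.Brooks' = 'matthew.brooks' }

# 1. Register the routable suffix (forest-wide setting, idempotent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    if ($Apply) { Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix } }
    else        { "WOULD ADD UPN suffix $Suffix" }
}

# 2. Plan every in-scope UPN and collect problems before changing anything.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail
$plan  = foreach ($u in $users) {
    $local  = if ($Override.ContainsKey($u.SamAccountName)) { $Override[$u.SamAccountName] }
              else { $u.SamAccountName.ToLowerInvariant() }
    $target = "$local@$Suffix"
    $issues = @()
    if ($local -notmatch '^[a-z0-9._-]+$')     { $issues += 'invalid characters for a cloud UPN' }
    if ($local -notmatch '^[a-z]+\.[a-z]+$')   { $issues += 'not first.last: shared/service account or mis-named?' }
    if ($u.mail -and $u.mail -ne $target)      { $issues += "mail attribute is $($u.mail)" }
    [pscustomobject]@{ Sam = $u.SamAccountName; Current = $u.UserPrincipalName; Target = $target; Issues = ($issues -join '; ') }
}
# Two AD accounts with the same target would soft-match the same cloud object.
$plan | Group-Object Target | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "DUPLICATE target $($_.Name): $($_.Group.Sam -join ', ')"
}
$plan | Sort-Object Issues, Sam | Format-Table -AutoSize

# 3. Apply only to clean rows that actually change.
foreach ($p in $plan | Where-Object { -not $_.Issues -and $_.Current -ne $_.Target }) {
    if ($Apply) { Set-ADUser -Identity $p.Sam -UserPrincipalName $p.Target }
    else        { "WOULD SET $($p.Sam): $($p.Current) -> $($p.Target)" }
}
```

Rows that come back flagged "not first.last" are the ones to move out of OU=Departments (or into an excluded sub-OU) before the OU filter is configured in the Entra Connect wizard.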
What Gets Synced
- All user accounts in OU=Departments → Entra ID
- Passwords hash-synced (user keeps same password for AD + M365)
- NOT synced: computer accounts, service accounts, shared/generic accounts (Culinary, Receptionist, saleshare, directoryshare)
- All synced users get Entra ID accounts but NOT all get licenses
- Licensed users (23): personal mailbox + Office apps
- Unlicensed users (10): SSO sign-in to shared mailboxes via browser only — no Office install, no personal mailbox
What Changes for Users
- Log into Windows → Office, Outlook, Edge, OneDrive auto-sign-in
- One password for everything (change in AD, M365 follows)
- MFA can be enforced via Entra Conditional Access after sync
Risks
- If AD is dirty (duplicates, UPN/mail mismatches), sync will create duplicate M365 accounts or fail. Matching to the existing cloud accounts is by UPN or primary SMTP address, so every synced user's UPN must equal the mailbox UPN listed in the license plan before the first sync.
- Shared/generic accounts (Culinary, Receptionist, saleshare, directoryshare) should NOT sync; exclude them from scope.
- Must coordinate: once sync is on, AD becomes the source of truth for identity. Password, display name, enabled/disabled state and deletion all flow from AD to M365, so disabling or deleting an AD user disables or soft-deletes the mailbox on the next sync cycle.
Issues Found
- 0 licenses available — Business Standard is 34/34. Cannot add new users without purchasing more.
- Tamra Johnson → Matthews name mismatch — M365 updated to married name, AD still says Johnson. Update AD to match.
- 13 AD users have no M365 account — May not need email (hourly staff?) but verify onsite.
- 12 generic/role-based M365 accounts eating licenses — accounting@, frontdesk@, hr@, etc. each consume a Business Standard license ($12.50/mo). Should convert to shared mailboxes (free) if nobody logs into them directly.
- "howaed" external guest — Typo duplicate of howard. Delete.
- 3 former employee shared mailboxes — Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi. Decide: keep for mail history, forward, or delete.
- Sandra Fish was global admin — previous owner/manager. RESOLVED 2026-04-14: global admin revoked, sign-in blocked, P2 license removed (see Tenant Info). The account still exists; delete when ready.
- cara.lespron@ alias on Howard's mailbox — Former employee's mailbox was repurposed. Remove alias if no longer needed.
- Kristiana Dowse — Licensed in M365 but not in AD. Verify: current employee or former?
- nick pavloff — Created 2026-03-07 (the day before this review). New hire; needs AD account.
- sysadmin has no mailbox license — Only Power Automate Free. May need Exchange if used for email.
- No Microsoft BAA signed — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
- No MFA enabled — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person or entity authentication. Enable Security Defaults at minimum (free, no P1/P2 needed). Security Defaults and Conditional Access are mutually exclusive, so when the Business Premium / P2 Conditional Access design in docs/cloud/caregiver-m365-p2-rollout.md goes live, Security Defaults must be switched off and replaced by an MFA-for-all CA policy in the same change.
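For the MFA item, an added example (not from the original runbook) that turns Security Defaults on only if no Conditional Access policy exists, then lists enabled members who still have no MFA method registered, admins first. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules and a Global or Security Administrator; the registration-details report may need an Entra ID P1/P2 seat on the tenant, which is an assumption to check against the single P2 seat noted above.

```powershell
# Added example: enable Security Defaults and report MFA registration gaps. Not part of the original runbook.
# Assumes Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports and a Global/Security Administrator.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All' -NoWelcome

# Security Defaults cannot coexist with Conditional Access; if CA is already in use, enforce MFA there.
$ca = @(Get-MgIdentityConditionalAccessPolicy -All)
if ($ca.Count -gt 0) {
    throw "Tenant already has $($ca.Count) Conditional Access policies; require MFA via CA instead of Security Defaults."
}

$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $sd.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    'Security Defaults enabled: users get 14 days to register MFA; privileged roles are then challenged on every sign-in.'
} else {
    'Security Defaults already enabled.'
}

# Exposure list until registration completes: enabled members with no MFA method, admins sorted first.
# (Report availability may depend on an Entra ID P1/P2 license on the tenant.)
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered -and $_.UserType -eq 'member' } |
    Sort-Object @{ e = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, DefaultMfaMethod |
    Format-Table -AutoSize
```

The first name on that list should be sysadmin@cascadestucson.com; register it before the 14-day window closes on everyone else, since a Global Admin without MFA is the single account whose compromise undoes the rest of this page.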
Notes
- Previous MSP/admin created many role-based accounts as regular licensed users instead of shared mailboxes. This wastes licenses.
- No Entra Connect / hybrid join — AD and M365 are completely separate identity systems. Users have different passwords for each.
- Shared workstation plan (GPO 6) needs: reception shared mailbox created, tenant domain is cascadestucson.com.