claudetools/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md
Howard Enos d2e375df8a sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42

Staff Entra P2 Candidates — Cascades

Status: Documentation only. No license purchase or policy activation yet. Awaiting full list from John Trozzi.

Last updated: 2026-04-18 (Howard)

Related (different population): docs/cloud/caregiver-m365-p2-rollout.md (caregiver phone rollout).

Why this list is separate

Two different problems both use P2 features, and conflating them makes the license math fuzzy:

  • Caregiver rollout (covered elsewhere): ~39 hourly staff, shared Android phones, goal is location-locked mobile access during shifts.
  • This list: office staff who match one or more of the following:
    • Receives / sends PHI (new resident intake forms, doctor-supplied medical info)
    • Works from home or checks email on a personal phone, which is where we need either Conditional Access compliance enforcement or a targeted location restriction
    • Should be restricted to in-building sign-in only

The Conditional Access policies will likely differ between the two groups (office staff need "work from home or from trusted device with compliance", caregivers need strict "on-prem network + managed shared phone only"), so tracking them separately keeps the policy design clean.
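As an added illustration of the office-staff design described above (not a policy from the Cascades docs or the tenant), the following Microsoft Graph PowerShell builds the "CSC - Office Staff PHI Access" policy in report-only mode: sign-ins from inside the building are left alone, and sign-ins from anywhere else must come from a compliant or Hybrid-joined device. The group, named-location and break-glass IDs are placeholders I assumed for the example; the tenant's real object IDs must be substituted.

```powershell
# Added example, not part of the Cascades docs: a report-only Conditional Access
# policy matching the office-staff design, created via Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Assumed object IDs (placeholders); replace with the tenant's real values.
$officeStaffGroupId = "00000000-0000-0000-0000-000000000001"  # security group holding the P2 office-staff users
$buildingLocationId = "00000000-0000-0000-0000-000000000002"  # named location for the building's egress IP(s)
$breakGlassGroupId  = "00000000-0000-0000-0000-000000000003"  # emergency-access accounts, excluded from every CA policy

$policy = @{
    displayName = "CSC - Office Staff PHI Access"
    # Report-only: the sign-in log records what the policy WOULD do, nothing is
    # enforced. Switch to "enabled" only after reviewing those logs and after
    # leadership answers the "restrict everyone or just some" question.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($officeStaffGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations = @{
            # Scope = everywhere EXCEPT the building. In-building sign-ins are
            # untouched; home/personal-phone sign-ins must satisfy the grant.
            includeLocations = @("All")
            excludeLocations = @($buildingLocationId)
        }
    }
    grantControls = @{
        # Remote access is allowed only from an Intune-compliant device OR a
        # Hybrid-joined device. "OR" means either control satisfies the policy.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

The caregiver policy is a different shape: rather than requiring device compliance off-site, it would block all sign-ins outside the building named location and only permit the managed shared phones, so it belongs in its own policy object rather than as extra conditions on this one. Leaving both in report-only mode for a week of normal work, then filtering the Entra sign-in log by policy name, shows exactly which users and devices would have been blocked before anything is enforced.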

Criteria (from Howard → leadership email, 2026-04-16)

A staff member needs P2 if they match one or more:

  1. Signs in on a phone or tablet at Cascades (skip-MFA-in-building story)
  2. Should only sign in from the building (enforce location restriction)
  3. Handles sensitive / medical information via email (PHI — need to enforce encryption + DLP policies that P2-tier features back)

Candidates confirmed so far

From Crystal Rodriguez (2026-04-16 reply)

| Name | Role | Reason P2 is needed | Notes |
|---|---|---|---|
| Megan Hiatt | Sales Director | Handles new-resident intake forms (PHI from doctors); works from home; email on personal cell | Already a protected user for anti-impersonation |
| Crystal Rodriguez | Sales Associate | Same as Megan: intake forms, home + cell access | Already a protected user |
| Tamra Matthews | Move-In Coordinator | Same: intake forms | Leaving in June 2026; license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |

Awaiting from John Trozzi

Per his 2026-04-17 email: "I will gather this information for you tomorrow." Expected additions likely include:

  • Meredith Kuhn (Executive Director — CEO-equivalent, highest impersonation / PHI risk)
  • Ashley Jensen (Assistant Executive Director)
  • John Trozzi himself (Facilities/Maintenance Director — judgment call on PHI exposure)
  • Lois Lane (Health Services Director — clinical data)
  • Karen Rossini (Health Services Manager — clinical data)
  • Britney Thompson (Memory Care Nurse — clinical data)
  • Shelby Trozzi (Memory Care Director — clinical data)
  • Christina DuPras (Resident Services Director)
  • Christine Nyanzunda (Memory Care Admin Assistant)
  • Susan Hicks (Life Enrichment Director — activity records may include PHI-adjacent data)
  • Sharon Edwards (Life Enrichment Assistant)

Don't presume — wait for John's actual reply before buying licenses.

Decision still open (from Howard's 2026-04-16 email to leadership)

"Do you want all staff restricted to signing in only from the building, or just certain roles/users (like front desk, kitchen, clinical)?"

No answer yet. This decision directly changes both the license count and the CA policy design:

  • If all staff restricted to building-only → every AD-synced user needs P2 and a matching CA policy. Larger spend.
  • If only some restricted → P2 only for those users; cheaper, but requires ongoing judgment on who gets which policy.

Intersection with other rollouts

  • Anti-impersonation protection (docs/cloud/m365-impersonation-protection.md) — same top-tier users are the protected users there. Keep the lists in sync.
  • Business Premium upgrade (docs/proposals/m365-premium-upgrade.md) — Business Premium bundles P2-equivalent CA features, so if we go Premium tenant-wide, standalone P2 purchases go away. Default recommendation: bundle everything into Business Premium, only buy standalone P2 if budget forces staying on Business Standard for some users.
  • Caregiver rollout (docs/cloud/caregiver-m365-p2-rollout.md) — ~39 additional licenses. Combined target ~61 Premium licenses for the whole org.

Rough license math (staff side only)

| Scenario | Qty | Notes |
|---|---|---|
| Confirmed today (Crystal, Megan, Tamra-through-June) | 3 | Crystal's reply |
| Likely additions from John + Meredith (guessed) | ~58 | Wait for actual reply |
| All staff (if "restrict everyone" decision) | ~23 | Equals the full post-cleanup licensed-user count from docs/cloud/m365.md |

Action items

  • Follow up with John Trozzi on the candidate list he is gathering
  • Push Meredith for the "restrict everyone or just some" decision
  • When list is final, decide: standalone P2 add-on OR move those users to Business Premium OR move the whole tenant to Business Premium (recommended)
  • Build CA policy CSC - Office Staff PHI Access separate from the caregiver mobile policy
  • Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026)

Related docs

  • docs/cloud/m365.md
  • docs/cloud/m365-impersonation-protection.md
  • docs/cloud/caregiver-m365-p2-rollout.md
  • docs/proposals/m365-premium-upgrade.md
  • docs/security/hipaa.md