claudetools/clients/cascades-tucson/docs/cloud/m365.md
Howard Enos 95ad40bdbe cascades: document Teams rollout + HIPAA test plan
Lauren Hasselman could not create a Teams group on 2026-05-05.
Diagnostic confirmed the block is at the Teams Admin policy layer
(intentional, gated on HIPAA prerequisites in m365.md issues #12-#14),
not an Entra/M365-Group permissions defect. New teams-rollout.md
captures prerequisites, HIPAA config checklist, canary test plan
(Lauren as primary canary), and exit criteria. Linked from m365.md
issue #14.
2026-05-05 22:01:28 -07:00


Microsoft 365

Tenant Info

  • Tenant Name: cascadestucson.com
  • Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
  • Primary Domain: cascadestucson.com
  • onmicrosoft Domain: NETORGFT4257522.onmicrosoft.com
  • Admin Portal URL: https://admin.microsoft.com
  • Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
  • Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
  • DirSync / Entra Connect: Not configured (all accounts cloud-only) — PLANNED: Install Entra Connect for SSO
  • HIPAA BAA: Not signed — required since email may contain PHI
  • MFA: Not enabled — Security Defaults not configured

Licensing

| License Type | Total | Assigned | Available |
|---|---|---|---|
| Microsoft 365 Business Standard | 34 | 34 | 0 |
| Microsoft Entra ID P2 | 1 | 0 | 1 (unassigned — was Sandra Fish, available for testing) |
| Microsoft Power Automate Free | 10000 | 2 | 9998 |
| Microsoft Stream Trial | 1000000 | 0 | 1000000 |
| Exchange Online Essentials | 4 | | |

Note: Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses.

Planned expansion — caregiver rollout (not yet purchased)

Separate from the current 34 users, there are ~39 caregivers / med techs / CCGs with no current AD or M365 account. They need identities plus Conditional Access before the shared-phone and HIPAA controls can apply to them. Full roster, proposed UPNs, license math, and CA policy design are in docs/cloud/caregiver-m365-p2-rollout.md. Rough target: 61 total Business Premium licenses (23 existing staff post-cleanup + 38 net-new caregivers; Christine Nyanzunda overlaps and stays at one account). Do not create any of these accounts yet — documentation + proposal update first.

Staff-side P2 / anti-impersonation tracking

These are in-flight and feed the same Business Premium purchase decision:

  • docs/cloud/p2-staff-candidates.md — office staff who need P2 for PHI-in-email or home-access scenarios (Crystal confirmed Megan/Crystal/Tamra; John Trozzi gathering the rest)
  • docs/cloud/m365-impersonation-protection.md — Defender anti-impersonation trusted partners + protected users (Megan's partner list captured; awaiting John's additions)

AD ↔ M365 Account Mapping

Matched Accounts (AD user → M365 mailbox)

| AD SamAccountName | M365 UPN | License | Notes |
|---|---|---|---|
| (formerly AD `howard`) | dax.howard@cascadestucson.com | Business Standard | Corrected 2026-04-22: the AD `howard` account was NOT Dax Howard — it was an orphan MSP-created account (display "howard", desc "Home Offie" typo) that was mistakenly mapped to Dax Howard's mailbox. AD account deleted 2026-04-22 (recoverable from AD Recycle Bin for 180 days — ObjectGUID 2050d21f-7649-4033-b1fd-83cfc286b056). Dax Howard's M365 account has no AD counterpart and is cloud-only. The cara.lespron@ alias is left over from former employee Cara Lespron, whose mailbox was repurposed to Dax Howard — strip this alias unless Dax confirms he still uses it. |
| sysadmin | sysadmin@cascadestucson.com | Power Automate Free | Display: "Computer Guru Support" — no mailbox license |
| Meredith.Kuhn | meredith.kuhn@cascadestucson.com | Business Standard | |
| John.Trozzi | john.trozzi@cascadestucson.com | Business Standard | |
| Lupe.Sanchez | lupe.sanchez@cascadestucson.com | Business Standard | |
| Megan.Hiatt | megan.hiatt@cascadestucson.com | Business Standard | |
| Crystal.Rodriguez | crystal.rodriguez@cascadestucson.com | Business Standard | Alias: crystal.suszek@ |
| Tamra.Johnson | tamra.matthews@cascadestucson.com | Business Standard | Rename AD to Tamra.Matthews — M365 already correct. Alias: tamra.johnson@ still works |
| Lois.Lane | lois.lane@cascadestucson.com | Business Standard | |
| Christina.DuPras | christina.dupras@cascadestucson.com | Business Standard | |
| Christine.Nyanzunda | christine.nyanzunda@cascadestucson.com | Business Standard | M365 last name: "Nyanzuda" (typo — AD has Nyanzunda) |
| Susan.Hicks | susan.hicks@cascadestucson.com | Business Standard | |
| Ashley.Jensen | ashley.jensen@cascadestucson.com | Business Standard + Power Automate Free | Alias: ashley.jenson@ |
| Veronica.Feller | veronica.feller@cascadestucson.com | Business Standard | |
| JD.Martin | jd.martin@cascadestucson.com | Business Standard | |
| alyssa.brooks | alyssa.brooks@cascadestucson.com | Business Standard | |
| Matt.Brooks | matthew.brooks@cascadestucson.com | Business Standard | AD: Matt, M365: Matthew |
| Ramon.Castaneda | ramon.castaneda@cascadestucson.com | Business Standard | Aliases: ramon.castanada@, ramon.casteneda@ (typos kept as aliases) |
| Sharon.Edwards | sharon.edwards@cascadestucson.com | Business Standard | |
| britney.thompson | Britney.Thompson@cascadestucson.com | Business Standard + Exchange Online Essentials | |
| ann.dery | ann.dery@cascadestucson.com | Business Standard | |
| strozzi (Shelby Trozzi) | Shelby.Trozzi@cascadestucson.com | Business Standard + Exchange Online Essentials | AD username doesn't match M365 format |
| karen.rossini | karen.rossini@cascadestucson.com | Business Standard | |
| lauren.hasselman | lauren.hasselman@cascadestucson.com | Business Standard | Created 2026-02-26 (recent hire, replaced Jeff Bristol) |
| Allison.Reibschied | Allison.Reibschied@cascadestucson.com | Business Standard | Accounting Assistant (new hire 2026-03) |

AD Accounts with NO M365 Match

| AD SamAccountName | Type | Action Needed |
|---|---|---|
| Administrator | Built-in | None needed |
| localadmin | Admin | None needed |
| Sebastian.Leon | User | Front Desk/Courtesy Patrol — needs M365 account if they use email |
| Michelle.Shestko | User | MC Front Desk — keep as Shestko. Needs M365 account if they use email |
| Alyssa.Shestko (now Alyssa Brooks) | User | Rename to Alyssa.Brooks in AD. This is the real account. M365 already alyssa.brooks@. Duplicate lowercase alyssa.brooks in CN=Users to be deleted. |
| Guadalupe.Sanchez | User | Housekeeping — already has M365 as lupe.sanchez@cascadestucson.com |
| Sheldon.Gardfrey | User | Front Desk/Courtesy Patrol — needs M365 if they use email |
| Cathy.Kingston | User | Front Desk/Courtesy Patrol — needs M365 if they use email |
| Shontiel.Nunn | User | Transferring soon — keep for now |
| Ray.Rai | User | Front Desk/Courtesy Patrol — needs M365 if they use email |
| Richard.Adams | User | Transportation — needs M365 if they use email |
| Julian.Crim | User | Transportation — needs M365 if they use email |
| Christopher.Holik | User | Transportation — needs M365 if they use email |
| QBDataServiceUser34 | Service | None needed |
| Culinary | Shared/Generic | None needed (AD shared account) |
| Receptionist | Shared/Generic | Maps to frontdesk@cascadestucson.com? |
| saleshare | Shared/Generic | None needed |
| directoryshare | Shared/Generic | None needed |

M365 Accounts with NO AD Match

Real users (need AD accounts created or are new hires)

| M365 Display Name | UPN | License | Notes |
|---|---|---|---|
| Kristiana Dowse | kristiana.dowse@cascadestucson.com | Business Standard | DELETE — HR confirmed not current employee. Remove license + delete account |
| nick pavloff | nick.pavloff@cascadestucson.com | Business Standard | Created 2026-03-07 — new hire, needs AD account |

Role-Based Accounts — Convert to Shared Mailboxes (saves ~$125/mo)

All of these are currently licensed user accounts. Convert to shared mailboxes (free) and remove licenses. Then assign members from AD-synced accounts.

| M365 Display Name | UPN | Current License | Action | Members (after conversion) |
|---|---|---|---|---|
| Accounting Dept. | accounting@cascadestucson.com | Business Standard | Convert to shared | Ashley.Jensen, lauren.hasselman |
| Accounting Assistant | accountingassistant@cascadestucson.com | Business Standard | Convert to shared | Allison.Reibschied |
| Bookkeeping Office | boadmin@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Front Desk | frontdesk@cascadestucson.com | Business Standard | Convert to shared | Cathy.Kingston, Shontiel.Nunn, Kyla.QuickTiffany, Sebastian.Leon, Sheldon.Gardfrey, Ray.Rai |
| Human Resources | hr@cascadestucson.com | Business Standard | Convert to shared | Meredith.Kuhn |
| MemCare Receptionist | memcarereceptionist@cascadestucson.com | Business Standard | Convert to shared | Michelle.Shestko, Matt.Brooks |
| Security Cascades | security@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Training | Training@cascadestucson.com | Business Standard | Convert to shared | TBD |
| Nurse | nurse@cascadestucson.com | Exchange Online Essentials | Convert to shared | Lois.Lane, Karen.Rossini, britney.thompson |
| medtech | medtech@cascadestucson.com | Exchange Online Essentials | Convert to shared | TBD |
| transportation | transportation@cascadestucson.com | Exchange Online Essentials | Convert to shared | Richard.Adams, Julian.Crim, Christopher.Holick |
| AppleID | Kitchenipad@cascadestucson.com | Unlicensed | Keep as-is | Device account. Alias: ipad@ |
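Added example (not from this doc or the MSP's own scripts) showing the conversion described above for one row of the table, accounting@, in Exchange Online and Microsoft Graph PowerShell. Order matters: convert the mailbox to Shared first and remove the license afterwards, because a regular user mailbox whose license is removed goes into the deleted-mailbox grace period. The pre-flight check exists because a shared mailbox still needs a license when it is over 50 GB, has an archive, or is on litigation hold. The member UPNs come from the table; the SKU part number O365_BUSINESS_PREMIUM (Microsoft's internal name for Business Standard) is an assumption from Microsoft's SKU reference and is resolved to a SkuId at runtime, so verify it with Get-MgSubscribedSku before trusting it.

```powershell
# Added example, not the doc's own script: convert a licensed role-based user
# mailbox to a shared mailbox, grant members access, then free the license.
# Requires: Install-Module ExchangeOnlineManagement, Microsoft.Graph
Connect-ExchangeOnline -UserPrincipalName sysadmin@cascadestucson.com
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Mailbox and members, taken from the conversion table above.
$Mailbox = 'accounting@cascadestucson.com'
$Members = @('ashley.jensen@cascadestucson.com', 'lauren.hasselman@cascadestucson.com')

# 1. Pre-flight: a shared mailbox with an archive or litigation hold (or over 50 GB)
#    still needs a license, so stop rather than silently strip one.
$Mbx   = Get-Mailbox -Identity $Mailbox
$Stats = Get-MailboxStatistics -Identity $Mailbox
if ($Mbx.LitigationHoldEnabled -or $Mbx.ArchiveStatus -eq 'Active') {
    throw "$Mailbox has a hold or archive; it must keep a license."
}
Write-Host "$Mailbox current size: $($Stats.TotalItemSize) (must stay under 50 GB unlicensed)"

# 2. Convert to shared and block interactive sign-in; nobody should log into it directly.
Set-Mailbox -Identity $Mailbox -Type Shared
$User = Get-MgUser -Filter "userPrincipalName eq '$Mailbox'" -Property Id, AssignedLicenses
Update-MgUser -UserId $User.Id -AccountEnabled:$false

# 3. Grant members Full Access (auto-mapped into Outlook) and Send As.
foreach ($m in $Members) {
    Add-MailboxPermission   -Identity $Mailbox -User $m    -AccessRights FullAccess -AutoMapping $true -Confirm:$false | Out-Null
    Add-RecipientPermission -Identity $Mailbox -Trustee $m -AccessRights SendAs -Confirm:$false | Out-Null
}

# 4. Remove the Business Standard license. O365_BUSINESS_PREMIUM is assumed to be the
#    SKU part number for Business Standard; confirm with Get-MgSubscribedSku first.
$Sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'O365_BUSINESS_PREMIUM'
if ($Sku -and ($User.AssignedLicenses.SkuId -contains $Sku.SkuId)) {
    Set-MgUserLicense -UserId $User.Id -RemoveLicenses @($Sku.SkuId) -AddLicenses @() | Out-Null
}

# 5. Verify: recipient type is SharedMailbox and no licenses remain.
(Get-Mailbox -Identity $Mailbox).RecipientTypeDetails
(Get-MgUser -UserId $User.Id -Property AssignedLicenses).AssignedLicenses.Count
```

Run it once per row of the table, changing `$Mailbox` and `$Members`; for the rows marked TBD leave `$Members` empty until the owners are confirmed, since Full Access is exactly the permission that later shows up in an audit of who can read a PHI-bearing mailbox.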

Courtesy Patrol Shared Mailbox (NEW)

License Plan After Cleanup

Full Business Standard License (own mailbox + Office apps)

Staff with first.last@cascadestucson.com personal mailboxes:

| Employee | UPN |
|---|---|
| Howard Dax | dax.howard@ |
| Meredith Kuhn | meredith.kuhn@ |
| John Trozzi | john.trozzi@ |
| Megan Hiatt | megan.hiatt@ |
| Crystal Rodriguez | crystal.rodriguez@ |
| Tamra Matthews | tamra.matthews@ |
| Lois Lane | lois.lane@ |
| Christina DuPras | christina.dupras@ |
| Christine Nyanzunda | christine.nyanzunda@ |
| Susan Hicks | susan.hicks@ |
| Ashley Jensen | ashley.jensen@ |
| Veronica Feller | veronica.feller@ |
| JD Martin | jd.martin@ |
| Alyssa Brooks | alyssa.brooks@ |
| Matt Brooks | matthew.brooks@ |
| Ramon Castaneda | ramon.castaneda@ |
| Sharon Edwards | sharon.edwards@ |
| Britney Thompson | britney.thompson@ |
| Shelby Trozzi | shelby.trozzi@ |
| Karen Rossini | karen.rossini@ |
| Guadalupe Sanchez | lupe.sanchez@ |
| Lauren Hasselman | lauren.hasselman@ |
| Allison Reibschied | allison.reibschied@ |

Total: 23 licenses

No License — Shared Mailbox Access Only (browser via SSO)

AD account + Entra sync, no M365 license. Access shared mailboxes via outlook.office.com.

| Employee | Position | Shared Mailbox Access |
|---|---|---|
| Sebastian Leon | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Sheldon Gardfrey | Courtesy Patrol | Frontdesk@, Courtesypatrol@ |
| Cathy Kingston | Receptionist | Frontdesk@ |
| Shontiel Nunn | Receptionist | Frontdesk@ |
| Kyla Quick Tiffany | Receptionist | Frontdesk@ |
| Ray Rai | Courtesy Patrol | Frontdesk@ |
| Richard Adams | Driver | Transportation@ |
| Julian Crim | Driver | Transportation@ |
| Christopher Holick | Driver | Transportation@ |
| Michelle Shestko | MC Receptionist | Memcarereceptionist@ |

Total: 10 users, 0 licenses

License Savings

  • Current: 34 Business Standard (all allocated)
  • After cleanup: 23 Business Standard needed
  • 11 licenses freed (~$137.50/month saved)

External guest accounts

| Display Name | Source | Notes |
|---|---|---|
| a.r.jensen018 | a.r.jensen018@gmail.com | Ashley Jensen's personal? |
| Debora Morris | deboram@teepasnow.com | External partner |
| duprasc2002 | duprasc2002@yahoo.com | Christina DuPras personal? Created 2026-03-04 |
| howaed | howaed@azcomputerguru.com | Typo of howard — already deleted (not present in tenant as of 2026-04-22) |
| howard | howard@azcomputerguru.com | DELETED 2026-04-22 — external guest for Howard Enos (MSP). Removed per Howard's decision; MSP admin access preserved via sysadmin@cascadestucson.com (has Global Admin). |
| karenrossini7 | karenrossini7@gmail.com | Karen Rossini's personal? |

Blocked / former employee accounts in M365

| Display Name | UPN | Sign-in Blocked | Notes |
|---|---|---|---|
| Jeff Bristol | jeff.bristol@cascadestucson.com | Yes | DELETED 2026-04-22 — orphan cleanup. Soft-delete recoverable 30 days (id 8ec8248a-46e8-4771-9220-047887928777). |
| Nela Durut-Azizi | nela.durut-azizi@cascadestucson.com | Yes | DELETED 2026-04-22 — orphan cleanup. Soft-delete recoverable 30 days (id 84cef8a2-6988-44ea-bf20-a72fe622750d). |
| Stephanie Devin | Stephanie.Devin@cascadestucson.com | Yes | Former? Unlicensed, blocked. Ask Meredith before deleting. |

Tenant admin

| Display Name | UPN | License | Notes |
|---|---|---|---|
| cascadestucson.com (Sandra Fish) | admin@NETORGFT4257522.onmicrosoft.com | | Confirmed absent 2026-04-22 — already deleted at some point. No further action. |

Shared Mailboxes

| Name | Email | Notes |
|---|---|---|
| Anna Pitzlin | anna.pitzlin@cascadestucson.com | DELETED 2026-04-22 — orphan cleanup. Soft-delete recoverable 30 days (id 06aa2955-f124-447d-8a16-cc7779aaf28f). |
| Fax Cascades | fax@cascadestucson.com | Fax-to-email service |
| Jeff Bristol | jeff.bristol@cascadestucson.com | (see Blocked section — deleted 2026-04-22) |
| Nela Durut-Azizi | nela.durut-azizi@cascadestucson.com | (see Blocked section — deleted 2026-04-22) |

Exchange Online

  • Mail Domain(s): cascadestucson.com
  • MX Record Points To: TBD (check DNS)
  • SPF Record: TBD
  • DKIM Enabled: TBD
  • DMARC Policy: TBD
  • Distribution Groups: TBD (6 groups shown in tenant summary)
  • Mail Flow Rules: TBD

Entra ID (Azure AD)

  • Hybrid Joined: No — DirSync not enabled on any account — PLANNED: Entra Connect install on CS-SERVER
  • Azure AD Connect Server: None (planned: CS-SERVER)
  • MFA Enforced: TBD
  • Conditional Access Policies: TBD
  • Total Users: 51 (24 licensed individual, 12 generic/role, 6 external guests, 4 blocked/former, 1 admin, 4 shared mailboxes)
  • Total Devices: 88

Entra Connect — SSO Setup Plan

What It Does

Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account and Office/Edge/Outlook auto-sign-in with their M365 identity. Single sign-on, one password.

Prerequisites (MUST complete before install)

  1. AD account cleanup — all the renames, deletions, and duplicate fixes MUST be done first. Entra Connect syncs what's in AD, so AD must be clean.
    • Rename Tamra.Johnson → Tamra.Matthews
    • Rename Alyssa.Shestko → Alyssa.Brooks + delete lowercase duplicate alyssa.brooks
    • Rename strozzi → Shelby.Trozzi (match M365 UPN)
    • Fix Christopher.Holik → Christopher.Holick (HR spelling)
    • Create account for Kyla Quick Tiffany (Resident Services Receptionist)
    • Delete confirmed former employees (Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez)
    • Disable/delete non-current accounts (Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks lowercase)
    • Fix Matt.Brooks vs matthew.brooks@ UPN mismatch
  2. UPN suffix — Add cascadestucson.com as UPN suffix in AD so AD usernames match M365 emails
  3. M365 role-based accounts — Convert to shared mailboxes BEFORE sync to avoid sync conflicts
  4. Kristiana Dowse — Delete from M365 before sync
  5. Verify CS-SERVER meets requirements — Server 2016+, .NET 4.7.2+, SQL Express (installs with Entra Connect)

Install Steps

  1. Add UPN suffix cascadestucson.com to AD (AD Domains and Trusts)
  2. Update all synced users' UPN to firstname.lastname@cascadestucson.com
  3. Download Entra Connect from Entra admin center
  4. Install on CS-SERVER
  5. Choose Password Hash Sync (simplest, most reliable)
  6. Scope sync to OU=Departments only (exclude service accounts, shared accounts, computers)
  7. Enable Seamless SSO
  8. Test with one user before full sync

What Gets Synced

  • All user accounts in OU=Departments → Entra ID
  • Passwords hash-synced (user keeps same password for AD + M365)
  • NOT synced: computer accounts, service accounts, shared/generic accounts (Culinary, Receptionist, saleshare, directoryshare)
  • All synced users get Entra ID accounts but NOT all get licenses
  • Licensed users (23): personal mailbox + Office apps
  • Unlicensed users (10): SSO sign-in to shared mailboxes via browser only — no Office install, no personal mailbox

What Changes for Users

  • Log into Windows → Office, Outlook, Edge, OneDrive auto-sign-in
  • One password for everything (change in AD, M365 follows)
  • MFA can be enforced via Entra Conditional Access after sync

Risks

  • If AD is dirty (duplicates, mismatches), sync will create duplicate M365 accounts or fail
  • Shared/generic accounts (Culinary, Receptionist) should NOT sync — exclude from scope
  • Must coordinate: once sync is on, AD becomes the source of truth for identity
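Added example, not part of the original doc or the MSP's scripts, covering install steps 1, 2 and 8 and the "dirty AD" risk above. It adds the routable UPN suffix to the forest, computes the target UPN for every user in the planned sync scope (OU=Departments), and reports which targets already exist in the tenant. Entra Connect soft-matches an AD user to an existing cloud account on UPN or primary SMTP address; an AD user that matches neither becomes a new cloud object, which is the intended outcome for the 10 no-license users but a duplicate for anyone who already has a mailbox under a different name (strozzi vs shelby.trozzi@, Matt.Brooks vs matthew.brooks@). Assumptions: the domain DN is read from Get-ADDomain because the AD domain name is not in this doc; matching is on UPN only (primary SMTP is not compared); Set-ADUser runs with -WhatIf so nothing changes until the report has been reviewed. Requires the RSAT ActiveDirectory module and Microsoft.Graph.Users.

```powershell
# Added example, not the doc's own script: dry-run check of the Entra Connect
# prerequisites before the first sync. Requires RSAT ActiveDirectory + Microsoft.Graph.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All'

$Suffix    = 'cascadestucson.com'
# Sync scope from install step 6; domain DN is discovered, not hard-coded (assumption).
$SyncScope = "OU=Departments,$((Get-ADDomain).DistinguishedName)"

# Step 1: make sure the routable UPN suffix exists in the forest (idempotent).
$Forest = Get-ADForest
if ($Forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $Suffix }
}

# Cloud UPNs, lowercased. A synced user whose target UPN is in this list soft-matches;
# one that is not becomes a brand-new cloud account.
$CloudUpns = (Get-MgUser -All -Property UserPrincipalName).UserPrincipalName |
    ForEach-Object { $_.ToLower() }

$Report = foreach ($u in Get-ADUser -SearchBase $SyncScope -Filter *) {
    $Target = "$($u.SamAccountName.ToLower())@$Suffix"
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        CurrentUpn     = $u.UserPrincipalName
        TargetUpn      = $Target
        NeedsUpnFix    = ($u.UserPrincipalName -ne $Target)
        MatchesCloud   = ($CloudUpns -contains $Target)
    }
}
$Report | Sort-Object MatchesCloud, SamAccountName | Format-Table -AutoSize

# Anything unmatched will be CREATED in Entra ID on first sync. That is expected for the
# no-license staff, but for a user who already has a mailbox under another name it is a
# duplicate: rename in AD first (prerequisite 1), then re-run this report.
$Unmatched = $Report | Where-Object { -not $_.MatchesCloud }
if ($Unmatched) {
    Write-Warning "These AD users have no cloud UPN match and would be created as new accounts:`n$($Unmatched | Out-String)"
}

# Step 2: set UPNs to first.last@cascadestucson.com. -WhatIf until the report is clean;
# then sync a single user (step 8) before enabling the full OU.
$Report | Where-Object NeedsUpnFix | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.TargetUpn -WhatIf
}
```

Because the page's own plan makes AD the source of truth once sync is on, the useful property of this check is that it is read-only until the `-WhatIf` is removed: every rename and deletion in the prerequisites list can be verified against the report before any object reaches the tenant.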

Issues Found

  1. 0 licenses available — Business Standard is 34/34. Cannot add new users without purchasing more.
  2. Tamra Johnson → Matthews name mismatch — M365 updated to married name, AD still says Johnson. Update AD to match.
  3. 13 AD users have no M365 account — May not need email (hourly staff?) but verify onsite.
  4. 12 generic/role-based M365 accounts eating licenses — accounting@, frontdesk@, hr@, etc. each consume a Business Standard license ($12.50/mo). Should convert to shared mailboxes (free) if nobody logs into them directly.
  5. "howaed" external guest — Typo duplicate of howard. Delete.
  6. 3 former employee shared mailboxes — Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi. Decide: keep for mail history, forward, or delete.
  7. Sandra Fish is global admin — Previous owner/manager. Verify she should still have admin access.
  8. cara.lespron@ alias on Howard's mailbox — Former employee's mailbox was repurposed. Remove alias if no longer needed.
  9. Kristiana Dowse — Licensed in M365 but not in AD. Verify: current employee or former?
  10. nick pavloff — Created 2026-03-07 (yesterday). New hire — needs AD account.
  11. sysadmin has no mailbox license — Only Power Automate Free. May need Exchange if used for email.
  12. No Microsoft BAA signed — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
  13. No MFA enabled — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
  14. Microsoft Teams not deployed or HIPAA-configured — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. Rollout plan + test plan: docs/cloud/teams-rollout.md (Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test).
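Added example, not from this doc or the MSP's scripts, for issue #13. It checks the tenant's Security Defaults state and enables it (the free minimum the issue recommends), or, if Conditional Access is chosen instead, stages an MFA-for-everyone policy in report-only mode so the sign-in logs show who would be affected before anyone is blocked. The two are mutually exclusive: Entra rejects Conditional Access policies while Security Defaults is on, so the script takes one path based on `$UseConditionalAccess`. Conditional Access needs Entra ID P1 or P2 for the covered users, which this tenant does not yet have beyond one P2 seat (Business Premium, which is planned, includes P1). The break-glass exclusion uses sysadmin@cascadestucson.com from the Tenant Info section; the policy name is an assumption.

```powershell
# Added example, not the doc's own script: enforce person authentication for issue #13
# via Security Defaults, or stage a report-only Conditional Access MFA policy.
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Choose exactly one path: Conditional Access cannot coexist with Security Defaults.
$UseConditionalAccess = $false

$Defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults currently enabled: $($Defaults.IsEnabled)"

if (-not $UseConditionalAccess) {
    # Option A: Security Defaults. Free, covers every user and legacy auth, no per-policy tuning.
    if (-not $Defaults.IsEnabled) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        Write-Host 'Security Defaults enabled. Users will be prompted to register MFA at next sign-in.'
    }
}
else {
    # Option B: Conditional Access (requires P1/P2 for covered users).
    if ($Defaults.IsEnabled) {
        throw 'Turn off Security Defaults before creating Conditional Access policies.'
    }

    # Exclude the MSP global admin as a break-glass account so a bad policy cannot lock
    # out the only administrator. Protect that account with its own MFA, not with this policy.
    $BreakGlass = (Get-MgUser -Filter "userPrincipalName eq 'sysadmin@cascadestucson.com'" -Property Id).Id

    $Policy = @{
        displayName = 'Require MFA for all users (staged, report-only)'   # assumed name
        # Report-only: evaluated and logged in sign-in logs, never enforced.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    $Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    Write-Host "Created policy $($Created.Id) in state $($Created.State)."
}
```

After a week in report-only mode, the Conditional Access insights in the Entra sign-in logs show which users and which clients (typically legacy IMAP/SMTP clients that cannot do MFA) would have failed; switch `state` to `enabled` only once those are resolved, and keep the break-glass exclusion.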

Notes

  • Previous MSP/admin created many role-based accounts as regular licensed users instead of shared mailboxes. This wastes licenses.
  • No Entra Connect / hybrid join — AD and M365 are completely separate identity systems. Users have different passwords for each.
  • Shared workstation plan (GPO 6) needs: reception shared mailbox created, tenant domain is cascadestucson.com.