claudetools/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md
Howard Enos 5019db4558 sync: auto-sync from HOWARD-HOME at 2026-04-24 14:31:14
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-24 14:31:14
2026-04-24 14:31:17 -07:00


Cascades of Tucson — Master Plan v2 (phones-first)

Built: 2026-04-24 by Howard + Claude
Supersedes: PLAN-AND-QUESTIONS-2026-04-23-archived.md
Target: Pilot caregiver phone usable end-to-end by Monday 2026-04-27.
Goal (Howard's exact words): Authorized user + authorized device + authorized network → no 2FA → M365 sign-in (tied to domain account via PHS) → SSO into ALIS.

This plan was rewritten after catching scope drift in the 2026-04-23 version. See Part 7 for the honest drift log. The executable path is Track A; Track B runs in parallel; Track C is later phases.


Part 1 — Status as of 2026-04-24

What's genuinely done

  • AD hygiene (G1) — idempotent. OU=Excluded-From-Sync, 4 role accounts moved, 34 proxyAddresses populated, 16 SG-* groups created, display names normalized. reports/2026-04-22-g1-execute.md + reports/2026-04-22-g1-post-verify.md
  • M365 orphan cleanup (G2 partial) — 7 orphan / former-employee accounts deleted; 1 Business Standard seat freed. reports/2026-04-22-m365-orphan-deletes.md
  • CS-SERVER preflight — time sync, TLS 1.2, WSB installed, rebooted, post-reboot verification clean. Ready for Entra Connect. reports/2026-04-22-cs-server-preflight-verification.md
  • Synology discovery — 10 shares, 35 users, 4 groups inventoried. 7 shared-credential HIPAA violations flagged. docs/migration/synology-permission-inventory.md
  • Intune MDM foundation — MDMS@ service account, Apple MDM push cert, Android enrollment profile (dynamic group), Android compliance policy, config profiles, 7 required apps (incl. ALIS web app). 1 Samsung A15 enrolled compliant, 24 more in box. PROJECT_STATE.md
  • DMARC p=quarantine + post-DMARC spoofing recheck clean. reports/2026-04-21-post-dmarc-spoofing-recheck.md
  • Staff CSV + working list from Meredith/John. reports/cascades-staff-2026-04-22.csv
  • HIPAA review + risk register drafted (with some accuracy issues flagged in Part 7). docs/security/hipaa-review-2026-04-22.md

What's in flight vs not started

  • Entra Connect install — NOT started. Prep is green.
  • Phone rollout at scale — NOT started. Pattern validated on 1 device.
  • Role mailbox conversions (G2 remainder) — have delegation lists for 6/11; 5 pending Meredith.
  • CA policies — nothing live. No Named Location yet.
  • ALIS SSO — nothing registered.

Part 2 — Track A: Phone SSO Mission (pilot → caregiver rollout)

One sentence: one caregiver, one phone, full end-to-end flow proven by Monday — then scale.

Phase 1 scope

  • 1 pilot caregiver (Howard picks — must be confirmed-spelling name + willing tester)
  • 1 phone (reuse current enrolled Phone 1 or fresh Samsung A15 from the 24 unopened)
  • Entra Connect sync scoped to OU=Sync-Phase1-Caregivers only
  • PHS enabled (Howard's decision 2026-04-24 — reverses prior "PHS deferred" call)
  • CA policy: MFA waived when user ∈ SG-Caregivers AND device compliant AND sign-in from Cascades WAN IP
  • ALIS SSO live via OIDC App Registration

Nothing else in this tenant is touched. No office staff change. No password cutover for the cloud-only population (that's Track C Phase 2).

Gate-by-gate plan

| Gate | Target day | What | Blocker / input |
|---|---|---|---|
| A1 | Fri PM | Entra Connect install on CS-SERVER, staging mode, scope = OU=Sync-Phase1-Caregivers, PHS on | Howard at CS-SERVER console |
| A2 | Fri–Sat | Pull Cascades WAN IP from pfSense; create Entra Named Location "Cascades Office"; create CA policy "Cascades - Phone MFA Exception" in Report-only | Q38 (WAN IP static? — discover from pfSense cfg, not Meredith) |
| A3 | Fri–Sat | Email support@medtelligent.com for SSO Integrations kickoff; create App Registration "Cascades of Tucson - ALIS SSO" (single-tenant, redirect https://cascadestucson.alisonline.com/ExternalLoginCallback, ID tokens enabled for implicit/hybrid flow); create client secret "ALIS - Single Tenant Secret"; vault creds | Howard / portal access |
| A4 | Sat | Pilot caregiver AD account in OU=Sync-Phase1-Caregivers; add to SG-Caregivers; assign unassigned Entra ID P2 (no new spend); verify ALIS staff profile email == Entra UPN exactly | Howard picks pilot (T0-1) |
| A5 | Sun AM | Exit Entra Connect staging; full sync; verify pilot user appears hybrid with AD password live; CA What-If check confirms MFA bypass fires for correct conditions | A1–A4 green |
| A6 | Sun PM | Enroll phone (QR from "CSC - Android Shared Phones" profile); pilot caregiver signs in via MSDM; verify zero MFA prompt on Cascades Wi-Fi; verify Teams/Authenticator/ALIS web app all SSO; verify sign-out / second sign-in works (shared-device proof) | A5 green |
| A7 | Mon AM | CA Report-only logs reviewed (zero unexpected blocks); flip policy to On | A6 green |
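How Gate A2's Named Location and Report-only CA policy (the Phase 1 scope rule: MFA waived only when user ∈ SG-Caregivers AND device compliant AND sign-in from the Cascades WAN IP) could be built with Microsoft Graph PowerShell. This is an added example, not the plan's own script. A single CA policy cannot both require and waive MFA, so the rule is expressed as a pair of policies; the WAN address 203.0.113.10/32 is a constructed TEST-NET placeholder until T0-2 confirms the real static IP, and the policy names other than "Cascades - Phone MFA Exception" are assumptions.

```powershell
# Added example (not from the plan): Gate A2 in Microsoft Graph PowerShell.
# Needs Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups. Assumes SG-Caregivers
# has already synced to Entra (Gate A1/A5) and that the WAN IP below is replaced after T0-2.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$wanCidr = '203.0.113.10/32'   # PLACEHOLDER (constructed) - replace with the pfSense WAN IP
$group   = Get-MgGroup -Filter "displayName eq 'SG-Caregivers'"
if (-not $group) { throw 'SG-Caregivers not found in Entra; check the Entra Connect sync scope.' }

# 1. Trusted Named Location for the office WAN address (Gate A2).
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Cascades Office'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $wanCidr })
}

# Common scope: caregivers only, all apps, all client types. Nothing else in the tenant is touched.
$users = @{ includeGroups = @($group.Id) }
$apps  = @{ includeApplications = @('All') }

# 2a. Outside the office: caregivers always get MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Cascades - Caregivers MFA outside office'
    state         = 'enabledForReportingButNotEnforced'   # Report-only until Gate A7
    conditions    = @{
        clientAppTypes = @('all'); users = $users; applications = $apps
        locations      = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 2b. Inside the office: a compliant (Intune-enrolled) phone satisfies the grant, so no MFA prompt;
#     a non-compliant device on the office Wi-Fi still has to do MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Cascades - Phone MFA Exception'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all'); users = $users; applications = $apps
        locations      = @{ includeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa', 'compliantDevice') }
}
```

If the WAN IP turns out to be dynamic (Q38), the Named Location goes stale and every caregiver falls into policy 2a, so that case shows up as unexpected MFA prompts in the Report-only log rather than as a lockout.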

Phase 1a (post-Monday): expand to full caregiver roster

  • Create remaining ~36 caregiver AD accounts in same OU
  • Purchase Business Premium seats (Q21 — tenant-wide preferred)
  • Add to SG-Caregivers
  • Factory-reset and enroll remaining 24 phones
  • Blocker resolved before 1a: Q1 Ederick spelling

Track A blockers

  • T0-1 (Howard): pick pilot caregiver — name + consent
  • T0-2 (Howard — discoverable): pfSense WAN IP — confirm static by inspecting Cox circuit config. If dynamic, plan Named Location update hook.
  • T0-3 (Meredith, cheap ask): sign Microsoft HIPAA BAA. Doesn't block phones technically — Meredith's covered entity exposure is the driver. 5 min.
  • T0-4 (ALIS, lead time): ALIS Integrations team response to support@medtelligent.com. Send Friday. They may need 24–48h.
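Gate A3's App Registration (single-tenant, the ALIS redirect URI, ID tokens for the implicit/hybrid flow, and a client secret) expressed in Microsoft Graph PowerShell. This is an added example, not the plan's or ALIS's own script; the 12-month secret lifetime and the Store-VaultSecret call are placeholders for decisions the plan does not fix.

```powershell
# Added example (not from the plan): Gate A3 App Registration via Microsoft Graph PowerShell.
# Needs Microsoft.Graph.Applications. Display names and the redirect URI come from the plan.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$app = New-MgApplication -DisplayName 'Cascades of Tucson - ALIS SSO' `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{
        RedirectUris          = @('https://cascadestucson.alisonline.com/ExternalLoginCallback')
        # The hybrid flow only needs ID tokens; access-token issuance stays off so the
        # implicit grant is no wider than the ALIS doc requires.
        ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true; EnableAccessTokenIssuance = $false }
    }

# Client secret: SecretText is returned exactly once, so vault it in this same session.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'ALIS - Single Tenant Secret'
    EndDateTime = (Get-Date).AddMonths(12)   # assumption: 12-month rotation; not specified by the plan
}

# Store-VaultSecret is a placeholder for the team's vault tooling (not a real cmdlet).
# Store-VaultSecret -Name 'ALIS-SingleTenantSecret' -Value $secret.SecretText

# Non-secret values ALIS support needs for the integration; the secret itself never goes by email.
[pscustomobject]@{
    TenantId            = (Get-MgContext).TenantId
    ApplicationClientId = $app.AppId
    SecretExpires       = $secret.EndDateTime
}
```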

Part 3 — Track B: HIPAA Baseline (parallel to A, sized realistically)

Scope: compliant-enough-to-survive-an-audit. Not gold-standard. Each item sized honestly.

| ID | Item | Rule | Who | Effort | Cost |
|---|---|---|---|---|---|
| B1 | Microsoft HIPAA BAA sign | §164.308(b)(1) Required | Meredith | 5 min portal click | $0 |
| B2 | ALIS BAA confirmed | §164.308(b)(1) Required | Meredith → ALIS support | 1 email, 1–2 wk vendor turnaround | $0 |
| B3 | Risk Analysis document | §164.308(a)(1)(ii)(A) Required | Howard drafts → Mike/Howard sign as Security Official → Meredith counter-signs as CE | 3–4h | $0 |
| B4 | Termination Procedures documented | §164.308(a)(3)(ii)(C) Required | Howard drafts from existing process | 1–2h | $0 |
| B5 | Audit log retention decision | §164.312(b) + §164.316(b)(2) | Meredith picks option; Howard implements | 1h | $0 (option b) or ~$3/user/mo (option a) |
| B6 | Synology shared-login risk acceptance | §164.312(a)(2)(i) interim | Meredith signs paper acknowledgment until Phase 4 cutover | Howard drafts form + routes it | $0 |
| B7 | Break-glass admin DECISION (not the injected YubiKey spec — a decision entry only) | §164.312(a)(2)(ii) Addressable | Howard writes decision entry | 30 min | $0 |
| B8 | Security Rule Implementation Register | §164.316(b) | Howard drafts — single doc listing every Addressable spec + decision | 2h | $0 |

Audit retention options (B5)

  • (a) Microsoft Purview Audit (Premium) add-on — 10yr retention — ~$3/user/mo
  • (b) M365 Compliance retention policy at 7 years — $0 if we're on Business Premium tenant-wide (which we would be for Phase 1a anyway)
  • (c) Monthly export to immutable Azure Blob — $0 but operational burden

Recommended: (b), stacked on the Business Premium tenant-wide purchase we're already teeing up for Phase 1a. No additional spend.

What Track B does NOT include (drift scrubbed)

  • FIDO2 YubiKey purchase — was injected; Emergency Access Procedure is Addressable, not Required; documented decision (B7) suffices
  • Per-user DLP policies — not in Security Rule Required set
  • Defender for Identity / SIEM — nice-to-have, not baseline

Part 4 — Track C: Future phases (not this week)

| Item | When | Blocker |
|---|---|---|
| C1 Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week 2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| C2 Phase 3 sync — remaining staff | Week 3 or later | Same mechanics as C1, larger batch |
| C3 G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with the lists we have | 5 of 11 pending Meredith's answers on delegates (Q8, Q11, Q14, Q15, Q16) |
| C4 Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John's answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership |
| C5 Wave 5 hardening — BitLocker fleet, LAPS, password policy, krbtgt rotation | After Phase 4 | Previous phases complete |

Part 5 — Open questions (slimmed, re-tiered)

T0 — Blocks Monday

  • T0-1 (Howard): Pilot caregiver — who? Must be confirmed-spelling name, willing tester.
  • T0-2 (Howard, discoverable): pfSense WAN IP — static? Query the appliance.
  • T0-3 (Meredith, Friday ask): sign Microsoft HIPAA BAA.
  • T0-4 (ALIS, send Friday): kick off SSO Integrations engagement via support@medtelligent.com.

T1 — Blocks Phase 1a (full caregiver rollout, not pilot)

  • Q1 Ederick Yuzon spelling — Meredith
  • Q21 Business Premium tenant-wide vs mixed SKU — Meredith (approve PO)
  • Q48 Reliable Agency shift scheduling pattern — Meredith (determines per-person vs supervised model)

T2 — Track B completion (parallel)

  • Q17 MS BAA (= T0-3)
  • Q18 ALIS BAA — Meredith
  • Q19 Synology shared-login risk posture (a/b/c) — Meredith → B6
  • Q20 Audit retention path — Meredith → B5 (recommend (b))
  • Q25 Reliable Agency contract → workforce vs BA — Meredith
  • Q27–29 Training, sanctions, termination procedure docs — Meredith

T3 — Blocks Phase 2/3 + Wave 4 (later)

  • Q2 Stephanie Devin status — Meredith
  • Q3 Dax Howard identity — Meredith
  • Q4 Tamra Matthews exit date — Meredith
  • Q6–16 Role mailbox delegations — Meredith (G2 remainder)
  • Q30–35 Synology content + MainOffice group — John
  • Q36 John's email activity — John
  • Q37 Matt Brooks cross-role delegation — John
  • Q38 WAN IP stability — John (confirms T0-2)
  • Q39 Dell R610 replacement — John

Dropped (drift — see Part 7)

  • Q23 FIDO2 security key purchase
  • Q24 Second break-glass holder

Part 6 — Executable now (no client answers needed)

| Item | Agent / effort | Blocks what |
|---|---|---|
| Draft Risk Analysis (B3) | Howard, 3–4h | Nothing — parallel to Track A |
| Draft Termination Procedures (B4) | Howard, 1–2h | Nothing |
| Draft Security Rule Implementation Register (B8) | Howard, 2h | Nothing |
| Draft Synology risk-acceptance form for Meredith's signature (B6) | Howard, 30 min | Nothing |
| SMB3 encryption on \\CS-SERVER\homes | `Set-SmbShare -Name homes -EncryptData $true` via GuruRMM | H3 HIPAA risk |
| Create OU=Sync-Phase1-Caregivers on CS-SERVER | Howard, 5 min | Track A Gate A1 prep |
| ALIS App Registration in Entra (A3) | Howard, 20 min | Track A Gate A5 verify |
| Email ALIS support for SSO kickoff | Howard, 10 min | Lead time |

Part 7 — Drift log (honest record)

The 2026-04-23 master plan had four accuracy/scope problems traced to doc-generation drift. Captured here so we don't repeat:

  1. FIDO2 / YubiKey recommendation appeared without user input. First showed up in docs/cloud/user-account-rollout-plan.md line 160 (commit c077d58 — a staff-CSV ingest session where the session log has zero FIDO2 mention). Escalated to Required HIPAA finding H2 in docs/security/hipaa-review-2026-04-22.md (commit 6bd4166, auto-sync, no session log). Then to Q23–24 T1 blocker in PLAN-AND-QUESTIONS-2026-04-23.md asking Meredith to buy a specific YubiKey 5C NFC (~$55). The §164.312(a)(2)(ii) citation is Addressable, not Required, and doesn't prescribe FIDO2. Removed.

  2. ALIS SSO marked "Optional / separate project." Gate G8 labeled optional in the old plan. In reality ALIS SSO is the endpoint of Howard's goal. Promoted to Track A Gate A3.

  3. PHS deferred indefinitely. Gate G5 was labeled deferred. Howard's confirmed intent 2026-04-24 is PHS enabled so M365 password == AD password. Reversed.

  4. SAML / Enterprise App vs OIDC / App Registration. My old writeup described ALIS SSO as "Enterprise App with SAML/OIDC." The ALIS doc (https://support.alisonline.com/hc/en-us/articles/34831696021901) specifies App Registration with OIDC implicit hybrid flow and a client secret. Not SAML, not Enterprise Application. Corrected in Gate A3.

Anti-drift commitment going forward: new architectural decisions must trace back to a session log or user message, not be drafted unilaterally during document generation. When a document auto-adds a technical spec that nobody discussed, that's drift — we flag it rather than carrying it forward.


Revision history

  • 2026-04-23 — original plan drafted by Howard (now archived)
  • 2026-04-24 — rewritten: Track A/B/C split, phased Entra Connect sync, drift log added, Monday pilot target locked in