claudetools/.claude/memory/project_cascades_ca_phased_rollout.md
Howard Enos 18e5a467d2 Session log: Cascades CA bypass phased rollout + pilot user + phone re-enroll
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into
2026-04-30 early morning continuation.

Major work:
- Adopted phased per-group CA rollout (corrects original tenant-wide §5
  design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades
  CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group
  and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com,
  SG-Caregivers-Pilot group, Business Premium license, vault entry
  pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group,
  CREATE 3 new Report-only policies (block off-network, block
  non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set,
  awaiting MHS to take over launcher and SDM sign-in prompt

6 new project/feedback memories. Resume point at top of new session log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 10:57:28 -07:00


---
name: Cascades CA bypass — phased per-group rollout, NOT tenant-wide
description: Caregiver bypass CA policies are scoped to SG-Caregivers-Pilot only at start, then expanded one department at a time. Legacy all-users-MFA stays in place; we PATCH excludeGroups, never delete it during rollout.
type: project
---

The Cascades caregiver bypass CA work is a phased rollout, not a tenant-wide policy swap. This corrects the original §5 design in clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md and the resume-point in 2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md, which both implied a tenant-wide cutover.

What this means concretely:

  • New CA policies target SG-Caregivers-Pilot only (then SG-Caregivers after Entra Connect exits staging). They do NOT use includeUsers: All.
  • The legacy Require multifactor authentication for all users policy stays in place. We PATCH its excludeGroups to add the pilot group, so existing office-staff behavior is unchanged.
  • Expansion to additional populations (front desk, clinical, admin staff) happens one group at a time post-pilot — each with its own scoped policy set, each by editing excludeGroups on the legacy policy and adding includeGroups to the relevant new policies.
  • The legacy all-users-MFA policy is ONLY deleted at the very end, when every population is governed by a phased policy.

Why: Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, #3 in the original design hit all users, which would have blocked any office user signing in off-site who wasn't in SG-External-Signin-Allowed. The btw replay he pasted contained the correct rescoping: "Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later." The phased approach preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics.

How to apply: When building or modifying Cascades CA policies, default to group-scoped (includeGroups), never includeUsers: All. When expanding to a new department, the steps are: (1) create the department's group, (2) PATCH legacy all-users-MFA to add it to excludeGroups, (3) add it to includeGroups on the relevant new policies. Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.

Caregiver set (the only set in scope today):

  • PATCH Require multifactor authentication for all users: add SG-Caregivers-Pilot to excludeGroups.
  • CREATE CSC - Block caregivers off Cascades network (includeGroups: pilot, locations: not Cascades, grant: BLOCK).
  • CREATE CSC - Block caregivers on non-compliant device (includeGroups: pilot, device filter isCompliant -eq False, grant: BLOCK).
  • CREATE CSC - Caregiver sign-in frequency 8h (includeGroups: pilot, session control: 8h re-auth).

Note: for caregivers we use Block directly on non-compliant + off-network, not "Require MFA" — caregivers can't satisfy MFA (no personal device), so block is the cleaner UX. For non-caregiver populations later, MFA grants will likely be appropriate since office staff have MFA capability.
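As an added example (not code from the Cascades repo), the caregiver set above expressed as Microsoft Graph conditionalAccessPolicy request bodies, plus the excludeGroups PATCH body for the legacy all-users-MFA policy and a check that flags the tenant-wide regression this memory warns about. Group, named-location and admin object IDs are placeholders.

```python
"""Caregiver CA policy set as Graph conditionalAccessPolicy bodies.
All object IDs below are constructed placeholders, not real tenant values."""
import copy

PILOT_GROUP = "<object id of SG-Caregivers-Pilot>"          # placeholder
CASCADES_LOC = "<object id of the Cascades named location>"  # placeholder
ADMIN_IDS = ["<object id of admin@>", "<object id of sysadmin@>"]  # placeholders

def is_group_scoped(policy: dict) -> bool:
    """False if a policy targets includeUsers: All or has no includeGroups."""
    users = policy["conditions"]["users"]
    return "All" not in users.get("includeUsers", []) and bool(users.get("includeGroups"))

def _base(name: str, group_id: str) -> dict:
    # Report-only, all cloud apps, one target group, both break-glass admins excluded.
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": [group_id], "excludeUsers": list(ADMIN_IDS)},
        },
    }

def build_caregiver_policies(group_id: str = PILOT_GROUP) -> list:
    """The three CREATE bodies (POST /identity/conditionalAccess/policies)."""
    off_net = _base("CSC - Block caregivers off Cascades network", group_id)
    off_net["conditions"]["locations"] = {"includeLocations": ["All"], "excludeLocations": [CASCADES_LOC]}
    off_net["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}

    noncompliant = _base("CSC - Block caregivers on non-compliant device", group_id)
    noncompliant["conditions"]["devices"] = {"deviceFilter": {"mode": "include", "rule": "device.isCompliant -eq False"}}
    noncompliant["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}

    sif = _base("CSC - Caregiver sign-in frequency 8h", group_id)
    sif["sessionControls"] = {"signInFrequency": {"value": 8, "type": "hours", "isEnabled": True}}

    policies = [off_net, noncompliant, sif]
    for p in policies:
        if not is_group_scoped(p):
            raise ValueError(f"{p['displayName']!r} is not group-scoped; refusing tenant-wide scope")
    return policies

def patch_exclude_groups(legacy_policy: dict, group_id: str) -> dict:
    """PATCH body for the legacy policy: append to excludeGroups only.
    The whole users object is sent back so includeUsers: All is preserved."""
    users = copy.deepcopy(legacy_policy["conditions"]["users"])
    exclude = users.setdefault("excludeGroups", [])
    if group_id not in exclude:
        exclude.append(group_id)
    return {"conditions": {"users": users}}
```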