claudetools/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md
Howard Enos 6bd416657c sync: auto-sync from HOWARD-HOME at 2026-04-22 17:39:56

Staff Entra P2 Candidates — Cascades

  • Status: List received from Meredith/John (2026-04-22) via staff-editor CSV. Ready for licensing + CA policy design. No license purchase or policy activation yet.
  • Last updated: 2026-04-22 (Howard)
  • Source of truth: reports/cascades-staff-2026-04-22.csv (70 people, 11 departments, access/outside/ALIS flagged per person)
  • Related (different population): docs/cloud/caregiver-m365-p2-rollout.md — caregiver phone rollout (overlaps with the 39 shift-staff rows in the CSV).

Why this list is separate

Two different problems both use P2 features, and conflating them makes the license math fuzzy:

  • Caregiver rollout (covered elsewhere): ~39 hourly staff, shared Android phones, goal is location-locked mobile access during shifts.
  • This list — office staff whose risk is:
    • Receives / sends PHI (new resident intake forms, doctor-supplied medical info)
    • Works from home or checks email on a personal phone, which is where we need either Conditional Access compliance enforcement or just a targeted location restriction
    • Or — should be restricted to in-building sign-in only

The Conditional Access policies will likely differ between the two groups (office staff need "work from home or from trusted device with compliance", caregivers need strict "on-prem network + managed shared phone only"), so tracking them separately keeps the policy design clean.

Criteria (from Howard → leadership email, 2026-04-16)

A staff member needs P2 if they match one or more:

  1. Signs in on a phone or tablet at Cascades (skip-MFA-in-building story)
  2. Should only sign in from the building (enforce location restriction)
  3. Handles sensitive / medical information via email (PHI — need to enforce encryption + DLP policies that P2-tier features back)

Candidates confirmed so far

From Crystal Rodriguez (2026-04-16 reply)

| Name | Role | Reason P2 is needed | Notes |
|---|---|---|---|
| Megan Hiatt | Sales Director | Handles new-resident intake forms (PHI from doctors); works from home; email on personal cell | Already a protected user for anti-impersonation |
| Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user |
| Tamra Matthews | Move-In Coordinator | Same — intake forms | Leaving in June 2026 — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |

Full list received 2026-04-22 (via staff-editor CSV)

The CSV encodes access posture per person with three columns: Access (D / P / D+P — desktop PC, phone, or both, going by the shared-PC and phone-only groups below), Outside Access (Y/N — i.e. work from home / personal device), and ALIS (Y/N — access to the resident management system).

P2-needed office staff (D+P, Outside=Y, ALIS=Y — meets criteria 2 and/or 3 above):

| Department | Name | Title |
|---|---|---|
| Administrative | Meredith Kuhn | Executive Director |
| Administrative | Ashley Jensen | Assistant Executive Director |
| Administrative | Lauren Hasselman | Business Office Director |
| Marketing / Sales | Megan Hiatt | Sales Director (PHI — resident intake) |
| Marketing / Sales | Crystal Rodriguez | Sales Associate (PHI — resident intake) |
| Marketing / Sales | Tamra Matthews | Move-In Coordinator (PHI — leaving June 2026, confirmed) |
| AL Nursing | Lois Lane | Health Services Director |
| AL Nursing | Karen Rossini | Health Services Manager |
| AL Nursing | Veronica Feller | Care, AL Aide |
| Memory Care | Shelby Trozzi | Memory Care Director |
| Memory Care | Christine Nyanzunda | MC Admin Assistant |
| Resident Services | Christina DuPras | Resident Services Director |
| Life Enrichment | Susan Hicks | Life Enrichment Director |
| Life Enrichment | Alma R Montt | (title blank in CSV — follow-up) |
| Culinary | JD Martin | Culinary Director |
| Culinary | Alyssa Brooks | Dining Manager |
| Maintenance | John Trozzi | Facilities Director |
| Maintenance | Matt Brooks | MC Receptionist / Maintenance (dual-department) |
| Housekeeping | Lupe Sanchez | Housekeeping Director (aka Guadalupe Sanchez) |

Subtotal: 19 office-staff P2 licenses.

Outside=N, ALIS=Y staff (D+P, in-building only — criterion 1 may apply if they use a personal phone on-site):

| Department | Name | Notes |
|---|---|---|
| Administrative | Allison Reibschied | Accounting Assistant |
| AL Nursing | none | |
| Life Enrichment | Sharon Edwards | LE Assistant (Outside=N but ALIS=Y) |
| Culinary | Ramon Castaneda | Kitchen Manager (Outside=N, ALIS=N — actually no P2 need unless we go building-only-restrict-everyone) |

Allison + Sharon are borderline — ALIS handling alone doesn't mandate P2, but if we go the "enforce building-only sign-in for anyone with ALIS access" route, they'd need P2 to carry the CA policy. Wait for the "restrict everyone or just some" decision before deciding.

Note on Britney Thompson: Departed as of 2026-04-22 (per John's reply). Disable existing britney.thompson AD account and harvest the Business Standard + Exchange Online Essentials license. Not in any license purchase count going forward.

Note on Polett Pinazavala: Departed as of 2026-04-22 (per John's reply). Not in AD/M365 — no disable needed, just removed from roster. Not in any license count.

Note on drivers (Richard Adams, Julian Crim, Christopher Holick): No IT access per 2026-04-22 decision (Howard). Disable the 3 existing AD accounts. Not in any license count. Stay on the working roster for employee tracking only.

Shared-PC receptionists (D only, no Outside, no ALIS): Cathy Kingston, Shontiel Nunn, Kyla Quick Tiffany, Michelle Shestko — four people on shared front-desk PCs. No individual P2 needed; their story is shared-account vs individual-account, not P2.

Courtesy Patrol (D+P, no Outside, no ALIS): Sebastian Leon, Sheldon Gardfrey, Ray Rai — in-building only, no ALIS. No P2 need.

Drivers (P only): Richard Adams, Julian Crim, Christopher Holick — phone-only access. Covered by the caregiver/mobile rollout if we treat them the same, otherwise simpler F-SKU / Exchange-Online-only licensing.

Caregivers (39 rows including 2 "Reliable Agency" placeholders): covered by docs/cloud/caregiver-m365-p2-rollout.md, not this list.
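As an added example (not part of Howard's notes or the staff-editor export): a small Python classifier that applies the Access / Outside / ALIS rules and the grouping used in this section to roster rows, with the "restrict everyone" option from the open decision as a switch. Column headers and the sample rows are assumed/constructed, not the real CSV or real staff.

```python
import csv
import io

# Constructed sample roster in the assumed column layout; not the real export.
SAMPLE_CSV = """\
Department,Name,Title,Access,Outside,ALIS
Administrative,Office Person A,Executive Director,D+P,Y,Y
Life Enrichment,Office Person B,LE Assistant,D+P,N,Y
Culinary,Office Person C,Kitchen Manager,D+P,N,N
Reception,Desk Person D,Receptionist,D,N,N
Transport,Driver E,Driver,P,N,N
Caregiving,Aide F,Caregiver,P,N,Y
"""


def classify(row, restrict_everyone=False):
    """Map one roster row to a licensing bucket.

    p2         - needs a P2 (or Business Premium) seat now
    borderline - ALIS in-building only; P2 only if the
                 "restrict everyone with ALIS" route is chosen
    shared_pc  - desktop-only, no Outside/ALIS: shared-account question, not P2
    phone_only - phone-only access: caregiver/mobile rollout or F-SKU path
    none       - no P2 need under the current criteria
    """
    access = row["Access"].replace(" ", "").upper()
    outside = row["Outside"].strip().upper() == "Y"
    alis = row["ALIS"].strip().upper() == "Y"
    has_desktop, has_phone = "D" in access, "P" in access

    if has_phone and not has_desktop:
        return "phone_only"
    if outside:                 # work-from-home / personal device: criteria 2/3
        return "p2"
    if alis:                    # in-building ALIS users hinge on the open decision
        return "p2" if restrict_everyone else "borderline"
    if restrict_everyone:       # building-only for all: every synced user needs a CA policy
        return "p2"
    return "none" if has_phone else "shared_pc"


def bucket_counts(csv_text, restrict_everyone=False):
    """Count rows per bucket; this is the license-math input for each scenario."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = classify(row, restrict_everyone)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    print("some restricted:", bucket_counts(SAMPLE_CSV))
    print("all restricted: ", bucket_counts(SAMPLE_CSV, restrict_everyone=True))
```

Run it against the real export by replacing SAMPLE_CSV with the file contents; the two dictionaries are the seat counts under each answer to the open decision.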

Decision still open (from Howard's 2026-04-16 email to leadership)

"Do you want all staff restricted to signing in only from the building, or just certain roles/users (like front desk, kitchen, clinical)?"

No answer yet. This decision directly changes the license count and the CA policy design:

  • If all staff restricted to building-only → every AD-synced user needs P2 and a matching CA policy. Larger spend.
  • If only some restricted → P2 only for those users; cheaper, but requires ongoing judgment on who gets which policy.

Intersection with other rollouts

  • Anti-impersonation protection (docs/cloud/m365-impersonation-protection.md) — same top-tier users are the protected users there. Keep the lists in sync.
  • Business Premium upgrade (docs/proposals/m365-premium-upgrade.md) — Business Premium bundles P2-equivalent CA features, so if we go Premium tenant-wide, standalone P2 purchases go away. Default recommendation: bundle everything into Business Premium, only buy standalone P2 if budget forces staying on Business Standard for some users.
  • Caregiver rollout (docs/cloud/caregiver-m365-p2-rollout.md) — ~39 additional licenses. Combined target ~61 Premium licenses for the whole org.

Rough license math (staff side only)

| Scenario | Qty | Notes |
|---|---|---|
| Office staff with Outside=Y (Office-PHI external-OK) | 18 | Includes Alma. Britney removed (departed). |
| + Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards) | 20 | Need CA coverage even in building-only posture |
| + Matt Brooks (dual-dept, ALIS=Y) | 21 | Per rollout plan §3 |
| All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = 65 | Plus Ramon Castaneda for office non-PHI = 66 total active identities |
| Agency caregivers (per-person, if/when names arrive) | +1 each | No accounts until Reliable Agency provides names — HIPAA §164.312(a)(2)(i) prohibits shared PHI-access logins |

Action items

  • Follow up with John Trozzi on the gathering — he owes us the list (received 2026-04-22 via CSV)
  • Push Meredith for the "restrict everyone or just some" decision — still unanswered as of 2026-04-22
  • Britney phone+outside flags (resolved 2026-04-22: departed)
  • Alma R Montt title (resolved 2026-04-22: Memory Care Life Enrichment, D+P/Y/Y)
  • Agency shared-login username preference (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins; per-person only)
  • Ederick Yuzon spelling — only remaining question from the 2026-04-22 follow-up email
  • Decide: standalone P2 add-on for the 19 OR move those users to Business Premium OR move whole tenant to Business Premium (default recommendation: Premium tenant-wide)
  • Build CA policy "CSC - Office Staff PHI Access" separate from the caregiver mobile policy
  • Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026 — confirmed)

Related docs

  • docs/cloud/m365.md
  • docs/cloud/m365-impersonation-protection.md
  • docs/cloud/caregiver-m365-p2-rollout.md
  • docs/proposals/m365-premium-upgrade.md
  • docs/security/hipaa.md