claudetools/clients/cascades-tucson/docs/proposals/m365-premium-upgrade.md
Howard Enos d2e375df8a sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-18 10:17:42

Proposal: Microsoft 365 Business Premium Upgrade

Cascades Tucson — Shared Phone Deployment & Security Upgrade

Prepared by: Howard Enos, MSP
Date: April 14, 2026

Revision needed (flagged 2026-04-18): this proposal sizes Premium at 23 users, but the caregiver roster (docs/cloud/caregiver-m365-p2-rollout.md) lists 39 caregivers / MedTechs / CCGs with no current M365 identity who actually USE the 25 shared phones. Without their accounts + Conditional Access, the phones don't deliver per-person HIPAA auditability. Updated target is closer to **61 Premium licenses ($1,342/mo)**, not 23 (~$506/mo). The "saves $56.50/mo" narrative below is true of the staff-only cleanup but must be re-framed as "licensing the people who will use the phones is new spend driven by HIPAA compliance, not a cost-saving move." Leave this document as the starting point; re-present to Meredith with the updated math before purchasing.


The Problem

Cascades is deploying 25 shared phones so employees can access ALIS (medical records) and email without relying on shared computers. This improves HIPAA compliance by giving each employee their own login.

However, the current Microsoft 365 plan creates several challenges:

  1. Every time an employee picks up a phone, they must manually log into ALIS, Outlook, and other apps — each with separate MFA prompts
  2. No way to automatically clear data when one employee hands a phone to another — risk of PHI exposure
  3. No way to skip MFA on trusted devices — employees get frustrated, find workarounds, or share logins (HIPAA violation)
  4. No centralized phone management — no remote wipe, no app enforcement, no compliance monitoring

The Solution: Microsoft 365 Business Premium

Upgrading from Business Standard to Business Premium unlocks:

1. Shared Phone Mode (Microsoft Intune)

  • Employee picks up any phone and taps Sign In
  • Enters their username and password (same as their PC login)
  • ALIS, Outlook, and Edge sign in automatically from that one login; no separate logins needed
  • When done, the employee taps Sign Out: every app built for Shared Device Mode signs out and clears its local data. The phone itself is not factory-wiped, which is why the next sign-in is fast.
  • Next employee gets a clean phone. A user switch takes ~30 seconds.
  • Caveat: only apps built for Shared Device Mode take part in that global sign-out (Microsoft's own apps do). Confirm with ALIS that their app does before relying on it to clear PHI between users.

2. Skip MFA on Company Devices (Conditional Access)

  • Phones that are Intune-enrolled, compliant, and on the Cascades network are treated as trusted; both the device check and the network check apply
  • No MFA prompts for employees using company phones at work
  • MFA still required if someone signs in from an unmanaged device or from outside the office, including a personal phone on the office Wi-Fi
  • ALIS uses Microsoft Entra as its identity provider — one sign-in covers everything
  • Conditional Access needs Entra ID P1, which Business Premium includes and Business Standard does not
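The two policies below implement exactly the behaviour described above: inside the office a compliant (Intune-managed) device satisfies the sign-in without MFA, an unmanaged device on the same network still gets MFA, and everywhere else MFA is always required. This is an added example for this proposal, not configuration taken from the Cascades tenant; it assumes the Microsoft Graph PowerShell SDK is installed, that 203.0.113.0/24 stands in for the office's real public egress range, and that a group named "Break Glass Accounts" holds the emergency-access accounts (an assumed name).

```powershell
# Added example, not from the original proposal. Assumptions: Microsoft.Graph SDK installed,
# 203.0.113.0/24 is a placeholder for the office public IP range, and the group
# "Break Glass Accounts" is an assumed name for the emergency-access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# 1. Mark the office's public egress range as a trusted named location.
#    Use the IP the office appears as on the internet, not the internal LAN range.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Cascades Tucson office"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" })
}

# Emergency-access accounts are excluded from every policy so a misconfiguration can't lock admins out.
$breakGlass = (Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'").Id

# 2. Inside the office: the grant is satisfied by EITHER a compliant device OR MFA.
#    A managed phone passes on compliance and sees no prompt; an unmanaged device on the
#    same Wi-Fi is still prompted. Location by itself never unlocks anything.
$inside = @{
    displayName   = "CA01 - Office: compliant device or MFA"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa", "compliantDevice") }
}

# 3. Everywhere outside trusted locations: MFA is required regardless of device.
$outside = @{
    displayName   = "CA02 - Outside office: require MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $inside
New-MgIdentityConditionalAccessPolicy -BodyParameter $outside
```

Both policies are created in report-only mode. Leave them there for a few days, check the Conditional Access insights in the Entra portal to confirm the shared phones are evaluated as compliant and that nobody else would be locked out, then switch `state` to `enabled`. If the office has more than one egress IP, add each as a separate `cidrAddress` entry; a missed range silently turns the office into an "outside" location and every phone starts prompting for MFA.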

3. Full HIPAA Audit Trail

  • Every sign-in logged: who, which device, when, where
  • Compliance dashboard shows which devices meet security requirements
  • Automatic alerts for non-compliant devices
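The audit trail above is the Entra sign-in log. The script below is an added example (not part of the proposal) that pulls a week of sign-ins, exports the who / which device / when / where columns as a CSV for the compliance file, and lists successful sign-ins that did not come from an Intune-compliant device, which is the review queue a HIPAA audit would ask for. It assumes the Microsoft Graph PowerShell SDK and that `C:\Audit` exists (placeholder path).

```powershell
# Added example, not from the original proposal. Assumptions: Microsoft.Graph SDK installed,
# account has AuditLog.Read.All, and C:\Audit is a placeholder export folder.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Entra sign-in logs are queried with an OData filter on createdDateTime (UTC, ISO 8601).
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Flatten each sign-in into the evidence columns: who, which device, when, where, and
# whether Conditional Access and device compliance were satisfied.
$rows = foreach ($s in $signIns) {
    [pscustomobject]@{
        When      = $s.CreatedDateTime
        Who       = $s.UserPrincipalName
        App       = $s.AppDisplayName
        Device    = $s.DeviceDetail.DisplayName
        OS        = $s.DeviceDetail.OperatingSystem
        Compliant = $s.DeviceDetail.IsCompliant
        Managed   = $s.DeviceDetail.IsManaged
        Where     = "$($s.Location.City), $($s.Location.State)"
        IP        = $s.IPAddress
        CAResult  = $s.ConditionalAccessStatus          # success, failure, or notApplied
        Result    = $(if ($s.Status.ErrorCode -eq 0) { "success" } else { "failure ($($s.Status.ErrorCode))" })
    }
}

# The CSV is the artifact to keep: Entra only retains sign-in logs for 30 days on the
# Entra ID P1 license included with Business Premium.
$rows | Export-Csv -Path "C:\Audit\entra-signins-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Review queue: successful sign-ins from devices that were NOT compliant at the time.
# On a correctly configured tenant these should be PCs or break-glass use, never the shared phones.
$rows | Where-Object { $_.Result -eq "success" -and -not $_.Compliant } |
    Sort-Object When -Descending |
    Format-Table When, Who, App, Device, Where, CAResult -AutoSize
```

Schedule the export (a weekly task is enough) so the trail outlives the 30-day portal retention; a longer-term option is streaming the sign-in logs to a Log Analytics workspace with diagnostic settings, which the script does not set up. Note that Entra records which application was signed into, not which resident's record was opened; that level of detail lives in ALIS's own audit log.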

4. Additional Security (included at no extra cost)

| Feature | What it does |
|---|---|
| Microsoft Defender for Business | Endpoint threat protection on all PCs and phones |
| Data Loss Prevention (DLP) | Prevents PHI from being emailed or shared outside the organization |
| Remote Wipe | Instantly wipe a lost or stolen phone from the admin portal |
| App Management | Push required apps, block unauthorized apps, force updates |
| Conditional Access | Location and device-based security policies |
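The DLP row above is a policy the MSP has to define, not a switch that is on by default. The script below is an added example (not configuration from the Cascades tenant) of an Exchange Online DLP policy that blocks email to external recipients when it contains identifiers that commonly appear in PHI, using Microsoft's built-in sensitive information types. It starts in test mode so staff see notifications while nothing is actually blocked. It assumes the ExchangeOnlineManagement module is installed and that `privacy@cascades.example` is a placeholder mailbox for incident reports.

```powershell
# Added example, not from the original proposal. Assumptions: ExchangeOnlineManagement
# module installed, Compliance admin rights, and privacy@cascades.example is a placeholder.
Connect-IPPSSession

# Policy scope: all Exchange Online mailboxes. TestWithNotifications shows users the
# policy tip and logs matches but does not block, so false positives surface before enforcement.
New-DlpCompliancePolicy -Name "PHI outbound email" `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Block PHI leaving the organization by email; move -Mode to Enable after reviewing reports"

# Rule: if a message going to someone outside the organization contains an SSN or a DEA
# number, block it, tell the sender why, and send an incident report to the privacy mailbox.
New-DlpComplianceRule -Name "Block PHI to external recipients" `
    -Policy "PHI outbound email" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)";    minCount = "1" },
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -GenerateIncidentReport "privacy@cascades.example" `
    -ReportSeverityLevel High
```

After a week or two of reviewing the incident reports, enforce with `Set-DlpCompliancePolicy -Identity "PHI outbound email" -Mode Enable`. Two limits worth stating in the proposal: the built-in types catch identifiers such as SSNs and DEA numbers, not free-text clinical notes, and the rule covers mail and files inside Microsoft 365 only; data handled inside the ALIS app is outside its reach.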

What Changes for Employees

| Today | After Upgrade |
|---|---|
| Pick up phone, manually log into each app | Pick up phone, sign in once; everything works |
| MFA prompt every time (SMS code from personal phone) | No MFA on company phones at work |
| Previous user's data may still be on the phone | Auto-wipe on sign out; clean phone every time |
| Log into ALIS separately with username + password + MFA | ALIS auto-signs in via SSO; no extra steps |
| 2-5 minutes to get working on a phone | ~30 seconds |

Cost Breakdown

Current Monthly Cost

| Item | Users | Rate | Monthly |
|---|---|---|---|
| M365 Business Standard | 34 | $12.50 | $425.00 |
| Total | | | $425.00 |

Proposed Monthly Cost

| Item | Users | Rate | Monthly |
|---|---|---|---|
| M365 Business Premium | 23 | $22.00 | $506.00 |
| Unlicensed users (shared mailbox only) | 10 | $0.00 | $0.00 |
| Total | | | $506.00 |

Savings from Cleanup (already planned)

| Item | Monthly Savings |
|---|---|
| Convert 11 role-based accounts to free shared mailboxes (accounting@, frontdesk@, hr@, security@, transportation@, etc.) | -$137.50 |

Net Impact

| | Monthly |
|---|---|
| New cost | $506.00 |
| Current cost | $425.00 |
| Difference | +$81.00 |
| Shared mailbox savings | -$137.50 |
| Net change | -$56.50 (savings) |

The upgrade actually saves $56.50/month after the shared mailbox cleanup.


What's Included vs. What's Replaced

| Current (separate cost) | Premium (included) |
|---|---|
| ManageEngine MDM (phone management) | Microsoft Intune (replaces ManageEngine) |
| No email security | Microsoft Defender for Office 365 Plan 1 (Safe Links, Safe Attachments, anti-phishing) |
| No endpoint threat protection | Microsoft Defender for Business |
| No data loss prevention | DLP policies |
| No conditional access | Conditional Access |
| Manual MFA every login | Smart MFA (skip on trusted devices) |
| No device compliance | Compliance dashboard + auto-remediation |

Implementation Timeline

| Phase | Task | Timeframe |
|---|---|---|
| 1 | Upgrade licenses in M365 admin center | 1 day |
| 2 | Convert role-based accounts to shared mailboxes | 1 day |
| 3 | Install Entra Connect on the server to sync AD accounts and passwords (same login on phones as on PCs) | 1 day |
| 4 | Configure Conditional Access policies (start in report-only mode, enforce after review) | 1 day |
| 5 | Set up Intune + Shared Device Mode | 1-2 days |
| 6 | Enroll 2 test phones | 1 day |
| 7 | Roll out remaining 23 phones | 2-3 days |
| 8 | Enroll 9 kitchen iPads | 1 day |
| | Total | ~2 weeks |

HIPAA Compliance Improvements

| HIPAA Requirement | Current State | After Upgrade |
|---|---|---|
| §164.312(a)(2)(i) — Unique User ID | Shared accounts on PCs, no phone identity | Every employee signs in with their own account on every device |
| §164.312(d) — Person Authentication | Basic MFA, employees share logins to avoid it | SSO + Conditional Access: easy to use, hard to bypass |
| §164.312(b) — Audit Controls | Minimal logging | Full sign-in logs: who, when, which device, which application was signed into (record-level access inside ALIS is not visible to Entra and must be audited in ALIS) |
| §164.310(d)(1) — Device and Media Controls | No phone management | Remote wipe, encryption enforcement, compliance monitoring |
| §164.312(e)(1) — Transmission Security | No DLP | DLP prevents PHI from leaving the organization via email |
| §164.312(a)(2)(iv) — Encryption | Not enforced on phones | Intune enforces device encryption on all managed phones |

Recommendation

Upgrade to Microsoft 365 Business Premium. It solves the shared phone problem, simplifies employee experience, strengthens HIPAA compliance, and actually saves money after the planned shared mailbox cleanup.

The alternative — keeping Business Standard with a separate MDM product — costs more in admin time, provides a worse employee experience, and leaves security gaps that Business Premium closes out of the box.


Prepared by Howard Enos — MSP IT Services