azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d6fc1cf5be681c5bc66e3c05446a6c9e0682d38a
claudetools/clients/cascades-tucson/session-logs/2026-05-14-howard-cascades-phone-verification-closeout.md
Howard Enos d6fc1cf5be session: Cascades phone verification & closeout — Entra Connect staging exited, CA policies re-pointed to AD-synced SG-Caregivers 
- Full tenant verification sweep: all Intune/Entra objects match session logs
- Entra Connect staging mode exited; 17 AD groups synced to cloud
- CA policies (Block-off-network, Sign-in-frequency-8h, Block-non-compliant) patched from SG-Caregivers-Pilot to AD-synced SG-Caregivers
- Registration Campaign exclusion updated to SG-Caregivers
- Deleted test accounts: howard.enos (AD) and pilot.test (M365)
- Documented Christine Nyanzunda collision risk, Ederick Yuzon open item, standing security-group rule
- Session log written

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 17:45:30 -07:00

234 lines
11 KiB
Markdown
Raw Blame History

# Cascades of Tucson — Phone Project Verification & Closeout
**Date:** 2026-05-14 (continued into 2026-05-15 UTC)
**Syncro ticket:** #32214 (Entra setup — In Progress)
## User
- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME
- **Role:** tech
## Goal
Full verification of the Cascades caregiver shared-phone project against session logs, then
close out the remaining open items so the project is ready for real caregiver rollout.
ALIS SSO and ~19 phones had been proven working (2026-05-08/11 logs). This session confirms
the backend architecture is solid before adding real caregivers.
---
## Phase 1 — Live Verification Sweep
Read-only audit of Intune/Entra against the session logs. All checks performed via
ComputerGuru Security Investigator SP (`bfbc12a4`) and Tenant Admin SP (`709e6eed`),
tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`.
| Item | Expected | Actual | Result |
|---|---|---|---|
| Intune enrolled devices | ~19 CSC-* | 22 managed + 3 ghost | DRIFTED (3 ghost) |
| Enrollment profile `9a0fcc6d` | token type=EntraSDM, valid | Confirmed | MATCHES |
| Device restrictions `070a76c2` | v15, 9 kioskModeApps | Confirmed | MATCHES |
| Compliance policy `27eeaeda` | assigned, compliant | Confirmed | MATCHES |
| Dynamic group `ea96f4b7` (Shared Phones) | rule + members | 22 members | MATCHES |
| App: Alis `8c0ae9bf` | required+published | Confirmed | MATCHES |
| App: HelpAny `cbb9404b` | required+published | Confirmed | MATCHES |
| App: LinkRx `c70f62bc` | required+published | Confirmed | MATCHES |
| CA Block-off-network `e35614e1` | enabled | enabled | MATCHES |
| CA Sign-in-frequency `7d491c7a` | enabled | enabled | MATCHES |
| CA Block-non-compliant `ede985e2` | enabled | enabled | MATCHES |
| CA Named Location `061c6b06` | trusted | Confirmed | MATCHES |
| Registration Campaign | excludes caregiver group | excludes SG-Caregivers-Pilot | MATCHES (pilot group) |
| ALIS app registration `d5108493` | secret exp 2028-05-06 | Confirmed | MATCHES |
| Entra Connect staging mode | staging (expected) | staging (onPremisesLastSyncDateTime=null) | MATCHES |
**Gap found:** All 3 CA policies and Registration Campaign exclusion targeted **SG-Caregivers-Pilot**
(cloud-only, 1 member: pilot.test). Real caregivers from AD would never get the CA policies
applied to them. Entra Connect was still in staging — the AD-backed SG-Caregivers group
had never reached the cloud.
---
## Phase 2 — LinkRx and HelpAny Auth
Both apps investigated:
- **HelpAny:** credential-only login (username + password). No SSO capability offered.
Howard confirmed independently: "helpany just uses username and passwords."
- **LinkRx:** Howard deferred: "skip the linkrx, i think its going to work the same way
helpany does." Credential-only assumed; revisit if vendor provides SSO option later.
Result: no SSO setup required for either app. Managed Play web link tiles are sufficient.
Caregivers will use credential login on phones.
---
## Phase 3 — Closeout
### 3A — Ghost Intune device records
3 ghost device records identified (no corresponding managed device, stale):
- Attempted API DELETE via tenant-admin SP → 403 (DeviceManagementManagedDevices.ReadWrite.All
not in manifest)
- **Status:** pending portal delete or SP scope expansion.
- Action: delete manually in Intune portal > Devices > All devices, filter by stale/ghost.
### 3B — Deleted test accounts
Removed two test accounts that should not persist:
- **howard.enos (AD)** — test caregiver account in OU=Caregivers; disabled then deleted via
GuruRMM PowerShell on CS-SERVER. Confirmed removed from AD.
- **pilot.test (M365 cloud-only)** — deleted via Graph DELETE. Confirmed in deletedItems
with expected timestamp; no longer resolvable at primary endpoint.
### 3C — samsungSM-F731U identification
Identified owner of the incorrectly-Workplace-Joined Z Flip 5 via Entra sign-in logs:
**John Trozzi**. Device was deleted from Entra. John needs a one-tap re-Workplace-Join
on his personal device (Settings > Accounts > Access work or school > Connect).
### 3D — Entra Connect exit staging + group model (PATH A)
**The problem:** AD has `SG-Caregivers` (a real security group, members: none). The cloud
also had a cloud-only `SG-Caregivers-Pilot` (1 member: pilot.test). All CA policies and the
Registration Campaign exclusion pointed at the pilot group. Entra Connect was still in
staging — SG-Caregivers had never synced to the cloud.
**Decision — Path A:** add `OU=Groups` to Entra Connect sync scope, exit staging, re-point
all policies to the synced AD-backed `SG-Caregivers` group. This gives us the correct
long-term architecture: AD group membership drives CA policy coverage.
Path A also verified safe for existing 56 cloud users:
- Office staff are in departmental OUs (`OU=Care-Assisted Living`, `OU=Care-Memorycare`, etc.)
which are NOT in the Entra Connect sync scope — they will not be synced or duplicated.
- PHS enabled at install (2026-04-24) is inert while no users are in scope; safe.
- The 17 groups in `OU=Groups` are net-new objects — no soft-match collision risk.
**Execution:**
**Stage 1-2 (Howard, Entra Connect UI):**
- Added `OU=Groups,DC=cascades,DC=local` to the OU filtering page.
- Confirmed `OU=Caregivers` already in scope.
- All other departmental OUs correctly unchecked.
**Stage 3 (Howard, Ready to Configure page):**
- Noted Password Hash Sync checkbox (correct — was configured at install 2026-04-24).
- Unchecked "Start the synchronization process" so I could run it after staging exit.
- Clicked Configure.
**Stage 4 (Howard, exit staging):**
- Wizard step: "Configure staging mode" → unchecked "Enable staging mode."
- Left "start synchronization" checked.
- Clicked Configure. Wizard showed "staging mode disabled." Howard clicked exit.
- Sync ran automatically (wizard-triggered).
**Post-exit verification (GuruRMM + Graph):**
```
StagingModeEnabled: false [OK]
SyncCycleEnabled: true [OK]
LastSync (Entra): 2026-05-15T00:10:38Z [OK]
Groups exported: 17 [OK]
- AuditUploaders
- SG-CA-BreakGlass
- SG-Caregivers <-- target group, now cloud-synced
- SG-Chat-RW, SG-CourtesyPatrol, SG-Culinary-RW, SG-Directory-RW, SG-Drivers,
SG-External-Signin-Allowed, SG-FrontDesk, SG-IT-RW, SG-Management-RW,
SG-Office-PHI-External, SG-Office-PHI-Internal, SG-Receptionist-RW,
SG-Sales-RW, SG-Server-RW
SG-Caregivers cloud ID: 8b8d9222-5d71-419a-936d-56d895c6c332 [OK]
onPremisesSyncEnabled: true [OK]
```
**Stage 5 — CA policy re-pointing (Graph PATCH via tenant-admin SP):**
All 3 policies patched from SG-Caregivers-Pilot (`0674f0bc`) to SG-Caregivers (`8b8d9222`):
```
CA Block-off-network (e35614e1) -> SG-Caregivers [HTTP 204]
CA Sign-in-frequency (7d491c7a) -> SG-Caregivers [HTTP 204]
CA Block-non-compliant (ede985e2) -> SG-Caregivers [HTTP 204]
Registration Campaign excludeTargets -> SG-Caregivers [HTTP 204]
```
**Stage 6 — Final verification:**
```
CA Block-off-network includeGroups: [8b8d9222] [OK]
CA Sign-in-frequency includeGroups: [8b8d9222] [OK]
CA Block-non-compliant includeGroups: [8b8d9222] [OK]
Registration Campaign excludeTargets: [{id:8b8d9222}] [OK]
SG-Caregivers members: empty [OK — correct, no real caregivers created yet]
```
### 3E — Standing rule: security group on user creation
Howard explicitly declined an `OU=Caregivers → SG-Caregivers` auto-mirror script. Rule
established: when any Cascades user is created, the security group(s) they join must be
asked and decided explicitly at creation time. OU placement = mechanical sync scope;
security group = deliberate access-control decision. Two separate steps per user.
Documented in:
- `clients/cascades-tucson/CONTEXT.md` — "User onboarding — security group is a deliberate decision"
- `clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md` — AD placement section + open items
- `.claude/memory/feedback_cascades_user_security_group.md` — persistent memory
### 3F — Christine Nyanzunda collision risk documented
Christine has both a cloud-only M365 account AND an AD account (in a departmental OU, not
in OU=Caregivers). When caregiver AD accounts are created in OU=Caregivers, do NOT create
a `christine.nyanzunda` object there — duplicate in the synced OU would soft-match/collide
with her existing cloud account. Handled in Phase 2 of office-staff migration, not the
caregiver phone rollout.
Documented in `docs/cloud/caregiver-m365-p2-rollout.md`.
---
## What's Architecturally Complete
The caregiver phone infrastructure is now correctly wired end-to-end:
1. **Identity sync path:** AD `OU=Caregivers` → Entra Connect (live, not staging) → cloud
2. **Group model:** AD `SG-Caregivers` is the source of truth; cloud group is synced
3. **CA policies:** all 3 enforce against the synced AD-backed group
4. **Registration Campaign:** excludes synced SG-Caregivers (no Authenticator nudge for caregivers)
5. **Enrollment:** 22 phones enrolled in SDM, all compliant
6. **ALIS SSO:** proven end-to-end with pilot.test
---
## Remaining Open Items (pre-rollout blockers)
| Item | Owner | Notes |
|---|---|---|
| Create real caregiver AD accounts | Howard + Meredith | In `OU=Caregivers`; ask security group(s) at creation |
| Add each caregiver to SG-Caregivers (deliberate) | Howard | Separate from OU placement |
| ALIS staff-record Email = Entra UPN per caregiver | Meredith / ALIS admin | Required for ALIS SSO |
| SSPR scope = SG-SSPR-Eligible (not All) | Howard (portal) | Verify in Entra > Password reset > Properties |
| Delete 3 ghost Intune device records | Howard (portal) | Intune > Devices > All devices |
| John Trozzi one-tap re-Workplace-Join | Howard / John | Settings > Accounts > Access work or school |
| Microsoft BAA + ALIS (Medtelligent) BAA | Meredith | HIPAA compliance carryover |
| Reliable Agency per-person accounts | Howard (when names provided) | No shared logins per HIPAA |
| Ederick Yuzon first-name spelling | Meredith (email) | Still outstanding |
| Stale vault entries cleanup | Howard | `howard-enos-pilot.sops.yaml`, `pilot-test-user.sops.yaml` |
## Deferred
| Item | Notes |
|---|---|
| Knox OEMConfig (MHS half-screen) | Separate follow-up |
| MHS welcome-screen branding | Post-rollout |
| Portrait wallpaper upload | Post-rollout |
| Disable devices@cascadestucson.com | Post-rollout |
| SG-MedTech / SG-CCG groups | Create when ALIS licensing tiers confirmed |
| LinkRx SSO | Revisit only if vendor offers SSO capability |
## Related Docs
- `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver roster, AD placement, licensing
- `docs/migration/phone-sso-pilot-runbook-2026-04-24.md` — original runbook
- `docs/security/hipaa-caregiver-controls.md` — no-MFA compensating controls
- `CONTEXT.md` — user-onboarding security-group rule
- `session-logs/2026-05-08-howard-cascades-sdm-token-success-and-alis-sso.md` — SDM + ALIS SSO
- `session-logs/2026-05-11-howard-cascades-mhs-web-link-tiles-fix.md` — MHS tiles + kiosk fix
Reference in New Issue View Git Blame Copy Permalink