claudetools/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md
Howard Enos e0a120b74e sync: auto-sync from HOWARD-HOME at 2026-04-22 15:36:21

User Account Rollout Plan — Cascades of Tucson

Status: Planning — no account creation or license assignment yet.
Created: 2026-04-22 (Howard)
Inputs:

  • reports/cascades-staff-2026-04-22.csv — returned staff-editor questionnaire, 70 rows (source of truth for who should exist and what access posture)
  • docs/servers/active-directory.md — current AD state (42 accounts, 40 enabled)
  • docs/cloud/caregiver-m365-p2-rollout.md — caregiver identity/phone plan (39 caregivers)
  • docs/cloud/p2-staff-candidates.md — P2 license sizing for the office-staff side
  • docs/cloud/m365.md — current M365 tenant state

1. Scope

Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, licensed and policy-covered according to the Access / Outside Access / ALIS posture columns they returned. This plan covers the identity layer only — device/MDM work is already tracked in caregiver-m365-p2-rollout.md and the Intune rollout, and folder redirection continues under the existing GPO workstream.

Explicitly out of scope here:

  • Device enrollment (Intune flow already designed)
  • Folder redirection GPO edits (separate workstream, already validated on DLTAGOI)
  • M365 tenant licensing purchase decision (decision gated — see §10)

2. Personas (derived from CSV access matrix)

| Persona | Access | Outside | ALIS | Count | Examples |
|---|---|---|---|---|---|
| Office-PHI (external-OK) | D+P | Y | Y | 19 | Meredith, Megan, Lois, Susan, JD, John Trozzi, Lupe |
| Office-PHI (in-building) | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards |
| Office non-PHI (in-building) | D+P | N | N | 1 | Ramon Castaneda |
| Courtesy Patrol | D+P | N | N | 3 | Sebastian Leon, Sheldon Gardfrey, Ray Rai |
| Shared-PC Reception | D | N | N | 4 | Cathy, Shontiel, Kyla, Michelle |
| Driver (phone-only) | P | N | N | 3 | Richard Adams, Julian Crim, Christopher Holick |
| Caregiver (shared-phone) | D+P | N | Y | 37 | See caregiver-m365-p2-rollout.md |
| Agency placeholder | D+P | N | Y | 2 | "Reliable Agency 1/2" |

(Totals: 71 including agency placeholders. Office: 29, Reception: 4, Drivers: 3, Caregivers: 37 + 2 agency = 39. One person — Christine Nyanzunda — sits in two personas: MC Admin + part-time MedTech, one account, caregiver-tier controls apply when on shift.)

3. License mapping per persona

Guiding principles:

  1. Default to Business Premium tenant-wide (already the recommendation in p2-staff-candidates.md — bundles Intune + P2 + Defender + DLP).
  2. Use F3 only for phone-only users (drivers) where Premium is overkill and F3 covers Exchange/Teams needs.
  3. Reception shared PCs get shared mailboxes for Frontdesk@, but each named receptionist gets her own licensed account so audits attribute individual actions.

| Persona | License | Notes |
|---|---|---|
| Office-PHI (external-OK) | Business Premium | CA: compliant device OR trusted location |
| Office-PHI (in-building) | Business Premium | CA: trusted location only |
| Office non-PHI (in-building) | Business Standard (or Premium if tenant-wide) | CA: trusted location only if we go that route |
| Courtesy Patrol | Business Standard | Could be F3 if they don't need full desktop Office; confirm with Meredith |
| Shared-PC Reception | Business Standard | Frontdesk@ stays as shared mailbox, named accounts read it |
| Driver (phone-only) | F3 | Phone-tier, no desktop install, Transportation@ shared mailbox |
| Caregiver | Business Premium | Per caregiver-m365-p2-rollout.md — P2 is load-bearing for shared-phone CA |
| Agency placeholder | Do not license | Create AD-only accounts if they need ALIS web login; otherwise omit |

Expected license count at full rollout:

  • Business Premium: 19 (office PHI ext) + 2 (office PHI int) + 37 caregivers = 58
  • Business Standard: 1 + 3 courtesy + 4 reception = 8
  • F3: 3 drivers = 3

Totals bracket the p2-staff-candidates.md estimate of ~61 Premium.

Post-2026-04-22 update: With the building-only-by-default CA decision confirmed, every licensed user needs Entra P1 coverage (either via Business Premium, or Business Standard + standalone Entra P1, or F3 + standalone Entra P1). Without P1, CA policies don't apply and the user sidesteps the default-deny. This effectively collapses the mixed-SKU table above into a recommendation for Business Premium tenant-wide — the Business Standard and F3 rows stay in the table only as a reference for what we'd buy if budget forces unbundling. Proceed with Premium-tenant-wide unless Meredith pushes back.

4. AD OU + group layout (proposed)

Current cascades.local OU layout is loose (see docs/servers/active-directory.md). Proposed structure to align with the persona matrix and folder-redirection GPOs already in place:

```text
OU=Cascades Users
├── OU=Administrative
├── OU=Marketing                (new name for existing Marketing dept)
├── OU=Care-AssistedLiving
├── OU=Care-MemoryCare
├── OU=ResidentServices
│   ├── OU=FrontDesk            (reception shared-PC users)
│   └── OU=CourtesyPatrol
├── OU=LifeEnrichment
├── OU=Culinary
├── OU=Maintenance
├── OU=Housekeeping
├── OU=Transportation           (drivers)
└── OU=Caregivers               (all 37 shift staff)
```

Security groups (AD-synced, Entra-usable):

  • SG-Office-PHI-External — 19 people, drives CA policy + Premium license group
  • SG-Office-PHI-Internal — 2 people (Allison, Sharon)
  • SG-CourtesyPatrol — 3
  • SG-FrontDesk — 4
  • SG-Drivers — 3
  • SG-Caregivers — 37 (already exists or needs creating — check against current Cascades - Shared Phones Entra group, which may already cover this)

CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirection, local policy) only.

5. Conditional Access policy set

Decision 2026-04-22 (Howard → Meredith/John): Default-deny external sign-in for all licensed users. Maintain a small allow-list group for users who legitimately work off-site.

This collapses the earlier per-persona policy matrix into two primary CA policies plus the existing caregiver shared-phone policy:

| Policy | Targets | Grant |
|---|---|---|
| CSC - Building Only (Default) | All licensed users except SG-External-Signin-Allowed and SG-Caregivers | Block sign-in unless from the "Cascades Building" named location + MFA |
| CSC - External Sign-in Allowed | SG-External-Signin-Allowed | Require compliant Intune-enrolled device + MFA for external sign-in; trusted-location sign-in waives the compliance grant |
| CSC - Caregivers Shared Phone | SG-Caregivers | Already designed per caregiver-m365-p2-rollout.md (shared-phone Intune + named location) |
| CSC - Drivers Phone-Only | SG-Drivers | Require compliant Intune-managed phone; no web fallback. Drivers added to SG-External-Signin-Allowed as well if they need off-site phone access. |

Initial SG-External-Signin-Allowed membership — seed from the CSV's Outside=Y column. All 19 office-PHI staff plus Britney Thompson (pending posture confirmation). Everyone else stays on the default building-only policy until Meredith adds them.

Named location "Cascades Building": Define once, reuse. Use the site's public IP range(s) from pfSense NAT (clients/cascades-tucson/pfsense-firewall.sops.yaml).

Exception-management process: Adding a user to SG-External-Signin-Allowed is a named-access request that should be logged (ideally in the client's Syncro ticketing or a simple note in the client folder). Removal is equally important — e.g., Tamra Matthews comes off the list on her June 2026 departure in addition to her license being deactivated.

Impact on licensing: All users covered by either CA policy need at least Entra P1 (bundled with Business Premium). This reinforces the default recommendation of Business Premium tenant-wide — Business Standard users couldn't be covered by the CA default-deny without an add-on, and a mixed tenant is harder to reason about.
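The named location and the default building-only policy from the table above, as an added Microsoft Graph PowerShell example (not part of this plan and not Microsoft's sample code). It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules, that the SG-* groups are already synced to Entra, a break-glass group named SG-BreakGlass (assumed name), a placeholder CIDR standing in for the real range from pfsense-firewall.sops.yaml, and "CSC - Building Only (Default) - MFA" as the name of the companion MFA policy:

```powershell
# Added example, not from the plan or from Microsoft: creates the "Cascades Building"
# named location and the default building-only policy with the Graph PowerShell SDK.
# Assumptions: SG-BreakGlass (assumed group name), the placeholder CIDR below, and the
# companion policy name "CSC - Building Only (Default) - MFA".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$buildingCidr = "203.0.113.0/29"   # PLACEHOLDER: real range(s) come from pfsense-firewall.sops.yaml

# Named location, defined once and referenced by id from every policy.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Cascades Building"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $buildingCidr })
}

# Exclusions make the default-deny survivable: the allow-list (own policy), the
# caregivers (own policy) and a break-glass group so an admin is never locked out.
$excludeIds = foreach ($name in "SG-External-Signin-Allowed", "SG-Caregivers", "SG-BreakGlass") {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $g) { throw "Group '$name' not found in Entra; create or sync it before the policy" }
    $g.Id
}

# "CSC - Building Only (Default)": block all cloud apps from anywhere except the
# named location. Created in report-only mode so the sign-in log shows who WOULD
# be blocked during Wave 2; flip state to "enabled" only after reviewing it.
$blockPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CSC - Building Only (Default)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($excludeIds) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# The "+ MFA" half of the table row has to be a second policy: "block" cannot be
# combined with other grant controls, so MFA for in-building sign-ins is enforced
# separately on the same population.
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CSC - Building Only (Default) - MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($excludeIds) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

"{0} and {1} created in report-only mode" -f $blockPolicy.DisplayName, $mfaPolicy.DisplayName
```

Leaving both policies in report-only during Wave 2 turns "watch for sign-in failures" into a read of the sign-in log's report-only results rather than a live outage. The "CSC - External Sign-in Allowed" policy follows the same shape with SG-External-Signin-Allowed as the include group and `compliantDevice` plus `mfa` as grant controls.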

6. Pre-flight reconciliation (CSV vs current AD)

These must be resolved before creating or converting accounts. See also cascades-staff-followup-2026-04-22.md.

| Discrepancy | Status | Action |
|---|---|---|
| Britney Thompson — in AD (enabled, Memory Care Nurse), NOT on returned CSV | Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone. | Keep existing AD account. Treat as Office-PHI / clinical (D+P, ALIS=Y). Confirm phone tier and Outside posture with Meredith. |
| Polett Pinazavala — on 2026-04-18 caregiver roster, NOT on returned CSV | Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone. | Keep on caregiver roster. Include in Wave 3 caregiver account creation. Confirm phone tier with Meredith. |
| Christine Nyanzunda — one person, MC Admin + part-time Sun/Mon MedTech | Resolved 2026-04-22 (Howard) — one account covers both roles. | Single account in OU=Care-MemoryCare. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. |
| Alma R Montt — on CSV (Life Enrichment), NOT in AD, title blank | Username assigned 2026-04-22 (Howard): Alma.Montt. Title still pending Meredith. | Create AD account at Alma.Montt (UPN alma.montt@cascadestucson.com). Populate title once Meredith answers. |
| Kyla Quick Tiffany — on CSV and in AD "needs account" list | Username assigned 2026-04-22 (Howard, per Kyla's preference): Kyla.QuickTiffany — last name treated as a single word. | Create AD account at Kyla.QuickTiffany (UPN kyla.quicktiffany@cascadestucson.com). Persona: Shared-PC Reception. |
| Ederick Yuzon — spelling not confirmed | Still pending Meredith. | Block on creation; use Ederick.Yuzon tentatively if Meredith confirms. |
| Matt Brooks — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. |
| 37 caregivers — on CSV, none in AD | Unchanged. | Create all 37 AD accounts (+ M365) in Wave 3. |
| 2 agency placeholders — on CSV, not in AD | Unchanged. | Decide with Meredith: real accounts or ALIS-only? |
| Generic AD accounts (Culinary, RECEPTIONIST, saleshare, directoryshare) | Unchanged. | Phase 5 cleanup after named-account coverage. |

Username convention for new accounts: TitleCase First.Last (e.g., Alma.Montt, Kyla.QuickTiffany). Existing lowercase exceptions in AD (britney.thompson, karen.rossini, lauren.hasselman) are the known legacy cases — leave as-is, don't rename. All net-new accounts follow TitleCase.
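The CSV-vs-AD comparison that produces a discrepancy table like the one above, as an added PowerShell example (not part of this plan). It assumes the ActiveDirectory module and a reachable cascades.local domain controller, and a CSV "Name" column (the real column names of reports/cascades-staff-2026-04-22.csv are not given on this page); the three sample rows are constructed and would be replaced by `Import-Csv` of the real report. It applies the username convention just stated (TitleCase First.Last, middle initials dropped, multi-word surnames collapsed) and matches case-insensitively so the legacy lowercase accounts are found without renaming them:

```powershell
# Added example, not from the plan. Assumptions: ActiveDirectory module, domain
# cascades.local, a CSV "Name" column. Sample rows below are constructed; in use:
#   $csv = Import-Csv .\reports\cascades-staff-2026-04-22.csv
Import-Module ActiveDirectory

$csv = @"
Name,Access
Alma R Montt,D+P
Kyla Quick Tiffany,D
Ramon Castaneda,D+P
"@ | ConvertFrom-Csv

# Username the plan's convention would produce: TitleCase First.Last, middle
# initials dropped, multi-word surnames collapsed ("Quick Tiffany" -> "QuickTiffany").
function ConvertTo-ExpectedSam {
    param([Parameter(Mandatory)][string]$FullName)
    $parts = @($FullName -split '\s+' | Where-Object { $_ })
    if ($parts.Count -lt 2) { throw "Need a first and last name: '$FullName'" }
    # Anything after the first name that is a single letter ("R" or "R.") is an initial.
    $rest = @($parts[1..($parts.Count - 1)] | Where-Object { $_ -notmatch '^\p{L}\.?$' })
    if ($rest.Count -eq 0) { throw "No surname left after dropping initials: '$FullName'" }
    # Letters only, first letter upper-cased, rest kept as written (so "McDonald" survives).
    $cap = { param($s) $s = $s -replace '[^\p{L}]', ''; $s.Substring(0, 1).ToUpper() + $s.Substring(1) }
    "{0}.{1}" -f (& $cap $parts[0]), (-join ($rest | ForEach-Object { & $cap $_ }))
}

# Every enabled user AD currently has, keyed by lowercase sAMAccountName so the
# legacy lowercase accounts (britney.thompson etc.) still match without renaming.
$ad = @{}
Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase "DC=cascades,DC=local" |
    ForEach-Object { $ad[$_.SamAccountName.ToLower()] = $_ }

$expected = @{}
foreach ($row in $csv) { $expected[(ConvertTo-ExpectedSam $row.Name).ToLower()] = $row }

# On the CSV but not in AD: create in Wave 1 (office/reception) or Wave 3 (caregivers).
$csvOnly = foreach ($sam in $expected.Keys) {
    if (-not $ad.ContainsKey($sam)) {
        [pscustomobject]@{ Status = 'CSV-only'; Account = $sam; Action = 'create' }
    }
}
# Enabled in AD but absent from the CSV: confirm employment before any Wave 4
# disable (the Britney Thompson case); generic accounts surface here too.
$adOnly = foreach ($sam in $ad.Keys) {
    if (-not $expected.ContainsKey($sam)) {
        [pscustomobject]@{ Status = 'AD-only (enabled)'; Account = $sam; Action = 'confirm with Meredith' }
    }
}
@($csvOnly) + @($adOnly) | Sort-Object Status, Account | Format-Table -AutoSize
```

Running this again after each wave is the cheapest regression check the plan has: the CSV-only list should shrink to zero after Wave 3, and anything still AD-only (enabled) at Wave 4 is either a confirmed exception or a disable candidate.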

7. Rollout sequence

Wave 0 — Pre-flight (blocks waves 1+)

  • Get answers to the 5 follow-up questions (Kyla/Ederick/Christine/Alma/Britney) + the "restrict-everyone or selective" policy decision from Meredith
  • Close Polett Pinazavala discrepancy
  • Final license decision (Business Premium tenant-wide vs. mixed)
  • Purchase license count locked in

Wave 1 — New office accounts (low blast radius)

  • Create AD + M365 for Alma R Montt and Kyla Quick Tiffany (the only new office/reception accounts the CSV produces)
  • Validate group membership + CA policy assignment on these two before touching anyone else
  • Pilot the CSC - FrontDesk Building-Only policy with Kyla

Wave 2 — Existing office accounts, reassignment only

  • Move existing users into new OU layout (no identity changes, just OU move + group membership)
  • Attach each to the correct SG-* group based on CSV persona
  • CA policies begin applying; watch for sign-in failures

Wave 3 — Caregiver bulk creation

  • Execute caregiver-m365-p2-rollout.md rollout — 37 AD + M365 accounts, SG-Caregivers, shared-phone CA
  • Already designed; this plan just sequences it after office wave

Wave 4 — Cleanup

  • Disable/remove Culinary, RECEPTIONIST, saleshare, directoryshare generics once their functions are covered by named accounts + shared mailboxes
  • Disable departed accounts (Britney pending answer, Tamra on departure June 2026)
  • Rotate krbtgt password (noted stale in AD doc — overdue)

8. Account creation template (per new user)

Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built later; plan-level checklist:

  1. AD account: First.Last (consistent with existing convention; note lowercase exceptions for Britney, Karen, Lauren — new accounts use TitleCase)
  2. UPN: first.last@cascadestucson.com
  3. Password: auto-generated, stored in vault (clients/cascades-tucson/new-user-<name>.sops.yaml), delivered to Meredith via 1Password share
  4. OU placement per persona
  5. Group membership: department-appropriate SG-*
  6. M365 license assignment (group-based if feasible)
  7. Mailbox creation (Exchange Online)
  8. ALIS account provisioning (separate system — Meredith/Lois handle)
  9. MFA registration — push to user first login
  10. Confirmation email to Meredith with username + password-share link
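One implementation of checklist steps 1 to 5 (account name, UPN, generated password, OU placement, SG-* group) for a single new hire, using the §4 OU and group layout, as an added PowerShell example; it is not the "precise script" this plan defers, and it does not cover steps 6 to 10. It assumes the ActiveDirectory module, that the proposed OU tree and SG-* groups already exist, and that the operator moves the returned SecureString into the sops vault file and the 1Password share rather than echoing it:

```powershell
# Added example, not the plan's script. Assumptions: ActiveDirectory module, the
# §4 OUs and SG-* groups already created, password handled by the operator.
Import-Module ActiveDirectory

$usersOu   = "OU=Cascades Users,DC=cascades,DC=local"
$upnSuffix = "cascadestucson.com"

# Password from the OS CSPRNG with rejection sampling (no modulo bias).
function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%^*-_=+"
    $limit    = 256 - (256 % $alphabet.Length)   # bytes >= limit are discarded
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = [byte[]]::new(1)
    $out      = [System.Text.StringBuilder]::new()
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $out.ToString()
}

function New-CascadesUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,       # "Quick Tiffany" collapses to "QuickTiffany"
        [Parameter(Mandatory)][string]$DepartmentOu,  # e.g. "OU=FrontDesk,OU=ResidentServices,$usersOu"
        [Parameter(Mandatory)][string]$SecurityGroup, # persona group from §4, e.g. SG-FrontDesk
        [string]$Title
    )
    # Step 1: TitleCase First.Last; letters only, so spaces and hyphens vanish.
    $cap = { param($s) $s = $s -replace '[^\p{L}]', ''; $s.Substring(0, 1).ToUpper() + $s.Substring(1) }
    $sam = "{0}.{1}" -f (& $cap $GivenName), (& $cap $Surname)
    if ($sam.Length -gt 20) { throw "'$sam' exceeds the 20-character sAMAccountName limit; agree a shorter form with Meredith" }
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") { throw "'$sam' already exists; resolve it in the §6 reconciliation first" }

    # Step 2: UPN is the lowercase form of the same name.
    $upn = "$($sam.ToLower())@$upnSuffix"

    # Step 3: generated password, never written to the console; change forced at first logon.
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    # Steps 4-5: create in the department OU, then attach the persona group.
    $new = @{
        Name = "$GivenName $Surname"; GivenName = $GivenName; Surname = $Surname
        SamAccountName = $sam; UserPrincipalName = $upn; EmailAddress = $upn
        Path = $DepartmentOu; AccountPassword = $secure
        Enabled = $true; ChangePasswordAtLogon = $true
    }
    if ($Title) { $new.Title = $Title }   # title may still be pending (Alma's case)
    New-ADUser @new
    Add-ADGroupMember -Identity $SecurityGroup -Members $sam

    [pscustomobject]@{
        SamAccountName = $sam; UPN = $upn; OU = $DepartmentOu; Group = $SecurityGroup
        VaultFile      = "clients/cascades-tucson/new-user-$($sam.ToLower()).sops.yaml"
        Password       = $secure   # SecureString; decrypt only when writing the vault entry
    }
}

# Wave 1: the reception account from §6 (Shared-PC Reception -> FrontDesk OU + SG-FrontDesk).
New-CascadesUser -GivenName "Kyla" -Surname "Quick Tiffany" `
    -DepartmentOu "OU=FrontDesk,OU=ResidentServices,$usersOu" -SecurityGroup "SG-FrontDesk"
```

The two `throw`s are the checks worth keeping whatever the final script looks like: the 20-character sAMAccountName ceiling, which a long First.LastName can hit, and the existence check, which stops a Wave 1 run from silently colliding with one of the legacy lowercase accounts.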

9. Dependencies on other workstreams

  • Folder redirection GPO rollout (CONTEXT.md §48) — when we move users to new OUs, make sure the FR GPOs are re-linked to the new OU or stay linked to parent OU=Cascades Users. Test on one mover before batch.
  • Intune phone rollout (PROJECT_STATE.md) — caregiver accounts must exist before Wave 3 of phone deployment (24 remaining Samsung A15s). Identity-first, device-second.
  • Business Premium purchase proposal (docs/proposals/m365-premium-upgrade.md) — blocks wave 1 if Meredith hasn't approved license spend.

10. Open decisions blocking the rollout

  1. Business Premium tenant-wide vs. mixed SKUs — Meredith, tied to the upgrade proposal. Building-only-by-default decision reinforces Premium tenant-wide (see §5).
  2. Ederick Yuzon spelling — Meredith/John, in the 2026-04-22 follow-up email.
  3. Alma R Montt title — Meredith/John, in the follow-up email.
  4. Britney phone + Outside posture — Meredith (employment confirmed by Howard; access tier still TBD).
  5. Polett employment confirmation — Meredith (Howard assumes still employed; formal Meredith confirmation requested in follow-up email).
  6. Agency placeholder accounts — names + ALIS-only vs. real accounts? — John added two agency rows to the CSV but left Name and Notes blank. Need the actual agency names + whether they need AD/M365 identities or just ALIS web logins.
  7. Drivers: F3 or Business Standard? — Meredith (cost vs. Office install need). Note: drivers need allow-list membership to sign in off-site, so whichever tier must include P1 for CA coverage (F3 does not; Business Premium or Business Standard + Entra P1 add-on required).

Resolved 2026-04-22 (Howard):

  • Restrict-everyone default vs. selective → building-only by default, allow-list for exceptions (§5).
  • Christine Nyanzunda → one account covers both roles.
  • Kyla Quick Tiffany username → Kyla.QuickTiffany (her preference — sign-in confirmed by Howard).
  • Alma R Montt username → Alma.Montt.
  • Britney Thompson → still employed; stays in AD.
  • Polett Pinazavala → still employed (awaiting Meredith formal confirmation via email).

Related documents:

  • reports/cascades-staff-2026-04-22.csv
  • docs/cloud/cascades-staff-followup-2026-04-22.md
  • docs/cloud/p2-staff-candidates.md
  • docs/cloud/caregiver-m365-p2-rollout.md
  • docs/cloud/m365.md
  • docs/servers/active-directory.md
  • docs/proposals/m365-premium-upgrade.md
  • docs/security/hipaa.md