| type | name | display_name | last_compiled | compiled_by | sources | backlinks |
|---|---|---|---|---|---|---|
| client | cascades-tucson | Cascades of Tucson | 2026-06-05 | GURU-BEAST-ROG/claude-main | | |
# Cascades of Tucson
Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-05-24.
## Profile
- Contract type: Prepaid hour block
- Key contacts:
  - Meredith Kuhn — Assistant Manager (ASSISTMAN-PC); internal billing contact. NEVER set her as ticket contact in Syncro — she is the wrong default that keeps being pre-selected.
  - John Trozzi — Maintenance staff; Mac, uses 201cascades@gmail.com (shared facility account)
  - Lauren Hasselman — Accounting
  - Zachary Nelson — Accounting Assistant
  - Lois Lane — CareTakers department head (DESKTOP-KQSL232); resistant to domain migration; John Trozzi is liaison
  - Crystal Rodriguez — staff
  - Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
  - Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
  - Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
  - Chris Knight — staff; chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04)
- Billing rate: $175/hr all labor (prepaid block customer)
- Hours remaining: 15.75 hrs as of 2026-06-04 (after tickets #32381 0.5h onsite, #32382 1.5h onsite, #32383 1.5h remote billed 2026-06-04). Always live-check via `GET /customers/20149445` before billing — the cached balance is unreliable across sessions.
- Syncro customer ID: 20149445
- Active tickets:
  - #110680053 — Dept-by-dept domain migration (primary active project; plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`)
  - #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
  - #109035475 — John Trozzi desktop WiFi upgrade (billed)
  - #32370 — eFax setup on Karen's and Christin's machines + portable scanner setup on both (Howard onsite; no appointment scheduled yet; ticket open/pending 2026-06-02)
  - #32381 — Tamra scanner onsite (0.5h onsite, billed 2026-06-04, prepaid block)
  - #32382 — Megan file access onsite (1.5h onsite, billed 2026-06-04, prepaid block)
  - #32383 — Chris Knight bill.com / BOK email delivery (1.5h remote, billed 2026-06-04, prepaid block; Syncro id 112201209; still open pending customer action, see Active Work)
## Infrastructure
### Servers & Services
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). Single DC — CRITICAL risk. No backup. GuruRMM agent ID: 6766e973-e703-47c1-be56-76950290f87c |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | — | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | [REVIEW — transitioning away from traditional landlines to wireless phones; revisit this entry] |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing | pfSense 24.0 | Dual-WAN. All DHCP served here (CS-SERVER DHCP role has no scopes). MAC: 00:f1:f5:34:b3:4a |
[WARNING] CS-SERVER hardware: Dell R610 with mixed SATA laptop drives (OS array, no hot spare) and enterprise SAS drives from 2015-2016. No backup exists. No second DC. Hardware will fail — DC migration is urgent.
[WARNING] HIPAA violation: No backup for CS-SERVER (§164.308(a)(7)). Synology Active Backup for Business is blocked (ext4 filesystem, not Btrfs).
### Email & Identity
- M365 tenant: cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- M365 license: Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (SKU `O365_BUSINESS_PREMIUM`) — SUSPENDED, 31 users still assigned. Relicensing those 31 users Business Standard → Business Premium is pending and time-sensitive: users on a suspended SKU may have degraded service.
- On-prem AD domain: cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
- MX / mail flow: Exchange Online (M365). SPF: `v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all` (the `a`/`mx` mechanisms and the GoDaddy `spf-0.secureserver.net` include each widen the set of hosts allowed to send as the domain, and `72.194.62.5` matches neither current WAN IP: confirm what still needs each one). DKIM: both M365 selectors published. DMARC: `p=quarantine; pct=100` — upgraded from p=none. Reports go to `info@cascadestucson.com` (unmonitored, so quarantine impact is not being watched). No third-party email gateway (EOP direct MX).
- MFA: CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. Voice-call MFA is disabled tenant-wide (SMS + Authenticator are the allowed methods). Exception: security group "MFA - Voice Call Scoped (sysadmin)" (id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`) has the Voice method enabled — created 2026-06-05 so Howard has a code-delivery path on the shared GA without a tenant-wide change. `sysadmin@` phone methods after 2026-06-05: mobile/SMS +1 520-289-1912 (Mike); alternateMobile/voice +1 520-585-1310 (Howard, was +1 520-331-5551).
- Entra Connect: Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users are pending before that OU can be added.
- Break-glass accounts: Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created.
- Admin accounts:
  - `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design)
  - `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design). Object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`. Password rotated by Mike 2026-06-04; vaulted by Howard 2026-06-05 at `clients/cascades-tucson/m365-sysadmin.sops.yaml`.
- ALIS (clinical SaaS): https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`; client secret expires 2028-05-06 (set a rotation reminder — expiry breaks ALIS SSO tenant-wide). Per-caregiver: the ALIS staff-record Email must match the Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith.
- Admin consent (2026-06-03): Tenant-wide admin consent (`consentType` `AllPrincipals`, scope `User.Read`) granted on the ALIS Entra service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`) via Graph API (oauth2PermissionGrant id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`). This resolved the `AADSTS65001` sign-in failures that office/clinical staff (megan.hiatt, karen.rossini, memcarereceptionist) were hitting on non-phone devices. Root cause was missing admin consent — NOT Conditional Access, network, or password. Prior state: only two per-user (`Principal`) consent grants existed, so every other user hit 65001. CA showed `conditionalAccessStatus: success` on all failing sign-ins, and both WAN IPs were trusted Named Locations.
- How to enable ALIS SSO for one user (procedure — confirmed 2026-06-03):
  - User needs a valid Entra identity (synced or cloud-only both work).
  - Tenant-wide admin consent for the ALIS app must exist — done globally 2026-06-03, so this is a one-time prerequisite, NOT per-user.
  - In ALIS admin -> Staff -> the user's record, set the Email field to the user's exact Entra UPN (e.g. `crystal.rodriguez@cascadestucson.com`). This is the per-user SSO join key.
  - User signs in via "Sign in with Microsoft" — not the ALIS username/password box.
  - Turn off ALIS-native 2FA on that user's account (Entra is the second factor; native 2FA conflicts and locked out Karen Rossini on 2026-05-29).
  - Diagnostic signature: a user with zero ALIS-app sign-in events in the Entra sign-in logs is still on the old direct-login path (never reached Entra) — the fix is the ALIS Email match, not anything in Entra. Confirmed with Crystal Rodriguez (2026-06-03): identical to Megan Hiatt on identity, sync state, security group, and she even held her own per-user consent grant — the ONLY difference was the missing ALIS Email match. Adding her email fixed SSO immediately. Megan worked because her ALIS record was already Email-matched and she used the Microsoft login; Crystal was falling back to direct ALIS login.
  - Sweep target: apply to all office/clinical users (Karen Rossini, MemCare reception, etc.) to standardize everyone onto SSO.
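The diagnostic signature above (zero ALIS sign-ins in Entra vs. AADSTS65001 with CA success) is easy to automate for the sweep. The following is an added example, not a script from the page or from Medtelligent; it assumes an existing `Connect-MgGraph` session with `AuditLog.Read.All` and the `Microsoft.Graph.Authentication` module, and uses the ALIS application id from the notes. The user list and the 30-day lookback (P1 sign-in log retention) are assumptions.

```powershell
# Added example: classify users by their ALIS sign-in evidence in the Entra sign-in log.
# Assumes Connect-MgGraph (AuditLog.Read.All) and Microsoft.Graph.Authentication (Invoke-MgGraphRequest).
function Get-AlisSsoState {
    param(
        [Parameter(Mandatory)][string[]]$Upn,
        [string]$AlisAppId = 'd5108493-cba8-4f08-90b6-1bb0bc09eb2a',   # ALIS application id (from the notes)
        [int]$LookbackDays = 30                                         # assumption: P1 sign-in log retention
    )
    $since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
    foreach ($u in $Upn) {
        $filter = "appId eq '$AlisAppId' and userPrincipalName eq '$u' and createdDateTime ge $since"
        $uri = 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=100&$filter=' + [uri]::EscapeDataString($filter)
        $events      = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
        $ok          = @($events | Where-Object { $_.status.errorCode -eq 0 })
        $consentFail = @($events | Where-Object { $_.status.errorCode -eq 65001 })
        $caBlocked   = @($events | Where-Object { $_.conditionalAccessStatus -eq 'failure' })
        $diag = if ($events.Count -eq 0) {
            'No ALIS sign-ins reached Entra: user is on ALIS direct login. Fix = ALIS staff Email must equal the UPN.'
        } elseif ($consentFail.Count -and $ok.Count -eq 0) {
            'AADSTS65001 with CA success: admin consent missing on the ALIS service principal, not CA/network.'
        } elseif ($caBlocked.Count -and $ok.Count -eq 0) {
            'Blocked by Conditional Access: check location/device policies, not the ALIS record.'
        } else { 'SSO working' }
        [pscustomobject]@{
            User       = $u
            Events     = $events.Count
            Ok         = $ok.Count
            Err65001   = $consentFail.Count
            CaBlocked  = $caBlocked.Count
            LastSignIn = ($events | Sort-Object createdDateTime -Descending | Select-Object -First 1).createdDateTime
            Diagnosis  = $diag
        }
    }
}

# Sweep the office/clinical set named in the notes (list is an assumption); anyone whose Diagnosis starts with
# "No ALIS sign-ins" still needs the ALIS Email match before anything is touched in Entra.
Get-AlisSsoState -Upn 'crystal.rodriguez@cascadestucson.com', 'megan.hiatt@cascadestucson.com',
                      'karen.rossini@cascadestucson.com', 'memcarereceptionist@cascadestucson.com' |
    Format-Table -AutoSize
```

Run it before and after each per-user ALIS Email change: the user should move from zero events to at least one `errorCode 0` sign-in against the ALIS app id on the next login.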
- Caregiver phones: 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)` (`9a0fcc6d-0a88-466e-aa53-44401bb74fca`); 25 devices enrolled per the 2026-06-03 Intune pull (count does not match the 22 handsets: reconcile for stale or duplicate enrollments). Dynamic group: `Cascades - Shared Phones` (`ea96f4b7-3000-45da-ab1f-ddb28f509526`). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device (see below re: pending replacement with allow-list), 8h sign-in frequency. Android enrollment token expires 2027-05-08 — the token is a join key only; expiry does NOT unenroll existing devices.
- Audit retention: Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. Not yet built. Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`.
- Inky: No Inky deployment exists in this tenant. No connector, no transport rule, no OAuth app, no add-in. Confirmed 2026-06-04.
- EXO MSP app auth note (2026-06-04): When the MSP app cert is not in the Windows cert store on a given machine, use the client_credentials flow to obtain an EXO-scoped access token (resource `https://outlook.office365.com/.default`) and connect via `Connect-ExchangeOnline -AccessToken` together with `-Organization`. The flow still needs an app credential (the app's client secret, or the cert loaded from a file as a JWT assertion), whichever the vault entry holds; what it avoids is the cert-store dependency and interactive MFA. App: ComputerGuru Exchange Operator (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`). Vault: `msp-tools/computerguru-exchange-operator.sops.yaml`.
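The token path above, written out as an added example (not the page's own procedure): it assumes the Exchange Operator app has a client secret stored in the vault entry (the field name is not on the page), that ExchangeOnlineManagement 3.x is installed, and that the app holds the `Exchange.ManageAsApp` application permission that app-only EXO requires. Tenant id, app id and organization are from the notes.

```powershell
# Added example: app-only Exchange Online session via client_credentials when the app cert is not in the local store.
$TenantId = '207fa277-e9d8-4eb7-ada1-1064d2221498'     # cascadestucson.com tenant id (from the notes)
$AppId    = 'b43e7342-5b4b-492f-890f-bb5a4f7f40e9'     # ComputerGuru Exchange Operator (from the notes)
$Secret   = Read-Host -AsSecureString -Prompt 'Client secret from msp-tools/computerguru-exchange-operator.sops.yaml'

$tokenResp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    client_id     = $AppId
    client_secret = [System.Net.NetworkCredential]::new('', $Secret).Password
    scope         = 'https://outlook.office365.com/.default'   # EXO resource: a Graph-scoped token is rejected by EXO
    grant_type    = 'client_credentials'
}

# Decode the JWT payload (no signature check here; EXO validates the token) to confirm audience and role
# before handing it to Connect-ExchangeOnline, so a mis-scoped token fails loudly instead of with a vague 401.
$payload = $tokenResp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
if ($claims.aud -notlike '*outlook.office365.com*') { throw "Wrong audience: $($claims.aud)" }
if ($claims.roles -notcontains 'Exchange.ManageAsApp') { throw 'Token lacks Exchange.ManageAsApp: check the app API permissions' }

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -AccessToken $tokenResp.access_token -Organization 'cascadestucson.com' -ShowBanner:$false
Get-ConnectionInformation | Select-Object State, TokenExpiryTimeUTC
```

The access token is short-lived (about an hour) and `-AccessToken` sessions do not refresh themselves, so a long message-trace sweep should re-run the token request and reconnect if `TokenExpiryTimeUTC` is close.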
### Network
- ISP / WAN: Dual-WAN Cox Fiber (primary, static `184.191.143.62/30`, gateway `184.191.143.61`) + Cox Coax (secondary, DHCP `72.211.21.217`). Both WAN IPs added as the Cascades Named Location in Entra (ID: `061c6b06-b980-40de-bff9-6a50a4071f6f`). The coax address is DHCP: if it changes, the Named Location (and every CA policy keyed on it, including the caregiver off-network block) silently stops matching, so re-check it after any ISP event.
- Firewall: pfSense 24.0 at 192.168.0.1. All DHCP served here. Inter-VLAN routing. 236 resident room VLANs (per-room /28, `10.[floor].[room].0/28`). Staff/infra VLAN 20 (`10.0.20.0/24`, gateway `10.0.20.1`). Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked).
- Switching: Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Switch hardware replacement on floors 2/3/4 complete.
- WiFi SSIDs:
- CSCNet — staff, VLAN 20
- CSC ENT — legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds
- Guest — isolated, VLAN 50
- VoIP: AudioCodes phones (8 units) on USW-16-PoE. CS-QB VM at 192.168.2.228. Not MSP-managed but infra must stay static.
### External Vendors & Mail Senders
- bill.com (BILL): Sends from `inform.bill.com`, `hq.bill.com`, `hello.bill.com`, `mc.bill.com`. MX via pphosted.com (Proofpoint). Confirmed delivering successfully to meredith.kuhn, ashley.jensen, lauren.hasselman, zachary.nelson as of 2026-06-04. Safe sender: `account-services@inform.bill.com`.
- BOK Financial: Sends from `bokfinancial.com`. MX via pphosted.com (Proofpoint). DMARC p=reject. Zero emails to any cascadestucson.com user in the 90-day trace history as of 2026-06-04 (likely a wrong recipient address on BOK's side for the accounts in question).
### Access
- CS-SERVER: Via ScreenConnect or GuruRMM (agent ID: `6766e973-e703-47c1-be56-76950290f87c`)
- CS-SERVER iDRAC: 192.168.2.65
- pfSense admin: https://192.168.0.1 — vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml`
- Synology DSM: http://192.168.0.120:5000 (plain HTTP, admin credentials cross the LAN unencrypted) — vault: `clients/cascades-tucson/` (existing entry)
- M365 admin: admin@cascadestucson.com — vault: `clients/cascades-tucson/m365-admin.sops.yaml`
- M365 sysadmin: sysadmin@cascadestucson.com — vault: `clients/cascades-tucson/m365-sysadmin.sops.yaml`
- WiFi CSCNet: vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml`
- MDM service account: vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
- ALIS SSO app registration: vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- GuruRMM — RECEPTIONIST-PC: agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
- Remediation tool: Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded; its consent is standing permission nothing uses, so schedule removal of that service principal.
- ComputerGuru Exchange Operator MSP app: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` — vault: `msp-tools/computerguru-exchange-operator.sops.yaml`. Use access-token auth when the cert is not in the store (see Email & Identity section).
- Vault root: `clients/cascades-tucson/` in vault repo
## Patterns & Known Issues
### Syncro / Billing
- Never set a contact on any Syncro ticket unless explicitly requested. This is a global rule, not Cascades-specific. At Cascades, Meredith Kuhn is the recurring wrong default that Syncro pre-selects — she is not the correct contact. Leave `contact_id` blank; Syncro routes to the correct distribution emails automatically. Source: `feedback_syncro_blank_contact.md`.
- Billing product for prepaid block draw: Use a real labor type (Remote, Onsite, etc.) — NOT "Prepaid project labor" (exempt, won't decrement the block).
- Always live-check hours before billing: `GET /customers/20149445` in Syncro. The 2026-05-01 invoice debit may not have fired correctly — treat all cached hour counts as approximate.
### Exchange Online / Message Tracing
- Get-MessageTrace is hard-deprecated (Sept 2025). As of 2025-09-01, `Get-MessageTrace` returns `BadRequest`/`ValidationException` via EXO InvokeCommand. Use `Get-MessageTraceV2` instead. Key parameter change: use `ResultSize` (not `PageSize`). The deprecation error may be silently swallowed by downstream jq filters — if a trace returns unexpectedly empty, check the raw response for a deprecation error string before assuming no mail. Source: 2026-06-04 Chris Knight investigation.
- Sender-side suppression (SendGrid ESP): If a user never receives mail from a specific sender despite a healthy mailbox, and message trace shows zero records (not even bounces), consider a SendGrid suppression list: the ESP drops the message before SMTP, so EOP never sees it and nothing can appear in trace. Resends will also fail silently. Fix requires contacting the sender's support to clear the suppression — there is no M365 action that can resolve this. Confirmed with bill.com / inform.bill.com. Pattern also applies to other high-volume senders using SendGrid.
### Active Directory / User Management
- **Security group assignment is always explicit.** When creating or adding any Cascades user, always ask which security group(s). OU → group auto-mirror was explicitly declined 2026-05-14. OU placement controls Entra Connect sync scope; group membership controls CA policy — two separate deliberate decisions. Source: `feedback_cascades_user_security_group.md`.
- **New user mandatory order (folder redirection):**
  - Create AD user
  - Run `New-HomeFolder -Username "<sam>"` on CS-SERVER (creates root + Desktop/Documents/Downloads/Music/Pictures with correct ACL)
  - Add to SG-FolderRedirect
  - THEN first domain logon
  - Skipping step 2 causes fdeploy to cache a failure silently and never retry. Source: `feedback_cascades_folder_redirect.md`.
- **Folder redirect recovery:** If fdeploy cached a failure ("No changes detected"), run `clients/cascades-tucson/scripts/fix-shell-redirect.ps1` via GuruRMM while the user is logged in. Must set both the GUID-based and legacy-name registry values under `User Shell Folders`. Folders must already exist on the server.
- **fdeploy1.ini flags:** Changed from `Flags=1211` (0x4BB, which included the Grant Exclusive Rights bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187` (0xBB: the same flags with 0x400 cleared). File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER.
- **Login-screen hide (SpecialAccounts\UserList):** An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, DWORD value `<username>=0`. Fix: delete the DWORD value (or set it to 1); the account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; the account was already enabled and in Administrators (unchanged). Treat an unexplained UserList entry that hides an enabled admin as a finding to investigate (it is a common persistence trick), not just a UX quirk.
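Two read-only checks for the patterns above, as an added example (this is not the page's `fix-shell-redirect.ps1` and does not modify redirection). `Test-ShellRedirect` runs in the signed-in user's session and checks that the legacy-name and GUID-name values under `User Shell Folders` both point at the server path; `Get-HiddenLocalAccount` runs elevated and surfaces `SpecialAccounts\UserList` suppressions. Assumptions: the redirected root is `\\CS-SERVER\Homes\<sam>` (share name from the page, path layout assumed), and the GUID value names are the ones Windows 10/11 fdeploy writes alongside the legacy names (verify against a correctly redirected machine such as CRYSTAL-PC before relying on them).

```powershell
# Added example: verify folder redirection registry state and detect hidden local accounts. Run via GuruRMM.
function Test-ShellRedirect {
    param([string]$Root = "\\CS-SERVER\Homes\$env:USERNAME")   # assumption: Homes share layout
    $usf  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $vals = Get-ItemProperty -Path $usf           # REG_EXPAND_SZ values come back expanded
    # Legacy value name plus the GUID-named value fdeploy writes next to it (Windows 10/11; verify on a good machine).
    $folders = @(
        @{ Name = 'Desktop';   Legacy = 'Desktop';     Guid = '{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}' }
        @{ Name = 'Documents'; Legacy = 'Personal';    Guid = '{F42EE2D3-909F-4907-8871-4C22FC0BF756}' }
        @{ Name = 'Downloads'; Legacy = '{374DE290-123F-4565-9164-39C4925E467B}'; Guid = '{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}' }
        @{ Name = 'Music';     Legacy = 'My Music';    Guid = '{A0C69A99-21C8-4671-8703-7934162FCF1D}' }
        @{ Name = 'Pictures';  Legacy = 'My Pictures'; Guid = '{0DDD015D-B06C-45D5-8C4C-F59713854639}' }
    )
    foreach ($f in $folders) {
        $expected = Join-Path $Root $f.Name
        $legacy = $vals.($f.Legacy)
        $guid   = $vals.($f.Guid)
        [pscustomobject]@{
            Folder       = $f.Name
            LegacyValue  = $legacy
            GuidValue    = $guid
            ServerExists = Test-Path -LiteralPath $expected           # fdeploy never creates the target for you
            Redirected   = ($legacy -eq $expected) -and ($guid -eq $expected)   # both names must agree
        }
    }
}

function Get-HiddenLocalAccount {
    param([switch]$Unhide)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (-not (Test-Path $key)) { return }          # key absent = nothing is suppressed
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name -replace '^.*\\'
    $props  = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        if ($props.$name -ne 0) { continue }        # only a value of 0 hides the account
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Account = $name
            Exists  = [bool]$user
            Enabled = $user.Enabled
            IsAdmin = $name -in $admins              # enabled + hidden + admin: investigate before unhiding
        }
        if ($Unhide -and $user.Enabled) { Remove-ItemProperty -Path $key -Name $name }
    }
}

Test-ShellRedirect     | Format-Table -AutoSize
Get-HiddenLocalAccount | Format-Table -AutoSize
```

`Test-ShellRedirect` reads HKCU, so it only tells the truth when executed in the affected user's session (an RMM job running as SYSTEM reads SYSTEM's hive). A row with `ServerExists = False` is the step-2 failure from the mandatory order above; a row where only one of the two values matches is the partial state the recovery script exists to fix.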
### Conditional Access / Caregiver Policies
- Phased rollout — never tenant-wide. CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups` (merge into the existing list), never a replace of the policy. Source: `project_cascades_ca_phased_rollout.md`.
- Enforced caregiver CA policy set (unchanged as of 2026-06-03):
  - `CSC - Block caregivers off Cascades network` (`e35614e1-e896-4a13-9407-076963af488f`) — BLOCK if location is not Cascades
  - `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) — BLOCK if device non-compliant. Pending DISABLE at allow-list cutover (see below).
  - `CSC - Caregiver sign-in frequency 8h` (`7d491c7a-ad90-4420-9990-40a1e676a76c`)
- Caregiver device allow-list (2026-06-03 — report-only): The device restriction is being changed from compliance-based to an explicit device allow-list (phones matching `displayName -startsWith "CSC-"` plus 5 tagged laptops/PCs with `extensionAttribute1 = CSCCaregiverDevice`). Rationale: the tenant has no Windows compliance policy and `secureByDefault=false`, so a compliance-only condition would admit any future-enrolled machine. Caveat: the `displayName` branch is satisfied by any device object whose name starts with `CSC-`, and the name is chosen by whoever joins or registers the device, so the admin-set `extensionAttribute1` branch is the trustworthy half; keep device registration restricted accordingly. New CA policy created in report-only:
  - `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` — id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced`
  - Target group: `SG-Caregivers` (`8b8d9222`). Excludes: `sysadmin@`, `admin@`, `SG-CA-BreakGlass` (`131e51ac-d69b-44b8-9c81-56890537a796`)
  - Device filter (mode `exclude`, i.e. matching devices are exempt from the block): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`
  - Allowed device list (target — 5 devices tagged `CSCCaregiverDevice`):

    | Device | OS | GuruRMM agent |
    |---|---|---|
    | NURSESTATION-PC | Win 11 | 8164c6fa-62e7-4aa5-88e4-624f2f656932 |
    | Laptop2 | Win 11 | dc8daf71-a2e6-4181-8cf2-c463c95dcd7d |
    | LAPTOP-8P7HDSEI | Win 10 (EOL — upgrade) | 9b74852c-623a-4d4a-bdda-1709ee75ae44 |
    | LAPTOP-DRQ5L558 | Win 11 | f9e25b3b-da63-40ff-94a6-8cec3b9a19ce |
    | LAPTOP-E0STJJE8 | Win 11 | 4ac00700-9a9b-4e7f-a7aa-c51857b77661 |
  - Join model (decided 2026-06-03): The 4 laptops are Entra-joined (cloud join), NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets Hybrid Entra Join (needs on-prem printers + ALDocs share); this requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned first so the tag lands on the right object. Mixed model is supported.
  - Enrollment account: `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). Licensed Business Premium + usageLocation=US on 2026-06-04 and ready to join/auto-enroll. The license is needed only at enrollment time so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop the per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API.
  - Printing: does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800.
  - Enrollment progress (2026-06-04): 3 of the laptops Entra-joined + tagged `CSCCaregiverDevice` — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). Pending Win11 25H2 upgrade then join+tag: LAPTOP-8P7HDSEI, ASSISTNURSE-PC. NURSESTATION-PC confirmed permanent caregiver device (hybrid-join pending). Full set = phones + those 6 machines. All joined laptops show `isManaged=null` (auto-MDM-enroll did not fire — MDM user scope likely not = All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune is only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices are on Win11 25H2. Enrollment account `devices@` (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch).
  - Cutover (low-risk, can be all-at-once): verified no gap — only `CSC-` phones are compliant today and the allow-list also permits them, so enabling the allow-list ADDS the laptops without removing phone access; nobody on a phone gets locked out. Per-user go-live gate is the ALIS email-match + test sign-in (one at a time), not a CA change. Cutover = enable `CSC - Caregivers: allow-listed devices only` + disable `CSC - Block caregivers on non-compliant device`. Before flipping, review the report-only policy's results in the sign-in log for any unexpected "would block" hits.
  - Restricted vs privileged classification (2026-06-04): Restricted/inside (SG-Caregivers) = the 38 + Veronica Feller (caretaker; inventory shows her remote/PA — confirm on-site) + Christine Nyanzunda (MC admin asst + PT medtech; uses ASSISTNURSE-PC; directory surname typo "Nyanzuda" to fix). Privileged/outside (NOT in SG-Caregivers; ALIS via SSO + offsite MFA) = Lois Lane, Karen Rossini, Christina DuPras, and all admins/directors/managers; nurses ruled OUTSIDE. Zachary Nelson is accounting/no-ALIS (not a caregiver). Still pending classification: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey. Worklist: `clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md`.
  - User<->computer map source: Syncro `kabuto_information.last_user` (GuruRMM does not expose the logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending.
  - Caregiver desktop app shortcuts: ALIS (`https://cascadestucson.alisonline.com`), LinkRx (`https://pharmcare.linkrxnow.com/`), HelpAny (`https://app.safe-living.com/login`) — deploy via a Public-Desktop PowerShell script launching Edge in `--app=<url>` mode (preserves the SSO device claim), pushed via GuruRMM to the 6 caregiver machines.
  - Login UX: Entra/Microsoft sign-in (and ALIS SSO) requires the full UPN — no bare-username option for cloud accounts. Minimize typing via Windows Hello PIN on laptops + silent ALIS SSO once signed in; pursue ALIS Login PINs (Medtelligent limited-release).
- GDAP exclusion: CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover. (The allow-list policy above names the break-glass group `SG-CA-BreakGlass`, `131e51ac…`; confirm which name is canonical so the exclusion is applied to the group that actually exists.)
- Pilot cleanup required when done: Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.
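The tagging step and the "what will the filter actually admit" check, written out as an added example (not a script from the page). It assumes a `Connect-MgGraph` session with `Device.ReadWrite.All` (for the PATCH) and `Device.Read.All`, and the `Microsoft.Graph.Authentication` module. The tag value and the filter predicate are the ones from the allow-list policy above; the refusal on duplicate names is there for the stale 2021 NURSESTATION-PC record.

```powershell
# Added example: tag a caregiver machine for the allow-list and list every device object the CA device filter exempts.
function Set-CaregiverDeviceTag {
    param([Parameter(Mandatory)][string]$DisplayName, [string]$Tag = 'CSCCaregiverDevice')
    $uri = 'https://graph.microsoft.com/v1.0/devices?$select=id,displayName,trustType,approximateLastSignInDateTime&$filter=' +
           [uri]::EscapeDataString("displayName eq '$DisplayName'")
    $devs = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($devs.Count -ne 1) {
        $devs | ForEach-Object { Write-Warning ('{0} trustType={1} lastSeen={2}' -f $_.id, $_.trustType, $_.approximateLastSignInDateTime) }
        throw "Expected exactly one device named $DisplayName, found $($devs.Count): clean up stale records before tagging"
    }
    # PATCH only extensionAttribute1; the other extensionAttributes on the object are left untouched.
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/devices/$($devs[0].id)" `
        -Body @{ extensionAttributes = @{ extensionAttribute1 = $Tag } }
    $devs[0].id
}

function Get-AllowListedDevice {
    # Same predicate as the CA filter: CSC- phones OR tagged machines. Filtering on extensionAttributes and combining
    # it with startswith() is an advanced query, hence $count=true plus the ConsistencyLevel header.
    $filter = "startswith(displayName,'CSC-') or extensionAttributes/extensionAttribute1 eq 'CSCCaregiverDevice'"
    $uri = 'https://graph.microsoft.com/v1.0/devices?$count=true&$select=id,displayName,operatingSystem,operatingSystemVersion,trustType,isManaged,isCompliant,approximateLastSignInDateTime&$filter=' +
           [uri]::EscapeDataString($filter)
    $all = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -Headers @{ ConsistencyLevel = 'eventual' }
        $all += $page.value
        $uri = $page.'@odata.nextLink'             # follow paging; the phone set alone is 25 objects
    } while ($uri)
    $all | ForEach-Object {
        [pscustomobject]@{
            Device    = $_.displayName
            Trust     = $_.trustType                # AzureAd = Entra-joined, ServerAd = hybrid, Workplace = registered
            OS        = "$($_.operatingSystem) $($_.operatingSystemVersion)"
            Managed   = $_.isManaged                # null on the joined laptops until auto-MDM-enroll fires
            Compliant = $_.isCompliant
            LastSeen  = $_.approximateLastSignInDateTime
        }
    }
}

# Tag the next laptop after its Win11 25H2 upgrade, then confirm the full allow-list (phones + tagged machines).
# Set-CaregiverDeviceTag -DisplayName 'LAPTOP-8P7HDSEI'
Get-AllowListedDevice | Sort-Object Trust, Device | Format-Table -AutoSize
```

Any `Workplace` (registered-only) row in the output is worth a second look: a registered device satisfies the filter just as well as a joined one, which is the caveat noted above on the `displayName` branch.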
### EXO / Message Trace
- Get-MessageTrace is deprecated. Use `Get-MessageTraceV2` instead. V2 has a 10-day maximum window per call — loop 9 consecutive 10-day windows to cover the 90-day trace history. A wildcard sender with a 30-day window returns false positives due to the window-limit violation; keep windows to 10 days and use specific sender domains.
- EXO access token auth: When `Connect-ExchangeOnline -Credential` fails (MFA/modern auth block) and the app cert is not in the Windows cert store, use the client_credentials flow to get an EXO-scoped token and pass it via `-AccessToken` (with `-Organization`). See the EXO MSP app auth note in the Email & Identity section.
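The 9 x 10-day sweep above, with the empty-result guard from the Exchange Online / Message Tracing pattern, as an added example rather than the page's own script. It assumes an open `Connect-ExchangeOnline` session on ExchangeOnlineManagement 3.x (which carries `Get-MessageTraceV2`); the sender domains are the bill.com / BOK ones listed under External Vendors, and the recipient addresses are Chris Knight's primary and alias from the notes.

```powershell
# Added example: sweep 90 days of inbound trace for one recipient in 10-day windows (the Get-MessageTraceV2 limit).
function Get-InboundTrace90d {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [string[]]$SenderDomains = @('inform.bill.com', 'hq.bill.com', 'hello.bill.com', 'mc.bill.com', 'bokfinancial.com'),
        [int]$WindowDays = 10,    # V2 hard limit per call
        [int]$Windows    = 9      # 9 x 10 = 90 days, the trace retention limit
    )
    $end  = (Get-Date).ToUniversalTime()
    $hits = foreach ($i in 0..($Windows - 1)) {
        $winEnd   = $end.AddDays(-$WindowDays * $i)
        $winStart = $winEnd.AddDays(-$WindowDays)
        try {
            # Filter by recipient only and match sender domains client-side: no sender wildcard, no >10-day window.
            # ResultSize 5000 is the per-call cap; a single recipient will not hit it, a whole tenant would.
            Get-MessageTraceV2 -RecipientAddress $Recipient -StartDate $winStart -EndDate $winEnd -ResultSize 5000 |
                Where-Object { ($_.SenderAddress -split '@')[-1] -in $SenderDomains }
        } catch {
            # A thrown error here is the deprecated-cmdlet / validation failure the notes warn about. Re-throw it:
            # swallowed, an empty pipeline downstream looks identical to "the vendor never sent anything".
            Write-Warning ('Trace failed for {0:u}..{1:u}: {2}' -f $winStart, $winEnd, $_.Exception.Message)
            throw
        }
    }
    $hits | Sort-Object Received -Descending
}

# Trace both the primary address and the alias: RecipientAddress is the address the message was addressed to.
foreach ($addr in 'chris.knight@cascadestucson.com', 'c.knight@cascadestucson.com') {
    $trace = Get-InboundTrace90d -Recipient $addr
    if (-not $trace) {
        "$addr : zero records (no deliveries, no bounces) with a healthy mailbox. Suspect sender-side suppression or a wrong recipient address at the vendor, not EOP."
    } else {
        $trace | Group-Object SenderAddress, Status | Select-Object Count, Name | Sort-Object Count -Descending
    }
}
```

Zero rows for a sender that is confirmed delivering to other users in the same tenant (the bill.com case above) is the SendGrid-suppression signature; rows with a `Failed` or `Quarantined` status would instead point back at EOP.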
### Known Issues / Pending Hygiene (as of 2026-06-04)
- [BUG] Stale exclude-group on MFA-all-users policy: The `Require multifactor authentication for all users` policy (7e87a1c7…) currently excludes `SG-Caregivers-Pilot` (0674f0bc…) instead of the live `SG-Caregivers` (8b8d9222…). Functionally harmless today (pilot group still exists), but this is a known bug that must be corrected before the pilot group is deleted. Fix: PATCH `excludeGroups` to replace `SG-Caregivers-Pilot` with `SG-Caregivers`.
- [DESIGN] ALIS-native 2FA is not a perimeter control. The `Require MFA for all users` policy excludes `AllTrusted` locations, so Entra never prompts on the Cascades network. A non-SSO ALIS user can reach ALIS from anywhere with only ALIS credentials — Entra never sees that login. The correct permanent model: force all ALIS logins through Entra SSO (SSO-only, credential fallback disabled), so Entra enforces onsite-seamless / offsite-MFA. Office/privileged users should be standardized onto ALIS SSO as a separate workstream; ALIS-native 2FA should then be disabled per-user, then globally.
- [INFO] Android enrollment token expiry (2027-05-08) does NOT unenroll devices. The `CSC - Android Shared Phones (Entra SDM)` enrollment token (9a0fcc6d) is a join key only. Existing enrolled devices (25 as of 2026-06-03) are unaffected by token expiry. Renewal is needed only before enrolling new devices after that date.
- [INFO] Chris Knight bill.com/BOK Financial emails (2026-06-04): Zero bill.com or BOK Financial emails ever delivered to chris.knight@ or c.knight@ in 90 days. bill.com confirmed delivering to other Cascades users (no tenant-wide block). Root cause: bill.com and BOK Financial backends likely still have Chris Knight's old email address. Resolved externally by Howard. No tenant config changes needed.
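The PATCH-never-replace rule from the Conditional Access section and the [BUG] fix above share one operation: merge a change into `excludeGroups` and verify it. The following is an added example, not a script from the page. It assumes a `Connect-MgGraph` session with `Policy.Read.All` and `Policy.ReadWrite.ConditionalAccess`. The page gives only the prefixes `7e87a1c7…` and `0674f0bc…` for the policy and the pilot group, so those two ids are placeholders in the usage line; the `SG-Caregivers` and `SG-CA-BreakGlass` ids are from the notes.

```powershell
# Added example: merge-style edit of a CA policy's excludeGroups with dry run, break-glass guard and read-back check.
$Protected = @('131e51ac-d69b-44b8-9c81-56890537a796')   # SG-CA-BreakGlass: never let it drop out of an exclusion

function Test-SameSet([string[]]$A, [string[]]$B) {
    # Order-insensitive equality that tolerates empty arrays (Compare-Object refuses an empty ReferenceObject).
    ($A.Count -eq $B.Count) -and -not @($A | Where-Object { $_ -notin $B }).Count
}

function Update-CaExcludeGroups {
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [string[]]$Add    = @(),
        [string[]]$Remove = @(),
        [switch]$Apply            # default is a dry run that only reports Before/After
    )
    if (@($Remove | Where-Object { $_ -in $Protected }).Count) { throw 'Refusing to remove a break-glass exclusion' }
    $uri    = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$PolicyId"
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    $before = @($policy.conditions.users.excludeGroups)
    $after  = @($before | Where-Object { $_ -notin $Remove }) + @($Add | Where-Object { $_ -notin $before })
    $after  = @($after | Select-Object -Unique)
    $report = [pscustomobject]@{ Policy = $policy.displayName; State = $policy.state; Before = $before; After = $after; Applied = $false }
    if (-not $Apply -or (Test-SameSet $before $after)) { return $report }

    # Send the whole conditions object back with only excludeGroups changed: a nested object in a PATCH body
    # replaces that object, so a body carrying just { users = { excludeGroups } } would drop the sibling conditions.
    $policy.conditions.users.excludeGroups = $after
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ conditions = $policy.conditions } | Out-Null

    # Read back and verify rather than trusting the 204.
    $check = @((Invoke-MgGraphRequest -Method GET -Uri $uri).conditions.users.excludeGroups)
    if (-not (Test-SameSet $check $after)) { throw "Post-PATCH verification failed, excludeGroups now: $($check -join ',')" }
    $report.Applied = $true
    $report
}

# Known-Issues fix: dry run first, then add -Apply. Placeholder ids below must be replaced with the full GUIDs.
Update-CaExcludeGroups -PolicyId '<7e87a1c7-full-policy-id>' `
                       -Remove   '<0674f0bc-full-SG-Caregivers-Pilot-id>' `
                       -Add      '8b8d9222-5d71-419a-936d-56d895c6c332' | Format-List
```

Departmental expansion is the same call with only `-Add`: the existing list (including the admin and break-glass exclusions) is carried forward untouched, which is what "PATCH, never replace" is protecting.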
### Security Incidents (historical)
- Megan Hiatt (2026-04-16): Active credential-stuffing — 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. Mailbox was clean (not breached).
- John Trozzi (2026-04-16, 2026-04-20): Investigated twice — both times NO BREACH. First: credential stuffing flag (clean). Second: inbound phishing email (clean). Reports in `clients/cascades-tucson/reports/`.
- Crystal Rodriguez (2026-04-19): Phishing investigation. Report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md`.
- Canva email delivery (2026-05-20): Alma Montt not receiving Canva invites. Resolved by adding canva.com domains to AllowedSenderDomains in EOP policies.
- ALIS AADSTS65001 (2026-06-03): megan.hiatt, karen.rossini, memcarereceptionist could not sign in to ALIS on non-phone devices. Root cause: missing tenant-wide admin consent on the ALIS SP (`e1cae4ad`). Resolved by granting `AllPrincipals` consent for `User.Read` via Graph API. CA was NOT the cause — all failures showed `conditionalAccessStatus: success` from trusted IPs.
- dunedolly21@gmail.com: External guest invited 2026-04-14 by Lauren Hasselman from mobile. Status unknown — confirm with Lauren. [unverified]
- Chris Knight bill.com / BOK email delivery (2026-06-04): `chris.knight@cascadestucson.com` (alias: `c.knight@cascadestucson.com`) not receiving bill.com or BOK Financial emails. M365 mailbox confirmed healthy: 24 inbound messages traced over the prior 48h, no inbox rules, no forwarding, no junk/quarantine hits, no transport rules or connectors blocking. Root cause: SENDER-SIDE, not M365. bill.com sends via SendGrid (inform.bill.com); the address was on SendGrid's ESP suppression list — mail was dropped before SMTP, so nothing appeared in message trace and repeated resends never arrived. BOK diagnosis confirmed: correcting the email in BOK's portal produced a "Welcome to Exchange!" delivery from `alerts@exchange.bokfinancial.com` within minutes. bill.com fix requires calling bill.com support — the account email cannot be changed in the web UI (it is the locked login identity); support must update it AND clear the SendGrid suppression. Ticket #32383, 1.5h remote.
## HIPAA Compliance
- Primary objective. Cascades stores PHI on CS-SERVER and uses ALIS for clinical records.
- Critical open gaps: No backup (§164.308(a)(7)); no audit logging on D:\Homes (§164.312(b)); Object Access auditing disabled; no SMB encryption on homes share; no file access auditing.
- Restored 7 deleted mailboxes (2026-04-25) under the 7-year retention policy (§164.316(b)(2) itself requires a 6-year minimum; the extra year is the facility's own standard).
- Termination policy established: Convert to shared mailbox, hide from GAL, retain 7 years.
## Active Work
Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053).
Migration phase status (as of 2026-05-26):
| Machine / User | Status |
|---|---|
| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect manually fixed |
| Crystal Rodriguez (CRYSTAL-PC) | Domain-joined, folder redirect confirmed working 2026-05-21 |
| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design |
| NURSESTATION-PC | Domain-joined, folder redirect complete |
| Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 |
| Megan Hiatt (Marketing) | COMPLETE 2026-05-27 — domain joined via ProfWiz, folder redirection live, data on server |
| DESKTOP-KQSL232 (Lois Lane — CareTakers) | Blocked — Lois Lane resistant to change; John Trozzi working with her |
| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |
Blocking issues / pending:
- M365 relicensing: 31 Business Standard → Business Premium (Standard SKU SUSPENDED — time-critical; 31 SPB seats free)
- Break-glass accounts: not created (confirmed 2026-05-27)
- Audit retention infra: not built
- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet
- Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending
- NURSESTATION-PC: auto-lock GPO (HIPAA, ~10 min idle) not yet applied
- #32370 (open): Howard onsite — eFax setup on Karen's and Christin's machines; portable scanner setup on both. No appointment scheduled as of 2026-06-02.
- #32383 (open — pending customer action): bill.com email delivery for Chris Knight. Cascades must CALL bill.com support to update the account email to `chris.knight@cascadestucson.com` AND clear it from the SendGrid suppression list (cannot be done via the web UI). BOK side near-resolved (address corrected; Chris to complete registration). Ticket logged 2026-06-04; investigation billed 1.5h remote.
- Caregiver device allow-list: per the 2026-06-04 progress note, 3 laptops are already Entra-joined and tagged; still needed before cutover are LAPTOP-8P7HDSEI (after its Win11 upgrade) and ASSISTNURSE-PC Entra-join + `extensionAttribute1` tagging, plus NURSESTATION-PC hybrid join. Intune enrollment is optional for the allow-list (see Patterns section).
- ALIS office/privileged standardization: move office/managers/nurses to ALIS SSO-only; disable ALIS-native 2FA per-user, then globally (separate workstream)
- Fix stale `SG-Caregivers-Pilot` exclude-group on the `Require MFA for all users` policy (known bug, see Known Issues)
- LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use
- Chris Knight bill.com/BOK Financial addresses: confirm updated in the bill.com backend and at BOK Financial (resolved externally 2026-06-04, but no confirmation of the actual address update on the vendor side)
History Highlights
| Date | Event |
|---|---|
| 2026-03-06 | ACG onboarding begins. Initial audit (CS-SERVER Dell R610, pfSense, UniFi, Synology). 19 machines. No backup, no HIPAA compliance. |
| 2026-03-09 | AD security hardening: Monica Ramirez removed from Domain Admins, lockout policy fixed, AD Recycle Bin enabled, MachineAccountQuota set to 0. |
| 2026-03-31 | Cascades onboarded to remediation tool. Tenant ID documented. 50 users, Secure Score 34%. |
| 2026-04-13 | Major onsite: 13 stale AD accounts deleted, OU structure cleaned, UPNs migrated to cascadestucson.com, Homes share created, Folder Redirection GPO deployed (registry workaround), first domain joins. |
| 2026-04-14 | Sandra Fish global admin revoked. ALIS SSO confirmed. Business Premium proposal created. |
| 2026-04-16 | Breach checks: Megan Hiatt (credential stuffing, not breached; password reset). John Trozzi (clean). Crystal Rodriguez phish. /remediation-tool skill built. |
| 2026-04-17 | Howard onsite: folder redirect Sharon Edwards diagnosis. John Trozzi WiFi (TP-Link + UniFi roaming instability). |
| 2026-04-25 | Entra Connect installed on CS-SERVER (staging mode). 7 deleted mailboxes restored for HIPAA. Dual-WAN discovered. |
| 2026-04-28-29 | CA policy reconciliation. Audit retention architecture (ACG-billed, LAW 90d + Storage 6yr). Break-glass design (2 accounts, YubiKeys). Caregiver pilot scope corrected (phased only). |
| 2026-04-30 | CA rollout (Report-only mode): 3 caregiver policies created. SDM bootstrap. |
| 2026-05-01 | Howard billed 33.5 hrs against prepaid block on Entra project ticket #32214 ($0 invoice). |
| 2026-05-07-08 | SDM phone provisioning. SDM token success. ALIS SSO app registration values captured to vault. |
| 2026-05-14-16 | Caregiver AD accounts created. Security groups always deliberate (no OU→group automation). Wireless diagnostic. |
| 2026-05-18 | Billing review. 39.5 hrs remaining before session. 7 hrs billed separately. |
| 2026-05-20 | Canva email delivery resolved (canva.com domains added to EOP). |
| 2026-05-21 | Crystal Rodriguez folder redirect confirmed working. Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work initially. |
| 2026-05-22 | Ashley Jensen domain-joined. RECEPTIONIST-PC domain-joined. GPO ILT fixes (FrontDesk printer + R: drive). cascadesDS auth failure diagnosed (workgroup collision) and deferred. |
| 2026-05-14 | Entra Connect exited staging mode — actively syncing. CA pilot re-pointed to SG-Caregivers. |
| 2026-05-23 | Lauren Hasselman folder redirect complete. Megan Hiatt (Marketing) confirmed in AD, domain join pending. |
| 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (AllPrincipals User.Read) on ALIS SP e1cae4ad. Caregiver device allow-list CA policy created in report-only (CSC - Caregivers: allow-listed devices only (REPORT-ONLY), id 1b7fd025). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: diagnosed as SpecialAccounts\UserList hide (localadmin=0) — account was already enabled and in Administrators; removed the registry value via RMM (agent f5a89784-834f-47b1-82e2-7e3e9dd337ff); account will appear after sign-out/reboot. Vault hygiene: sysadmin@ GA (object id 471b13dc-3cf8-416b-a132-f5f3bc8d1cc8) password rotated by Mike 2026-06-04 and vaulted by Howard 2026-06-05 (clients/cascades-tucson/m365-sysadmin.sops.yaml). Voice MFA scoped group created: "MFA - Voice Call Scoped (sysadmin)" (304f941e-3594-4705-b8e6-ee676297df11), single member sysadmin@; Voice method enabled scoped to that group (tenant-wide voice still disabled); alternateMobile updated to +1 520-585-1310 (Howard; was +1 520-331-5551). |
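Added example covering the NURSESTATION-PC items recorded above (the `SpecialAccounts\UserList` hide removed on 2026-06-05, and the HIPAA idle auto-lock still pending in the blocking list); it is illustrative code written for this compile, not the RMM script that was run. It assumes an elevated session on the target workstation, the documented Windows registry locations, and 600 seconds as the threshold for the "~10 min idle" target. Enumerating hidden accounts is worth doing fleet-wide rather than once: an admin account hidden from the sign-in screen is exactly how a persistent local admin is parked, so every entry should have a known owner.

```powershell
# Added example, not from the dossier: local checks for hidden sign-in accounts and the
# machine inactivity limit. Registry paths are the documented Windows locations; the
# 600 s threshold is an assumption derived from the ~10 min HIPAA target in the blocking list.

$UserListKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$SystemPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Accounts hidden from the sign-in screen: a DWORD named after the account with value 0.
# Reports whether each entry still exists locally, is enabled, and sits in Administrators.
function Get-HiddenLogonAccount {
    if (-not (Test-Path $UserListKey)) { return @() }
    $item   = Get-Item $UserListKey
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($name in $item.GetValueNames()) {
        $local   = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        $enabled = if ($local) { $local.Enabled } else { $null }
        [pscustomobject]@{
            Account = $name
            Hidden  = ($item.GetValue($name) -eq 0)
            Exists  = [bool]$local
            Enabled = $enabled
            IsAdmin = [bool]($admins | Where-Object { $_.Name -like "*\$name" })
        }
    }
}

# The 2026-06-05 fix: delete the hide value; the account reappears after sign-out/reboot.
function Remove-LogonAccountHide {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Account)
    if ($PSCmdlet.ShouldProcess("$UserListKey\$Account", 'Remove sign-in screen hide value')) {
        Remove-ItemProperty -Path $UserListKey -Name $Account -ErrorAction Stop
    }
}

# "Interactive logon: Machine inactivity limit" lands in InactivityTimeoutSecs once the GPO applies;
# 0 or absent means the workstation never forces a lock on idle.
function Test-IdleLockCompliant {
    param([int]$MaxSeconds = 600)
    $v = (Get-ItemProperty -Path $SystemPolicyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{
        InactivityTimeoutSecs = $v
        Compliant             = ($null -ne $v -and $v -gt 0 -and $v -le $MaxSeconds)
    }
}

# Usage: report, then remediate a specific account with a dry run first.
Get-HiddenLogonAccount | Format-Table -AutoSize
Test-IdleLockCompliant
# Remove-LogonAccountHide -Account 'localadmin' -WhatIf
```

Run `Test-IdleLockCompliant` again after `gpupdate /force` once the auto-lock GPO is linked to NURSESTATION-PC's OU; until the value is present and non-zero the HIPAA item stays open regardless of what the GPO editor shows.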
Compilation Notes
Session logs read: 25 root session logs + client-specific logs in clients/cascades-tucson/session-logs/ + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-05.
Client folder: clients/cascades-tucson/ (NOT clients/cascades/ — that directory does not exist).
Open items flagged as unverified:
- Hour balance — always live-check; treat cached counts as approximate (15.75 hrs derived from session log; not a live Syncro pull)
- Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed
- Audit retention infra — approved 2026-04-29, not yet built
- dunedolly21@gmail.com guest invite — confirm with Lauren
- Windows MDM auto-enroll scope — confirm in portal (Entra → Devices → Mobility → Microsoft Intune → MDM user scope)
- #32381 / #32382 ticket details (Tamra scanner, Megan file access) — referenced in 2026-06-04 session log reference table only; full ticket details not documented in session logs
- Chris Knight bill.com/BOK Financial vendor-side address updates — resolved externally but no confirmation of actual update on vendor side
Resolved since last compile:
- New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active)
- DMARC — confirmed upgraded to p=quarantine;pct=100
- ALIS AADSTS65001 sign-in failures — resolved 2026-06-03 by granting admin consent
- BOK Financial email delivery for Chris Knight — resolved 2026-06-04 by correcting email in BOK portal (bill.com side still requires support call); no tenant config changes needed
Backlinks
- projects/gururmm — RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled