Files
claudetools/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md
Howard Enos ed620af3fc sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-18 10:17:42
2026-04-18 10:17:45 -07:00

90 lines
5.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Staff Entra P2 Candidates — Cascades
**Status:** Documentation only — no license purchase or policy activation yet. Awaiting full list from John Trozzi.
**Last updated:** 2026-04-18 (Howard)
**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout.
## Why this list is separate
Two different problems both use P2 features, and conflating them makes the license math fuzzy:
- **Caregiver rollout** (covered elsewhere): ~39 hourly staff, shared Android phones, goal is location-locked mobile access during shifts.
- **This list** — office staff whose risk is:
- Receives / sends PHI (new resident intake forms, doctor-supplied medical info)
- Works from home or checks email on a personal phone, which is where we need either Conditional Access compliance enforcement or just a targeted location restriction
- Or — should be restricted to in-building sign-in only
The Conditional Access policies will likely differ between the two groups (office staff need "work from home or from trusted device with compliance", caregivers need strict "on-prem network + managed shared phone only"), so tracking them separately keeps the policy design clean.
## Criteria (from Howard → leadership email, 2026-04-16)
A staff member needs P2 if they match one or more:
1. Signs in on a phone or tablet at Cascades (skip-MFA-in-building story)
2. Should only sign in from the building (enforce location restriction)
3. Handles sensitive / medical information via email (PHI — need to enforce encryption + DLP policies that P2-tier features back)
## Candidates confirmed so far
### From Crystal Rodriguez (2026-04-16 reply)
| Name | Role | Reason P2 is needed | Notes |
|---|---|---|---|
| Megan Hiatt | Sales Director | Handles new-resident intake forms (PHI from doctors); works from home; email on personal cell | Already a protected user for anti-impersonation |
| Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user |
| Tamra Matthews | Move-In Coordinator | Same — intake forms | **Leaving in June 2026** — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |
### Awaiting from John Trozzi
Per his 2026-04-17 email: "I will gather this information for you tomorrow." Expected additions likely include:
- Meredith Kuhn (Executive Director — CEO-equivalent, highest impersonation / PHI risk)
- Ashley Jensen (Assistant Executive Director)
- John Trozzi himself (Facilities/Maintenance Director — judgment call on PHI exposure)
- Lois Lane (Health Services Director — clinical data)
- Karen Rossini (Health Services Manager — clinical data)
- Britney Thompson (Memory Care Nurse — clinical data)
- Shelby Trozzi (Memory Care Director — clinical data)
- Christina DuPras (Resident Services Director)
- Christine Nyanzunda (Memory Care Admin Assistant)
- Susan Hicks (Life Enrichment Director — activity records may include PHI-adjacent data)
- Sharon Edwards (Life Enrichment Assistant)
Don't presume — wait for John's actual reply before buying licenses.
## Decision still open (from Howard's 2026-04-16 email to leadership)
> "Do you want all staff restricted to signing in only from the building, or just certain roles/users (like front desk, kitchen, clinical)?"
No answer yet. This decision directly changes the license count and the CA policy design:
- If **all staff restricted to building-only** → every AD-synced user needs P2 and a matching CA policy. Larger spend.
- If **only some restricted** → P2 only for those users; cheaper, but requires ongoing judgment on who gets which policy.
## Intersection with other rollouts
- **Anti-impersonation protection** (`docs/cloud/m365-impersonation-protection.md`) — same top-tier users are the protected users there. Keep the lists in sync.
- **Business Premium upgrade** (`docs/proposals/m365-premium-upgrade.md`) — Business Premium bundles P2-equivalent CA features, so if we go Premium tenant-wide, standalone P2 purchases go away. Default recommendation: **bundle everything into Business Premium**, only buy standalone P2 if budget forces staying on Business Standard for some users.
- **Caregiver rollout** (`docs/cloud/caregiver-m365-p2-rollout.md`) — ~39 additional licenses. Combined target ~61 Premium licenses for the whole org.
## Rough license math (staff side only)
| Scenario | Qty | Notes |
|---|---|---|
| Confirmed today (Crystal, Megan, Tamra-through-June) | 3 | Crystal's reply |
| Likely additions from John + Meredith (guessed) | ~58 | Wait for actual reply |
| All staff (if "restrict everyone" decision) | ~23 | Equals the full post-cleanup licensed-user count from `docs/cloud/m365.md` |
## Action items
- [ ] Follow up with John Trozzi on the gathering — he owes us the list
- [ ] Push Meredith for the "restrict everyone or just some" decision
- [ ] When list is final, decide: standalone P2 add-on OR move those users to Business Premium OR move the whole tenant to Business Premium (recommended)
- [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy
- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026)
## Related docs
- `docs/cloud/m365.md`
- `docs/cloud/m365-impersonation-protection.md`
- `docs/cloud/caregiver-m365-p2-rollout.md`
- `docs/proposals/m365-premium-upgrade.md`
- `docs/security/hipaa.md`