Delta Crown is the pilot for a reusable Microsoft 365 brand platform.

Each brand gets its own workspace. Corporate keeps visibility. MSP support gets a clearer operating model.

Microsoft 365: tenant foundation
Entra ID: dynamic access
SharePoint: brand hubs and docs
Teams: operations workspace
Security: DLP and least privilege

Status: pilot live · operational closure underway · expansion not yet sponsored

The architecture is live. The next work is ownership, verification, metadata hygiene, and MSP handoff — the things that make a successful build durable after launch.

Current Status

Live as a pilot. Not yet a portfolio rollout.

Delta Crown's Microsoft 365 foundation is in place. Expanding this pattern to other brands should be treated as a sponsored business decision after owner model, MSP handoff, and operational verification are accepted.

Live: Microsoft 365 foundation

SharePoint hub/spoke, Teams workspace, DLP baseline, email trust, and dynamic-access design are in place for Delta Crown.

Blocked: operational verification

Teams read verification, named owners, metadata hygiene, and app provisioning need closure before this is steady state.

Decision needed: pilot or platform?

Leadership needs to decide whether this remains a Delta Crown cleanup or becomes the reusable brand-platform pattern for HTT.

Next move: stabilize before expanding

Confirm owners, MSP runbooks, support boundaries, and verification evidence before rolling this pattern to other brands.

Why This Matters

One Microsoft platform. Every brand at home. Connected securely. Separated cleanly.

Today, every brand fights for the same shared folders, the same permissions, and the same inboxes. We're rebuilding that as a brand platform — where each brand could have its own digital home, leadership could see from the top down, and the frontline could be heard from the bottom up. Delta Crown is piloting the model. Extending the same pattern to Bishops, Frenchies, HTT corporate, and TLL is a separate decision for HTT leadership to sponsor.

What we're solving

No more shared-folder chaos

One library, every brand, broken permissions. Today's setup makes data sprawl easy and accountability hard.

What we're building

A repeatable brand home

Each brand gets its own hub, its own Teams, its own document libraries — built from one secure pattern that copies cleanly.

What leadership gets

Visibility without leakage

Corporate sees across brands when it needs to. Brands stay private from each other by default. Information flows by design, not accident.

What it costs

$0 in new licenses

Built entirely on the Microsoft 365 Business Premium subscriptions already in place. The cost is process, not software.

The Brand Family

What Delta Crown becomes is what every brand can have.

One pattern, designed to be reusable. Each brand could keep its own people, its own data, and its own walls. Corporate could keep the visibility it needs. Nothing leaks sideways. Delta Crown is the live pilot — extending the same picture to other brands under HTT would be a sponsor-approved decision, not an automatic rollout.

Corporate Hub (HTT Brands): shared services for the family. HR · IT · Finance · Legal. Leadership read-up. Hub-to-hub linking.

Delta Crown (live pilot): first brand on the platform. Identity + dynamic groups. SharePoint hub + spokes. Teams workspace. DLP + brand isolation.

Pattern-ready brands (the next chapters): Bishops, Frenchies, TLL. Same playbook, awaiting sponsorship. Each would get brand identity rules, a brand hub, and brand Teams.

The connecting layer

Each brand is its own room. The corporate hub is the hallway. Leadership walks the hallway, reads the room, and sees the right view for their role. Teams in different brands stay private from each other unless an approved cross-brand space is created. No more shared folders pretending to be a security model.

How Information Moves

Information flows in both directions on purpose.

Leadership doesn't have to chase status updates. The frontline doesn't have to email spreadsheets uphill. The same identity, the same workspaces, and the same data show up to each role through the right lens — top-down for direction, bottom-up for reality.

Top-down: from leadership to the frontline

1. Standards set at the top: brand voice, policies, security posture, finance rules, training expectations.
2. Cascaded to brand managers: each brand hub publishes the standards into a workspace its people actually use.
3. Surfaced inside daily tools: Teams channels, SharePoint pages, and shared mailboxes carry the same source of truth.
4. Reaches the frontline consistently: stylists, operators, and partners see one approved version, not three forwarded PDFs.

Bottom-up: from frontline reality to leadership

1. Activity captured where it happens: bookings, support tickets, content posts, and ops checklists land in shared workspaces.
2. Rolled into team views: lists, dashboards, and shared docs aggregate by team, with no manual rekeying.
3. Surfaced at the brand level: each brand hub gives managers a clear performance and operations picture.
4. Visible to corporate leadership: cross-brand views give directors the comparison they need to lead, without owning every spreadsheet.

Same data. Different views by role. The frontline sees their work. Brand managers see their brand. Corporate sees the portfolio. Nobody emails a spreadsheet around like a sad relay race.

Target Day-One Experience

What onboarding becomes when the operating model is finished.

The goal is not a prettier first-day PDF. The goal is one identity, one workspace, role-based access, and a runbook the MSP can execute without guessing.

  1. One invitation arrives: name, brand, role, and sign-in link in one place.
  2. Identity and MFA happen once: Microsoft authentication becomes the front door.
  3. Brand workspace appears: Teams and SharePoint are already aligned to the user.
  4. Tools follow the role: groups provision access instead of ticket archaeology.
  5. Work starts without access-chasing: IT is the backstop, not the bottleneck.

Current gap: metadata hygiene, app provisioning, named owners, Teams-readable verification, and MSP runbooks still need closure before this is fully real.

Current-State Evidence

The old model depends on perfect manual permissions. Cute theory. Bad control.

The HTT Headquarters SharePoint site keeps every brand's documents in one Shared Documents library. The audit shows why Delta Crown should be built cleanly instead of copying that pattern forward.

41 members in scope
17 top-level folders
16 folders with broken inheritance
0 DLP policies at audit time
Operational implication

Brand separation cannot depend on folder hygiene.

Manual permissions drift, inherited access surprises people, and nobody wants to explain to leadership why “shared documents” became the security boundary. That's not governance; that's vibes with ACLs.

Recommended action

Build Delta Crown cleanly; do not migrate HTTHQ wholesale.

Use DCE as the clean operating pilot. Remediate or replace legacy HTTHQ content later with a separate owner-approved plan.

Audited folder examples

httbrands.sharepoint.com/sites/HTTHQ, Shared Documents library (top-level folder · permission entries · inheritance state)

C Suite · 8 perms · broken
Exec Leadership · 11 perms · broken
Brand Leads · 18 perms · broken
Employee Resources · 11 perms · broken
Finance · 11 perms · broken
Fran Dev · 50 perms · broken
IT-Technology · 17 perms · broken
Legal · 13 perms · broken
Master BCC · 41 perms · broken
Master DCE · ? perms · broken
Master FMN · 39 perms · broken
Master TLL · 52 perms · broken
Product · 6 perms · inheriting
Real Estate · 7 perms · broken
Education · ? perms · broken
Vendors · ? perms · broken
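The folder audit summarised above can be reproduced with PnP PowerShell. The block below is an added example, not one of the project's own scripts: the site URL is the one shown on this page, while the library URL "Shared Documents", the CSV path, and the split between SharePoint-group grants and direct user grants are assumptions.

```powershell
# Added example, not a Delta Crown project script.
# Enumerates the top-level folders of the HTTHQ Shared Documents library and
# records, per folder, whether inheritance is broken and how many principals
# hold access. Requires PnP.PowerShell; recent versions need an app
# registration for -Interactive (pass -ClientId if your tenant requires it).
Connect-PnPOnline -Url "https://httbrands.sharepoint.com/sites/HTTHQ" -Interactive

$libraryRelativeUrl = "Shared Documents"   # assumption: default library URL

$report = foreach ($folder in Get-PnPFolderItem -FolderSiteRelativeUrl $libraryRelativeUrl -ItemType Folder) {
    # Permissions live on the list item behind the folder, not on the Folder object.
    $item = Get-PnPProperty -ClientObject $folder -Property ListItemAllFields
    $null = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments, RoleAssignments

    # Expand every role assignment: who it is, what kind of principal, which roles.
    $grants = foreach ($ra in $item.RoleAssignments) {
        $null = Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings
        [pscustomobject]@{
            Principal = $ra.Member.Title
            Kind      = $ra.Member.PrincipalType      # User, SharePointGroup, SecurityGroup, ...
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
        }
    }

    [pscustomobject]@{
        Folder           = $folder.Name
        PermissionCount  = $item.RoleAssignments.Count
        Inheritance      = if ($item.HasUniqueRoleAssignments) { "broken" } else { "inheriting" }
        # Access granted straight to a user, outside any group, is the drift this
        # page warns about: it survives role changes and nobody reviews it.
        DirectUserGrants = @($grants | Where-Object { $_.Kind -eq "User" }).Count
        Grants           = $grants
    }
}

$report | Sort-Object PermissionCount -Descending |
    Format-Table Folder, PermissionCount, Inheritance, DirectUserGrants -AutoSize

"{0} of {1} top-level folders break inheritance" -f `
    @($report | Where-Object { $_.Inheritance -eq "broken" }).Count, @($report).Count

# Flatten the per-principal detail into the audit file (assumed path). User and
# permission data is sensitive: keep the CSV with the internal audit outputs.
$report | ForEach-Object {
    $f = $_.Folder
    $_.Grants | Select-Object @{ n = "Folder"; e = { $f } }, Principal, Kind, Roles
} | Export-Csv -Path ".\HTTHQ-SharedDocuments-permissions.csv" -NoTypeInformation
```

The DirectUserGrants column is the number worth watching: a folder that breaks inheritance but grants only to SharePoint groups is at least reviewable, whereas per-user grants on a folder are exactly the "vibes with ACLs" state described above.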

Decision Queue

The decisions that make the build durable.

These are the choices that determine whether Delta Crown becomes a stable operating model or just a successful build artifact.

01 Steady-state owner: Who owns the platform after project close, and who handles drift when users, groups, or sites stop matching the model?

02 MSP acceptance: What will Sui Generis support, monitor, execute, and escalate once the new-user runbook is handed over?

03 Brand IA model: Should Brand Resources and Brand Assets be separated before the pattern is reused elsewhere?

04 Verification blocker: Who provides the Teams-licensed readable context needed to complete channel and membership validation?

05 Expansion sponsorship: Should Bishops, Frenchies, TLL, or HTT receive this same pattern, and who sponsors the rollout?

The Architecture

Hub & Spoke.
One Tenant. Brand Isolation.

Every brand gets its own hub with dedicated sites, Teams workspace, security groups, and DLP policies — all on the same M365 Business Premium tenant at zero additional cost.

01 Microsoft 365 tenant: one Business Premium foundation for identity, collaboration, content, and protection.

02 Entra ID: user metadata becomes dynamic security groups: AllStaff, Managers, Stylists, Marketing.

03 SharePoint hubs: Delta Crown gets a branded front door, isolated docs, scoped search, and operational sites.

04 Teams collaboration: group-backed workspace for daily ops; channel layout still gets final verification.

05 Security + DLP: no cross-brand sprawl, no anonymous sharing, no mystery inherited permissions.

M365 Tenant: deltacrown (Business Premium)
  Corporate Shared Services Hub
    Corp-HR team site
    Corp-IT team site
    Corp-Finance team site
    Corp-Training team site
  (hub-to-hub link)
  Delta Crown Hub
    Operations team site + Teams
    Brand Resources resource site
    Marketing communication site
    Docs team site
    Dynamic security groups: AllStaff, Leadership, Marketing
  Bishops Hub, Frenchies Hub, TLL Hub, HTT Hub: if sponsored

Operations

Connected to Teams — the daily workspace

📋 Bookings List 📋 Staff Schedule 📋 Task Board 📋 Inventory Tracker 📋 Team Calendar 📁 Operations Documents

Brand Resources

Mapped Master DCE resources, shortcuts, and controlled reference folders

📁 Strategy 📁 Financials & Proforma 📁 Product 📁 Franchise Resources

Marketing

Brand assets, campaigns, and marketing calendar

📋 Marketing Calendar 📋 Brand Asset Registry 📁 Campaign Materials 📁 Brand Guidelines

Docs

Policies, SOPs, training, and strategy

📁 Policies & Procedures 📁 Standard Operating Procedures 📁 Training Materials 📁 Strategy (Leadership only)

Teams / collaboration workspace: Delta Crown Operations

Microsoft 365 group exists: dce-operations-team@deltacrown.com, 6 members. Channels need verification.

Graph proved the group and membership. Verify the actual Teams channel layout before promising specific channels.

Microsoft architecture audited so far

Identity labels drive groups.
Groups drive access. Evidence closes the loop.

The current Delta Crown model is built on the Microsoft 365 Business Premium tenant deltacrown, with Entra ID, SharePoint hub/spoke sites, Teams collaboration, Exchange Online, and compliance controls tied together by repeatable identity data — not one-off manual permissions.

Microsoft 365 Business Premium

Tenant foundation: deltacrown. The audited platform model runs on the subscriptions already in place, so the license impact stays at $0 in additional license cost.

Entra ID

Identity attributes become dynamic groups. Current prefix-free groups are AllStaff, Managers, Stylists, External, and Marketing.

SharePoint hubs + spokes

Corp shared-services hub and Delta Crown brand hub with spoke sites for operations, marketing, docs/training, and restricted resource lanes.

Teams workspace

Delta Crown Operations is the collaboration workspace. Group and membership are documented; channel layout still needs end-to-end verification.

Exchange Online

Shared mailboxes: operations@, bookings@, and info@. Dynamic distribution groups (DDGs): allstaff@, managers@, and stylists@. Exchange activation requires at least one licensed mailbox user.

Security, DLP + compliance

DLP policies, disabled external sharing, guest-off posture, and anonymous-link controls are documented. Full end-to-end testing remains pending before launch.

1. Identity facts

companyName, department, title, location, employee type, and extension attributes describe who the person is.

Current evidence: 89 users in the tenant; only 6 land in AllStaff today because identity metadata is incomplete for the rest.

2. Entra groups

Dynamic groups translate clean labels into access boundaries: baseline, role, location, pilot, and future functional groups.

Confirmed: AllStaff, Managers, Marketing, Stylists, External. Planned: DCE-* and DCE-Loc-* groups.

3. Resources light up

SharePoint hubs, Teams, Exchange shared mailboxes, apps, and compliance controls inherit access from groups.

Teams channel detail still needs verification by a Teams-licensed reader.

Lifecycle flow: onboard cleanly, operate safely, offboard completely

  1. Intake: collect role, department, title, primary location, owned locations, profile, and internal/external/pilot status.
  2. Label: normalize identity values before access is considered complete. The attribute set is the control panel.
  3. Resolve groups: let Entra resolve baseline, role, location, and pilot groups. Direct assignment is an exception, not the model.
  4. Grant resources: SharePoint, Teams, shared mailbox, and app access follow groups instead of manual one-off permissions.
  5. Offboard: disable or de-scope identity, remove groups/licenses/delegation, verify access denial, and retain/archive content as approved.

Onboarding pattern

  • Collect role, department, title, primary location, owned locations, profile, and internal/external/pilot status.
  • Normalize values before access is considered complete. No "Mgr", "manager", and "Boss Wizard" taxonomy chaos.
  • Sync or create the user, then apply identity labels.
  • Wait for dynamic groups to resolve. Membership evaluation is asynchronous, so allow for lag before treating a missing group as a failure.
  • Test SharePoint hub/site access, Teams/team/channel access, mailbox visibility where relevant, and app access where relevant.
  • Capture direct-assignment exceptions as technical debt.
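The onboarding pattern above as a script, so that the "normalize, label, wait, test" steps are something the MSP can run rather than interpret. This is an added example and not the project's runbook: the attribute names, group names and the sample user come from this page; the allowed-value maps, the function names, the extensionAttribute1 convention and the 15-minute timeout are assumptions.

```powershell
# Added example, not the Delta Crown runbook. Walks the onboarding pattern above:
# normalise the intake values, write them as identity labels, wait for Entra to
# resolve the dynamic groups, and report what did not resolve instead of
# hand-adding the user. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.Read.All"

# Step 2 (Label): the only values the dynamic rules should ever see (assumed maps).
$TitleMap = @{ "mgr" = "Manager"; "manager" = "Manager"; "owner" = "Owner"; "stylist" = "Stylist" }
$DeptMap  = @{ "ops" = "Operations"; "operations" = "Operations"; "mktg" = "Marketing"; "marketing" = "Marketing" }

function ConvertTo-DceLabel {
    param([string]$Value, [hashtable]$Map)
    $key = $Value.Trim().ToLowerInvariant()
    # An unmapped value stops onboarding: fix the intake record, do not guess.
    if (-not $Map.ContainsKey($key)) { throw "Unmapped intake value '$Value'" }
    $Map[$key]
}

function Set-DceIdentityLabels {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$JobTitle,
        [Parameter(Mandatory)][string]$Department,
        [string]$Function = "Operations"    # lands in extensionAttribute1 for the DCE-* groups
    )
    $labels = @{
        CompanyName = "Delta Crown Extensions"   # the baseline rule keys on this value
        JobTitle    = ConvertTo-DceLabel $JobTitle $TitleMap
        Department  = ConvertTo-DceLabel $Department $DeptMap
        # Writable through Graph for cloud-only users; synced users get this from AD.
        OnPremisesExtensionAttributes = @{ extensionAttribute1 = $Function }
    }
    Update-MgUser -UserId $UserPrincipalName @labels
    [pscustomobject]$labels
}

# Step 4 (Resolve groups): poll rather than assume. Dynamic membership is
# evaluated asynchronously and can lag for minutes after an attribute write.
function Wait-DceGroupMembership {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string[]]$ExpectedGroups,
        [int]$TimeoutMinutes = 15
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $actual  = @(Get-MgUserMemberOf -UserId $UserPrincipalName -All |
                     ForEach-Object { $_.AdditionalProperties.displayName })
        $missing = @($ExpectedGroups | Where-Object { $_ -notin $actual })
        if ($missing.Count -eq 0) {
            return [pscustomobject]@{ Resolved = $true; Missing = @(); Groups = $actual }
        }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    # Step 6: a timeout is recorded as evidence of a metadata or rule gap, not
    # fixed by a direct assignment.
    [pscustomobject]@{ Resolved = $false; Missing = $missing; Groups = $actual }
}

# Usage with a constructed new hire (the name is the page's own sample user).
$upn = "sarah.miller@deltacrown.com"
Set-DceIdentityLabels -UserPrincipalName $upn -JobTitle "mgr" -Department "ops"
$result = Wait-DceGroupMembership -UserPrincipalName $upn -ExpectedGroups "AllStaff", "Managers", "DCE-Operations"
if (-not $result.Resolved) {
    Write-Warning ("Dynamic groups did not resolve for {0}: {1}" -f $upn, ($result.Missing -join ", "))
}
```

The throw in ConvertTo-DceLabel is deliberate: a title that is not in the map is an intake defect, and letting it through is how "Mgr" and "manager" end up as two different groups.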

Groups: confirmed vs target taxonomy

Baseline
AllStaff is confirmed and resolves to 6 users today. Managers, Marketing, Stylists, and External are confirmed but currently empty because metadata is incomplete.
Functional
Target groups: DCE-Operations, DCE-ClientServices, DCE-Marketing, DCE-Leadership, DCE-Stylists. These should be driven by extensionAttribute1.
Location + pilot
Target groups: DCE-Loc-*, DCE-Location-Owners, and DCE-CrossTenant-Pilot. Use these only where access truly differs. Decorative groups are access glitter, and access glitter is evil.
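The confirmed and target taxonomy above, written as Entra dynamic membership rules and created through Microsoft Graph PowerShell. This is an added example rather than the project's Phase 2 group script: the group names and the attributes they key on (companyName, jobTitle, department, extensionAttribute1) are from this page; the exact rule expressions, the employeeType convention used for External, and the single sample location group are assumptions.

```powershell
# Added example, not the project's Phase 2 group script. Creates (or re-asserts)
# the dynamic groups from the taxonomy above and then reports which rules
# actually resolve. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$brand = '(user.companyName -eq "Delta Crown Extensions")'

$rules = [ordered]@{
    # Baseline: every enabled Delta Crown account, and nothing else. Tying it to
    # accountEnabled means a disabled (offboarded) user drops out by itself.
    "AllStaff"       = "$brand and (user.accountEnabled -eq true)"
    # Role groups key on the normalised jobTitle / department values.
    "Managers"       = "$brand and " + '(user.jobTitle -in ["Manager","Owner"])'
    "Stylists"       = "$brand and " + '(user.jobTitle -eq "Stylist")'
    "Marketing"      = "$brand and " + '(user.department -eq "Marketing")'
    "External"       = "$brand and " + '(user.employeeType -eq "External")'   # assumed convention
    # Functional lanes are driven by extensionAttribute1, as the target taxonomy says.
    "DCE-Operations" = "$brand and " + '(user.extensionAttribute1 -eq "Operations")'
    "DCE-Leadership" = "$brand and " + '(user.extensionAttribute1 -eq "Leadership")'
    # One location group, only because its access differs; keyed on a single
    # attribute so a move is an attribute change, not a membership edit.
    "DCE-Loc-Main"   = "$brand and " + '(user.city -eq "Main")'
}

function Set-DceDynamicGroup {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Rule)
    $existing = Get-MgGroup -Filter "displayName eq '$Name'"
    if ($existing) {
        # Idempotent: re-running only re-asserts the rule and keeps processing on.
        Update-MgGroup -GroupId $existing.Id -MembershipRule $Rule -MembershipRuleProcessingState "On"
        return $existing
    }
    New-MgGroup -DisplayName $Name `
                -MailNickname (($Name -replace '[^A-Za-z0-9]', '').ToLowerInvariant()) `
                -MailEnabled:$false -SecurityEnabled `
                -GroupTypes @("DynamicMembership") `
                -MembershipRule $Rule -MembershipRuleProcessingState "On"
}

foreach ($name in $rules.Keys) { $null = Set-DceDynamicGroup -Name $name -Rule $rules[$name] }

# Evidence: which rules actually resolve. An empty role group next to a
# populated AllStaff means the metadata, not the rule, is the problem.
foreach ($name in $rules.Keys) {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    "{0,-16} {1,3} members" -f $name, @(Get-MgGroupMember -GroupId $g.Id -All).Count
}

# The users blocking those role groups: in scope by company, but unlabelled.
Get-MgUser -Filter "companyName eq 'Delta Crown Extensions'" -All `
           -Property "userPrincipalName,jobTitle,department" |
    Where-Object { -not $_.JobTitle -or -not $_.Department } |
    Select-Object UserPrincipalName, JobTitle, Department
```

Every rule starts with the companyName clause on purpose: it is the brand boundary, and a role or location rule without it would pull in users from any other brand that happens to share the tenant and the same jobTitle value.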

Audit, compliance, and launch touchpoints

DLP policies documented: DCE data protection, Corp data protection, and external-sharing block. External sharing disabled, guest access off, and anonymous link controls documented. E2E testing pending for sites, navigation, permissions, Exchange, DLP, and onboarding. No HTTHQ document migration is part of the active rollout. Temporary provisioning app registrations are reviewed and removed as part of go-live cleanup; owner confirmation is tracked separately.
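The documented posture above read back from the tenant as a pass/fail check, which is the form the pending end-to-end test needs. This is an added example and not the project's verification suite: the expected values follow this page (external sharing disabled, guests off, no anonymous links, the three DLP policies enabled); the admin URL, the DLP policy names as typed here, and the particular tenant properties checked are assumptions.

```powershell
# Added example, not the project's verification suite. Reads the documented
# sharing, guest and DLP posture back from the tenant and prints PASS/FAIL.
# Modules: Microsoft.Online.SharePoint.PowerShell, Microsoft.Graph,
# ExchangeOnlineManagement (for the Security & Compliance session).
Connect-SPOService -Url "https://deltacrown-admin.sharepoint.com"   # assumed admin URL
Connect-MgGraph -Scopes "Policy.Read.All"
Connect-IPPSSession    # Security & Compliance endpoint, where DLP policies live

$tenant = Get-SPOTenant
$authz  = Get-MgPolicyAuthorizationPolicy

$checks = @(
    @{ Name = "Tenant external sharing disabled";        Pass = ($tenant.SharingCapability -eq "Disabled") }
    @{ Name = "Default sharing link is not anonymous";    Pass = ($tenant.DefaultSharingLinkType -ne "AnonymousAccess") }
    @{ Name = "'Everyone' / 'All Users' claims hidden";   Pass = (-not $tenant.ShowEveryoneClaim -and -not $tenant.ShowAllUsersClaim) }
    @{ Name = "'Everyone except external users' hidden";  Pass = (-not $tenant.ShowEveryoneExceptExternalUsersClaim) }
    @{ Name = "Guest invitations off (AllowInvitesFrom)"; Pass = ($authz.AllowInvitesFrom -eq "none") }
)

# The tenant setting caps every site, but a site's own setting persists and
# takes effect the moment the tenant is relaxed: list any that are not Disabled.
$openSites = @(Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne "Disabled" })
$checks += @{ Name = "Every site has external sharing disabled"; Pass = ($openSites.Count -eq 0) }

# The DLP policies the page documents must exist and be enforcing, not in test mode.
$dlp = Get-DlpCompliancePolicy
foreach ($name in "DCE data protection", "Corp data protection", "External-sharing block") {   # assumed exact names
    $policy = $dlp | Where-Object { $_.Name -eq $name }
    $checks += @{ Name = "DLP policy '$name' enabled"; Pass = [bool]($policy -and $policy.Mode -eq "Enable") }
}

foreach ($c in $checks) { "{0}  {1}" -f ($(if ($c.Pass) { "PASS" } else { "FAIL" })), $c.Name }
if ($openSites.Count) { $openSites | Select-Object Url, SharingCapability | Format-Table -AutoSize }
```

The per-site check is the one that catches regressions: a tenant-level "Disabled" looks complete in the admin center while individual sites keep a looser value that silently comes back if the tenant setting is ever opened for a cross-brand pilot.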

Offboarding / deprovisioning control

Checklist now documented. The canonical flow is disable or de-scope identity, remove group/license/delegation access, verify denial, and retain/archive content by owner direction.

  • Identity owner blocks sign-in, revokes sessions, clears lifecycle attributes, and removes static pilot exceptions.
  • Resource owners validate SharePoint, Teams, Exchange, app, and license cleanup.
  • Mail owners remove shared mailbox Full Access and Send As where no longer approved.
  • Compliance/content owners decide retention, archive, hold, or transfer before anything destructive happens.
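The canonical offboarding flow above, executed in order and ending with the denial evidence a resource owner can sign off. This is an added example and not the project's offboarding checklist: the shared mailbox names are from this page; the function name, the Graph scopes, and the choice to leave license removal as a separately approved step are assumptions.

```powershell
# Added example, not the project's offboarding checklist. Runs the canonical
# flow above against one user and returns a verification record.
# Modules: Microsoft.Graph, ExchangeOnlineManagement.
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.ReadWrite.All", "Directory.Read.All"
Connect-ExchangeOnline

function Invoke-DceOffboarding {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string[]]$SharedMailboxes = @("operations@deltacrown.com", "bookings@deltacrown.com", "info@deltacrown.com")
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property "id,accountEnabled"

    # 1. Identity owner: block sign-in, then revoke sessions so existing refresh
    #    tokens die now rather than at the end of their lifetime.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    $null = Revoke-MgUserSignInSession -UserId $user.Id

    # 2. Clear the lifecycle labels. A PATCH with explicit nulls empties the
    #    attributes rather than setting a placeholder; once companyName is gone,
    #    every dynamic rule keyed on it drops the user at the next evaluation.
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)" `
        -Body @{ companyName = $null; jobTitle = $null; department = $null }

    # 3. Static exceptions do not self-clean: remove direct (non-dynamic) group memberships.
    foreach ($m in Get-MgUserMemberOf -UserId $user.Id -All) {
        $p = $m.AdditionalProperties
        if ($p.'@odata.type' -eq '#microsoft.graph.group' -and -not ($p.groupTypes -contains 'DynamicMembership')) {
            Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id -ErrorAction SilentlyContinue
        }
    }

    # 4. Mail owner: Full Access and Send As on the shared mailboxes.
    foreach ($mbx in $SharedMailboxes) {
        Remove-MailboxPermission   -Identity $mbx -User    $UserPrincipalName -AccessRights FullAccess -Confirm:$false -ErrorAction SilentlyContinue
        Remove-RecipientPermission -Identity $mbx -Trustee $UserPrincipalName -AccessRights SendAs     -Confirm:$false -ErrorAction SilentlyContinue
    }

    # 5. Licenses are deliberately not removed here. Dropping the license starts
    #    mailbox deletion, so it waits for the retention/hold decision the
    #    checklist requires (Set-MgUserLicense -RemoveLicenses once approved).

    # 6. Verify denial and return it as evidence.
    $after  = Get-MgUser -UserId $user.Id -Property "accountEnabled"
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object { $_.AdditionalProperties.displayName })
    $mail   = @(foreach ($mbx in $SharedMailboxes) {
        Get-MailboxPermission   -Identity $mbx -User    $UserPrincipalName -ErrorAction SilentlyContinue
        Get-RecipientPermission -Identity $mbx -Trustee $UserPrincipalName -ErrorAction SilentlyContinue
    })
    [pscustomobject]@{
        User                   = $UserPrincipalName
        SignInBlocked          = -not $after.AccountEnabled
        RemainingGroups        = $groups    # dynamic groups may lag; re-check after the next evaluation
        RemainingMailboxGrants = $mail.Count
        CheckedAt              = (Get-Date).ToString("o")
    }
}

# Usage: Invoke-DceOffboarding -UserPrincipalName "sarah.miller@deltacrown.com"
```

The order matters: disabling the account before revoking sessions closes the window in which a still-valid refresh token could mint a new access token, and clearing companyName rather than editing group membership keeps the dynamic groups as the single source of truth for the exit, exactly as they are for the entry.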

Ownership + escalation

Owner logic from the resource map; named individual owners are tracked separately where not yet provided.
Operations / status: Operations lead
Marketing resources: Marketing lead
Strategy / financials: Leadership / Finance
Corporate references: HTT / Delta Crown leadership
Archive / retention: Content owner / compliance
Named owner gaps: pending owner confirmation

Next steps from the audit

1. Normalize user metadata so dynamic groups become trustworthy.
2. Provide licensed Teams-readable context for channel/member verification.
3. Run the approved PnP auth window to export Phase 3 templates.
4. Assign named owners for dynamic groups, offboarding, mailbox delegation, and retention.

Source/evidence reviewed: deployment status, tenant inventory summaries, Exchange inventory, DCE role + location onboarding model, DCE attribute/group/resource matrix, Teams access request, offboarding checklist, Master DCE resource map, and existing page architecture/user-experience content. Detailed evidence remains in local/internal audit outputs where user and permission data is sensitive.

MSP / CSP handoff

MSP responsibilities live in the handoff brief.

Delta Crown's durable operating model depends on a clean seam: HTT owns architecture, Sui Generis executes user/device lifecycle against runbooks, and Pax8 handles CSP licensing. Use the MSP brief for the detailed RACI, acceptance checklist, and Megan-specific operating asks.

HTT owns the design

Identity schema, dynamic-group logic, DLP/security posture, and architectural exceptions.

Sui Generis operates

User metadata, devices, RMM, Conditional Access deployment, break/fix, and lifecycle tasks.

Pax8 bills/licenses

Business Premium covers the platform model with no added license cost for the audited design.

Document Migration Decision

HTTHQ files stay put.
No document migration.

The hub-and-spoke architecture, security hardening, Teams sites, DLP posture, and onboarding work continue. Tyler decided on 2026-04-29 that HTTHQ document copy/migration is out of scope for this rollout.

No file copy

Do not run phase4-migration/scripts/4.3-Document-Migration.ps1 for production cutover.

ADR superseded

ADR-003 is retained as historical planning only and is marked not implemented.

Security remains live

Tenant sharing is locked down and site permissions have been hardened without relying on migrated content.

Cleanup complete: the unused HTT Brands source-migration Entra app was deleted on 2026-04-30.

The User Experience

From one profile field
to a complete workday.

This is the operational payoff: faster onboarding, fewer access mistakes, and a branded workspace that appears because identity data is clean.

Systems this rollout actually uses: Microsoft 365 (tenant + identity platform) · Entra ID (dynamic group rules) · SharePoint (hub, docs, scoped search) · Teams (group-backed workspace) · Security (least-privilege access)
The ops story

One profile update becomes a fully branded workday.

Instead of hand-building access for every new person, Delta Crown sets the right identity facts once. Microsoft 365 handles the routing. The employee just sees the tools they need.

89 tenant users · 5 dynamic groups · 6 Delta staff live

New or updated user: Sarah Miller, companyName = Delta Crown Extensions
→ Entra rule engine: AllStaff, automatic membership, no ticket ping-pong
→ Workday opens the brand workspace: hub, docs, ops resources, scoped search
01 Tell Microsoft who they are

Ops updates a few identity fields: company, job title, department. That is the control panel.

companyName = Delta Crown Extensions · jobTitle = Owner / Stylist / Manager · department = Operations / Marketing

02 Access lands automatically

The person drops into the right groups. No shared passwords. No mystery permissions. No "can someone add me?" circus.

AllStaff · Managers · Stylists · Marketing · External

03 The user sees a clean Delta Crown front door

They land in a branded, scoped experience: not the HTT junk drawer, not every brand's documents, just the Delta Crown operating system.

Hub: Operations · Brand Resources · Docs · Marketing

04 Ops gets control without becoming IT traffic control

Safer onboarding, faster corrections, cleaner audits, and a template that can roll to future brands.

Launch faster · Reduce access mistakes · Keep brand data separated · Scale the playbook

Who sees what?

Access is designed around the work, not around folders people have to beg for.

Everyone at Delta Crown: Hub, Docs, Marketing (read-only)
Owners / leadership: full control, strategy docs, ops oversight
Brand resources: Master DCE map, folder permissions, corporate shortcuts
Not everyone: no tenant-wide "Everyone" access, no inherited junk-drawer permissions, no cross-brand sprawl

What is live now: AllStaff resolves to 6 real Delta Crown users. The Delta Crown Operations group exists with those users.
What needs ops cleanup: fill job titles and departments so Managers, Stylists, and Marketing light up automatically.
What not to overpromise yet: Teams channels still need verification; Graph proved the group, not the channel layout.

Project Progress

What's done.
What's next.

Core SharePoint/Teams security hardening is complete and Exchange Online is live. Document migration is skipped by decision; next steps are cleanup, E2E testing, and launch readiness.

Phase 1: Email Trust (done)

SPF configured
DKIM deployed
DMARC enforced
Brand domain verified
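A check that the Phase 1 email-trust state still holds, read from public DNS rather than from a status page. This is an added example, not one of the Phase 1 scripts: the domain is the one named on this page; the selector names are the Microsoft 365 defaults (selector1, selector2), and the pass criteria (hard-fail SPF, enforcing DMARC with aggregate reporting) are assumptions.

```powershell
# Added example, not one of the Phase 1 scripts. Confirms from public DNS that
# SPF is present and points at Microsoft 365, DKIM is published on both
# Microsoft 365 selectors, and DMARC is at an enforcing policy.
# Resolve-DnsName needs the DnsClient module (Windows).
function Get-DceTxtRecord {
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "TXT" } |
        ForEach-Object { $_.Strings -join "" }    # long records arrive split into 255-byte chunks
}

function Test-DceEmailTrust {
    param([string]$Domain = "deltacrown.com")

    $spf   = Get-DceTxtRecord $Domain          | Where-Object { $_ -like "v=spf1*" }   | Select-Object -First 1
    $dmarc = Get-DceTxtRecord "_dmarc.$Domain" | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1

    # Microsoft 365 DKIM: selector1/selector2 are CNAMEs into the tenant's
    # onmicrosoft.com zone, which is where the v=DKIM1 TXT record actually lives.
    $dkim = foreach ($selector in "selector1", "selector2") {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq "CNAME" } | Select-Object -First 1
        $key   = if ($cname) { Get-DceTxtRecord $cname.NameHost | Where-Object { $_ -like "v=DKIM1*" } }
        [pscustomobject]@{ Selector = $selector; Target = $cname.NameHost; Published = [bool]$key }
    }

    $dmarcPolicy = if ($dmarc -and $dmarc -match "p=(\w+)") { $Matches[1] } else { "missing" }

    [pscustomobject]@{
        Domain          = $Domain
        SpfPresent      = [bool]$spf
        SpfIncludesM365 = [bool]($spf -like "*include:spf.protection.outlook.com*")
        SpfHardFail     = [bool]($spf -like "*-all")      # ~all (softfail) still lets spoofed mail through
        DkimSelectors   = @($dkim | Where-Object { $_.Published }).Count
        DmarcPolicy     = $dmarcPolicy
        DmarcEnforced   = ($dmarcPolicy -in "quarantine", "reject")
        DmarcReporting  = [bool]($dmarc -like "*rua=*")   # without aggregate reports nobody sees failures
    }
}

Test-DceEmailTrust
```

"DMARC enforced" is only true when the policy is quarantine or reject; a p=none record with a rua address is monitoring, not enforcement, and that is the difference this check makes visible.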
Phase 2: Hub Foundation (code done)

Corp Hub script
Hub script
Dynamic groups
Verification suite

Phase 3: Sites & Teams (complete)

4 brand sites deployed
8 document libraries
6 SharePoint lists
Hub associations
Brand theme applied
PnP templates

Phase 4: Document Migration (skipped)

Tyler decision recorded
No HTTHQ files copied
ADR-003 superseded
Unused HTT PnP app deleted
E2E testing
Production launch

Phase 5: Exchange Online (complete)

3 shared mailboxes
3 dynamic distribution groups
deltacrown.com authoritative
Auto-reply copy: owner review

48 Scripts

Phase 2: 17 scripts
Phase 3: 13 scripts
Phase 4: 16 scripts
Shared modules: 2

167 Tests

117 Python architecture tests
50 Pester unit tests
All passing ✓

Security Audited

STRIDE threat analysis (ADR-001, ADR-002)
17 remediations applied
Conditionally approved

How It Works

Two commands.
Everything deploys.

The master orchestrators handle dependency ordering, auth, idempotency, and rollback. Approve 4 browser prompts and walk away.

Phase 2 Master

Corp Hub → Hub → Groups
~45 min

Phase 3 Master

Sites → Teams → Security → DLP
~30 min

Live

Branded hub ready
for users

The Vision

Build once.
Deploy to every brand.

Delta Crown is the template. PnP template capture from the live deployment is in progress, and is designed to enable a ~2-week brand rollout pattern if and when HTT leadership sponsors additional brands.

Delta Crown Extensions Template 1.0 — In Progress
Bishops ~2-week pattern, when sponsored
Frenchies ~2-week pattern, when sponsored
HTT & TLL ~2-week pattern, when sponsored

30-Day Decision Gate

Scale: sponsor the next brand.
Adapt: refine and extend (2 weeks).
Stop: reverse, zero sunk cost.

Ready for Operations.

48 scripts. 50 phase-3 tests. Security hardened. Document migration skipped. The executive operations view is ready for the Delta Brands rollout story.


$0 license cost · 0 GB of docs to copy · 4+ brands unlocked

Delta Crown Extensions — Operational Framework
Secure brand platform without a document-migration detour.