Sui Generis / Megan Myrand

Delta is the template. The runbook makes it real.

This is the MSP-only brief for Delta Crown Extensions. No org-wide billing detours, no cross-tenant archaeology, no “while we're here” swamp monsters. Just what Megan needs to know to operate the deltacrown tenant cleanly.

Current state

What is live in Delta Crown.

Use this as the quick level-set. It is intentionally DCE-specific; the HTT direct-bill, BCC MOSA, Teams Premium, and AppRiver migration threads belong in the org-wide brief, not this page.

Tenant: Active. Microsoft 365 Business Premium; Pax8/CSP clean slate.
Users: 893 disabled. Metadata population remains sparse.
Dynamic groups: 5. Only AllStaff populates today because attributes are missing.
DLP policies: 3. Deployed in TestWithNotifications; enforce flip pending.

SharePoint is live

Corp-Hub, DCE-Hub, and eight spoke sites are provisioned, hardened, and hub-associated. HTTHQ document migration was deliberately skipped and should not be reopened.

Teams exists, audit needs a reader

Delta Crown Operations is live. Channel and membership validation needs a Teams-licensed reviewer identity so we can finish the audit cleanly.

Security baseline is in place

External sharing is restricted, legacy auth is disabled, anonymous resharing is off, and DLP is ready for its enforce-window decision.

Operating seam

Who runs the platform. Who runs the people.

Architecture ownership and managed-services execution are different jobs. Mixing them is how tenants become haunted houses with invoices.

HTT owns architecture

  • Identity attribute schema
  • Dynamic-group design
  • Security baseline and DLP authorship
  • New-user runbook definition

Sui Generis executes

  • User metadata population
  • Device shipping and Atera RMM enrollment
  • Conditional Access deployment
  • Lifecycle tasks once the runbook is handed over

Pax8 carries CSP

  • License purchasing
  • Term alignment and renewals
  • Entra ID P2 blanket posture
  • No DCE Web-Direct cleanup needed

RACI

The ownership table Megan actually needs.

Short, scoped, and operational. If a topic is not needed to run Delta Crown day-to-day, it does not belong here. Revolutionary, apparently.

R = Responsible · A = Accountable · C = Consulted · I = Informed
Domain | HTT / Tyler | Sui Generis / Megan
Identity architecture, attribute schema, dynamic-group design | R / A | C / I
User metadata population: companyName, department, jobTitle, employeeType | C | R / A
Pax8 CSP licensing, renewal alignment, P2 blanket | I | R / A
Conditional Access policy authorship | R / A | C
Conditional Access deployment on DCE | C | R / A
New-user device shipping and Atera RMM enrollment | I | R / A
New-user runbook | R define | A execute
DLP policy authorship and enforce approval | R / A | C
M365 backup posture | C | R? confirm product and recovery scope
Cyber-insurance attestation letter | R collect | A provide

The biggest unblock

The new-user runbook. Megan already offered the right operating motion: “If there's a list of when you create a new user, add to these groups — tell me.” We owe the list.

Until it exists, four of five dynamic groups resolve to zero users and role-based access is architecture-only instead of operations-ready.

What the runbook must contain

  • Role → required attributes
  • Attributes → expected dynamic groups
  • Role → expected license SKU
  • Device type and RMM enrollment expectation
  • Escalation owner when membership does not resolve
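
An added example, not part of the original brief or any HTT or Sui Generis tooling: a preflight that checks one user record against a runbook row and shows why a record with sparse metadata lands only in AllStaff. The role name, the EXAMPLE- groups, the membership rules (including AllStaff matching every enabled account) and the sample users are assumptions made up for illustration.

```python
# The four attributes the RACI table lists for user metadata population.
REQUIRED_ATTRS = ("companyName", "department", "jobTitle", "employeeType")

# Hypothetical runbook row (role -> attributes, groups, SKU). Only the group
# name "AllStaff" and the Business Premium SKU come from the brief.
RUNBOOK = {
    "ops-manager": {
        "attrs": {"department": "Operations", "employeeType": "Employee"},
        "groups": {"AllStaff", "EXAMPLE-Operations", "EXAMPLE-Managers"},
        "sku": "Microsoft 365 Business Premium",
    },
}

# Assumed dynamic-membership rules, written as predicates over user attributes.
GROUP_RULES = {
    "AllStaff": lambda u: u.get("accountEnabled") is True,
    "EXAMPLE-Operations": lambda u: u.get("department") == "Operations",
    "EXAMPLE-Managers": lambda u: "Manager" in (u.get("jobTitle") or ""),
}
ESCALATION_OWNER = "UNASSIGNED (placeholder: group owner not yet named)"


def resolved_groups(user):
    """Groups whose rule matches the user's current attributes."""
    return {name for name, rule in GROUP_RULES.items() if rule(user)}


def preflight(user, role):
    """Compare one user record against the runbook row for its role."""
    row = RUNBOOK[role]
    missing = [a for a in REQUIRED_ATTRS if not user.get(a)]
    mismatched = sorted(k for k, v in row["attrs"].items() if user.get(k) and user[k] != v)
    unresolved = sorted(row["groups"] - resolved_groups(user))
    return {
        "user": user["userPrincipalName"],
        "missing": missing,
        "mismatched": mismatched,
        "unresolved_groups": unresolved,
        "sku_ok": row["sku"] in user.get("licenses", []),
        "escalate_to": ESCALATION_OWNER if unresolved else None,
    }


# Constructed sample records (not real tenant data).
SPARSE = {"userPrincipalName": "a.sample@example.invalid", "accountEnabled": True,
          "licenses": ["Microsoft 365 Business Premium"]}
COMPLETE = dict(SPARSE, userPrincipalName="b.sample@example.invalid",
                companyName="Delta Crown Extensions", department="Operations",
                jobTitle="Operations Manager", employeeType="Employee")
```

Running `preflight(SPARSE, "ops-manager")` reports all four attributes missing and both role groups unresolved, which is the "architecture-only" state described above; the same call on `COMPLETE` comes back clean.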

Asks for Megan

Five decisions. Fifteen minutes. No wandering.

These are the DCE-specific asks. If the conversation starts drifting into HTT billing migration, Teams Premium repurchase, or BCC MOSA cleanup, politely punt to the org-wide brief.

DLP enforce window

Confirm when the three DLP policies can move from TestWithNotifications to Enforce.

Teams-licensed reader

Provide a reviewer-class identity with Teams licensing to finish the channel and membership audit.

Temp app cleanup

Remove or explicitly document DeltaCrown-TeamsProvisioner-TEMP; credentials are expired.

Named group owners

Name the escalation owner for dynamic security groups when membership drifts or fails to resolve.

M365 backup posture

Confirm product, coverage, restore expectations, and whether Sui Generis owns the service.

Attestation letter

Provide cyber-insurance language for EDR, patching, firewall posture, backup, and RMM coverage.

The sentence to land

Delta Crown is the golden-child pattern.

It proves the Microsoft 365 architecture works on a clean tenant. The only thing separating “built” from “repeatable” is operational handoff: attributes, runbook, owners, enforcement window, and audit identity.

“Delta is built, audited, and security-hardened. Hand me the new-user runbook to execute, sign off the DLP enforce flip, give me a Teams-licensed reader for the audit, and DCE is the template every other brand inherits from.”