
Intune Posture Connector Runtime

OP-056 implements the Phase 1 Microsoft Intune / M365 Endpoint Manager posture connector from ADR-0017.

What Works

  • Tenant-scoped Intune connection records.
  • SecretProvider-backed credential references with purpose intune.
  • Sync runs through a Microsoft Graph client abstraction.
  • Redacted posture snapshots for managed devices.
  • integration.intune.sync_completed events for successful and failed syncs.
  • Audit records for connection configuration, sync, denied access, and reads.
  • Read-only Settings console panel for connection and posture status.

Safety Boundaries

  • Posture snapshots carry a reference to the raw Microsoft Graph payload; the payload itself is never returned by the API or rendered in the UI.
  • Device names and user principal names are redacted before API/UI exposure.
  • Secrets are never rendered in API responses, audit payloads, events, logs, or docs examples.
  • Operators and auditors can read posture; only tenant admins and approved service accounts can configure or sync.
  • Phase 1 does not expose Intune device-control actions.
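The following is an added example of how the boundaries above (payload references, device name and UPN redaction, tenant isolation, and operator-versus-admin role separation) can be enforced in code. It is not OP-056's own code. The Graph managedDevice field names (deviceName, userPrincipalName, complianceState, osVersion, isEncrypted) are real; the sample payload is constructed, and the snapshot schema, role names, pseudonym scheme and tenant key handling are assumptions made for the example.

```python
# Added example, not OP-056's own code: redaction and authorization checks for an
# Intune posture snapshot. Snapshot field names, role names and the tenant key
# are assumptions; the Graph managedDevice field names are real.
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample of a Microsoft Graph managedDevice payload (not captured data).
SAMPLE_GRAPH_DEVICE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "deviceName": "LAPTOP-ALICE",
    "userPrincipalName": "alice@contoso.example",
    "complianceState": "compliant",
    "operatingSystem": "Windows",
    "osVersion": "10.0.22631.3447",
    "isEncrypted": True,
    "lastSyncDateTime": "2024-05-01T12:00:00Z",
}

# Posture fields allowed through to the API/UI (assumed schema). Everything else is dropped.
POSTURE_FIELDS = {
    "complianceState": "compliance_state",
    "operatingSystem": "os",
    "osVersion": "os_version",
    "isEncrypted": "disk_encrypted",
    "lastSyncDateTime": "last_sync_at",
}

# Identifying fields that are replaced by a keyed pseudonym and never exposed.
IDENTITY_FIELDS = {"deviceName": "device_token", "userPrincipalName": "user_token"}


def payload_ref(raw: dict) -> str:
    """Stable reference to the raw Graph payload: hash of its canonical JSON form.
    The snapshot carries this reference instead of the payload itself."""
    canonical = json.dumps(raw, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def pseudonym(value: str, tenant_key: bytes) -> str:
    """Keyed one-way token for a device name or UPN. HMAC with a tenant-scoped key
    (assumed to come from the SecretProvider) rather than a bare hash, so a UPN
    cannot be recovered by hashing guessed addresses."""
    return hmac.new(tenant_key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact_device(raw: dict, tenant_key: bytes) -> dict:
    """Build the posture snapshot that is safe to return from the API or render in the UI."""
    snapshot = {"device_id": raw["id"], "raw_payload_ref": payload_ref(raw)}
    for src, dst in POSTURE_FIELDS.items():
        if src in raw:
            snapshot[dst] = raw[src]
    for src, dst in IDENTITY_FIELDS.items():
        if src in raw:
            snapshot[dst] = pseudonym(raw[src], tenant_key)
    return snapshot


def leaks_identity(snapshot: dict, raw: dict) -> bool:
    """Test-style check: no raw identifying value may appear anywhere in the rendered snapshot."""
    rendered = json.dumps(snapshot)
    return any(str(raw[f]) in rendered for f in IDENTITY_FIELDS if f in raw)


# Assumed role names. Operators and auditors read; tenant admins and approved
# service accounts may also configure and sync.
READ_ROLES = {"operator", "auditor", "tenant_admin", "service_account"}
WRITE_ROLES = {"tenant_admin", "service_account"}


@dataclass(frozen=True)
class Principal:
    tenant_id: str
    roles: frozenset


def authorize(principal: Principal, action: str, connection_tenant_id: str) -> bool:
    """Tenant isolation first, then the role check. A False result is what the
    'denied access' audit record would be written for."""
    if principal.tenant_id != connection_tenant_id:
        return False
    if action == "read":
        return bool(principal.roles & READ_ROLES)
    if action in ("configure", "sync"):
        return bool(principal.roles & WRITE_ROLES)
    return False
```

The pseudonyms are keyed per tenant so the same device or user yields the same token across sync runs within a tenant (filters and correlation still work) while a different tenant, or anyone without the key, cannot reproduce or reverse them.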

Validation

  • tests/test_intune_posture_connector.py covers tenant isolation, role enforcement, SecretProvider refs, redaction, sync success/failure, events, audit, and filters.
  • Frontend tests cover the read-only Settings posture panel and confirm raw provider data is not rendered.

Non-Scope

No macOS agent runtime, native iOS/Android agent, tenant consent automation, Intune write/control action, deployment, CI, Terraform, Helm, or AWS change is included.