# Microsoft Entra ID — Adapter Technical Specification
Status: active · Class: modernization · Mission: integration · Phase: phase-1
Canon source: canon/modernization-registry.yaml (propagated by uiao/tools/sync_canon.py).
The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.
This document is a stub. Replace every _TODO — ..._ block with authored content that is consistent with UIAO canon. Canon invariants (gcc-boundary, ssot-mutation: never, etc.) must never be contradicted.
## Overview
The Microsoft Entra ID Adapter is the identity-fabric foundation of the UIAO adapter ecosystem. As an integration-class modernization adapter, it consumes Entra ID (formerly Azure AD) data via the Microsoft Graph API to establish and maintain canonical object identity for every tenant, policy, control, and evidence artifact.
This is the adapter that satisfies the UIAO Adapter Doctrine’s core mandate: “Identity ensures every transaction is certificate-anchored.” All other adapters depend on the identity graph that this adapter produces.
Key capabilities: user/group/service-principal enumeration, conditional access policy assessment, sign-in activity analysis, authentication methods inventory, and directory role mapping. Uses the EntraCollector (real Graph API collector with httpx) for data retrieval.
Implementation: uiao/src/uiao/adapters/entra_adapter.py + collectors/entra/entra_collector.py. Conformance: 30/30 PASS.
## Scope
Target surfaces / subsystems: user-objects, group-objects, service-principals, conditional-access-policies
- Reads: Graph API endpoints for users, groups, service principals, conditional access policies, named locations, directory roles, authentication methods policy, and organization metadata.
- Emits: ClaimSet with identity-rooted claims; EvidenceObject with KSI provenance.
- Does NOT: modify Entra ID configuration, access user credentials or tokens, or process person identity (object identity only, per canon invariant).
## Controls
NIST SP 800-53 Rev 5 controls this adapter supports: CM-8, IA-2, IA-4, AC-2
| Control | Role | Adapter capability |
|---|---|---|
| CM-8 Component Inventory | Primary | Enumerates all identity objects (users, groups, service principals) as canonical claims. |
| IA-2 Identification and Authentication | Primary | Conditional access policy assessment verifies MFA enforcement across the tenant. |
| IA-4 Identifier Management | Primary | Service principal and application registration inventory ensures all identifiers are tracked. |
| AC-2 Account Management | Supporting | User and group enumeration supports account lifecycle verification. |
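The collection and claim-emission pattern described in the Overview and Scope sections, together with the IA-2 conditional access check in the table above, as an added example. This is illustrative code written for this page, not the UIAO adapter's own `EntraCollector` or `entra_adapter.py`; the `fetch` callable, the claim dictionary layout, the `OBJECT_FIELDS` projection and every sample Graph payload are constructed assumptions. It shows three things the spec only states: following `@odata.nextLink` paging read-only, projecting each directory object down to object-identity fields so no person identity (display name, UPN) reaches the claim set, and deciding which conditional access policies actually enforce MFA tenant-wide (state `enabled`, all users, all applications, `mfa` grant control).

```python
"""Added example, not UIAO project code. Read-only Graph collection pattern
with object-identity-only claims and an IA-2 conditional access check.
All payloads below are constructed samples shaped like Graph v1.0 responses."""
from __future__ import annotations

import hashlib
import json
from typing import Callable, Iterable

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumed projection (not from the spec): fields that identify the *object*.
# displayName, mail and userPrincipalName are person identity and are dropped.
OBJECT_FIELDS = {
    "users": ("id", "accountEnabled", "userType"),
    "groups": ("id", "securityEnabled", "groupTypes"),
    "servicePrincipals": ("id", "appId", "accountEnabled", "servicePrincipalType"),
}

# Constructed sample pages keyed by URL; /users spans two pages via @odata.nextLink.
SAMPLE_PAGES = {
    f"{GRAPH}/users": {
        "value": [{"id": "u-0001", "displayName": "Alice Example",
                   "userPrincipalName": "alice@example.test",
                   "accountEnabled": True, "userType": "Member"}],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=page2",
    },
    f"{GRAPH}/users?$skiptoken=page2": {
        "value": [{"id": "u-0002", "displayName": "Bob Example",
                   "userPrincipalName": "bob@example.test",
                   "accountEnabled": False, "userType": "Guest"}],
    },
    f"{GRAPH}/groups": {
        "value": [{"id": "g-0001", "displayName": "Admins",
                   "securityEnabled": True, "groupTypes": []}],
    },
    f"{GRAPH}/servicePrincipals": {
        "value": [{"id": "sp-0001", "appId": "app-0001", "displayName": "CI Runner",
                   "accountEnabled": True, "servicePrincipalType": "Application"}],
    },
    f"{GRAPH}/identity/conditionalAccess/policies": {
        "value": [
            {"id": "ca-0001", "displayName": "Require MFA for all users", "state": "enabled",
             "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                            "applications": {"includeApplications": ["All"]}},
             "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
            # Report-only policy: present in the tenant but not enforced.
            {"id": "ca-0002", "displayName": "Block legacy auth",
             "state": "enabledForReportingButNotEnforced",
             "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                            "applications": {"includeApplications": ["All"]}},
             "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET (the real collector would use httpx)."""
    return SAMPLE_PAGES[url]


def collect_all(fetch: Callable[[str], dict], url: str) -> list[dict]:
    """Follow @odata.nextLink until the collection is exhausted; GET only."""
    items: list[dict] = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def to_claims(kind: str, objects: Iterable[dict]) -> list[dict]:
    """Project each directory object to its object-identity fields only."""
    keep = OBJECT_FIELDS[kind]
    return [{"kind": kind, **{k: o.get(k) for k in keep}} for o in objects]


def mfa_enforced_tenant_wide(policies: Iterable[dict]) -> list[str]:
    """IA-2 check: ids of enforced policies requiring MFA for all users on all apps."""
    hits = []
    for p in policies:
        conds = p.get("conditions", {})
        users, apps = conds.get("users", {}), conds.get("applications", {})
        controls = p.get("grantControls") or {}
        if (p.get("state") == "enabled"
                and users.get("includeUsers") == ["All"]
                and apps.get("includeApplications") == ["All"]
                and "mfa" in controls.get("builtInControls", [])):
            hits.append(p["id"])
    return hits


def evidence_digest(claims: list[dict]) -> str:
    """SHA-256 over canonical JSON of the claims, usable as evidence provenance."""
    canonical = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def run(fetch: Callable[[str], dict] = sample_fetch) -> dict:
    """Collect the three object kinds, assess conditional access, hash the claims."""
    claims: list[dict] = []
    for kind in ("users", "groups", "servicePrincipals"):
        claims += to_claims(kind, collect_all(fetch, f"{GRAPH}/{kind}"))
    policies = collect_all(fetch, f"{GRAPH}/identity/conditionalAccess/policies")
    return {"claims": claims,
            "mfa_policies": mfa_enforced_tenant_wide(policies),
            "digest": evidence_digest(claims)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Swapping `sample_fetch` for a real authenticated GET is the only change needed to run this against a tenant; the projection in `OBJECT_FIELDS` is what keeps person identity out of the emitted claims, and the report-only policy `ca-0002` shows why `state` must be checked rather than mere presence of a policy.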
## Operational profile
| Field | Value |
|---|---|
| Runtime | powershell-7.4 |
| Runtime pin | TBD |
| Runner class | github-hosted |
| Tenancy | per-customer |
| Evidence class | baseline |
| Retention | 3 year(s) |
## Canon invariants
- gcc-boundary: gcc-moderate
- ssot-mutation: never
- certificate-anchored: true
- object-identity-only: true
## Notes from canon
(none)
## References
- UIAO-CANON-002
- UIAO-CANON-003
Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.