Microsoft Intune Endpoint Compliance Adapter — Adapter Technical Specification
Microsoft Intune Endpoint Compliance Adapter — Adapter Technical Specification
Status: reserved · Class: conformance · Mission: telemetry · Phase: phase-planning
Canon source: canon/adapter-registry.yaml (propagated by uiao/tools/sync_canon.py).
The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.
This document is a stub. Replace every _TODO — ..._ block with authored content that is consistent with UIAO canon. Canon invariants (gcc-boundary, ssot-mutation: never, etc.) must never be contradicted.
Overview
The Intune Adapter is a conformance-class telemetry adapter that observes endpoint compliance state via Microsoft Graph API (Intune/Defender for Endpoint). Natural complement to the M365 modernization adapter — M365 manages tenant configuration while Intune observes device compliance.
Key capabilities: managed device compliance enumeration (compliant/noncompliant), OS version tracking, endpoint protection status, and KSI-anchored evidence generation with compliant/noncompliant counts.
Implementation: uiao/src/uiao/adapters/intune_adapter.py. Conformance: 30/30 PASS.
Scope
Target surfaces / subsystems: device-compliance, endpoint-protection, configuration-profiles, update-compliance
Reads: Microsoft Graph API (/deviceManagement/managedDevices) for device compliance state, OS version, management agent, and last sync time. Emits: ClaimSet with one claim per managed device (compliance_state, os_version, device_name), EvidenceObject with compliant/noncompliant/total counts. Does NOT: modify device configuration or compliance policies, access device content, or enroll/unenroll devices. Read-only telemetry.
Controls
NIST SP 800-53 Rev 5 controls this adapter supports: CM-8, SI-2, CA-7, SC-7
| Control | Role | Adapter capability |
|---|---|---|
| CM-8 Component Inventory | Primary | Managed device enumeration with OS version and management agent. |
| SI-2 Flaw Remediation | Supporting | Update compliance tracking supports patch/update remediation monitoring. |
| CA-7 Continuous Monitoring | Supporting | Scheduled compliance collection provides continuous endpoint posture evidence. |
| SC-7 Boundary Protection | Supporting | Device compliance state supports zero-trust boundary decisions. |
Operational profile
| Field | Value |
|---|---|
| Runtime | python-3.12 |
| Runtime pin | TBD |
| Runner class | github-hosted |
| Tenancy | per-customer |
| Evidence class | interval |
| Retention | 3 year(s) |
Canon invariants
gcc-boundary: gcc-moderatessot-mutation: nevercertificate-anchored: trueobject-identity-only: true
Notes from canon
Tier 4 conformance adapter. Endpoint compliance telemetry via Microsoft Graph API (Intune device compliance + Defender for Endpoint). Natural complement to the m365 modernization adapter. Read-only — observes device state, never mutates configuration.
References
- UIAO-CANON-003
Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.