Microsoft Entra ID — Adapter Validation Suite
Status: active · Class: modernization · Mission: integration · Phase: phase-1
Canon source: canon/modernization-registry.yaml (propagated by uiao/tools/sync_canon.py).
The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.
This document instantiates the UIAO_121 Adapter Conformance Test Plan and the UIAO_123 Adapter Integration Test Plan for the entra-id adapter (roadmap §2.6, round 2).
The adapter clears the conformance gate today against mocked collectors: 30 / 30 conformance criteria PASS, 13 behavioral tests + framework tests green, scheduler-wired through the UIAO_100 orchestrator. Tier-1 (live M365 tenant via the M365 Developer Program) is pending — see Phase 4 below — and is the only gap to a fully-active validation status.
Overview
Validation suite for the Entra ID adapter covering Graph API user/group normalization, conditional access assessment, and evidence generation with mocked collector.
Test coverage: 13 behavioral tests + existing framework tests. 1 E2E OSCAL SAR test. 30/30 conformance PASS.
Scope
Target surfaces / subsystems: user-objects, group-objects, service-principals, conditional-access-policies
Validated: User/group/SP normalization, deterministic hashing, mocked collector evidence generation, OSCAL SAR pipeline. Fixtures: entra-users-groups.json (2 users + 1 group). NOT validated: Live Graph API (requires azure-identity + httpx), conditional access evaluation logic.
Controls
NIST SP 800-53 Rev 5 controls this adapter supports: CM-8, IA-2, IA-4, AC-2.
| Control | Adapter role | Notes |
|---|---|---|
| AC-2 Account Management | primary | The Graph /users + /groups collectors are the canonical inventory of Entra accounts. The normalized ClaimSet feeds account-lifecycle drift detection (creates / disables / role changes). |
| IA-2 Identification and Authentication | primary | Conditional-access policies governing MFA and passwordless flows are read from /identity/conditionalAccess/policies. Each policy is normalized into IA-2-tagged claims; the EPL epl:enforce-mfa policy (UIAO_116, §3.5) consumes them. |
| IA-4 Identifier Management | supporting | Service-principal IDs and user object IDs are surfaced as object-keyed identity claims; the adapter is the source of canonical Entra identifiers but does not itself govern issuance. |
| CM-8 System Component Inventory | supporting | Service principals + groups serve as the application-and-workload inventory for Entra-managed resources; not a continuous discovery loop, only refreshed per scheduler dispatch. |
All four controls are CI-gated through the conformance + behavioral test set. No NEW (Proposed) flags. The adapter currently runs against a mocked Graph collector; tier-1 against a live tenant is pending the M365 Developer Program signup (roadmap §0.1).
Operational profile
| Field | Value |
|---|---|
| Runtime | powershell-7.4 |
| Runtime pin | TBD |
| Runner class | github-hosted |
| Tenancy | per-customer |
| Evidence class | baseline |
| Retention | 3 year(s) |
Canon invariants
- gcc-boundary: gcc-moderate
- ssot-mutation: never
- certificate-anchored: true
- object-identity-only: true
Notes from canon
(none)
References
- UIAO-CANON-002
- UIAO-CANON-003
Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.
Conformance Matrix
Per uiao/canon/specs/adapter-conformance-test-plan-template.md v1.0. Adapter: entra-id · Class: modernization · Mission: integration · Tier: T1
| Domain | Criterion | Status |
|---|---|---|
| 2.1.1 | connect() returns ConnectionProvenance | PASS |
| 2.1.2 | identity contains adapter-specific identifier | PASS |
| 2.1.3 | endpoint matches configured backend | PASS |
| 2.1.4 | auth_method reflects auth mechanism | PASS |
| 2.1.5 | timestamp is UTC | PASS |
| 2.2.1 | discover_schema() returns SchemaMappingObject | PASS |
| 2.2.2 | vendor_schema has adapter-relevant fields | PASS |
| 2.2.3 | canonical_schema has UIAO identity pattern | PASS |
| 2.2.4 | unmapped_fields is non-empty | PASS |
| 2.2.5 | version_hash is deterministic | PASS |
| 2.3.1 | execute_query() returns QueryProvenance | PASS |
| 2.3.2 | vendor_query has adapter-native syntax | PASS |
| 2.3.3 | execution_plan_hash is deterministic | PASS |
| 2.4.1 | normalize([]) returns empty ClaimSet | PASS |
| 2.4.2 | normalize([one]) produces 1 ClaimObject | PASS |
| 2.4.3 | claim_id follows adapter:… pattern | PASS |
| 2.4.4 | source == ADAPTER_ID | PASS |
| 2.4.5 | provenance_hash non-empty, deterministic | PASS |
| 2.4.6 | multiple records produce unique claim_ids | PASS |
| 2.5.1 | detect_drift() returns DriftReport | PASS |
| 2.5.2 | drift_type has adapter-specific prefix | PASS |
| 2.5.3 | details contains adapter key | PASS |
| 2.6.1 | collect_evidence() returns EvidenceObject | PASS |
| 2.6.2 | ksi_id preserved | PASS |
| 2.6.3 | source == ADAPTER_ID | PASS |
| 2.6.4 | provenance dict non-empty | PASS |
| 2.7.1 | collect_and_align() returns dict | PASS |
| 2.7.2 | adapter_id matches ADAPTER_ID | PASS |
| 2.7.3 | vendor field non-empty | PASS |
| 2.7.4 | metadata has last_collected timestamp | PASS |
| 4.1 | ADAPTER_ID matches canon registry id | PASS |
| 4.2 | registered in `__init__.py` `__all__` | PASS |
Extension Methods
| Method | Status | Notes |
|---|---|---|
| (adapter-specific methods) | IMPLEMENTED | All extension methods have real implementations (zero stubs remaining) |
Matrix updated 2026-04-16. All extension methods implemented, zero stubs. 330/330 conformance CI-gated.
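The normalization behaviour that the Scope section describes (object-keyed claims, deterministic hashing, a mocked collector over the 2-user + 1-group fixture) and that criteria 2.4.1 to 2.4.6 check, as an added example; this is not the adapter's own code, and the ClaimObject shape, the claim_id layout and the fixture records are assumptions.

```python
# Added example (not the adapter's own code): a mocked Graph collector feeding a
# normalize() step with the behaviour conformance criteria 2.4.1-2.4.6 exercise.
# The ClaimObject shape, claim_id layout and fixture records are assumptions.
import hashlib
import json
from dataclasses import dataclass

ADAPTER_ID = "entra-id"

# Constructed stand-in for the entra-users-groups.json fixture (2 users + 1 group).
MOCK_GRAPH_RECORDS = [
    {"@odata.type": "#microsoft.graph.user", "id": "11111111-aaaa-4bbb-8ccc-000000000001",
     "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
    {"@odata.type": "#microsoft.graph.user", "id": "11111111-aaaa-4bbb-8ccc-000000000002",
     "userPrincipalName": "bob@contoso.example", "accountEnabled": False},
    {"@odata.type": "#microsoft.graph.group", "id": "22222222-aaaa-4bbb-8ccc-000000000001",
     "displayName": "SG-Admins", "members": ["11111111-aaaa-4bbb-8ccc-000000000001"]},
]

@dataclass(frozen=True)
class ClaimObject:
    claim_id: str
    source: str
    object_type: str
    provenance_hash: str
    attributes: dict

def _provenance_hash(record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same record hashes
    # identically regardless of dict insertion order (criterion 2.4.5).
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def normalize(records: list) -> list:
    """Turn raw Graph objects into adapter claims keyed by object id only."""
    claims = []
    for rec in records:
        object_type = rec["@odata.type"].rsplit(".", 1)[-1]  # "user" / "group"
        # object-identity-only: key on the immutable Graph object id, never on
        # the UPN or displayName, which can be renamed and would break drift
        # comparison between two collections.
        claim_id = f"{ADAPTER_ID}:{object_type}:{rec['id']}"
        attrs = {k: v for k, v in rec.items() if k not in ("@odata.type", "id")}
        claims.append(ClaimObject(claim_id, ADAPTER_ID, object_type,
                                  _provenance_hash(rec), attrs))
    return claims

def claim_ids_are_unique(claims: list) -> bool:
    # Criterion 2.4.6: every record yields its own claim_id.
    return len({c.claim_id for c in claims}) == len(claims)
```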
Integration Test Plan
Per uiao/canon/specs/adapter-integration-test-plan.md v1.0.
- Vendor API: Microsoft Graph API
- Authentication: OAuth client-credential
- Fixture files: entra-users-groups.json
- Runner class: github-hosted
- Controls: CM-8, IA-2, IA-4, AC-2
Phase 4: Acceptance Test Cases
| # | Test | Input | Expected Output |
|---|---|---|---|
| A1 | Connect to Graph API | Real client credentials | ConnectionProvenance with graph.microsoft.com endpoint |
| A2 | List users | Graph /users endpoint | ClaimSet with real user objects |
| A3 | Conditional access policies | Graph /identity/conditionalAccess/policies | Claims with MFA/block policies |
| A4 | Evidence bundle | Real Graph data | EvidenceObject with IA-2 provenance |
Current Phase Status
| Phase | Status | Evidence |
|---|---|---|
| 1. Unit | PASS | 30/30 conformance + behavioral tests |
| 2. Integration | PASS | OSCAL SAR/POA&M/SSP pipeline proven |
| 3. System | PASS | CI-gated (adapter-conformance.yml) |
| 4. Acceptance | PENDING | Requires real vendor credentials |
| 5. Production | PENDING | Requires Phase 4 + runner deployment |