Quickstart: SoT Foundations & Assignments (006)

This is a developer/operator checklist to validate foundations-first restore and assignment-aware restore.

Prerequisites

Local dev via Sail.
A tenant configured for Graph access with sufficient permissions for:
- Assignment filters: DeviceManagementConfiguration.ReadWrite.All
- Scope tags: DeviceManagementRBAC.ReadWrite.All
- Notification templates: DeviceManagementServiceConfig.ReadWrite.All

In a test tenant, create:
- 1–2 assignment filters
- 1–2 scope tags (non-built-in)
- 1 notification message template
Run a sync + backup via the app’s existing workflow.
In the target tenant, ensure those objects do not exist.
Run restore in preview:
- Verify preview includes a “Foundations” section.
- Verify it reports old→new mapping decisions.
Run restore in execute:
- Verify missing foundations are created.
- Verify collisions result in “created_copy” behavior (if you intentionally create same-named items beforehand).

Create a policy that has assignments:
- Group targeting
- Assignment filters (include/exclude)
- Scope tags where applicable
Back up the tenant.
Restore into a target tenant where:
- some foundations exist
- some foundations are missing
Run restore preview:
- Verify assignments are marked “applied” only when mappings exist.
- Verify unsafe assignments are “skipped” with explicit reasons (no broad targeting).
Run restore execute:
- Verify the policy is restored.
- Verify assignment application uses the mapping.

Ensure the backup contains at least one Conditional Access policy.
Run restore preview:
- Verify CA items appear with a clear preview-only marker.
Run restore execute:
- Verify CA changes are not applied and are recorded as skipped/preview-only.

If UI changes don’t appear, run the project’s dev/build pipeline (composer run dev / pnpm dev) according to existing repo conventions.