TenantAtlas/specs/030-intune-rbac-backup/plan.md

Plan: Intune RBAC Backup (Role Definitions + Assignments) (030)

Branch: feat/030-intune-rbac-backup
Date: 2026-01-04
Input: spec.md

Approach

1. Confirm Graph API details for RBAC:
   • deviceManagement/roleDefinitions
   • deviceManagement/roleAssignments
   • required permissions, paging, and any known restrictions
2. Decide modeling:
   • policy types (in Policy inventory) vs foundation types (backup-only)
3. Add config/contract entries with restore mode preview-only.
4. Implement snapshot capture with careful sanitization (no secrets, no tokens).
5. Implement restore preview dependency checks:
   • groups referenced by assignments
   • scope tags / scope members
6. Add targeted tests for inventory + backup + preview.

Decisions / Notes

• Default to preview-only for execution due to high blast radius.
• Prefer mapping by stable identifiers (roleDefinition roleKey/displayName) and treat ambiguity as a block.