TenantAtlas/specs/030-intune-rbac-backup/plan.md
2026-01-04 01:58:41 +01:00

# Plan: Intune RBAC Backup (Role Definitions + Assignments) (030)

**Branch**: `feat/030-intune-rbac-backup`
**Date**: 2026-01-04
**Input**: [spec.md](./spec.md)

## Approach

1. Confirm Graph API details for RBAC:
   - `deviceManagement/roleDefinitions`
   - `deviceManagement/roleAssignments`
   - required permissions, paging, and any known restrictions
2. Decide modeling:
   - policy types (in Policy inventory) vs foundation types (backup-only)
3. Add config/contract entries with restore mode `preview-only`.
4. Implement snapshot capture with careful sanitization (no secrets, no tokens).
5. Implement restore preview dependency checks:
   - groups referenced by assignments
   - scope tags / scope members
6. Add targeted tests for inventory + backup + preview.

## Decisions / Notes

- Default to `preview-only` for execution due to high blast radius.
- Prefer mapping by stable identifiers (roleDefinition roleKey/displayName) and treat ambiguity as a block.
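
A sketch of the step 5 dependency checks combined with the "ambiguity is a block" rule, added here as an example and not taken from the TenantAtlas code base. The snapshot and target dictionary shapes, the field names (`roleDefinitionDisplayName`, `members`, `scopeMembers`, `roleScopeTagIds`), the finding codes and all sample values are assumptions constructed for illustration.

```python
def preview_assignment(assignment, target):
    """Dependency-check one snapshotted role assignment; performs no writes."""
    findings = []
    wanted = assignment["roleDefinitionDisplayName"].casefold()
    matches = [r for r in target["roleDefinitions"]
               if r["displayName"].casefold() == wanted]
    if not matches:
        findings.append(("missing_role", assignment["roleDefinitionDisplayName"]))
    elif len(matches) > 1:
        # Ambiguity is a block: never guess which definition was meant.
        findings.append(("ambiguous_role", sorted(r["id"] for r in matches)))
    # Groups referenced as members or scope members must exist in the target.
    for field in ("members", "scopeMembers"):
        for group_id in assignment.get(field, []):
            if group_id not in target["groupIds"]:
                findings.append(("missing_group", group_id))
    for tag_id in assignment.get("roleScopeTagIds", []):
        if tag_id not in target["scopeTagIds"]:
            findings.append(("missing_scope_tag", tag_id))
    return {
        "assignment": assignment["displayName"],
        "status": "blocked" if findings else "ready",
        "roleDefinitionId": matches[0]["id"] if len(matches) == 1 else None,
        "findings": findings,
    }

# Constructed target-tenant inventory (hypothetical ids and names).
TARGET = {
    "roleDefinitions": [
        {"id": "rd-1", "displayName": "Read Only Operator"},
        {"id": "rd-2", "displayName": "Helpdesk Operator"},
        {"id": "rd-3", "displayName": "helpdesk operator"},  # duplicate by name
    ],
    "groupIds": {"g-1", "g-2"},
    "scopeTagIds": {"0", "1"},
}
# Constructed snapshot entries (hypothetical).
SNAPSHOT = [
    {"displayName": "RO - All", "roleDefinitionDisplayName": "Read Only Operator",
     "members": ["g-1"], "scopeMembers": ["g-2"], "roleScopeTagIds": ["0"]},
    {"displayName": "HD - EMEA", "roleDefinitionDisplayName": "Helpdesk Operator",
     "members": ["g-1"]},
    {"displayName": "RO - Retail", "roleDefinitionDisplayName": "Read Only Operator",
     "members": ["g-9"], "roleScopeTagIds": ["7"]},
]

def preview(snapshot=SNAPSHOT, target=TARGET):
    return [preview_assignment(a, target) for a in snapshot]
```
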