Sync from dev @ 497baf0

Source: main (497baf0)
Excluded: live tenant exports, generated artifacts, and dev-only tooling.
2026-04-21 22:21:43 +02:00
parent b6ac9524f7
commit 2c41eaca44
25 changed files with 2258 additions and 79 deletions


@@ -6,7 +6,7 @@ This repository tracks Git-based snapshots of Microsoft Intune and Entra ID conf
The implementation is centered on three Azure DevOps pipelines:
- `azure-pipelines.yml`: hourly backup/export pipeline with rolling PR management.
- `azure-pipelines.yml`: daily full backup/export pipeline with rolling PR management (previously hourly; now driven primarily by event-driven change probe).
- `azure-pipelines-review-sync.yml`: 20-minute reviewer-decision sync and post-merge remediation queue.
- `azure-pipelines-restore.yml`: manual or auto-queued restore pipeline for approved baseline rollback.
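Review bot: the parenthetical on the new `azure-pipelines.yml` line reads as changelog rather than current-state documentation; "previously hourly; now driven primarily by event-driven change probe" will go stale, and the pipeline list still does not say what actually queues the pipeline outside the daily schedule. Suggest stating only the current behaviour, e.g. `daily full backup/export pipeline with rolling PR management; also queued on demand by the change probe (see Change Probe section)`, and keeping the hourly-to-daily history in the commit message.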
@@ -33,15 +33,18 @@ Workflow at a high level:
```
.
├── azure-pipelines.yml # Main hourly backup pipeline
├── azure-pipelines.yml # Main backup pipeline (daily snapshot + event-driven trigger)
├── azure-pipelines-review-sync.yml # 20-minute review sync
├── azure-pipelines-restore.yml # Baseline restore pipeline
├── scripts/ # Python automation helpers
├── tests/ # unittest coverage for scripts
├── tenant-state/ # Committed JSON exports and reports
├── tenant-state/ # Committed JSON exports and reports
│ ├── intune/
│ ├── entra/
│ └── reports/
├── infra/ # Azure Function App (change probe)
│ └── change-probe/
├── deploy/ # Infrastructure provisioning scripts
├── docs/ # Security review docs and roadmap
├── md2pdf/ # HTML/PDF styling and configs
├── prod-as-built.md # Generated as-built source
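Review bot: the `tenant-state/` entry in the middle of this hunk is touched with no visible content change (old and new lines read identically), which looks like whitespace-only alignment churn; either drop it from the change or realign every entry consistently, since the new `infra/`, `change-probe/` and `deploy/` lines use the same comment column. Also, the `tests/` comment still says `unittest coverage for scripts` while `infra/change-probe/` now introduces Function App code; say whether that code is covered by the same test tree or is intentionally excluded.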
@@ -63,6 +66,8 @@ Workflow at a high level:
- `update_pr_review_summary.py`: refreshes PR descriptions with change counts, risk assessment, and optional AI narrative.
- `apply_reviewer_rejections.py`: processes `/reject` and `/accept` reviewer thread commands.
- `queue_post_merge_restore.py`: queues restore pipeline after merged PRs that contained `/reject` decisions.
- `probe_tenant_changes.py`: polls Intune/Entra audit logs via Graph, implements debouncer (idle → armed → cooldown), and decides whether to trigger a backup.
- `trigger_backup_pipeline.py`: thin ADO REST API wrapper to queue the backup pipeline on demand.
## Code Style and Conventions
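Review bot: the two new script entries omit the detail a reader of this list (and of the `tests/` tree) needs: whether `probe_tenant_changes.py` implements the idle → armed → cooldown debouncer as pure state transitions over a state object passed in by the caller, so it is unit-testable without Table Storage, and which credential `trigger_backup_pipeline.py` uses against the ADO REST API (a PAT, a service principal or a managed identity) and where it is read from. Suggest one clause on each, e.g. `...implements the debouncer as pure state transitions (storage I/O lives in the Function App)` if that is the design, since the credential is the part a security review will ask about.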
@@ -106,6 +111,17 @@ pip3 install "IntuneCD==2.5.0"
For local development, only a Python 3 interpreter is required; scripts use the standard library except for the optional IntuneCD package.
### Change Probe (Event-Driven Backup Trigger)
Because Microsoft Graph change notifications and delta queries do not support Intune device management or Conditional Access resources, an audit-log polling architecture is used instead:
- **Azure Function App** (`infra/change-probe/`):
- `probe_timer`: 5-minute timer trigger. Loads debouncer state from Azure Table Storage, runs `probe_tenant_changes.py`, writes state back, and emits a queue message when the debouncer triggers.
- `queue_consumer`: queue trigger. Dequeues messages and calls `trigger_backup_pipeline.py` to queue the ADO backup pipeline.
- **Debouncer**: 15-minute quiet window (idle → armed) + 30-minute cooldown. Prevents backup storms during bulk changes.
- **State**: stored in Azure Table Storage (`ProbeState` table).
- **Provisioning**: `deploy/provision-change-probe.ps1` creates the Entra app, grants admin consent, provisions Resource Group / Storage Account / Function App, and configures app settings.
### Pipeline Jobs
- **Intune backup job** (`backup_intune`):
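Review bot: `queue_consumer` dequeues and calls `trigger_backup_pipeline.py`, but queue triggers deliver at least once, so a message retried after a transient failure (the ADO call timing out after the build was already queued) will queue a second backup; document how duplicates are prevented (a dedup key in the message checked against the `ProbeState` table, or a check for an already queued/running build before queuing) and what happens to poison messages. Related gaps worth a line each in this section: whether the `probe_timer` state write is conditional on the Table Storage ETag so an overlapping run cannot clobber the debouncer state; what lookback overlap the audit-log query uses, since entries can surface in Graph some time after the change; and, because `provision-change-probe.ps1` grants admin consent, which Graph application permissions are requested and whether the Function authenticates with a client secret or a managed identity, as those tenant-wide grants are what a reader of `docs/` will look for first.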