Sync from dev @ 497baf0

Source: main (497baf0)
Excluded: live tenant exports, generated artifacts, and dev-only tooling.

deploy/onboarding-runbook.md

@@ -130,6 +130,64 @@ After importing `azure-pipelines-restore.yml`, find its definition ID:
 2. Set `forceFullRun=true` to get a complete initial snapshot.
 3. Verify that `tenant-state/` is populated and a rolling PR is created.
 
+## Step 11: Provision the event-driven change probe (optional but recommended)
+
+The change probe replaces the previous hourly polling model with responsive, event-driven backup triggers.
+
+### Option A: Automated provisioning
+
+Run the unified provisioning script:
+
+```powershell
+.\deploy\provision-change-probe.ps1 `
+  -TenantName "contoso.onmicrosoft.com" `
+  -ResourceGroupName "rg-astral-probe" `
+  -Location "westeurope" `
+  -DeployFunctionApp
+```
+
+The script will create an Entra app, grant admin consent, provision Azure resources, and deploy the Function App.
+
+### Option B: Manual provisioning
+
+If you prefer manual setup:
+
+1. **Create an app registration** in Entra ID for the probe.
+2. **Grant admin consent** for:
+   - `DeviceManagementConfiguration.Read.All`
+   - `DeviceManagementApps.Read.All`
+   - `AuditLog.Read.All`
+   - `Directory.Read.All`
+3. **Create a client secret** and note the value.
+4. **Provision Azure resources**:
+   - Resource Group
+   - Storage Account (Standard LRS)
+   - Function App (Linux Consumption, Python 3.11)
+5. **Configure Function App settings**:
+   | Setting | Value |
+   |---|---|
+   | `AzureWebJobsStorage` | Storage account connection string |
+   | `PROBE_APP_ID` | App registration client ID |
+   | `PROBE_APP_SECRET` | App registration client secret |
+   | `TENANT_ID` | Your Microsoft 365 tenant ID |
+   | `ADO_ORGANIZATION` | Your Azure DevOps org name |
+   | `ADO_PROJECT` | Your Azure DevOps project name |
+   | `ADO_PIPELINE_ID` | Definition ID of `azure-pipelines.yml` |
+   | `ADO_TOKEN` | Azure DevOps PAT with **Build (read & execute)** |
+   | `ADO_BRANCH` | `main` (or your baseline branch) |
+6. **Deploy the function package** using `WEBSITE_RUN_FROM_PACKAGE` (see `infra/change-probe/README.md`).
+
+### Verify the probe
+
+1. Make a test change in Intune (e.g., create a temporary device configuration profile).
+2. Wait 5–20 minutes for the audit log to propagate.
+3. Check the `ProbeState` table in your Storage Account — the `singleton/default` entity should show `debouncer.state = armed`.
+4. After the quiet window (default 15 min) elapses, a queue message will be emitted.
+5. The `queue_consumer` will dequeue it and queue the backup pipeline.
+6. Verify the pipeline run appears in Azure DevOps with reason `manual` (API-triggered runs show as manual).
+
+> **Note:** The probe uses the same Entra app as the main backup pipeline. You can reuse the app registration created by `bootstrap-tenant.ps1` if you add the `AuditLog.Read.All` permission and create a client secret for it.
+
 ## Optional: progressive feature rollout
 
 | Phase | What to enable |