Asset Inventory
A complete asset inventory is the prerequisite for every protection, monitoring, and compliance capability in this guide. You cannot label what you haven't found, cannot apply compliance policies to unmanaged devices, and cannot govern cloud apps you don't know exist. Asset inventory in Microsoft 365 spans three domains: data, devices, and cloud applications.
Data Asset Inventory
Content Explorer (Cloud Data)
Content Explorer is found in the Purview compliance portal under Data classification → Content Explorer. It shows all labeled content across Exchange, SharePoint, OneDrive, and Teams — searchable by label, sensitive information type (SIT), or location. The view displays item counts per label per location, which is useful for tracking auto-labeling coverage over time.
The display is limited to one million items. For volume reporting beyond that threshold, use Activity Explorer.
Access requires the Content Explorer List Viewer role (see the list of items and the labels on them) or the Content Explorer Content Viewer role (also open the files and emails themselves). Both are separate from the Compliance Administrator role because Content Viewer grants read access to actual file content; assign them deliberately and to a limited audience, and review the membership as part of the same evidence package.
Activity Explorer (Labeling Activity)
Activity Explorer is found under Data classification → Activity Explorer. It shows labeling events over time: label applied, label changed, label removed, DLP policy matches, and endpoint file events.
To track auto-labeling coverage progress, filter by Label applied combined with Auto-labeling as the activity source. This shows how many files were labeled by service-side policies versus user-applied labels, which is the primary progress metric during a labeling rollout.
On-Premises Data (Purview Scanner)
The Purview Information Protection Scanner runs on a Windows Server node and scans on-premises file shares and SharePoint Server sites. Results are stored in a SQL Server database. The portal shows summary counts, but per-file detail requires a direct SQL query.
For auditors requiring per-file evidence, query the SQL database directly. See Information Protection Scanner for SQL query examples.
Structured Data (Purview Data Map)
For data replicated into Azure SQL, Azure Synapse, or other databases from ERP, CRM, or HRIS systems, the Purview Data Map extends asset inventory to tables and columns. It registers the data source as a cataloged asset and classifies sensitive columns — bank account numbers, SSNs, PII — using the same SIT engine as M365.
See Structured Data Governance for configuration steps.
Device Asset Inventory
Two overlapping inventories serve different purposes for auditors and operations teams.
Entra Device Inventory (Identity Plane)
Access via the Entra admin center under Devices → All devices (entra.microsoft.com, or entra.microsoft.us for GCC High). The same blade is reachable from the Azure portal (portal.azure.com, or portal.azure.us for GCC High) under Microsoft Entra ID → Devices.
This inventory records every device that has registered or joined the tenant — broader scope than Intune. Key fields include: device name, OS and version, join type (Entra Joined, Hybrid Entra Joined, or Entra Registered), compliance state (a single pass/fail badge reported from Intune), registered owner, and last sign-in.
This inventory does not contain hardware specs, software inventory, or per-policy compliance detail. Scope includes BYOD devices that registered via Entra (for example, for Entra MFA) but were never enrolled in Intune.
To export: Devices → Download (CSV) — provides the full device list with all fields.
What it answers for auditors: What devices have an identity in this directory? Are any stale (last sign-in greater than 90 days)? What is the join type distribution?
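The three auditor questions above can be answered from the identity plane alone with Microsoft Graph PowerShell. The script below is an added example, not code from the original guide; it assumes the Microsoft.Graph.Identity.DirectoryManagement module, the guide's 90-day staleness threshold, and that the reader runs it against a GCC High tenant (drop `-Environment USGov` for commercial). The join type comes back from Graph as `trustType`, which the script translates into the portal's labels.

```powershell
# Connect to the identity plane (USGov = GCC High; omit -Environment for commercial tenants)
Connect-MgGraph -Scopes "Device.Read.All" -Environment USGov

$staleAfterDays = 90   # assumption: the 90-day threshold this guide uses for "stale"
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# Pull only the fields the auditor questions need; -Property trims the payload on large tenants
$devices = Get-MgDevice -All -Property Id,DisplayName,AccountEnabled,TrustType,OperatingSystem,OperatingSystemVersion,ApproximateLastSignInDateTime,IsManaged,IsCompliant

# Graph reports join type as trustType: AzureAd = Entra joined, ServerAd = Hybrid Entra joined, Workplace = Entra registered (BYOD)
$joinTypeNames = @{ 'AzureAd' = 'Entra joined'; 'ServerAd' = 'Hybrid Entra joined'; 'Workplace' = 'Entra registered' }

$report = @(foreach ($d in $devices) {
    [pscustomobject]@{
        DisplayName = $d.DisplayName
        JoinType    = if ($d.TrustType -and $joinTypeNames.ContainsKey($d.TrustType)) { $joinTypeNames[$d.TrustType] } else { $d.TrustType }
        OS          = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
        Enabled     = $d.AccountEnabled
        IsManaged   = $d.IsManaged
        IsCompliant = $d.IsCompliant
        LastSignIn  = $d.ApproximateLastSignInDateTime
        # A device that has never signed in has a null timestamp; count it as stale instead of letting the comparison pass silently
        Stale       = (-not $d.ApproximateLastSignInDateTime) -or ($d.ApproximateLastSignInDateTime -lt $cutoff)
    }
})

# Question 3: join type distribution
$report | Group-Object JoinType | Select-Object Name, Count | Format-Table -AutoSize

# Question 2: stale devices that are still enabled are the cleanup list. A stale but enabled object can still be
# used to satisfy device-based Conditional Access if someone recovers its credentials, so disable rather than ignore.
$staleEnabled = @($report | Where-Object { $_.Stale -and $_.Enabled })
Write-Host "$($staleEnabled.Count) of $($report.Count) devices are enabled but have not signed in for $staleAfterDays days"

# Question 1: the full export is the evidence artifact
$report | Export-Csv -Path .\entra-device-inventory.csv -NoTypeInformation
```

`IsManaged` and `IsCompliant` are the same flags the portal badge is built from, so the CSV already shows which identities Intune is reporting on; the gap script later in this section does the authoritative comparison against the Intune side.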
Intune Device Inventory (Management Plane)
Access via the Intune admin center under Devices → All devices (intune.microsoft.com, to which endpoint.microsoft.com now redirects; intune.microsoft.us for GCC High).
Scope is limited to devices enrolled for Intune management — narrower than Entra but far richer per device. Key fields include: manufacturer, model, serial number, IMEI/MEID for mobile devices, RAM, storage, CPU, OS version, last check-in, compliance state, enrolled date, primary user, encryption status, and Intune management profile.
Software inventory is available per device under Devices → [Device] → Discovered apps, which lists all installed applications with version numbers.
To export: Devices → Export (CSV) for the hardware inventory; per-device Discovered apps export for software inventory.
What it answers for auditors: Are all managed devices encrypted? Are OS versions current? What applications are installed on managed devices? When did each device last check in?
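The Intune side of the same questions, as an added example that is not part of the original guide. It assumes the Microsoft.Graph.DeviceManagement module, a GCC High tenant, and two thresholds that are assumptions to be edited to the organization's baseline: a 30-day check-in window and a minimum OS version per platform. The OS check is deliberately conservative: a version string that cannot be parsed is reported as `unknown` rather than counted as current.

```powershell
# Connect to the management plane (USGov = GCC High; omit -Environment for commercial tenants)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -Environment USGov

$checkInCutoff = (Get-Date).AddDays(-30)   # assumption: a device silent for 30 days is flagged
# Assumption: the minimum OS build the organization has declared "current" for each platform
$minimumOs = @{ 'Windows' = [version]'10.0.19045.0'; 'iOS' = [version]'17.0'; 'Android' = [version]'13.0'; 'macOS' = [version]'14.0' }

$managed = Get-MgDeviceManagementManagedDevice -All

$findings = @(foreach ($m in $managed) {
    # Intune reports osVersion as a string such as 10.0.22631.3007. [version] needs at least two components,
    # so a bare "13" (seen on some Android builds) fails to parse and is reported as unknown, not as current.
    $osCurrent = 'unknown'
    $parsed = $null
    if ($minimumOs.ContainsKey($m.OperatingSystem) -and [version]::TryParse($m.OSVersion, [ref]$parsed)) {
        $osCurrent = ($parsed -ge $minimumOs[$m.OperatingSystem])
    }
    [pscustomobject]@{
        DeviceName      = $m.DeviceName
        AzureAdDeviceId = $m.AzureAdDeviceId
        SerialNumber    = $m.SerialNumber
        Manufacturer    = $m.Manufacturer
        Model           = $m.Model
        OS              = "$($m.OperatingSystem) $($m.OSVersion)"
        OsCurrent       = $osCurrent
        Encrypted       = $m.IsEncrypted
        Compliance      = $m.ComplianceState
        PrimaryUser     = $m.UserPrincipalName
        EnrolledDate    = $m.EnrolledDateTime
        LastCheckIn     = $m.LastSyncDateTime
        CheckInOverdue  = ($m.LastSyncDateTime -lt $checkInCutoff)
    }
})

# The auditor questions as counts the evidence package can quote directly
$summary = [pscustomobject]@{
    TotalManaged   = $findings.Count
    NotEncrypted   = @($findings | Where-Object { -not $_.Encrypted }).Count
    OsOutOfDate    = @($findings | Where-Object { $_.OsCurrent -eq $false }).Count   # 'unknown' is excluded on purpose
    OsUnknown      = @($findings | Where-Object { $_.OsCurrent -eq 'unknown' }).Count
    NonCompliant   = @($findings | Where-Object { $_.Compliance -ne 'compliant' }).Count
    CheckInOverdue = @($findings | Where-Object { $_.CheckInOverdue }).Count
}
$summary | Format-List

$findings | Export-Csv -Path .\intune-device-inventory.csv -NoTypeInformation
```

A device that is overdue for check-in is also a device whose compliance state is stale; Intune keeps reporting the last evaluated result until the grace period expires, so treat `CheckInOverdue` and `NonCompliant` as two different findings rather than one.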
The Gap Between Entra and Intune
Devices present in Entra but absent from Intune represent unmanaged endpoints with directory identities — the highest-risk category. These devices can authenticate against M365 resources without being subject to compliance policies.
To identify the gap:
# Connect to both services (USGov = GCC High; drop -Environment for a commercial tenant)
Connect-MgGraph -Scopes "Device.Read.All","DeviceManagementManagedDevices.Read.All" -Environment USGov
# Entra devices: keep enabled objects only. Disabled and stale objects are directory cleanup, not an enrollment gap.
$entraDevices = Get-MgDevice -All -Property Id,DeviceId,DisplayName,AccountEnabled,TrustType,OperatingSystem,ApproximateLastSignInDateTime |
    Where-Object { $_.AccountEnabled }
# Intune device IDs (azureADDeviceId maps to Entra DeviceId). A HashSet keeps the lookup fast on large tenants.
$intuneIds = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-MgDeviceManagementManagedDevice -All | ForEach-Object { [void]$intuneIds.Add($_.AzureAdDeviceId) }
# Devices in Entra but not Intune. @() keeps .Count working when the result is a single device.
$entraOnly = @($entraDevices | Where-Object { -not $intuneIds.Contains($_.DeviceId) })
Write-Host "$($entraOnly.Count) enabled devices registered in Entra but not enrolled in Intune"
$entraOnly | Select-Object DisplayName, DeviceId, TrustType, OperatingSystem, ApproximateLastSignInDateTime |
    Export-Csv -Path .\entra-not-intune.csv -NoTypeInformation
Remediation: add a Conditional Access policy whose grant control is Require device to be marked as compliant (optionally OR Require Microsoft Entra hybrid joined device) for access to M365 workloads. Intune is the only source of the compliant flag, so a device that is not enrolled cannot satisfy the control and is blocked until it enrolls. Deploy in report-only mode first and exclude the break-glass accounts: with All users and All cloud apps in scope, a misconfigured policy locks out the administrators who would otherwise fix it.
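The remediation policy, created through Graph in report-only mode. This is an added example rather than code from the original guide; it assumes the Microsoft.Graph.Identity.SignIns module, a GCC High tenant, and a pre-existing break-glass exclusion group (the group name below is an assumption) so that the policy can never apply to the emergency accounts.

```powershell
# Requires a Conditional Access administrator (USGov = GCC High; omit -Environment for commercial tenants)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All" -Environment USGov

# Assumption: a group holding the break-glass accounts that device-based controls must never touch
$breakGlassGroupId = (Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'").Id
if (-not $breakGlassGroupId) { throw "Create and populate the break-glass exclusion group before deploying this policy." }

$policy = @{
    displayName = "CA-Require-Compliant-Device-All-Apps"
    # Report-only first: the sign-in log records which sign-ins would have been blocked without blocking anyone
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: the device passes if Intune marks it compliant, or it is hybrid joined (domain-joined devices not yet reporting compliance).
        # Drop domainJoinedDevice once every hybrid device is enrolled, otherwise the gap identified above stays open for them.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"

# After the report-only review shows no unexpected blocks, switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The review step between report-only and enforced is where the Entra-only device list from the gap script becomes actionable: every user whose report-only result is "failure" on this policy is using one of those devices, and they need to enroll before the state changes to `enabled`.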
Cloud Application Asset Inventory
Defender for Cloud Apps — Shadow IT Discovery
Microsoft Defender for Cloud Apps (MDA) discovers the cloud apps in use by analyzing network traffic metadata. With the Defender for Endpoint integration enabled, onboarded endpoints forward their connection data to Cloud Discovery automatically, on and off the corporate network; firewall and proxy logs can also be uploaded manually or through a log collector to cover traffic from devices Defender for Endpoint does not see.
Access via security.microsoft.com (or security.microsoft.us for GCC High) under Cloud Apps → Cloud Discovery → Dashboard.
Each discovered app shows its risk score (0–10), user count, traffic volume, and whether it has been marked as sanctioned or unsanctioned. The Cloud App Catalog contains risk assessments for over 31,000 apps — each scored on security, compliance, and legal dimensions.
Establishing the sanctioned app list:
- Review discovered apps sorted by user count.
- Mark IT-approved apps as Sanctioned — these form the baseline allowed list.
- Mark prohibited apps (personal storage, unapproved AI tools) as Unsanctioned — MDA can generate a block list exportable to proxy or firewall for enforcement.
Microsoft Entra Application Registration Inventory
Access via the Entra admin center under Applications → App registrations (all applications) and Enterprise applications.
- App registrations — the application objects your own tenant owns: custom apps, automation identities, and integrations you registered.
- Enterprise applications — the service principals: every app, first or third party, that has a footprint in the tenant, including apps added by user or admin OAuth consent. Delegated and application permission grants are recorded against these objects, so this is the blade to audit.
To export: each blade has a Download option for CSV.
OAuth consent grant audit:
Overprivileged OAuth apps granted permissions such as Mail.ReadWrite, Files.ReadWrite.All, or Directory.ReadWrite.All represent a significant risk vector. Review these quarterly using the App Governance dashboard in Defender for Cloud Apps. See Threat Defense for App Governance alert configuration.
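The quarterly review can be scripted so that the evidence is a reproducible CSV rather than a dashboard screenshot. The script below is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules, a GCC High tenant, and a risky-permission list that starts from the three permissions named above and is an assumption to be extended. It covers both grant types, because an application permission (app-only, no signed-in user) and a delegated permission with admin consent for all users are recorded in different places.

```powershell
# Connect (USGov = GCC High; omit -Environment for commercial tenants)
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -Environment USGov

# Permissions this guide calls out, plus others in the same class (assumption: extend to the organization's own list)
$riskyPermissions = @(
    'Mail.ReadWrite', 'Mail.Read', 'Mail.Send',
    'Files.ReadWrite.All', 'Files.Read.All', 'Sites.ReadWrite.All',
    'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'User.ReadWrite.All', 'Group.ReadWrite.All', 'Application.ReadWrite.All'
)

# Microsoft Graph's own service principal: its appRoles map application-permission GUIDs back to readable names
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames["$($r.Id)"] = $r.Value }

# Cache client display names so each app is looked up once
$spCache = @{}
function Get-SpName([string]$id) {
    if (-not $spCache.ContainsKey($id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $id -ErrorAction SilentlyContinue
        $spCache[$id] = if ($sp) { "$($sp.DisplayName) [$($sp.AppId)]" } else { $id }
    }
    $spCache[$id]
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Application permissions: appRoleAssignments granted on the Graph resource to a client service principal
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All | ForEach-Object {
    $name = $roleNames["$($_.AppRoleId)"]
    if ($name -in $riskyPermissions) {
        $findings.Add([pscustomobject]@{
            App = Get-SpName $_.PrincipalId; Type = 'Application'; Permission = $name; Consent = 'Admin'
        })
    }
}

# 2. Delegated permissions: oauth2PermissionGrants carry a space-separated scope list.
#    consentType AllPrincipals = admin consent on behalf of every user; Principal = one user's own consent.
Get-MgOauth2PermissionGrant -All | Where-Object { $_.ResourceId -eq $graphSp.Id } | ForEach-Object {
    $grant = $_
    foreach ($scope in ($grant.Scope -split '\s+' | Where-Object { $_ })) {
        if ($scope -in $riskyPermissions) {
            $findings.Add([pscustomobject]@{
                App        = Get-SpName $grant.ClientId
                Type       = 'Delegated'
                Permission = $scope
                Consent    = if ($grant.ConsentType -eq 'AllPrincipals') { 'Admin (all users)' } else { "User $($grant.PrincipalId)" }
            })
        }
    }
}

$findings | Sort-Object App, Type, Permission | Format-Table -AutoSize
$findings | Export-Csv -Path .\oauth-risky-grants.csv -NoTypeInformation
```

The script only inspects grants against the Microsoft Graph resource. Apps that were granted legacy Exchange Online or SharePoint permissions have their grants recorded against those resource service principals instead; rerun the same two loops with `$graphSp` pointed at each of them to get complete coverage.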
Asset Inventory — Compliance Control Mapping
CMMC Level 2 has no dedicated asset inventory practice, but CM.L2-3.4.1 itself requires inventories of organizational systems (hardware, software, firmware, and documentation), and asset inventory evidence is required across multiple domains:
| NIST Control | Asset Inventory Connection |
|---|---|
| CM.L2-3.4.1 — Baseline configurations and system inventories | Intune device inventory is the hardware inventory for managed endpoints and confirms all in-scope devices are under management with baselines applied; the Entra device export and Intune discovered apps supply the device and software components the control text names |
| CM.L2-3.4.2 — Security configuration enforcement | Intune compliance report demonstrates baseline enforcement; gap analysis (Entra vs. Intune) identifies unmanaged devices |
| SI.L2-3.14.1 — Flaw remediation | Intune software inventory identifies devices with outdated OS or application versions |
| MP.L2-3.8.3 — Sanitization | Device inventory identifies devices leaving scope (retired, reassigned) requiring sanitization |
| AC.L2-3.1.1 — Authorized access | Intune enrollment report confirms only authorized, managed devices have access to CUI resources via Conditional Access with compliant device requirement |
| RA.L2-3.11.1 — Risk assessments | Content Explorer label coverage report provides the data inventory input to risk assessment |
| CA.L2-3.12.4 — System security plan | Asset inventory (devices, apps, data locations) is a required input to the SSP |
Audit Evidence Package — Asset Inventory
Provide to CMMC assessors:
- Intune device inventory CSV — all managed devices, enrollment date, compliance state, last check-in
- Entra device list CSV — full tenant device list; compare to Intune for gap evidence
- Content Explorer label coverage report — screenshot or export
- Sanctioned/unsanctioned cloud app list from MDA Cloud Discovery
- Entra enterprise application list — OAuth grants
NIST SP 800-171 Rev. 3 Control Mapping
Rev. 3 renumbered the requirements to the zero-padded 03.xx.yy form and added a dedicated component inventory requirement, 03.04.10, that Rev. 2 did not have as a separate control:
| Control | Asset Inventory Connection |
|---|---|
| 03.04.01 — Baseline Configuration | Intune device inventory with compliance state |
| 03.04.02 — Configuration Settings | Gap analysis between Entra and Intune enrollment |
| 03.04.10 — System Component Inventory | Reconciled Entra and Intune device exports plus the Entra enterprise application list, reviewed and updated on a defined frequency, are the component inventory itself |
| 03.14.01 — Flaw Remediation | Intune discovered apps for software version tracking |
| 03.01.01 / 03.01.02 — Account Management and Access Enforcement (Rev. 2 3.1.1, authorized access) | Enrolled device list as the authorized device registry |
SOC 2 Type II — CC6.1 (Logical Access)
The combination of Entra device inventory and Intune device inventory, supplemented by MDA cloud app discovery, satisfies the SOC 2 CC6.1 requirement to identify and manage the inventory of information assets. Provide the Intune device CSV, the Content Explorer label summary, and the MDA sanctioned app list to SOC 2 auditors as evidence of asset inventory controls.