If you’re aiming for CMMC Level 2, your CMMC asset inventory can’t live in someone’s head or a stale spreadsheet. Assessors want proof that you know what’s in scope, who uses it, what it runs, and whether it’s controlled.
I build inventories around Microsoft Intune and Microsoft Entra ID because they already hold the signals you need for Endpoint Security and access control. Then I patch the gaps with a few supplemental sources for non-Microsoft gear. The goal is simple: one inventory, one unique ID per asset, and repeatable evidence you can hand to an auditor without a fire drill.
Scope first: CUI, FCI, and what “in inventory” really means
Before I export anything, I draw a hard line around scope. In CMMC Level 2, I track assets that store, process, or transmit CUI, plus anything that provides security protection for that environment (identity, logging, segmentation, admin workstations). FCI can expand your “what touches what” conversation, so I still document it, even when the driving controls are tied to CUI work.
A scoping mistake usually looks like this: someone inventories only laptops, then forgets the Entra ID tenant objects that control access, the registered apps that have permissions, and the shared admin accounts that can change everything.
When I need a practical scoping worksheet, I reference the Unified Scoping Guide for sensitive data because it forces clear decisions about where regulated data lives and how systems connect.
Here’s my rule of thumb for Small Business IT teams: if an asset can grant access to CUI, route CUI traffic, or change CUI security settings, it belongs in the inventory. That includes Cloud Infrastructure components, Cloud Management tooling, and admin endpoints used for Technology Consulting work.
If you can’t explain why an asset is out of scope, it’s usually in scope.
Pull inventory from Intune and Entra ID (portal exports and Graph options)
I treat Microsoft as my system of record for modern endpoints and identity. Intune tells me device posture and last activity. Entra ID tells me who and what can authenticate, plus which apps hold permissions.
Intune: managed devices, compliance, encryption, OS, last check-in

In the Intune admin center, I export device lists to CSV for evidence, then I save the export with the date in the filename.
What I pull every cycle:
- Managed device identity: device name, manufacturer, model, serial (when available), and the Intune managed device ID.
- Security posture: compliance state, encryption status (BitLocker or platform encryption), and OS version.
- Operational proof: last check-in time, primary user, and management channel (Windows MDM, iOS, Android Enterprise).
Microsoft-native methods I use:
- Portal export: export the device list view(s) you use for compliance reporting, then keep the CSV as evidence.
- Microsoft Graph (repeatable): query deviceManagement/managedDevices for fields like OS, complianceState, lastSyncDateTime, and encryption-related properties, then write results to a dated CSV.
For Device Hardening, I also keep a screenshot of the policy assignment for CUI device groups, because it ties the inventory to enforcement.
Entra ID: users, groups, roles, devices, and app identities
In the Entra admin center, I export:
- Users: object ID, UPN, account status, user type (member, guest), and last sign-in (if available in your reporting).
- Groups: group object ID, group type, membership method, and purpose tag (CUI access, admin, exception).
- Directory roles: who holds admin roles, and which roles they have.
- Devices: Entra device ID, join type, OS, and last sign-in or last activity fields.
- Applications: registered apps, service principals, and enterprise applications, including owners and permissions.
Graph options I rely on for consistency:
- users, groups, directoryRoles, devices
- applications (app registrations) and servicePrincipals (enterprise app identities)
Why it matters: in a lot of SMB environments, the biggest risk isn’t a missing laptop. It’s an over-permissioned app or a guest account that never got cleaned up. That’s why my Business Continuity & Security work always ties identity inventory back to Conditional Access and role assignments.
For a helpful Microsoft baseline on asset management expectations, I keep this bookmarked: Azure Security Benchmark V2 asset management guidance.
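To show how the identity side of the inventory turns raw Entra exports into the "Privilege Level" column and a guest clean-up list, here is an added Python example (mine, not the author's or Microsoft's). The user and service-principal records are constructed and shaped like Graph responses; the privilege thresholds and the 90-day idle window are this example's choices, not a CMMC or Microsoft rule.

```python
from datetime import datetime, timedelta

USERS = [  # constructed, shaped like GET /users?$select=...,userType,accountEnabled,signInActivity; not real tenant data
    {"id": "u-001", "userPrincipalName": "j.smith@company.com", "userType": "Member", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2026-03-09T08:00:00Z"}},
    {"id": "u-002", "userPrincipalName": "vendor_ext#EXT#@company.onmicrosoft.com", "userType": "Guest",
     "accountEnabled": True, "signInActivity": {"lastSignInDateTime": "2025-10-01T12:00:00Z"}},
    {"id": "u-003", "userPrincipalName": "newguest_ext#EXT#@company.onmicrosoft.com", "userType": "Guest",
     "accountEnabled": True, "signInActivity": None},  # never signed in
]
SERVICE_PRINCIPALS = [  # constructed; granted application permissions already resolved from appRoleId to names
    {"id": "77bb88", "displayName": "Vendor SSO Connector", "permissions": ["User.Read.All", "Directory.ReadWrite.All"]},
    {"id": "99dd00", "displayName": "Helpdesk Dashboard", "permissions": ["User.Read.All"]},
]

def _parse(ts):
    # Graph returns UTC timestamps with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def privilege_level(permissions):
    """Rank granted application permissions for the 'Privilege Level' column (thresholds are this example's choice)."""
    if any("ReadWrite" in p or "RoleManagement" in p or "FullControl" in p for p in permissions):
        return "High"
    return "Medium" if any(p.endswith(".All") for p in permissions) else "Low"

def stale_guests(users, as_of, max_idle_days=90):
    """Enabled guest accounts with no sign-in within max_idle_days (never signed in counts as stale)."""
    cutoff = _parse(as_of) - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if u["userType"] != "Guest" or not u["accountEnabled"]:
            continue
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None or _parse(last) < cutoff:
            stale.append({"Entra Object ID": u["id"], "Name": u["userPrincipalName"], "Last Sign-in": last or "never"})
    return stale

def app_inventory(service_principals):
    """One identity-inventory row per service principal, using the identity template's column names."""
    return [{"Unique Asset ID": f"ID-APP-{i:05d}", "Asset Type": "Enterprise app (service principal)",
             "Name": sp["displayName"], "Entra Object ID": sp["id"],
             "Privilege Level": privilege_level(sp["permissions"])} for i, sp in enumerate(service_principals, 1)]
```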
Copy and paste: CMMC Level 2 asset inventory template (with a filled example)
This table is the version I actually use for CMMC readiness. It’s built to join Intune and Entra data to one unique asset record, while leaving room for non-Microsoft assets.

Device and system asset inventory (template + example row)
| Unique Asset ID | Asset Type | Asset Name | Scope (CUI/FCI/Out) | Source | Primary User/Owner | Location | OS / Firmware | Intune Device ID | Entra Device ID | Compliance State | Encryption | Last Check-in/Seen | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DEV-WIN-00017 | Laptop | ENG-LT-017 | CUI | Intune + Entra | j.smith@company.com | HQ, Eng | Windows 11 23H2 | a1b2c3… | 11aa22… | Compliant | BitLocker On | 2026-03-10T14:22Z | CUI access via M365 apps, assigned to CUI-Devices group |
Identity and application inventory (template + example row)
| Unique Asset ID | Asset Type | Name | Scope (CUI/FCI/Out) | Entra Object ID | Privilege Level | Owner | Notes |
|---|---|---|---|---|---|---|---|
| ID-APP-00004 | Enterprise app (service principal) | Vendor SSO Connector | CUI | 77bb88… | High (token access) | it-admin@company.com | Review permissions quarterly, restrict to CUI users group |
Takeaway: the “Unique Asset ID” column is what keeps your inventory stable when device names change, users change roles, or you rotate hardware.
Fill the gaps, store evidence, and keep the inventory accurate all year
Intune and Entra ID won’t see everything. That’s normal. CMMC still expects you to account for the rest, such as network gear, on-prem servers, and purpose-built devices.
Supplemental sources I add (only where they apply):
- Network infrastructure: firewall, switches, Wi-Fi controllers, VPN concentrators. Export configs or device lists from the management interface.
- On-prem servers and virtualization: hypervisor inventory, server OS lists, and patch status. This matters for Data Center Technology and Infrastructure Optimization projects.
- OT, IoT, and specialty systems: building controls, scanners, lab gear, and shop-floor equipment. Document them as “specialized assets” if they can’t meet every control, then show segmentation and access limits.
- Restaurant systems: POS terminals, kitchen display systems, printers, and tablets. Restaurant POS Support and Kitchen Technology Solutions often introduce devices that never touch Intune.
Evidence is what makes the inventory defensible. For each inventory cycle, I store:
- Export files (CSV/JSON) from Intune and Entra ID, with the timestamp in the filename.
- The Graph query used (endpoint and selected fields) saved in a change log.
- One or two screenshots showing the export view and filter (CUI device group, admin roles page).
- A short note on where the files live (SharePoint folder path or ticket ID).
To keep accuracy high, I automate and review:
- Automation: scheduled Graph exports to a controlled SharePoint library, then I alert on new devices or new service principals.
- Reconciliation: monthly compare against DHCP leases or firewall client lists to catch unknown devices.
- One ID per asset: I join records on Entra device ID, Intune device ID, and serial number.
- BYOD and guests: I tag BYOD as “FCI” or “Out” unless it’s approved for CUI, then I enforce app protection and Conditional Access. For guest accounts, I inventory them, set an expiration process, and review access quarterly.
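The join, the dated export and the DHCP reconciliation described above, as an added Python example (mine, not the author's or Microsoft's). Records are constructed but use the real Graph property names for managedDevices (azureADDeviceId, complianceState, isEncrypted, lastSyncDateTime) and devices (deviceId, displayName, trustType); the DEV-00001 numbering scheme and the DHCP hostname list are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timezone
INTUNE_DEVICES = [  # constructed, shaped like GET /deviceManagement/managedDevices; not real tenant data
    {"id": "a1b2c3", "deviceName": "ENG-LT-017", "serialNumber": "SN-017", "azureADDeviceId": "11aa22",
     "operatingSystem": "Windows", "osVersion": "10.0.22631", "complianceState": "compliant",
     "isEncrypted": True, "lastSyncDateTime": "2026-03-10T14:22:00Z", "userPrincipalName": "j.smith@company.com"},
    {"id": "d4e5f6", "deviceName": "ENG-LT-018", "serialNumber": "SN-018", "azureADDeviceId": "33cc44",
     "operatingSystem": "Windows", "osVersion": "10.0.22631", "complianceState": "noncompliant",
     "isEncrypted": False, "lastSyncDateTime": "2026-01-02T09:00:00Z", "userPrincipalName": "a.lee@company.com"},
]
ENTRA_DEVICES = [  # constructed, shaped like GET /devices
    {"deviceId": "11aa22", "displayName": "ENG-LT-017", "trustType": "AzureAd"},
    {"deviceId": "33cc44", "displayName": "ENG-LT-018", "trustType": "AzureAd"},
    {"deviceId": "55ee66", "displayName": "LAB-PC-02", "trustType": "Workplace"},  # registered, never enrolled
]
DHCP_HOSTNAMES = ["ENG-LT-017", "ENG-LT-018", "PRINTER-3F"]  # constructed lease table from the network side

def build_inventory(intune, entra, existing_ids=None):
    """Join Intune and Entra device records on the Entra device ID; existing_ids keeps issued IDs stable."""
    ids = dict(existing_ids or {})
    by_entra_id = {d["azureADDeviceId"]: d for d in intune}
    rows = []
    for e in entra:
        m = by_entra_id.get(e["deviceId"], {})
        key = m.get("serialNumber") or e["deviceId"]  # join key: serial when Intune has it, else Entra device ID
        if key not in ids:  # next number after the highest already issued, so retired IDs are never reused
            ids[key] = f"DEV-{1 + max([int(v.split('-')[-1]) for v in ids.values()], default=0):05d}"
        rows.append({
            "Unique Asset ID": ids[key], "Asset Name": e["displayName"],
            "Intune Device ID": m.get("id", ""), "Entra Device ID": e["deviceId"],
            "OS": f'{m.get("operatingSystem", "")} {m.get("osVersion", "")}'.strip(),
            "Compliance State": m.get("complianceState", "unknown"),
            "Encryption": {True: "On", False: "Off"}.get(m.get("isEncrypted"), "unknown"),
            "Last Check-in": m.get("lastSyncDateTime", ""), "Primary User": m.get("userPrincipalName", ""),
            "Notes": "" if m else "Entra-registered only: no Intune record, confirm scope",
        })
    return rows, ids

def find_unknown_hosts(rows, dhcp_hostnames):
    """Reconciliation: hostnames seen in DHCP leases that have no inventory row."""
    known = {r["Asset Name"].lower() for r in rows}
    return sorted(h for h in dhcp_hostnames if h.lower() not in known)

def dated_csv(rows, prefix="intune-entra-devices", now=None):
    """Render rows as CSV; return (timestamped filename for the evidence folder, CSV text)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return f"{prefix}-{(now or datetime.now(timezone.utc)):%Y%m%dT%H%MZ}.csv", buf.getvalue()
```

Re-running build_inventory with the ids dict from the previous cycle keeps every asset's ID, even when Entra returns the devices in a different order or a device gets renamed.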
For a practical way to align software inventories with control language, I also map outcomes to CIS Control 2 guidance.
This is where I bring in my Tailored Technology Services mindset. I’m not trying to build paperwork. I’m building proof that your Digital Transformation didn’t weaken security.
Conclusion
A solid CMMC asset inventory is less about spreadsheets and more about repeatable truth. When I anchor it in Intune and Entra ID, I can show device posture, identity control, and app risk in one story. From there, I fill the gaps for servers, network gear, and specialty systems, then I lock in evidence with dated exports and documented queries.
If you want a Business Technology Partner to set this up end-to-end, including Managed IT for Small Business operations, Secure Cloud Architecture, and an IT Strategy for SMBs that survives audits, I’m ready to help.
