Define attestation-floor-enforced roles. Each role specifies the minimum hardware trust level and maximum session TTL. Roles are signed with the admin key and cannot be tampered.

Enroll a user-device pair into NIE. The gateway generates a device fingerprint (SHA-256 of TPM seed), user factor hash, and binding key. The device is paired cryptographically. No password is created.

Select an enrolled user to perform a live attestation against the Azure gateway. The gateway validates the sealed token through the six-check pipeline and returns a session handle.

Test resource authorization using an active session handle. Every authorization call re-checks the revocation cache. If the device was revoked between attestation and authorization, the call fails immediately.

Revoke a device across all three channels simultaneously: in-process cache (instant), Redis persistence (channel 2), and Event Hubs fan-out to SIEM/SOC (channel 3). Propagates globally in under 30 seconds.

Define geographic zones that constrain where attestation is accepted. A device outside an authorized zone is denied regardless of valid credentials. The zone check is part of the attestation pipeline, not a separate policy layer.

Every identity event is recorded in the Providence hash-chained audit trail. Entries are append-only, externally anchored every 5 minutes, and cannot be cleared even with full cloud access. Cryptographic non-repudiation via DSKAG session key HMAC.