Policy.Read.DeviceConfiguration

Allows the app to read your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.

Merill's Note

For an app to access data in Microsoft Graph, a user or an administrator must grant it the permissions it needs. This article lists the Microsoft Graph APIs and tenant data that an application (and therefore its vendor or developer) can access if you consent to the Policy.Read.DeviceConfiguration permission.

If you need an audit report of the permissions granted to all the apps in your tenant, run the Export-MsIdAppConsentGrantReport command from the MSIdentityTools PowerShell module. See How To: Run a quick OAuth app audit of your tenant.
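A narrower check than the full consent report is to ask which apps hold this one permission. The following is an added example (not code from the page or from MSIdentityTools) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed and that you can consent to Application.Read.All and DelegatedPermissionGrant.Read.All. Application grants appear as appRoleAssignments on the Microsoft Graph service principal with the application permission ID listed above; delegated grants appear as oAuth2PermissionGrants whose space-separated scope string contains the permission name.

```powershell
# Added example: list every app granted Policy.Read.DeviceConfiguration.
# Assumes the Microsoft.Graph module and rights to consent to the two read scopes below.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All" -NoWelcome

# Identifiers as listed on this page
$appRoleId = "bdba4817-6ba1-4a7c-8a01-be9bc7c242dd"   # Application permission
$scopeName = "Policy.Read.DeviceConfiguration"        # Delegated permission

# Microsoft Graph is the resource; its appId is the well-known 00000003-0000-0000-c000-000000000000
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Application permission: role assignments where Graph is the resource and the role is ours
$appGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $appRoleId } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = "Application"
            App         = $_.PrincipalDisplayName
            PrincipalId = $_.PrincipalId
            ConsentType = "AllPrincipals"   # app roles are always tenant-wide
        }
    }

# Delegated permission: OAuth2 grants against Graph whose scope list includes the name
$delegatedGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and (($_.Scope -split ' ') -contains $scopeName) } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            Type        = "Delegated"
            App         = $client.DisplayName
            PrincipalId = $_.ClientId
            ConsentType = $_.ConsentType    # AllPrincipals (admin consent) or Principal (one user)
        }
    }

# @() guards keep the concatenation working when one side returned nothing
@($appGrants) + @($delegatedGrants) | Sort-Object Type, App | Format-Table -AutoSize
```

Delegated grants with ConsentType "Principal" are per-user consents; since this permission requires admin consent, any such entry is worth a second look because it means the grant was created by another path (for example an admin consenting on behalf of a single user).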

Application permission
  Identifier: bdba4817-6ba1-4a7c-8a01-be9bc7c242dd
  DisplayText: Read your organization's device configuration policies
  Description: Allows the application to read your organization's device configuration policies without a signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.
  AdminConsentRequired: Yes

Delegated permission
  Identifier: 3616a4b0-6746-49c4-a678-4c237599074d
  DisplayText: Read your organization's device configuration policies
  Description: Allows the app to read your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.
  AdminConsentRequired: Yes

Graph Methods

Resources

This is a read-only permission: granting it allows the calling application to read, but not update, the following information in your tenant.

Graph reference: deviceRegistrationPolicy

Properties (name, type, description):

azureADJoin (azureADJoinPolicy)
  Specifies the authorization policy for controlling registration of new devices using Microsoft Entra join within your organization. Required. For more information, see What is a device identity?.

azureADRegistration (azureADRegistrationPolicy)
  Specifies the authorization policy for controlling registration of new devices using Microsoft Entra registered within your organization. Required. For more information, see What is a device identity?.

description (String)
  The description of the device registration policy. It's always set to "Tenant-wide policy that manages intial provisioning controls using quota restrictions, additional authentication and authorization checks." Read-only.

displayName (String)
  The name of the device registration policy. It's always set to "Device Registration Policy". Read-only.

id (String)
  The identifier of the device registration policy. It's always set to "deviceRegistrationPolicy". Read-only.

localAdminPassword (localAdminPasswordSettings)
  Specifies the setting for Local Admin Password Solution (LAPS) within your organization.

multiFactorAuthConfiguration (multiFactorAuthConfiguration)
  Specifies the authentication policy for a user to complete registration using Microsoft Entra join or Microsoft Entra registered within your organization. The possible values are: notRequired, required, unknownFutureValue. The default value is notRequired.

userDeviceQuota (Int32)
  Specifies the maximum number of devices that a user can have within your organization before new device registrations are blocked. The default value is 50. If this property isn't specified during a policy update operation, it's automatically reset to 0, meaning users aren't allowed to join any devices.
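What an app holding this permission actually sees, and why it matters, is easiest to show by reading the policy and evaluating its settings. The following is an added example (not code from the page or from Microsoft); it assumes the Microsoft.Graph module is installed, that the signed-in user can consent to the delegated Policy.Read.DeviceConfiguration scope, and that the policy is exposed at /policies/deviceRegistrationPolicy. The thresholds in Test-DeviceRegistrationPolicy are the example's own choices, and the nested appliesTo and isEnabled properties are taken from the azureADJoinPolicy and localAdminPasswordSettings references rather than from the table above.

```powershell
# Added example: read the device registration policy and flag weak settings.
# Assumes Microsoft.Graph is installed; thresholds below are this example's assumptions.
function Test-DeviceRegistrationPolicy {
    param([Parameter(Mandatory)] $Policy)

    $findings = @()

    # Properties documented on this page
    if ($Policy.multiFactorAuthConfiguration -ne "required") {
        $findings += "multiFactorAuthConfiguration is '$($Policy.multiFactorAuthConfiguration)': " +
                     "devices can be registered without a second factor"
    }
    if ($Policy.userDeviceQuota -eq 0) {
        $findings += "userDeviceQuota is 0: no user can join a device (a PATCH that omitted the property resets it to 0)"
    }
    elseif ($Policy.userDeviceQuota -gt 20) {   # 20 is an assumed review threshold, not a Microsoft default
        $findings += "userDeviceQuota is $($Policy.userDeviceQuota): a single account can register many devices"
    }

    # Nested properties assumed from the azureADJoinPolicy / localAdminPasswordSettings references
    if ($Policy.azureADJoin.appliesTo -eq "all") {
        $findings += "azureADJoin.appliesTo is 'all': every user may Entra-join devices"
    }
    if ($Policy.azureADRegistration.appliesTo -eq "all") {
        $findings += "azureADRegistration.appliesTo is 'all': every user may Entra-register devices"
    }
    if (-not $Policy.localAdminPassword.isEnabled) {
        $findings += "localAdminPassword.isEnabled is false: Windows LAPS via Entra is not enabled"
    }

    return $findings
}

Connect-MgGraph -Scopes "Policy.Read.DeviceConfiguration" -NoWelcome

# Invoke-MgGraphRequest returns the JSON body as a hashtable
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy"

$findings = Test-DeviceRegistrationPolicy -Policy $policy
if ($findings.Count -eq 0) {
    "Device registration policy: no findings"
}
else {
    "Device registration policy findings:"
    $findings | ForEach-Object { " - $_" }
}
```

The read is harmless on its own, but the output is exactly the reconnaissance an attacker wants before attempting to register a rogue device: whether MFA is enforced at registration, how many devices one compromised account can enrol, and which population is allowed to join. That is the reason a read-only permission still requires admin consent.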