Policy.ReadWrite.DeviceConfiguration

Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.ReadWrite.DeviceConfiguration permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	230fb2d5-aa21-49c1-bfa7-ae1be179d867	40b534c3-9552-4550-901b-23879c90bcf9
DisplayText	Read and write your organization's device configuration policies	Read and write your organization's device configuration policies
Description	Allows the application to read and write your organization's device configuration policies without a signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.	Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/deviceRegistrationPolicy
	PUT /policies/deviceRegistrationPolicy

	Commands
	Get-MgBetaPolicyDeviceRegistrationPolicy

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: azureADJoinPolicy

Property	Type	Description
allowedToJoin	deviceRegistrationMembership	Determines if Microsoft Entra join is allowed.
isAdminConfigurable	Boolean	Determines if administrators can modify this policy.
localAdmins	localAdminSettings	Determines who becomes a local administrator on joined devices.

Graph reference: azureADRegistrationPolicy

Property	Type	Description
allowedToRegister	deviceRegistrationMembership	Determines if Microsoft Entra registered is allowed.
isAdminConfigurable	Boolean	Determines if administrators can modify this policy.

Graph reference: deviceRegistrationPolicy

Property	Type	Description
azureADJoin	azureADJoinPolicy	Specifies the authorization policy for controlling registration of new devices using Microsoft Entra join within your organization. Required. For more information, see What is a device identity?.
azureADRegistration	azureADRegistrationPolicy	Specifies the authorization policy for controlling registration of new devices using Microsoft Entra registered within your organization. Required. For more information, see What is a device identity?.
description	String	The description of the device registration policy. It's always set to `Tenant-wide policy that manages intial provisioning controls using quota restrictions, additional authentication and authorization checks`. Read-only.
displayName	String	The name of the device registration policy. It's always set to `Device Registration Policy`. Read-only.
id	String	The identifier of the device registration policy. It's always set to `deviceRegistrationPolicy`. Read-only.
localAdminPassword	localAdminPasswordSettings	Specifies the setting for Local Admin Password Solution (LAPS) within your organization.
multiFactorAuthConfiguration	multiFactorAuthConfiguration	Specifies the authentication policy for a user to complete registration using Microsoft Entra join or Microsoft Entra registered within your organization. The possible values are: `notRequired`, `required`, `unknownFutureValue`. The default value is `notRequired`.
userDeviceQuota	Int32	Specifies the maximum number of devices that a user can have within your organization before blocking new device registrations. The default value is set to 50. If this property isn't specified during the policy update operation, it's automatically reset to `0` to indicate that users aren't allowed to join any devices.

Graph reference: localAdminPasswordSettings

Property	Type	Description
isEnabled	Boolean	Specifies whether this policy scope is configurable by the admin. The default value is `false`. An admin can set it to true to enable Local Admin Password Solution (LAPS) within their organzation.

Table of Contents

Policy.ReadWrite.DeviceConfiguration

Graph Methods

Resources