
Policy.ReadWrite.DeviceConfiguration

Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

| Ver | Type | Method |
| --- | --- | --- |
| V1 | D | GET /policies/deviceRegistrationPolicy |
| V1 | D | PUT /policies/deviceRegistrationPolicy |

Delegate Permission

Id: 40b534c3-9552-4550-901b-23879c90bcf9
Consent Type: Admin
Display String: Read and write your organization's device configuration policies
Description: Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.

Resources

azureAdJoinPolicy

| Property | Type | Description |
| --- | --- | --- |
| allowedGroups | String collection | The identifiers of the groups that are in the scope of the policy. Required when the appliesTo property is set to selected. |
| allowedUsers | String collection | The identifiers of users that are in the scope of the policy. Required when the appliesTo property is set to selected. |
| appliesTo | policyScope | Specifies whether to block or allow fine-grained control of the policy scope. The possible values are: 0 (meaning none), 1 (meaning all), 2 (meaning selected), 3 (meaning unknownFutureValue). The default value is 1. When set to 2, at least one user or group identifier must be specified in either allowedUsers or allowedGroups. Setting this property to 0 or 1 removes all identifiers in both allowedUsers and allowedGroups. |
| isAdminConfigurable | Boolean | Specifies whether this policy scope is configurable by the admin. The default value is false. When an admin has enabled Intune (MEM) to manage devices, this property is set to false and **a |

azureADRegistrationPolicy

| Property | Type | Description |
| --- | --- | --- |
| allowedGroups | String collection | The identifiers of the groups that are in the scope of the policy. Either this property or allowedUsers is required when the appliesTo property is set to selected. |
| allowedUsers | String collection | The identifiers of users that are in the scope of the policy. Either this property or allowedGroups is required when the appliesTo property is set to selected. |
| appliesTo | policyScope | Specifies whether to block or allow fine-grained control of the policy scope. The possible values are: 0 (meaning none), 1 (meaning all), 2 (meaning selected), 3 (meaning unknownFutureValue). The default value is 1. When set to 2, at least one user or group identifier must be specified in either allowedUsers or allowedGroups. Setting this property to 0 or 1 removes all identifiers in both allowedUsers and allowedGroups. |
| isAdminConfigurable | Boolean | Specifies whether this policy scope is configurable by the admin. The default value is false. When an admin has enabled Intune (MEM) to manage devices, this property is set to false and **a |

deviceRegistrationPolicy

| Property | Type | Description |
| --- | --- | --- |
| azureADJoin | azureAdJoinPolicy | Specifies the authorization policy for controlling registration of new devices using Azure AD Join within your organization. Required. For more information, see What is a device identity?. |
| azureADRegistration | azureADRegistrationPolicy | Specifies the authorization policy for controlling registration of new devices using Azure AD registered within your organization. Required. For more information, see What is a device identity?. |
| description | String | The description of the device registration policy. It is always set to Tenant-wide policy that manages intial provisioning controls using quota restrictions, additional authentication and authorization checks. Read-only. |
| displayName | String | The name of the device registration policy. It is always set to Device Registration Policy. Read-only. |
| id | String | The identifier of the device registration policy. It is always set to deviceRegistrationPolicy. Read-only. |
| multiFactorAuthConfiguration | multiFactorAuthConfiguration | Specifies the authentication policy for a user to complete registration using Azure AD Join or Azure AD registered within your organization. The possible values are: 0 (meaning notRequired), 1 (meaning required), and 2 (meaning unknownFutureValue). The default value is 0. |
| userDeviceQuota | Int32 | Specifies the maximum number of devices that a user can have within your organization before blocking new device registrations. The default value is set to 50. If this property is not specified during the policy update operation, it is automatically reset to 0 to indicate that users are not allowed to join any devices. |
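
The constraints described in the resource tables above, written as a pre-flight check on a request body before it is sent with PUT /policies/deviceRegistrationPolicy. This is an added example, not code from the original page or from Microsoft Graph: the function name `review_policy`, the finding texts and the sample body are assumptions, and the MFA finding reflects a reviewer's preference, not a rule the page says the API enforces.

```python
# Added example: pre-flight review of a PUT /policies/deviceRegistrationPolicy body.
# Enum numbers and names are the ones listed in the tables on this page.
SCOPE = {0: "none", 1: "all", 2: "selected", 3: "unknownFutureValue"}
MFA = {0: "notRequired", 1: "required", 2: "unknownFutureValue"}


def _name(value, table):
    """Accept either the numeric value or the name of an enum member."""
    return table.get(value, value)


def review_policy(body):
    """Return a list of findings for a proposed deviceRegistrationPolicy body."""
    findings = []
    # Documented behaviour: an omitted quota is reset to 0 (no device joins).
    if "userDeviceQuota" not in body:
        findings.append("userDeviceQuota omitted: resets to 0, blocking all new devices")
    # Assumption: a missing value is treated as the documented default, 0 (notRequired).
    if _name(body.get("multiFactorAuthConfiguration", 0), MFA) != "required":
        findings.append("multiFactorAuthConfiguration: MFA not required to register")
    for key in ("azureADJoin", "azureADRegistration"):
        scope = body.get(key)
        if scope is None:
            findings.append(f"{key}: required property is missing")
            continue
        # Assumption: a missing appliesTo is treated as the documented default, 1 (all).
        applies = _name(scope.get("appliesTo", 1), SCOPE)
        ids = list(scope.get("allowedUsers") or []) + list(scope.get("allowedGroups") or [])
        if applies == "selected" and not ids:
            findings.append(f"{key}: appliesTo=selected needs allowedUsers or allowedGroups")
        elif applies in ("none", "all") and ids:
            findings.append(f"{key}: appliesTo={applies} removes {len(ids)} listed identifier(s)")
    return findings


# Constructed sample body (placeholder identifiers, not real tenant data).
SAMPLE = {
    "multiFactorAuthConfiguration": 0,
    "azureADJoin": {"appliesTo": 2, "allowedUsers": [], "allowedGroups": []},
    "azureADRegistration": {"appliesTo": "all", "allowedGroups": ["<group-id-placeholder>"]},
}

if __name__ == "__main__":
    for finding in review_policy(SAMPLE):
        print(finding)
```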
Created by merill