Policy.ReadWrite.DeviceConfiguration
Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission

| | |
|---|---|
| Id | 40b534c3-9552-4550-901b-23879c90bcf9 |
| Consent Type | Admin |
| Display String | Read and write your organization's device configuration policies |
| Description | Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks. |

Resources

| Property | Type | Description |
|---|---|---|
| allowedGroups | String collection | The identifiers of the groups that are in the scope of the policy. Required when the appliesTo property is set to `selected`. |
| allowedUsers | String collection | The identifiers of users that are in the scope of the policy. Required when the appliesTo property is set to `selected`. |
| appliesTo | policyScope | Specifies whether to block or allow fine-grained control of the policy scope. The possible values are: `0` (meaning `none`), `1` (meaning `all`), `2` (meaning `selected`), `3` (meaning `unknownFutureValue`). The default value is `1`. When set to `2`, at least one user or group identifier must be specified in either allowedUsers or allowedGroups. Setting this property to `0` or `1` removes all identifiers in both allowedUsers and allowedGroups. |
| isAdminConfigurable | Boolean | Specifies whether this policy scope is configurable by the admin. The default value is `false`. When an admin has enabled Intune (MEM) to manage devices, this property is set to `false` and **a |

| Property | Type | Description |
|---|---|---|
| allowedGroups | String collection | The identifiers of the groups that are in the scope of the policy. Either this property or allowedUsers is required when the appliesTo property is set to `selected`. |
| allowedUsers | String collection | The identifiers of users that are in the scope of the policy. Either this property or allowedGroups is required when the appliesTo property is set to `selected`. |
| appliesTo | policyScope | Specifies whether to block or allow fine-grained control of the policy scope. The possible values are: `0` (meaning `none`), `1` (meaning `all`), `2` (meaning `selected`), `3` (meaning `unknownFutureValue`). The default value is `1`. When set to `2`, at least one user or group identifier must be specified in either allowedUsers or allowedGroups. Setting this property to `0` or `1` removes all identifiers in both allowedUsers and allowedGroups. |
| isAdminConfigurable | Boolean | Specifies whether this policy scope is configurable by the admin. The default value is `false`. When an admin has enabled Intune (MEM) to manage devices, this property is set to `false` and **a |

| Property | Type | Description |
|---|---|---|
| azureADJoin | azureAdJoinPolicy | Specifies the authorization policy for controlling registration of new devices using Azure AD Join within your organization. Required. For more information, see What is a device identity?. |
| azureADRegistration | azureADRegistrationPolicy | Specifies the authorization policy for controlling registration of new devices using Azure AD registered within your organization. Required. For more information, see What is a device identity?. |
| description | String | The description of the device registration policy. It is always set to `Tenant-wide policy that manages intial provisioning controls using quota restrictions, additional authentication and authorization checks`. Read-only. |
| displayName | String | The name of the device registration policy. It is always set to `Device Registration Policy`. Read-only. |
| id | String | The identifier of the device registration policy. It is always set to `deviceRegistrationPolicy`. Read-only. |
| multiFactorAuthConfiguration | multiFactorAuthConfiguration | Specifies the authentication policy for a user to complete registration using Azure AD Join or Azure AD registered within your organization. The possible values are: `0` (meaning `notRequired`), `1` (meaning `required`), and `2` (meaning `unknownFutureValue`). The default value is `0`. |
| userDeviceQuota | Int32 | Specifies the maximum number of devices that a user can have within your organization before blocking new device registrations. The default value is set to 50. If this property is not specified during the policy update operation, it is automatically reset to 0 to indicate that users are not allowed to join any devices. |
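
The scope and quota rules in the tables above have side effects that are easy to miss in an update request, so here is an added example (not Microsoft's code and not part of the original page) that lints a proposed update body before it is sent. Assumptions: the scope properties are nested under azureADJoin and azureADRegistration, the body may carry appliesTo either as the number or as the name, and `lint_policy`, `scope_name` and the sample body are hypothetical names and data.

```python
# Added example: pre-flight lint for a deviceRegistrationPolicy update body.
# Assumption: the scope properties (appliesTo, allowedUsers, allowedGroups)
# are nested under azureADJoin and azureADRegistration.

SCOPE = {"0": "none", "1": "all", "2": "selected", "3": "unknownFutureValue"}


def scope_name(value):
    """Accept the numeric form (0-3) or the name and return the name."""
    text = str(value)
    return SCOPE.get(text, text)


def lint_policy(body):
    """Return a list of findings for a proposed update body (a dict)."""
    findings = []
    for key in ("azureADJoin", "azureADRegistration"):
        section = body.get(key)
        if section is None:
            findings.append(f"{key}: required property is missing")
            continue
        scope = scope_name(section.get("appliesTo", 1))  # default is 1 (all)
        ids = list(section.get("allowedUsers") or []) + list(
            section.get("allowedGroups") or [])
        if scope == "selected" and not ids:
            findings.append(f"{key}: appliesTo is selected but allowedUsers "
                            "and allowedGroups are both empty")
        elif scope in ("none", "all") and ids:
            findings.append(f"{key}: appliesTo is {scope}, so the "
                            f"{len(ids)} listed identifier(s) will be removed")
    if "userDeviceQuota" not in body:
        findings.append("userDeviceQuota: not specified, so it is reset to 0 "
                        "and users cannot join any devices")
    return findings


# Constructed sample body; the identifier is a placeholder, not a real object.
SAMPLE = {
    "azureADJoin": {"appliesTo": 2, "allowedUsers": [], "allowedGroups": []},
    "azureADRegistration": {"appliesTo": "1",
                            "allowedGroups": ["<group-object-id>"]},
    "multiFactorAuthConfiguration": 1,
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```

An empty result means the body satisfies the rules stated in the tables; it does not check that the identifiers exist in the tenant.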