Policy.ReadWrite.DeviceConfiguration

Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver	Type	Method
V1	D	GET /policies/deviceRegistrationPolicy
V1	D	PUT /policies/deviceRegistrationPolicy

Delegate Permission


Id	40b534c3-9552-4550-901b-23879c90bcf9
Consent Type	Admin
Display String	Read and write your organization's device configuration policies
Description	Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.

Resources

azureAdJoinPolicy

Property	Type	Description
allowedGroups	String collection	The identifiers of the groups that are in the scope of the policy. Required when the appliesTo property is set to `selected`.
allowedUsers	String collection	The identifiers of users that are in the scope of the policy. Required when the appliesTo property is set to `selected`.
appliesTo	policyScope	Specifies whether to block or allow fine-grained control of the policy scope. The possible values are: `0` (meaning `none`), `1` (meaning `all`), `2` (meaning `selected`), `3` (meaning `unknownFutureValue`). The default value is `1`. When set to `2`, at least one user or group identifier must be specified in either allowedUsers or allowedGroups. Setting this property to `0` or `1` removes all identifiers in both allowedUsers and allowedGroups.
isAdminConfigurable	Boolean	Specifies whether this policy scope is configurable by the admin. The default value is `false`. When an admin has enabled Intune (MEM) to manage devices, this property is set to `false` and **a

azureADRegistrationPolicy

Property	Type	Description
allowedGroups	String collection	The identifiers of the groups that are in the scope of the policy. Either this property or allowedUsers is required when the appliesTo property is set to `selected`.
allowedUsers	String collection	The identifiers of users that are in the scope of the policy. Either this property or allowedGroups is required when the appliesTo property is set to `selected`.
appliesTo	policyScope	Specifies whether to block or allow fine-grained control of the policy scope. The possible values are: `0` (meaning `none`), `1` (meaning `all`), `2` (meaning `selected`), `3` (meaning `unknownFutureValue`). The default value is `1`. When set to `2`, at least one user or group identifier must be specified in either allowedUsers or allowedGroups. Setting this property to `0` or `1` removes all identifiers in both allowedUsers and allowedGroups.
isAdminConfigurable	Boolean	Specifies whether this policy scope is configurable by the admin. The default value is `false`. When an admin has enabled Intune (MEM) to manage devices, this property is set to `false` and **a

deviceRegistrationPolicy

Property	Type	Description
azureADJoin	azureAdJoinPolicy	Specifies the authorization policy for controlling registration of new devices using Azure AD Join within your organization. Required. For more information, see What is a device identity?.
azureADRegistration	azureADRegistrationPolicy	Specifies the authorization policy for controlling registration of new devices using Azure AD registered within your organization. Required. For more information, see What is a device identity?.
description	String	The description of the device registration policy. It is always set to `Tenant-wide policy that manages intial provisioning controls using quota restrictions, additional authentication and authorization checks`. Read-only.
displayName	String	The name of the device registration policy. It is always set to `Device Registration Policy`. Read-only.
id	String	The identifier of the device registration policy. It is always set to `deviceRegistrationPolicy`. Read-only.
multiFactorAuthConfiguration	multiFactorAuthConfiguration	Specifies the authentication policy for a user to complete registration using Azure AD Join or Azure AD registered within your organization. The possible values are: `0` (meaning `notRequired`), `1` (meaning `required`), and `2` (meaning `unknownFutureValue`). The default value is `0`.
userDeviceQuota	Int32	Specifies the maximum number of devices that a user can have within your organization before blocking new device registrations. The default value is set to 50. If this property is not specified during the policy update operation, it is automatically reset to `0` to indicate that users are not allowed to join any devices.