Device Configuration
Device Configurations
Graph Endpoint: /deviceManagement/deviceConfigurations
Service: ConfigurationProfileService
Operations: List, Get, Create, Update, Delete, GetAssignments
Permission: DeviceManagementConfiguration.ReadWrite.All
Traditional device configuration profiles including:
- Device restrictions
- Email profiles
- Wi-Fi profiles
- VPN profiles
- Certificate profiles
- Custom profiles (OMA-URI)
Settings Catalog
Graph Endpoint: /deviceManagement/configurationPolicies
Service: SettingsCatalogService
Operations: List, Get, GetAssignments
Permission: DeviceManagementConfiguration.ReadWrite.All
Note: Uses $top=100 page size limit due to Cosmos DB cursor stability requirements
Modern settings catalog policies with thousands of available settings across Windows, macOS, and iOS/iPadOS.
Administrative Templates
Graph Endpoint: /deviceManagement/groupPolicyConfigurations
Service: AdministrativeTemplateService
Operations: List, Get, Create, Update, Delete, GetAssignments, Assign
Permission: DeviceManagementConfiguration.ReadWrite.All
Windows group policy administrative templates (ADMX-backed policies).
ADMX Files
Graph Endpoint: /deviceManagement/groupPolicyUploadedDefinitionFiles
Service: AdmxFileService
Operations: List, Get, Create, Delete
Permission: DeviceManagementConfiguration.ReadWrite.All
Custom ADMX files uploaded to the tenant for use with administrative templates.
Endpoint Security
Graph Endpoint: /deviceManagement/intents
Service: EndpointSecurityService
Operations: List, Get, Create, Update, Delete, GetAssignments, Assign
Permission: DeviceManagementConfiguration.ReadWrite.All
Endpoint security policies:
- Antivirus
- Disk encryption
- Firewall
- Endpoint detection and response (EDR)
- Attack surface reduction
- Account protection
Compliance
Compliance Policies
Graph Endpoint: /deviceManagement/deviceCompliancePolicies
Service: CompliancePolicyService
Operations: List, Get, Create, Update, Delete, GetAssignments, Assign
Permission: DeviceManagementConfiguration.ReadWrite.All
Device compliance policies for Windows, macOS, iOS/iPadOS, and Android platforms.
Compliance Scripts
Graph Endpoint: /deviceManagement/deviceComplianceScripts
Service: ComplianceScriptService
Operations: List, Get
Permission: DeviceManagementConfiguration.ReadWrite.All
Custom PowerShell scripts for compliance evaluation (Windows 10/11).
Application Management
Applications
Graph Endpoint: /deviceAppManagement/mobileApps
Service: ApplicationService
Operations: List, Get, GetAssignments
Permission: DeviceManagementApps.ReadWrite.All
All application types:
- Win32 apps
- Microsoft Store apps
- Microsoft 365 apps
- Web links
- iOS/iPadOS apps
- Android apps
- macOS apps
App Protection Policies
Graph Endpoint: /deviceAppManagement/managedAppPolicies
Service: AppProtectionPolicyService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementApps.ReadWrite.All
Mobile application management (MAM) policies for iOS/iPadOS and Android.
Managed App Configurations
Graph Endpoints:
- /deviceAppManagement/mobileAppConfigurations
- /deviceAppManagement/targetedManagedAppConfigurations
Service: ManagedAppConfigurationService
Operations: List, Get, Create, Update, Delete (both endpoint types)
Permission: DeviceManagementApps.ReadWrite.All
Managed app configuration policies for both device-based and user-based scenarios.
Policy Sets
Graph Endpoint: /deviceAppManagement/policySets
Service: PolicySetService
Operations: List, Get
Permission: DeviceManagementApps.ReadWrite.All
Collections of apps and policies grouped together for unified assignment.
Windows Updates
Feature Update Profiles
Graph Endpoint: /deviceManagement/windowsFeatureUpdateProfiles
Service: FeatureUpdateProfileService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementConfiguration.ReadWrite.All
Windows 10/11 feature update deployment profiles.
Quality Update Profiles
Graph Endpoint: /deviceManagement/windowsQualityUpdateProfiles
Service: QualityUpdateProfileService
Operations: List, Get, Create, Update
Permission: DeviceManagementConfiguration.ReadWrite.All
Note: Uses $top=200 page size limit (hard API cap)
Windows 10/11 quality update (monthly cumulative update) deployment profiles.
Driver Update Profiles
Graph Endpoint: /deviceManagement/windowsDriverUpdateProfiles
Service: DriverUpdateProfileService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementConfiguration.ReadWrite.All
Note: Uses $top=200 page size limit (hard API cap)
Windows driver update deployment profiles.
Device Enrollment
Enrollment Configurations
Graph Endpoint: /deviceManagement/deviceEnrollmentConfigurations
Service: EnrollmentConfigurationService
Operations: List (4 variants by platform), Get, Create, Update, Delete
Permission: DeviceManagementServiceConfig.ReadWrite.All
Enrollment restrictions and configurations:
- Platform restrictions
- Enrollment status page
- Enrollment time device name templates
- Limit settings
Autopilot Profiles
Graph Endpoint: /deviceManagement/windowsAutopilotDeploymentProfiles
Service: AutopilotService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementServiceConfig.ReadWrite.All
Windows Autopilot deployment profiles.
Apple DEP Settings
Graph Endpoint: /deviceManagement/depOnboardingSettings
Service: AppleDepService
Operations: List, Get, ListEnrollmentProfiles
Permission: DeviceManagementServiceConfig.ReadWrite.All
Apple Device Enrollment Program (DEP) onboarding settings and enrollment profiles.
Scripts & Remediation
Device Health Scripts
Graph Endpoint: /deviceManagement/deviceHealthScripts
Service: DeviceHealthScriptService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementScripts.ReadWrite.All
Proactive remediation scripts (detection and remediation) for Windows 10/11.
Device Shell Scripts (macOS)
Graph Endpoint: /deviceManagement/deviceShellScripts
Service: DeviceShellScriptService
Operations: List, Get
Permission: DeviceManagementScripts.ReadWrite.All
Shell scripts for macOS devices.
Mac Custom Attributes
Graph Endpoint: /deviceManagement/deviceCustomAttributeShellScripts
Service: MacCustomAttributeService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementScripts.ReadWrite.All
Custom attribute collection scripts for macOS devices.
Conditional Access & Identity
Conditional Access Policies
Graph Endpoint: /identity/conditionalAccess/policies
Service: ConditionalAccessPolicyService
Operations: List, Get
Permission: Policy.ReadWrite.ConditionalAccess or Policy.Read.All
Entra ID Conditional Access policies.
Named Locations
Graph Endpoint: /identity/conditionalAccess/namedLocations
Service: NamedLocationService
Operations: List, Get, Create, Update, Delete
Permission: Policy.ReadWrite.ConditionalAccess
Named locations (IP ranges and country/region locations) for Conditional Access.
Authentication Strengths
Graph Endpoint: /identity/conditionalAccess/authenticationStrength/policies
Service: AuthenticationStrengthService
Operations: List, Get, Create, Update, Delete
Permission: Policy.ReadWrite.ConditionalAccess
Custom authentication strength policies defining allowed authentication methods.
Authentication Contexts
Graph Endpoint: /identity/conditionalAccess/authenticationContextClassReferences
Service: AuthenticationContextService
Operations: List, Get, Create, Update, Delete
Permission: Policy.ReadWrite.ConditionalAccess
Authentication context class references for step-up authentication scenarios.
Terms of Use
Graph Endpoint: /identityGovernance/termsOfUse/agreements
Service: TermsOfUseService
Operations: List, Get, Create, Update, Delete
Permission: Agreement.ReadWrite.All
Entra ID terms of use agreements.
Branding & Tenant Settings
Intune Branding
Graph Endpoint: /deviceManagement/intuneBrandingProfiles
Service: IntuneBrandingService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementServiceConfig.ReadWrite.All
Intune Company Portal branding profiles.
Azure Branding
Graph Endpoint: /organization/{id}/branding/localizations
Service: AzureBrandingService
Operations: List, Get, Create, Update, Delete
Permissions: Organization.Read.All, OrganizationalBranding.ReadWrite.All
Entra ID sign-in page branding and localizations.
Terms and Conditions
Graph Endpoint: /deviceManagement/termsAndConditions
Service: TermsAndConditionsService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementServiceConfig.ReadWrite.All
Intune terms and conditions that users must accept before enrollment.
Role-Based Access Control
Role Definitions
Graph Endpoint: /deviceManagement/roleDefinitions
Service: RoleDefinitionService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementRBAC.ReadWrite.All
Custom RBAC role definitions for Intune administration.
Scope Tags
Graph Endpoint: /deviceManagement/roleScopeTags
Service: ScopeTagService
Operations: List, Get, Create, Update, Delete
Permission: DeviceManagementRBAC.ReadWrite.All
Scope tags for role-based administration and multi-tenant management.
Assignment & Filters
Assignment Filters
Graph Endpoint: /deviceManagement/assignmentFilters
Service: AssignmentFilterService
Operations: List, Get
Permission: DeviceManagementConfiguration.ReadWrite.All
Dynamic device assignment filters for targeted policy and app deployment.
Groups
Groups
Graph Endpoints:
- /groups
- /groups/{id}/members
Service: GroupService
Operations: List, Search, GetMembers, GetMemberCounts
Permissions: Group.Read.All, GroupMember.Read.All
Entra ID groups used for policy and app assignments.
Windows 365 (Cloud PC)
Cloud PC Provisioning Policies
Graph Endpoint: /deviceManagement/virtualEndpoint/provisioningPolicies
Service: CloudPcProvisioningService
Operations: List, Get
Permission: CloudPC.ReadWrite.All
Requires an active Windows 365 license. Endpoints return HTTP 403 without proper licensing regardless of app permissions.
Cloud PC User Settings
Graph Endpoint: /deviceManagement/virtualEndpoint/userSettings
Service: CloudPcUserSettingsService
Operations: List, Get
Permission: CloudPC.ReadWrite.All
Requires an active Windows 365 license. Endpoints return HTTP 403 without proper licensing regardless of app permissions.
Other Objects
Device Categories
Graph Endpoint: /deviceManagement/deviceCategories
Service: DeviceCategoryService
Operations: List, Get
Permission: DeviceManagementManagedDevices.Read.All
Device categories for organizational grouping.
Notification Templates
Graph Endpoint: (varies by notification type)
Service: NotificationTemplateService
Permission: DeviceManagementServiceConfig.ReadWrite.All
Notification message templates for end-user communications.
VPP Tokens
Graph Endpoint: (Apple/Microsoft Volume Purchase Program endpoints)
Service: VppTokenService
Permission: DeviceManagementApps.ReadWrite.All
Volume Purchase Program token management for app licensing.
Reusable Policy Settings
Graph Endpoint: /deviceManagement/reusablePolicySettings
Service: ReusablePolicySettingService
Permission: DeviceManagementConfiguration.ReadWrite.All
Reusable settings groups for endpoint security policies.
API Version
All services use the Microsoft Graph Beta API (/beta endpoint). Intune Commander uses the Microsoft.Graph.Beta SDK (version 5.130.x-preview), not the stable Microsoft.Graph package.
Multi-Cloud Support
All object types are supported across all four cloud environments:
- Microsoft Commercial (graph.microsoft.com)
- GCC (graph.microsoft.com)
- GCC-High (graph.microsoft.us)
- DoD (dod-graph.microsoft.us)