App configuration policies allow you to provide platform-specific settings to mobile applications without requiring code changes.
Available Resources
iOS Managed App Configuration (resource: microsoft365_graph_beta_device_and_app_management_ios_managed_device_app_configuration_policy): Configure settings for iOS managed apps.
Android Managed App Configuration (resource: microsoft365_graph_beta_device_and_app_management_android_managed_device_app_configuration_policy): Configure settings for Android managed apps.
iOS Managed Mobile App (resource: microsoft365_graph_beta_device_and_app_management_ios_managed_mobile_app): Apply app protection policies to iOS apps.
Android Managed Mobile App (resource: microsoft365_graph_beta_device_and_app_management_android_managed_mobile_app): Apply app protection policies to Android apps.
iOS Managed App Configuration Example
resource "microsoft365_graph_beta_device_and_app_management_ios_managed_device_app_configuration_policy" "outlook" {
  display_name = "Outlook for iOS Configuration"
  description  = "Configure Outlook app settings for iOS devices"

  # Target specific managed app
  targeted_mobile_apps = [
    microsoft365_graph_beta_device_and_app_management_ios_store_app.outlook.id
  ]

  # App configuration settings (XML format)
  encoded_setting_xml = base64encode(<<-EOT
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>IntuneMAMAllowedAccountsOnly</key>
      <string>Enabled</string>
      <key>IntuneMAMUPN</key>
      <string>{{userprincipalname}}</string>
      <key>com.microsoft.outlook.Mail.FocusedInbox</key>
      <string>Enabled</string>
    </dict>
    </plist>
  EOT
  )
}
Android Managed App Configuration Example
resource "microsoft365_graph_beta_device_and_app_management_android_managed_device_app_configuration_policy" "outlook" {
  display_name = "Outlook for Android Configuration"
  description  = "Configure Outlook app settings for Android devices"

  # Target specific managed app
  targeted_mobile_apps = [
    microsoft365_graph_beta_device_and_app_management_android_managed_mobile_app.outlook.id
  ]

  # App configuration in JSON format
  payload_json = jsonencode({
    kind = "androidenterprise#managedConfiguration"
    managedProperty = [
      {
        key         = "com.microsoft.intune.mam.managedbrowser.Account"
        valueString = "{{userprincipalname}}"
      },
      {
        key         = "com.microsoft.outlook.EmailProfile.EmailAddress"
        valueString = "{{mail}}"
      },
      {
        key         = "com.microsoft.outlook.EmailProfile.EmailUPN"
        valueString = "{{userprincipalname}}"
      }
    ]
  })
}
iOS Managed Mobile App Example
Apply app protection policies to iOS apps:
resource "microsoft365_graph_beta_device_and_app_management_ios_managed_mobile_app" "outlook_protection" {
  mobile_app_identifier = {
    bundle_id = "com.microsoft.office.outlook"
  }
  version = "*"
}
Android Managed Mobile App Example
Apply app protection policies to Android apps:
resource "microsoft365_graph_beta_device_and_app_management_android_managed_mobile_app" "outlook_protection" {
  mobile_app_identifier = {
    package_id = "com.microsoft.office.outlook"
  }
  version = "*"
}
Windows Managed Mobile App Example
resource "microsoft365_graph_beta_device_and_app_management_windows_managed_mobile_app" "edge_protection" {
  # Configuration for Windows app protection
}
Configuration Variables
Use Intune configuration tokens in your app settings:
| Token | Description | Example |
| --- | --- | --- |
| {{userprincipalname}} | User’s UPN | [email protected] |
| {{mail}} | User’s email | [email protected] |
| {{username}} | Username | user |
| {{userid}} | User’s object ID | guid |
| {{deviceid}} | Device ID | guid |
| {{devicename}} | Device name | DESKTOP-ABC123 |
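A mistyped token is not substituted and reaches the app as a literal string, so it is worth checking the plist before it goes into `base64encode()`. The following is an added example, not part of the provider or its documentation: `lint_ios_app_config` is a hypothetical helper, and its rule that `IntuneMAMAllowedAccountsOnly` must be accompanied by a tokenized `IntuneMAMUPN` is an assumption taken from the pairing in the Outlook example above.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Tokens from the page's "Configuration Variables" table, spelled as listed there.
KNOWN_TOKENS = {"userprincipalname", "mail", "username", "userid", "deviceid", "devicename"}
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")


def lint_ios_app_config(plist_xml: str) -> list[str]:
    """Return findings for the plist that would be passed to base64encode()."""
    try:
        settings = plistlib.loads(plist_xml.strip().encode("utf-8"), fmt=plistlib.FMT_XML)
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        return [f"payload is not a well-formed plist: {exc}"]
    if not isinstance(settings, dict):
        return ["top-level plist value must be a <dict>"]

    findings = []
    for key, value in settings.items():
        if not isinstance(value, str):
            continue  # booleans such as <false/> carry no tokens
        for token in TOKEN_RE.findall(value):
            if token not in KNOWN_TOKENS:
                findings.append(f"{key}: token {{{{{token}}}}} is not in the token table")
        # Braces left over once complete tokens are removed point to a typo
        # such as {userprincipalname}} that would reach the app unexpanded.
        if re.search(r"[{}]", TOKEN_RE.sub("", value)):
            findings.append(f"{key}: stray brace in {value!r}")

    # Assumption (from the page's Outlook example): allowed-accounts mode is
    # only meaningful when IntuneMAMUPN carries a per-user token.
    if settings.get("IntuneMAMAllowedAccountsOnly") == "Enabled":
        upn = settings.get("IntuneMAMUPN")
        if not isinstance(upn, str) or not TOKEN_RE.search(upn):
            findings.append("IntuneMAMAllowedAccountsOnly is Enabled but IntuneMAMUPN "
                            "is missing or hard-coded instead of a per-user token")
    return findings


# Constructed sample payloads (not taken from a real tenant).
GOOD = plistlib.dumps({"IntuneMAMAllowedAccountsOnly": "Enabled",
                       "IntuneMAMUPN": "{{userprincipalname}}",
                       "com.microsoft.outlook.Mail.FocusedInbox": "Enabled"}).decode()
TYPO = plistlib.dumps({"IntuneMAMUPN": "{{userprincipalnme}}"}).decode()
NO_UPN = plistlib.dumps({"IntuneMAMAllowedAccountsOnly": "Enabled"}).decode()
BROKEN = "<plist version='1.0'><dict><key>IntuneMAMUPN</key>"

if __name__ == "__main__":
    for name, payload in [("GOOD", GOOD), ("TYPO", TYPO), ("NO_UPN", NO_UPN), ("BROKEN", BROKEN)]:
        print(name, lint_ios_app_config(payload))
```

Run it against the same heredoc text you pass to `encoded_setting_xml`, for example as a pre-apply step alongside the pilot-group rollout.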
Common App Configurations
Microsoft Outlook
iOS Outlook
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IntuneMAMUPN</key>
  <string>{{userprincipalname}}</string>
  <key>com.microsoft.outlook.Mail.FocusedInbox</key>
  <string>Enabled</string>
  <key>com.microsoft.outlook.Mail.Notifications</key>
  <string>Enabled</string>
</dict>
</plist>
Microsoft Edge
resource "microsoft365_graph_beta_device_and_app_management_ios_managed_device_app_configuration_policy" "edge" {
  display_name = "Edge for iOS Configuration"

  targeted_mobile_apps = [
    microsoft365_graph_beta_device_and_app_management_ios_store_app.edge.id
  ]

  encoded_setting_xml = base64encode(<<-EOT
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>com.microsoft.intune.mam.managedbrowser.Account</key>
      <string>{{userprincipalname}}</string>
      <key>com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock</key>
      <false/>
    </dict>
    </plist>
  EOT
  )
}
Best Practices
Use configuration tokens for personalization
Leverage tokens like {{userprincipalname}} and {{mail}} to personalize app settings for each user automatically.
Test configurations before wide deployment
Deploy app configurations to a pilot group first to validate settings work as expected.
Keep documentation of custom XML/JSON settings and their purpose for future reference.
Version your configurations
Use version numbers in display names to track configuration changes over time.
Import Syntax
# Import iOS managed app configuration
terraform import microsoft365_graph_beta_device_and_app_management_ios_managed_device_app_configuration_policy.outlook <policy-id>
# Import Android managed app configuration
terraform import microsoft365_graph_beta_device_and_app_management_android_managed_device_app_configuration_policy.outlook <policy-id>
# Import iOS managed mobile app
terraform import microsoft365_graph_beta_device_and_app_management_ios_managed_mobile_app.outlook <app-id>
# Import Android managed mobile app
terraform import microsoft365_graph_beta_device_and_app_management_android_managed_mobile_app.outlook <app-id>
App configuration policies require that the targeted apps are deployed and that they support managed app configuration. Consult the app vendor’s documentation for supported configuration keys.