Device Management resources enable you to configure, secure, and manage devices across Windows, macOS, iOS, Android, and Linux platforms.

Resource Categories

Configuration Policies

Device settings and configurations

Compliance Policies

Device compliance requirements

Windows Updates

Update rings and driver updates

Device Enrollment

Enrollment policies and configurations

Platform Support

Platform | Configuration | Compliance | Updates | Enrollment
Windows
macOS
iOS/iPadOS-
Android-
Linux--

Quick Start

Windows Compliance Policy

resource "microsoft365_graph_beta_device_management_windows_device_compliance_policy" "baseline" {
  display_name = "Windows 11 Baseline Compliance"
  description  = "Baseline compliance requirements for Windows 11 devices"
  
  # Require BitLocker
  bit_locker_enabled = true
  
  # Require secure boot
  secure_boot_enabled = true
  
  # OS version requirements
  os_minimum_version = "10.0.22000.0"
  
  # Password requirements
  password_required                          = true
  password_minimum_length                    = 8
  password_required_type                     = "alphanumeric"
  password_minutes_of_inactivity_before_lock = 15
}

Settings Catalog Configuration

resource "microsoft365_graph_beta_device_management_settings_catalog_configuration_policy" "security" {
  name         = "Windows Security Settings"
  description  = "Security configuration for Windows devices"
  platforms    = "windows10"
  technologies = "mdm"
  
  settings = [
    {
      setting_instance = {
        setting_definition_id = "device_vendor_msft_policy_config_defender_allowrealtimemonitoring"
        setting_value = {
          value = "1"
        }
      }
    }
  ]
}

Common Scenarios

Create compliance policies to ensure devices meet your security requirements before accessing corporate resources:
  • Minimum OS versions
  • Encryption requirements
  • Password policies
  • Security features (firewall, antivirus)

Use configuration policies to standardize device settings:
  • Wi-Fi and VPN configurations
  • Email profiles
  • Certificate deployment
  • Security baselines

Control update deployment timing and behavior:
  • Update rings for different user groups
  • Deferral periods for testing
  • Maintenance windows
  • Feature update controls

Customize the enrollment experience:
  • Enrollment restrictions
  • Auto-enrollment settings
  • Terms and conditions
  • Branding and customization

Policy Assignment

Most device management policies support flexible assignment:
resource "microsoft365_graph_beta_device_management_windows_device_compliance_policy" "policy" {
  display_name = "Compliance Policy"
  # ... policy settings
}

# Assign to specific group
resource "microsoft365_graph_beta_device_management_device_compliance_policy_assignment" "assignment" {
  policy_id = microsoft365_graph_beta_device_management_windows_device_compliance_policy.policy.id
  
  target = {
    # windows_devices is a group resource defined elsewhere in the configuration
    assignment_target_type = "groupAssignmentTarget"
    group_id               = microsoft365_graph_beta_groups_group.windows_devices.id
  }
}
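
A pre-apply check for the compliance policy and assignment resources shown above, as an added example that is not part of the provider or this documentation's own code. It reads `terraform show -json` plan output, flags Windows compliance policies weaker than the Quick Start baseline, and flags policies that no assignment references. The thresholds, `audit_plan`, and the sample plan are assumptions constructed for illustration, and only root-module resources are inspected.

```python
POLICY = "microsoft365_graph_beta_device_management_windows_device_compliance_policy"
ASSIGNMENT = "microsoft365_graph_beta_device_management_device_compliance_policy_assignment"
REQUIRED_TRUE = ("bit_locker_enabled", "secure_boot_enabled", "password_required")
MIN_PASSWORD_LENGTH = 8  # floor used by the Quick Start baseline (assumed threshold)


def audit_plan(plan):
    """Return findings for Windows compliance policies in a plan (root module only)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") != POLICY or not after:  # skip other types and destroys
            continue
        for attr in REQUIRED_TRUE:
            if after.get(attr) is not True:
                findings.append(f"{rc['address']}: {attr} is not true")
        if (after.get("password_minimum_length") or 0) < MIN_PASSWORD_LENGTH:
            findings.append(f"{rc['address']}: password_minimum_length below {MIN_PASSWORD_LENGTH}")
    # policy_id is unknown until apply, so link assignments through config references.
    resources = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    referenced = set()
    for res in resources:
        if res.get("type") == ASSIGNMENT:
            expr = res.get("expressions", {}).get("policy_id", {})
            referenced.update(expr.get("references", []))
    for res in resources:
        if res.get("type") == POLICY and res["address"] not in referenced:
            findings.append(f"{res['address']}: no assignment targets this policy")
    return findings


# Constructed sample in the shape of `terraform show -json` output (not real plan data).
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": f"{POLICY}.baseline", "type": POLICY, "change": {"after": {
            "bit_locker_enabled": True, "secure_boot_enabled": True,
            "password_required": True, "password_minimum_length": 8}}},
        {"address": f"{POLICY}.legacy", "type": POLICY, "change": {"after": {
            "bit_locker_enabled": False, "secure_boot_enabled": True,
            "password_required": True, "password_minimum_length": 6}}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": f"{POLICY}.baseline", "type": POLICY},
        {"address": f"{POLICY}.legacy", "type": POLICY},
        {"address": f"{ASSIGNMENT}.assignment", "type": ASSIGNMENT, "expressions": {
            "policy_id": {"references": [f"{POLICY}.baseline.id", f"{POLICY}.baseline"]}}},
    ]}},
}

print("\n".join(audit_plan(SAMPLE_PLAN)))
```

In a pipeline, load the output of `terraform show -json` with `json.load` and fail the job when `audit_plan` returns any findings.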

Advanced Features

Endpoint Privilege Management

Control elevation of privileges on Windows devices:
resource "microsoft365_graph_beta_device_management_endpoint_privilege_management_json" "elevation_rules" {
  # Configure privilege elevation rules
}

App Control for Business

Manage application control policies:
resource "microsoft365_graph_beta_device_management_app_control_for_business_policy" "applocker" {
  display_name = "AppLocker Policy"
  # ... configuration
}

Remediation Scripts

Deploy PowerShell scripts for device remediation:
resource "microsoft365_graph_beta_device_management_windows_remediation_script" "cleanup" {
  display_name = "Disk Cleanup Script"
  # ... script configuration
}

Role-Based Access Control

Manage Intune RBAC permissions:
resource "microsoft365_graph_beta_device_management_role_definition" "custom_role" {
  display_name = "Device Manager"
  description  = "Can manage device configurations"
  
  # ... permissions
}

resource "microsoft365_graph_beta_device_management_role_assignment" "assignment" {
  role_definition_id = microsoft365_graph_beta_device_management_role_definition.custom_role.id
  
  # ... scope and members
}

Best Practices

1. Start with compliance policies

Define compliance requirements before deploying configuration policies to ensure devices meet minimum standards.

2. Use pilot groups for testing

Test new policies with pilot groups before broad deployment to identify issues early.

3. Monitor compliance status

Regularly review compliance reports to identify non-compliant devices and take corrective action.

4. Document your policies

Maintain documentation of policy intent, settings, and assignment targets for operational clarity.

5. Plan for updates

Create a structured update deployment strategy with rings for different user populations.

Next Steps

Configuration Policies

Create device configuration policies

Compliance Policies

Define compliance requirements

Windows Updates

Manage Windows Update deployment

Enrollment

Configure device enrollment
