Device.Command
Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user.
Permission Details
Communicate with user devices
Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user.
bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| accountEnabled | Boolean, Nullable | true if the account is enabled; otherwise, false. Required. Default is true. Supports $filter (eq, ne, not, in). Only callers with at least the Cloud Device Administrator role can set this property. |
| alternativeSecurityIds | alternativeSecurityId collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le). |
| approximateLastSignInDateTime | DateTimeOffset, Nullable | The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, and eq on null values) and $orderby. |
| complianceExpirationDateTime | DateTimeOffset, Nullable | The timestamp when the device is no longer deemed compliant. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| deviceCategory | String, Nullable | User-defined property set by Intune to automatically add devices to groups and simplify managing devices. |
| deviceId | String, Nullable | Unique identifier set by Azure Device Registration Service at the time of registration. This alternate key can be used to reference the device object. Supports $filter (eq, ne, not, startsWith). |
| deviceMetadata | String, Nullable | For internal use only. Set to null. |
| deviceOwnership | String, Nullable | Ownership of the device. Intune sets this property. The possible values are: unknown, company, personal. |
| deviceVersion | Int32, Nullable | For internal use only. |
| displayName | String, Nullable | The display name for the device. Maximum length is 256 characters. Required. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| enrollmentProfileName | String, Nullable | Enrollment profile applied to the device. For example, Apple Device Enrollment Profile, Device enrollment - Corporate device identifiers, or Windows Autopilot profile name. This property is set by Intune. |
| enrollmentType | String, Nullable | Enrollment type of the device. Intune sets this property. The possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth, appleUserEnrollment, appleUserEnrollmentWithServiceAccount. NOTE: This property might return other values apart from those listed. |
| extensionAttributes | onPremisesExtensionAttributes | Contains extension attributes 1-15 for the device. The individual extension attributes aren't selectable. These properties are mastered in the cloud and can be set during creation or update of a device object in Microsoft Entra ID. Supports $filter (eq, not, startsWith, and eq on null values). |
| id | String | The unique identifier for the device. Inherited from directoryObject. Key, Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
| isCompliant | Boolean, Nullable | true if the device complies with Mobile Device Management (MDM) policies; otherwise, false. Read-only. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. Supports $filter (eq, ne, not). |
Showing 15 of 38 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "accountEnabled": "Boolean",
  "alternativeSecurityIds": [
    {
      "@odata.type": "microsoft.graph.alternativeSecurityId"
    }
  ],
  "approximateLastSignInDateTime": "String (timestamp)",
  "complianceExpirationDateTime": "String (timestamp)",
  "deviceCategory": "String",
  "deviceId": "String",
  "deviceMetadata": "String",
  "deviceOwnership": "String",
  "deviceVersion": "Int32",
  "displayName": "String",
  "enrollmentProfileName": "String",
  "enrollmentType": "String",
  "extensionAttributes": {
    "@odata.type": "microsoft.graph.onPremisesExtensionAttributes"
  },
  "id": "String (identifier)",
  "isCompliant": "Boolean",
  "isManaged": "Boolean",
  "isManagementRestricted": "Boolean",
  "isRooted": "Boolean",
  "managementType": "String",
  "manufacturer": "String",
  "mdmAppId": "String",
  "model": "String",
  "onPremisesLastSyncDateTime": "String (timestamp)",
  "onPremisesSecurityIdentifier": "String",
  "onPremisesSyncEnabled": "Boolean",
  "operatingSystem": "String",
  "operatingSystemVersion": "String",
  "physicalIds": [
    "String"
  ],
  "profileType": "String",
  "registrationDateTime": "String (timestamp)",
  "systemLabels": [
    "String"
  ],
  "trustType": "String"
}
```
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| extensions | extension collection | The collection of open extensions defined for the device. Read-only. Nullable. |
| memberOf | directoryObject collection | Groups and administrative units that this device is a member of. Read-only. Nullable. Supports $expand. |
| registeredOwners | directoryObject collection | The user that cloud joined the device or registered their personal device. The registered owner is set at the time of registration. Read-only. Nullable. Supports $expand. |
| registeredUsers | directoryObject collection | Collection of registered users of the device. For cloud joined devices and registered personal devices, registered users are set to the same value as registered owners at the time of registration. Read-only. Nullable. Supports $expand. |
| transitiveMemberOf | directoryObject collection | Groups and administrative units that the device is a member of. This operation is transitive. Supports $expand. |
| alternativeSecurityIds | alternativeSecurityId collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le). |
| physicalIds | string collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le, startsWith, /$count eq 0, /$count ne 0). |
| systemLabels | string collection | List of labels applied to the device by the system. Supports $filter (/$count eq 0, /$count ne 0). |
| alternativeNames | string collection | List of alternative names for the device. |
| commands | command collection | Set of commands sent to this device. |
| deviceTemplate | deviceTemplate collection | Device template used to instantiate this device. Nullable. Read-only. |
| hostnames | string collection | List of host names for the device. |
| usageRights | usageRight collection | Represents the usage rights a device has been granted. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
No API methods available for this version.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| GET /me/devices/{id}/commands/{id} |
| POST /me/devices/{id}/commands |
Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Code Examples
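```csharp
using System;
using Azure.Identity;
using Microsoft.Graph;

var scopes = new[] { "Device.Command" };
var credential = new InteractiveBrowserCredential(
    new InteractiveBrowserCredentialOptions
    {
        ClientId = "YOUR_CLIENT_ID",
        TenantId = "YOUR_TENANT_ID",
        RedirectUri = new Uri("http://localhost")
    });
var graphClient = new GraphServiceClient(credential, scopes);

// The commands endpoints are listed for Microsoft Graph beta only, so call the beta URL.
// Replace the two {id} placeholders with the device ID and the command ID.
var response = await graphClient
    .WithUrl("https://graph.microsoft.com/beta/me/devices/{id}/commands/{id}")
    .GetAsync();
```

```javascript
import { Client } from "@microsoft/microsoft-graph-client";
import { InteractiveBrowserCredential } from "@azure/identity";

const credential = new InteractiveBrowserCredential({
  clientId: "YOUR_CLIENT_ID",
  tenantId: "YOUR_TENANT_ID",
  redirectUri: "http://localhost"
});
const token = await credential.getToken(["Device.Command"]);
const client = Client.init({
  authProvider: (done) => done(null, token.token)
});

// The commands endpoints are listed for Microsoft Graph beta only; the client defaults to v1.0.
// Replace the two {id} placeholders with the device ID and the command ID.
const response = await client
  .api("/me/devices/{id}/commands/{id}")
  .version("beta")
  .get();
```

```powershell
Connect-MgGraph -Scopes "Device.Command"

# The commands endpoints are listed for Microsoft Graph beta only.
# Replace the two {id} placeholders with the device ID and the command ID.
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/me/devices/{id}/commands/{id}"
```

```python
from azure.identity import InteractiveBrowserCredential
import requests

credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
token = credential.get_token("Device.Command")

# The commands endpoints are listed for Microsoft Graph beta only.
# Replace the two {id} placeholders with the device ID and the command ID.
response = requests.get(
    "https://graph.microsoft.com/beta/me/devices/{id}/commands/{id}",
    headers={"Authorization": f"Bearer {token.token}"},
    timeout=30
)
response.raise_for_status()
print(response.json())
```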
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Delegated permissions and search for Device.Command.
4. Grant Admin Consent: Users can consent to this permission during sign-in.
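
Because users can consent to Device.Command themselves, a periodic review of existing delegated grants shows which apps already hold it. The following is an added example, not code from the original page: it scans records shaped like Microsoft Graph oauth2PermissionGrant objects for this scope. The sample records, their placeholder IDs and the function name are constructed for illustration.

```python
"""Flag delegated permission grants that include the Device.Command scope."""

TARGET_SCOPE = "Device.Command"

# Constructed sample records in the shape of Microsoft Graph
# oauth2PermissionGrant objects (all IDs are placeholders).
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-app-a", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-graph",
     "scope": "User.Read Device.Command"},
    {"id": "grant-2", "clientId": "sp-app-b", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": " openid profile device.command "},
    {"id": "grant-3", "clientId": "sp-app-c", "consentType": "Principal",
     "principalId": "user-2", "resourceId": "sp-graph",
     "scope": "Device.Read User.Read"},
    {"id": "grant-4", "clientId": "sp-app-d", "consentType": "Principal",
     "principalId": "user-3", "resourceId": "sp-other-api",
     "scope": "Device.Command"},
]


def find_device_command_grants(grants, graph_sp_id):
    """Return one finding per grant of Device.Command on Microsoft Graph.

    graph_sp_id is the object ID of the Microsoft Graph service principal in
    the tenant; grants on other resources are skipped because a scope name
    only has meaning relative to its resource.
    """
    findings = []
    for grant in grants:
        if grant.get("resourceId") != graph_sp_id:
            continue
        # scope is a space-separated list; compare whole tokens (lower-cased
        # as a defensive choice) so that Device.Read does not match.
        scopes = {s.lower() for s in (grant.get("scope") or "").split()}
        if TARGET_SCOPE.lower() not in scopes:
            continue
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        findings.append({
            "grantId": grant["id"],
            "clientId": grant["clientId"],
            "coverage": "all users" if tenant_wide else "single user",
            "principalId": grant.get("principalId"),
        })
    # Tenant-wide grants first: they apply to every user, not one consenter.
    return sorted(findings, key=lambda f: f["coverage"] != "all users")
```

Each `clientId` in the findings is a service principal object ID, which can then be resolved to the app's display name and publisher for review.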