ESC
Type to search...
Navigate Open ESC Close

Device.CreateFromOwnedTemplate

Export JSON
Export CSV
Copy URL
Print
Delegated Read Owned Only

Allows the app to create device objects based on device templates owned by the signed-in user, on behalf of the signed in user.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Delegated Permission Admin consent required

Create devices based on owned device templates

Allows the app to create device objects based on device templates owned by the signed-in user, on behalf of the signed in user.

User sees: Allows the app to create device objects based on device templates you own, on your behalf.
Permission ID: edc92e89-a987-48a9-911a-a7b1967dd7b1

Properties

Microsoft Graph v1.0 exact-category-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
accountEnabled BooleanNullable true if the account is enabled; otherwise, false. Required. Default is true. , , Supports $filter (eq, ne, not, in). Only callers with at least the Cloud Device Administrator role can set this property.
alternativeSecurityIds alternativeSecurityId collection For internal use only. Not nullable. Supports $filter (eq, not, ge, le).
approximateLastSignInDateTime DateTimeOffsetNullable The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, and eq on null values) and $orderby.
complianceExpirationDateTime DateTimeOffsetNullable The timestamp when the device is no longer deemed compliant. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
deviceCategory StringNullable User-defined property set by Intune to automatically add devices to groups and simplify managing devices.
deviceId StringNullable Unique identifier set by Azure Device Registration Service at the time of registration. This alternate key can be used to reference the device object. Supports $filter (eq, ne, not, startsWith).
deviceMetadata StringNullable For internal use only. Set to null.
deviceOwnership StringNullable Ownership of the device. Intune sets this property. The possible values are: unknown, company, personal.
deviceVersion Int32Nullable For internal use only.
displayName StringNullable The display name for the device. Maximum length is 256 characters. Required. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby.
enrollmentProfileName StringNullable Enrollment profile applied to the device. For example, Apple Device Enrollment Profile, Device enrollment - Corporate device identifiers, or Windows Autopilot profile name. This property is set by Intune.
enrollmentType StringNullable Enrollment type of the device. Intune sets this property. The possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth,appleUserEnrollment, appleUserEnrollmentWithServiceAccount. , , NOTE: This property might return other values apart from those listed.
extensionAttributes onPremisesExtensionAttributes Contains extension attributes 1-15 for the device. The individual extension attributes aren't selectable. These properties are mastered in the cloud and can be set during creation or update of a device object in Microsoft Entra ID. , , Supports $filter (eq, not, startsWith, and eq on null values).
id String The unique identifier for the device. Inherited from directoryObject. Key, Not nullable. Read-only. Supports $filter (eq, ne, not, in).
isCompliant BooleanNullable true if the device complies with Mobile Device Management (MDM) policies; otherwise, false. Read-only. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. Supports $filter (eq, ne, not).

Showing 15 of 38 properties.

JSON Representation

Microsoft Graph v1.0 exact-category-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "accountEnabled": "Boolean",
  "alternativeSecurityIds": [
    {
      "@odata.type": "microsoft.graph.alternativeSecurityId"
    }
  ],
  "approximateLastSignInDateTime": "String (timestamp)",
  "complianceExpirationDateTime": "String (timestamp)",
  "deviceCategory": "String",
  "deviceId": "String",
  "deviceMetadata": "String",
  "deviceOwnership": "String",
  "deviceVersion": "Int32",
  "displayName": "String",
  "enrollmentProfileName": "String",
  "enrollmentType": "String",
  "extensionAttributes": {
    "@odata.type": "microsoft.graph.onPremisesExtensionAttributes"
  },
  "id": "String (identifier)",
  "isCompliant": "Boolean",
  "isManaged": "Boolean",
  "isManagementRestricted": "Boolean",
  "isRooted": "Boolean",
  "managementType": "String",
  "manufacturer": "String",
  "mdmAppId": "String",
  "model": "String",
  "onPremisesLastSyncDateTime": "String (timestamp)",
  "onPremisesSecurityIdentifier": "String",
  "onPremisesSyncEnabled": "Boolean",
  "operatingSystem": "String",
  "operatingSystemVersion": "String",
  "physicalIds": [
    "String"
  ],
  "profileType": "String",
  "registrationDateTime": "String (timestamp)",
  "systemLabels": [
    "String"
  ],
  "trustType": "String"
}

Relationships

Microsoft Graph v1.0 exact-category-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
extensions extension collection The collection of open extensions defined for the device. Read-only. Nullable.
memberOf directoryObject collection Groups and administrative units that this device is a member of. Read-only. Nullable. Supports $expand.
registeredOwners directoryObject collection The user that cloud joined the device or registered their personal device. The registered owner is set at the time of registration. Read-only. Nullable. Supports $expand.
registeredUsers directoryObject collection Collection of registered users of the device. For cloud joined devices and registered personal devices, registered users are set to the same value as registered owners at the time of registration. Read-only. Nullable. Supports $expand.
transitiveMemberOf directoryObject collection Groups and administrative units that the device is a member of. This operation is transitive. Supports $expand.
alternativeSecurityIds alternativeSecurityId collection For internal use only. Not nullable. Supports $filter (eq, not, ge, le).
physicalIds string collection For internal use only. Not nullable. Supports $filter (eq, not, ge, le, startsWith,/$count eq 0, /$count ne 0).
systemLabels string collection List of labels applied to the device by the system. Supports $filter (/$count eq 0, /$count ne 0).
alternativeNames string collection List of alternative names for the device.
commands command collection Set of commands sent to this device.
deviceTemplate deviceTemplate collection Device template used to instantiate this device. Nullable. Read-only.
hostnames string collection List of host names for the device.
usageRights usageRight collection Represents the usage rights a device has been granted.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

No API methods available for this version.

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
POST /directory/templates/deviceTemplates/{deviceTemplateId}/createDeviceFromTemplate
No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs
No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

Code Examples

C# / .NET SDK
deviceTemplate: createDeviceFromTemplate
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Templates.DeviceTemplates.Item.CreateDeviceFromTemplate;

var requestBody = new CreateDeviceFromTemplatePostRequestBody
{
	ExternalDeviceId = "2fa9424e-7ab0-4a22-8c90-2a20d15d8183",
	OperatingSystemVersion = "Ubuntu 18.04",
	ExternalSourceName = "unknown",
	AccountEnabled = false,
	AlternativeNames = new List<string>
	{
		"/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/testrg/providers/microsoft.deviceregistry/assets/asset1",
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Templates.DeviceTemplates["{deviceTemplate-id}"].CreateDeviceFromTemplate.PostAsync(requestBody);
JavaScript
deviceTemplate: createDeviceFromTemplate
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const device = {
  externalDeviceId: '2fa9424e-7ab0-4a22-8c90-2a20d15d8183',
  operatingSystemVersion: 'Ubuntu 18.04',
  externalSourceName: 'unknown',
  accountEnabled: false,
  alternativeNames: [
    '/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/testrg/providers/microsoft.deviceregistry/assets/asset1'
  ]
};

await client.api('/templates/deviceTemplates/2d62b12a-0163-457d-9796-9602e9807e1/createDeviceFromTemplate')
	.version('beta')
	.post(device);
PowerShell 
Connect-MgGraph -Scopes "Device.CreateFromOwnedTemplate"
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/directory/templates/deviceTemplates/{id}/createDeviceFromTemplate"
Python
deviceTemplate: createDeviceFromTemplate
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.templates.devicetemplates.item.create_device_from_template.create_device_from_template_post_request_body import CreateDeviceFromTemplatePostRequestBody
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = CreateDeviceFromTemplatePostRequestBody(
	external_device_id = "2fa9424e-7ab0-4a22-8c90-2a20d15d8183",
	operating_system_version = "Ubuntu 18.04",
	external_source_name = "unknown",
	account_enabled = False,
	alternative_names = [
		"/subscriptions/00001111-aaaa-2222-bbbb-3333cccc4444/resourcegroups/testrg/providers/microsoft.deviceregistry/assets/asset1",
	],
)

result = await graph_client.templates.device_templates.by_device_template_id('deviceTemplate-id').create_device_from_template.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Delegated permissions and search for Device.CreateFromOwnedTemplate

4

Grant Admin Consent

This delegated permission requires admin consent.