Device.ReadWrite.All
Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers.
Permission Details
Display name: Read and write devices
Description: Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers.
ID: 1138cb37-bd11-4084-a2b7-9f71582aeddb
Properties
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| accountEnabled | Boolean, nullable | true if the account is enabled; otherwise, false. Required. Default is true. Supports $filter (eq, ne, not, in). Only callers with at least the Cloud Device Administrator role can set this property. |
| alternativeSecurityIds | alternativeSecurityId collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le). |
| approximateLastSignInDateTime | DateTimeOffset, nullable | The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, and eq on null values) and $orderby. |
| complianceExpirationDateTime | DateTimeOffset, nullable | The timestamp when the device is no longer deemed compliant. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| deviceCategory | String, nullable | User-defined property set by Intune to automatically add devices to groups and simplify managing devices. |
| deviceId | String, nullable | Unique identifier set by Azure Device Registration Service at the time of registration. This alternate key can be used to reference the device object. Supports $filter (eq, ne, not, startsWith). |
| deviceMetadata | String, nullable | For internal use only. Set to null. |
| deviceOwnership | String, nullable | Ownership of the device. Intune sets this property. The possible values are: unknown, company, personal. |
| deviceVersion | Int32, nullable | For internal use only. |
| displayName | String, nullable | The display name for the device. Maximum length is 256 characters. Required. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| enrollmentProfileName | String, nullable | Enrollment profile applied to the device. For example, Apple Device Enrollment Profile, Device enrollment - Corporate device identifiers, or Windows Autopilot profile name. This property is set by Intune. |
| enrollmentType | String, nullable | Enrollment type of the device. Intune sets this property. The possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth, appleUserEnrollment, appleUserEnrollmentWithServiceAccount. NOTE: This property might return other values apart from those listed. |
| extensionAttributes | onPremisesExtensionAttributes | Contains extension attributes 1-15 for the device. The individual extension attributes aren't selectable. These properties are mastered in the cloud and can be set during creation or update of a device object in Microsoft Entra ID. Supports $filter (eq, not, startsWith, and eq on null values). |
| id | String | The unique identifier for the device. Inherited from directoryObject. Key, Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
| isCompliant | Boolean, nullable | true if the device complies with Mobile Device Management (MDM) policies; otherwise, false. Read-only. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. Supports $filter (eq, ne, not). |
Showing 15 of 38 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "accountEnabled": "Boolean",
  "alternativeSecurityIds": [
    {
      "@odata.type": "microsoft.graph.alternativeSecurityId"
    }
  ],
  "approximateLastSignInDateTime": "String (timestamp)",
  "complianceExpirationDateTime": "String (timestamp)",
  "deviceCategory": "String",
  "deviceId": "String",
  "deviceMetadata": "String",
  "deviceOwnership": "String",
  "deviceVersion": "Int32",
  "displayName": "String",
  "enrollmentProfileName": "String",
  "enrollmentType": "String",
  "extensionAttributes": {
    "@odata.type": "microsoft.graph.onPremisesExtensionAttributes"
  },
  "id": "String (identifier)",
  "isCompliant": "Boolean",
  "isManaged": "Boolean",
  "isManagementRestricted": "Boolean",
  "isRooted": "Boolean",
  "managementType": "String",
  "manufacturer": "String",
  "mdmAppId": "String",
  "model": "String",
  "onPremisesLastSyncDateTime": "String (timestamp)",
  "onPremisesSecurityIdentifier": "String",
  "onPremisesSyncEnabled": "Boolean",
  "operatingSystem": "String",
  "operatingSystemVersion": "String",
  "physicalIds": [
    "String"
  ],
  "profileType": "String",
  "registrationDateTime": "String (timestamp)",
  "systemLabels": [
    "String"
  ],
  "trustType": "String"
}
```
Relationships
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| extensions | extension collection | The collection of open extensions defined for the device. Read-only. Nullable. |
| memberOf | directoryObject collection | Groups and administrative units that this device is a member of. Read-only. Nullable. Supports $expand. |
| registeredOwners | directoryObject collection | The user that cloud joined the device or registered their personal device. The registered owner is set at the time of registration. Read-only. Nullable. Supports $expand. |
| registeredUsers | directoryObject collection | Collection of registered users of the device. For cloud joined devices and registered personal devices, registered users are set to the same value as registered owners at the time of registration. Read-only. Nullable. Supports $expand. |
| transitiveMemberOf | directoryObject collection | Groups and administrative units that the device is a member of. This operation is transitive. Supports $expand. |
| alternativeSecurityIds | alternativeSecurityId collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le). |
| physicalIds | string collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le, startsWith, /$count eq 0, /$count ne 0). |
| systemLabels | string collection | List of labels applied to the device by the system. Supports $filter (/$count eq 0, /$count ne 0). |
| alternativeNames | string collection | List of alternative names for the device. |
| commands | command collection | Set of commands sent to this device. |
| deviceTemplate | deviceTemplate collection | Device template used to instantiate this device. Nullable. Read-only. |
| hostnames | string collection | List of host names for the device. |
| usageRights | usageRight collection | Represents the usage rights a device has been granted. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Devices["{device-id}"].DeleteAsync();
```

```javascript
const options = {
  authProvider,
};
const client = Client.init(options);
await client.api('/devices/{id}')
  .delete();
```

```powershell
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Remove-MgDevice -DeviceId $deviceId
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
await graph_client.devices.by_device_id('device-id').delete()
```
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions and search for Device.ReadWrite.All.
4. Grant Admin Consent: Application permissions always require admin consent.
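
To review the outcome of the consent step above, the following added example (not part of the original page or of Microsoft's snippets) lists which service principals hold Device.ReadWrite.All, matching on the permission ID given on this page. It assumes appRoleAssignment pages already exported from GET /servicePrincipals/{id}/appRoleAssignedTo on the tenant's Microsoft Graph service principal; the object IDs, principal names and the `approved` allowlist are constructed for illustration.

```python
# Added example, not from the original page. All sample values are constructed.
ROLE_ID = "1138cb37-bd11-4084-a2b7-9f71582aeddb"  # Device.ReadWrite.All, ID from this page

def find_grants(pages, graph_sp_id, approved=frozenset(), role_id=ROLE_ID):
    """Return service principals holding the app role, newest grant first.

    pages:       response bodies (dicts with a "value" array) from
                 GET /servicePrincipals/{graph_sp_id}/appRoleAssignedTo
    graph_sp_id: object ID of the tenant's Microsoft Graph service principal
    approved:    principalIds expected to hold the permission (hypothetical allowlist)
    """
    seen, grants = set(), []
    for page in pages:
        for a in page.get("value", []):
            if str(a.get("appRoleId", "")).lower() != role_id.lower():
                continue  # some other permission
            if a.get("resourceId") != graph_sp_id:
                continue  # role granted on a different resource API
            if a["id"] in seen:
                continue  # same assignment present in two exports
            seen.add(a["id"])
            grants.append({
                "principalId": a["principalId"],
                "name": a.get("principalDisplayName"),
                "created": a.get("createdDateTime") or "",
                "approved": a["principalId"] in approved,
            })
    # ISO 8601 UTC timestamps of the same shape sort correctly as strings.
    return sorted(grants, key=lambda g: g["created"], reverse=True)

GRAPH_SP = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed object ID

def _row(aid, role, principal, name, created, resource=GRAPH_SP):
    return {"id": aid, "appRoleId": role, "principalId": principal,
            "principalDisplayName": name, "createdDateTime": created,
            "resourceId": resource}

SAMPLE_PAGES = [  # constructed appRoleAssignment pages
    {"value": [
        _row("a1", ROLE_ID, "p-inventory", "Inventory Sync", "2023-03-01T09:00:00Z"),
        _row("a2", "00000000-0000-0000-0000-0000000000aa", "p-report", "Reporting", "2024-01-10T08:00:00Z"),
    ]},
    {"value": [
        _row("a3", ROLE_ID.upper(), "p-helper", "Device Helper", "2024-06-15T12:30:00Z"),
        _row("a1", ROLE_ID, "p-inventory", "Inventory Sync", "2023-03-01T09:00:00Z"),
        _row("a4", ROLE_ID, "p-other", "Other API client", "2024-02-02T00:00:00Z", "bbbbbbbb-0000-0000-0000-000000000002"),
    ]},
]

if __name__ == "__main__":
    for g in find_grants(SAMPLE_PAGES, GRAPH_SP, approved={"p-inventory"}):
        print("OK    " if g["approved"] else "REVIEW", g["created"], g["principalId"], g["name"])
```

Any principal reported as REVIEW holds tenant-wide device write access without a signed-in user and is not on the expected list.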