DeviceManagementManagedDevices.ReadWrite.All
Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated
Read/Write
All Resources
Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device’s owner
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Application Permission
Read and write Microsoft Intune devices
Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device’s owner
Permission ID:
243333ab-4d21-40cb-a475-36241daa0842
Delegated Permission
Admin consent required
Read and write Microsoft Intune devices
Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner.
User sees: Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner.
Permission ID:
44642bfe-8385-4adc-8fc6-fe3cb2c375c3
Properties
Microsoft Graph v1.0
endpoint-derived-docs
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
aboutMe |
String |
A freeform text entry field for the user to describe themselves. Returned only on $select. |
accountEnabled |
Boolean |
true if the account is enabled; otherwise, false. This property is required when a user is created. , , Returned only on $select. Supports $filter (eq, ne, not, and in). |
ageGroup |
ageGroup |
Sets the age group of the user. Allowed values: null, Minor, NotAdult, and Adult. For more information, see legal age group property definitions. , , Returned only on $select. Supports $filter (eq, ne, not, and in). |
assignedLicenses |
assignedLicense collection |
The licenses that are assigned to the user, including inherited (group-based) licenses. This property doesn't differentiate between directly assigned and inherited licenses. Use the licenseAssignmentStates property to identify the directly assigned and inherited licenses. Not nullable. Returned only on $select. Supports $filter (eq, not, /$count eq 0, /$count ne 0). |
assignedPlans |
assignedPlan collection |
The plans that are assigned to the user. Read-only. Not nullable. , , Returned only on $select. Supports $filter (eq and not). |
birthday |
DateTimeOffset |
The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. , , Returned only on $select. |
businessPhones |
String collection |
The telephone numbers for the user. NOTE: Although it's a string collection, only one number can be set for this property. Read-only for users synced from the on-premises directory. , , Returned by default. Supports $filter (eq, not, ge, le, startsWith). |
city |
String |
The city where the user is located. Maximum length is 128 characters. , , Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
companyName |
String |
The name of the company that the user is associated with. This property can be useful for describing the company that a guest comes from. The maximum length is 64 characters., , Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
consentProvidedForMinor |
consentProvidedForMinor |
Sets whether consent was obtained for minors. Allowed values: null, Granted, Denied, and NotRequired. For more information, see legal age group property definitions. , , Returned only on $select. Supports $filter (eq, ne, not, and in). |
country |
String |
The country or region where the user is located; for example, US or UK. Maximum length is 128 characters. , , Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
createdDateTime |
DateTimeOffset |
The date and time the user was created, in ISO 8601 format and UTC. The value can't be modified and is automatically populated when the entity is created. Nullable. For on-premises users, the value represents when they were first created in Microsoft Entra ID. Property is null for some users created before June 2018 and on-premises users that were synced to Microsoft Entra ID before June 2018. Read-only. , , Returned only on $select. Supports $filter (eq, ne, not , ge, le, in). |
creationType |
String |
Indicates whether the user account was created through one of the following methods: , <ul<liAs a regular school or work account (null). <liAs an external account (Invitation). <liAs a local account for an Azure Active Directory B2C tenant (LocalAccount). <liThrough self-service sign-up by an internal user using email verification (EmailVerified). <liThrough self-service sign-up by a guest signing up through a link that is part of a user flow (SelfServiceSignUp).</ul , Read-only., Returned only on $select. Supports $filter (eq, ne, not, in). |
customSecurityAttributes |
customSecurityAttributeValue |
An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. , , Returned only on $select. Supports $filter (eq, ne, not, startsWith). The filter value is case-sensitive. , <liTo read this property, the calling app must be assigned the CustomSecAttributeAssignment.Read.All permission. To write this property, the calling app must be assigned the CustomSecAttributeAssignment.ReadWrite.All permissions. <liTo read or write this property in delegated scenarios, the admin must be assigned the Attribute Assignment Administrator role. |
deletedDateTime |
DateTimeOffset |
The date and time the user was deleted. , , Returned only on $select. Supports $filter (eq, ne, not, ge, le, in). |
Showing 15 of 141 properties.
JSON Representation
Microsoft Graph v1.0
endpoint-derived-docs
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
JSON representation
{
"aboutMe": "String",
"accountEnabled": true,
"ageGroup": "String",
"assignedLicenses": [
{
"@odata.type": "microsoft.graph.assignedLicense"
}
],
"assignedPlans": [
{
"@odata.type": "microsoft.graph.assignedPlan"
}
],
"birthday": "String (timestamp)",
"businessPhones": [
"String"
],
"city": "String",
"companyName": "String",
"consentProvidedForMinor": "String",
"country": "String",
"createdDateTime": "String (timestamp)",
"creationType": "String",
"customSecurityAttributes": {
"@odata.type": "microsoft.graph.customSecurityAttributeValue"
},
"department": "String",
"displayName": "String",
"employeeHireDate": "2020-01-01T00:00:00Z",
"employeeId": "String",
"employeeOrgData": {
"@odata.type": "microsoft.graph.employeeOrgData"
},
"employeeType": "String",
"faxNumber": "String",
"givenName": "String",
"hireDate": "String (timestamp)",
"id": "String (identifier)",
"identities": [
{
"@odata.type": "microsoft.graph.objectIdentity"
}
],
"imAddresses": [
"String"
],
"interests": [
"String"
],
"isManagementRestricted": "Boolean",
"isResourceAccount": false,
"jobTitle": "String",
"legalAgeGroupClassification": "String",
"licenseAssignmentStates": [
{
"@odata.type": "microsoft.graph.licenseAssignmentState"
}
],
"lastPasswordChangeDateTime": "String (timestamp)",
"mail": "String",
"mailboxSettings": {
"@odata.type": "microsoft.graph.mailboxSettings"
},
"mailNickname": "String",
"mobilePhone": "String",
"mySite": "String",
"officeLocation": "String",
"onPremisesDistinguishedName": "String",
"onPremisesDomainName": "String",
"onPremisesExtensionAttributes": {
"@odata.type": "microsoft.graph.onPremisesExtensionAttributes"
},
"onPremisesImmutableId": "String",
"onPremisesLastSyncDateTime": "String (timestamp)",
"onPremisesProvisioningErrors": [
{
"@odata.type": "microsoft.graph.onPremisesProvisioningError"
}
],
"onPremisesSamAccountName": "String",
"onPremisesSecurityIdentifier": "String",
"onPremisesSyncEnabled": true,
"onPremisesUserPrincipalName": "String",
"otherMails": [
"String"
],
"passwordPolicies": "String",
"passwordProfile": {
"@odata.type": "microsoft.graph.passwordProfile"
},
"pastProjects": [
"String"
],
"postalCode": "String",
"preferredDataLocation": "String",
"preferredLanguage": "String",
"preferredName": "String",
"provisionedPlans": [
{
"@odata.type": "microsoft.graph.provisionedPlan"
}
],
"proxyAddresses": [
"String"
],
"responsibilities": [
"String"
],
"schools": [
"String"
],
"securityIdentifier": "String",
"serviceProvisioningErrors": [
{
"@odata.type": "microsoft.graph.serviceProvisioningXmlError"
}
],
"showInAddressList": true,
"signInActivity": {
"@odata.type": "microsoft.graph.signInActivity"
},
"signInSessionsValidFromDateTime": "String (timestamp)",
"skills": [
"String"
],
"state": "String",
"streetAddress": "String",
"surname": "String",
"usageLocation": "String",
"userPrincipalName": "String",
"userType": "String",
"calendar": {
"@odata.type": "microsoft.graph.calendar"
},
"calendarGroups": [
{
"@odata.type": "microsoft.graph.calendarGroup"
}
],
"calendarView": [
{
"@odata.type": "microsoft.graph.event"
}
],
"calendars": [
{
"@odata.type": "microsoft.graph.calendar"
}
],
"contacts": [
{
"@odata.type": "microsoft.graph.contact"
}
],
"contactFolders": [
{
"@odata.type": "microsoft.graph.contactFolder"
}
],
"createdObjects": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"directReports": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"drive": {
"@odata.type": "microsoft.graph.drive"
},
"drives": [
{
"@odata.type": "microsoft.graph.drive"
}
],
"events": [
{
"@odata.type": "microsoft.graph.event"
}
],
"inferenceClassification": {
"@odata.type": "microsoft.graph.inferenceClassification"
},
"mailFolders": [
{
"@odata.type": "microsoft.graph.mailFolder"
}
],
"manager": {
"@odata.type": "microsoft.graph.directoryObject"
},
"memberOf": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"messages": [
{
"@odata.type": "microsoft.graph.message"
}
],
"outlook": {
"@odata.type": "microsoft.graph.outlookUser"
},
"ownedDevices": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"ownedObjects": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"photo": {
"@odata.type": "microsoft.graph.profilePhoto"
},
"photos": [
{
"@odata.type": "microsoft.graph.profilePhoto"
}
],
"registeredDevices": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
]
}Relationships
Microsoft Graph v1.0
endpoint-derived-docs
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
activities |
userActivity collection |
The user's activities across devices. Read-only. Nullable. |
adhocCalls |
adhocCall collection |
Ad hoc calls associated with the user. Read-only. Nullable. |
agreementAcceptances |
agreementAcceptance collection |
The user's terms of use acceptance statuses. Read-only. Nullable. |
appRoleAssignments |
appRoleAssignment collection |
Represents the app roles a user is granted for an application. Supports $expand. |
authentication |
authentication |
The authentication methods that are supported for the user. |
calendar |
calendar |
The user's primary calendar. Read-only. |
calendarGroups |
calendarGroup collection |
The user's calendar groups. Read-only. Nullable. |
calendars |
calendar collection |
The user's calendars. Read-only. Nullable. |
calendarView |
event collection |
The calendar view for the calendar. Read-only. Nullable. |
cloudPCs |
cloudPC collection |
The user's Cloud PCs. Read-only. Nullable. |
contactFolders |
contactFolder collection |
The user's contacts folders. Read-only. Nullable. |
contacts |
contact collection |
The user's contacts. Read-only. Nullable. |
createdObjects |
directoryObject collection |
Directory objects that the user created. Read-only. Nullable. |
dataSecurityAndGovernance |
userDataSecurityAndGovernance |
The data security and governance settings for the user. Read-only. Nullable. |
directReports |
directoryObject collection |
The users and contacts that report to the user. (The users and contacts that have their manager property set to this user.) Read-only. Nullable. Supports $expand. |
drive |
drive |
The user's OneDrive. Read-only. |
drives |
drive collection |
A collection of drives available for this user. Read-only. |
events |
event collection |
The user's events. Default is to show Events under the Default Calendar. Read-only. Nullable. |
extensions |
extension collection |
The collection of open extensions defined for the user. Read-only. Supports $expand. Nullable. |
inferenceClassification |
inferenceClassification |
Relevance classification of the user's messages based on explicit designations that override inferred relevance or importance. |
insights |
itemInsights |
Represents relationships between a user and items such as OneDrive for work or school documents, calculated using advanced analytics and machine learning techniques. Read-only. Nullable. |
licenseDetails |
licenseDetails collection |
A collection of this user's license details. Read-only. |
mailFolders |
mailFolder collection |
The user's mail folders. Read-only. Nullable. |
manager |
directoryObject |
The user or contact that is this user's manager. Read-only. Supports $expand. |
memberOf |
directoryObject collection |
The groups and directory roles that the user is a member of. Read-only. Nullable. Supports $expand. |
messages |
message collection |
The messages in a mailbox or folder. Read-only. Nullable. |
onenote |
onenote |
Read-only. |
onlineMeetings |
onlineMeeting collection |
Information about a meeting, including the URL used to join a meeting, the attendees list, and the description. |
outlook |
outlookUser |
Read-only. |
ownedDevices |
directoryObject collection |
Devices the user owns. Read-only. Nullable. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). |
ownedObjects |
directoryObject collection |
Directory objects the user owns. Read-only. Nullable. Supports $expand, $select nested in $expand, and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). |
people |
person collection |
People that are relevant to the user. Read-only. Nullable. |
permissionGrants |
resourceSpecificPermissionGrant collection |
List all resource-specific permission grants of a user. |
photo |
profilePhoto |
The user's profile photo. Read-only. |
photos |
profilePhoto collection |
The collection of the user's profile photos in different sizes. Read-only. |
planner |
plannerUser |
Entry-point to the Planner resource that might exist for a user. Read-only. |
registeredDevices |
directoryObject collection |
Devices that are registered for the user. Read-only. Nullable. Supports $expand and returns up to 100 objects. |
solutions |
userSolutionRoot |
The identifier that relates the user to the working time schedule triggers. Read-Only. Nullable |
sponsors |
directoryObject collection |
The users and groups responsible for this guest's privileges in the tenant and keeping the guest's information and access updated. (HTTP Methods: GET, POST, DELETE.). Supports $expand. |
teamwork |
userTeamwork |
A container for Microsoft Teams features available for the user. Read-only. Nullable. |
todo |
todo |
Represents the To Do services available to a user. |
transitiveMemberOf |
directoryObject collection |
The groups, including nested groups, and directory roles that a user is a member of. Nullable. |
auditEvents |
auditEvent collection |
The Audit Events |
complianceManagementPartners |
complianceManagementPartner collection |
The list of Compliance Management Partners configured by the tenant. |
detectedApps |
detectedApp collection |
The list of detected apps associated with a device. |
deviceCategories |
deviceCategory collection |
The list of device categories with the tenant. |
deviceCompliancePolicies |
deviceCompliancePolicy collection |
The device compliance policies. |
deviceCompliancePolicySettingStateSummaries |
deviceCompliancePolicySettingStateSummary collection |
The summary states of compliance policy settings for this account. |
deviceConfigurations |
deviceConfiguration collection |
The device configurations. |
deviceEnrollmentConfigurations |
deviceEnrollmentConfiguration collection |
The list of device enrollment configurations |
deviceManagementPartners |
deviceManagementPartner collection |
The list of Device Management Partners configured by the tenant. |
exchangeConnectors |
deviceManagementExchangeConnector collection |
The list of Exchange Connectors configured by the tenant. |
importedWindowsAutopilotDeviceIdentities |
importedWindowsAutopilotDeviceIdentity collection |
Collection of imported Windows autopilot devices. |
intuneAccountId |
uuid |
Intune Account Id for given tenant |
iosUpdateStatuses |
iosUpdateDeviceStatus collection |
The IOS software update installation statuses for this account. |
managedDevices |
managedDevice collection |
The list of managed devices. |
mobileAppTroubleshootingEvents |
mobileAppTroubleshootingEvent collection |
The collection property of MobileAppTroubleshootingEvent. |
mobileThreatDefenseConnectors |
mobileThreatDefenseConnector collection |
The list of Mobile threat Defense connectors configured by the tenant. |
notificationMessageTemplates |
notificationMessageTemplate collection |
The Notification Message Templates. |
remoteAssistancePartners |
remoteAssistancePartner collection |
The remote assist partners. |
resourceOperations |
resourceOperation collection |
The Resource Operations. |
roleAssignments |
deviceAndAppManagementRoleAssignment collection |
The Role Assignments. |
Graph Methods
Delegated access
App-only access
Exact Microsoft Learn match
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn match
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docs
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
C# / .NET SDK
Get managedDeviceCompliance
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.TenantRelationships.ManagedTenants.ManagedDeviceCompliances["{managedDeviceCompliance-id}"].GetAsync();
JavaScript
Get managedDeviceCompliance
const options = {
authProvider,
};
const client = Client.init(options);
let managedDeviceCompliance = await client.api('/tenantRelationships/managedTenants/managedDeviceCompliances/{managedDeviceComplianceId}')
.version('beta')
.get();
PowerShell
Get managedDeviceCompliance
Import-Module Microsoft.Graph.Beta.ManagedTenants
Get-MgBetaTenantRelationshipManagedTenantManagedDeviceCompliance -ManagedDeviceComplianceId $managedDeviceComplianceId
Python
Get managedDeviceCompliance
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
result = await graph_client.tenant_relationships.managed_tenants.managed_device_compliances.by_managed_device_compliance_id('managedDeviceCompliance-id').get()App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Application permissions or delegated permissions and search for DeviceManagementManagedDevices.ReadWrite.All
4
Grant Admin Consent
Application permissions always require admin consent.