Graph API for creation of Account Protection Local User Group Membership policy

Max Demajo 1 Reputation point
2023-01-10T16:16:57.197+00:00

Hi,

I would like to create a Local user group membership policy on the Account Protection page via Microsoft Graph or PowerShell. I have been able to create an Account Protection policy based on an existing configuration template (0f2b5d70-d4e9-4156-8c16-1397eb6c54a5), but have not found a template for Local user group membership; it does not seem to exist. I queried for the available templates using the deviceManagement/templates endpoint.

I know there is a way to accomplish this using CSP policies, but this results in the policy being created within the Configuration Profiles blade. It is a requirement that the policies be created within the Account Protection blade for easy organization and management.

I have not found a way of automating creation of Local user group membership policies within the Account Protection page. Is anyone aware of a way I can do this?

Thank you

Tags: Microsoft Graph, Microsoft Intune

2 answers

  1. Dave Randall 86 Reputation points Microsoft Employee
    2023-03-20T14:43:02.18+00:00

    This can be accomplished with a POST to: https://graph.microsoft.com/beta/deviceManagement/configurationPolicies

    The easiest way to figure it out is just to do an F12 Developer Tools trace during creation with the UI. Then take the request body and modify as needed.

     

    Here’s my request body that worked in Graph Explorer to create a basic new policy with one user:

    {
      "name": "Test",
      "description": "test",
      "platforms": "windows10",
      "technologies": "mdm",
      "roleScopeTagIds": ["0"],
      "settings": [
        {
          "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
          "settingInstance": {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance",
            "settingDefinitionId": "device_vendor_msft_policy_config_localusersandgroups_configure",
            "groupSettingCollectionValue": [
              {
                "children": [
                  {
                    "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance",
                    "settingDefinitionId": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup",
                    "groupSettingCollectionValue": [
                      {
                        "children": [
                          {
                            "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                            "settingDefinitionId": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype",
                            "choiceSettingValue": {
                              "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                              "value": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users",
                              "children": [
                                {
                                  "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
                                  "settingDefinitionId": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users",
                                  "simpleSettingCollectionValue": [
                                    {
                                      "value": "AzureAD\\adam@contoso.onmicrosoft.com",
                                      "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue"
                                    }
                                  ]
                                }
                              ]
                            }
                          },
                          {
                            "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                            "settingDefinitionId": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action",
                            "choiceSettingValue": {
                              "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                              "value": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update",
                              "children": []
                            }
                          },
                          {
                            "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingCollectionInstance",
                            "settingDefinitionId": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc",
                            "choiceSettingCollectionValue": [
                              {
                                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                                "value": "device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators",
                                "children": []
                              }
                            ]
                          }
                        ]
                      }
                    ],
                    "settingInstanceTemplateReference": {
                      "settingInstanceTemplateId": "76fa254e-cbdb-4718-8bdd-cd41e57caa02"
                    }
                  }
                ]
              }
            ],
            "settingInstanceTemplateReference": {
              "settingInstanceTemplateId": "de06bec1-4852-48a0-9799-cf7b85992d45"
            }
          }
        }
      ],
      "templateReference": {
        "templateId": "22968f54-45fa-486c-848e-f8224aa69772_1"
      }
    }

    (Note on the member value: in JSON the backslash in AzureAD\adam@... must be written as "\\"; a single backslash followed by "a" is not a valid JSON escape and the request will be rejected.)

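The answer above gives the raw body captured from an F12 trace. As an added example (not the answerer's code), the same policy can be built from PowerShell hashtables and sent with the Microsoft Graph PowerShell SDK, which avoids hand-editing a one-line JSON blob (and gets the backslash in AzureAD\upn escaped correctly by ConvertTo-Json). The template ID, the two settingInstanceTemplateIds and the setting definition IDs are copied from the answer's body; the 'add_restrict' and 'remove' action suffixes are assumptions taken from the LocalUsersAndGroups CSP, not from this thread, and the Connect-MgGraph scope is the one a practitioner would request for configurationPolicies writes.

```powershell
# Added example, not code from the original answer. IDs come from the captured
# request body above; the non-default action suffixes are assumptions (CSP names).
#Requires -Modules Microsoft.Graph.Authentication

$Prefix = 'device_vendor_msft_policy_config_localusersandgroups_configure'
$Group  = "${Prefix}_groupconfiguration_accessgroup"
$Uri    = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

function New-LocalGroupMembershipPolicyBody {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [string] $Description = '',
        # Members exactly as the CSP expects them, e.g. 'AzureAD\user@contoso.com' or a SID.
        [Parameter(Mandatory)] [string[]] $Members,
        # Suffix of the *_accessgroup_desc choice; 'administrators' is what the answer uses.
        [string] $LocalGroup = 'administrators',
        # Suffix of the *_accessgroup_action choice; 'add_update' is what the answer uses.
        # add_restrict / remove are assumed from the CSP: add_restrict makes the list the
        # only members (removes everyone else), remove deletes the listed members.
        [ValidateSet('add_update', 'add_restrict', 'remove')]
        [string] $Action = 'add_update'
    )

    # [ordered] keeps the key order of the captured request; ConvertTo-Json escapes backslashes.
    $memberValues = @(foreach ($m in $Members) {
        [ordered]@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = $m }
    })

    $userSelection = [ordered]@{
        '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
        settingDefinitionId = "${Group}_userselectiontype"
        choiceSettingValue  = [ordered]@{
            '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'
            value         = "${Group}_userselectiontype_users"
            children      = @([ordered]@{
                '@odata.type'                = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
                settingDefinitionId          = "${Group}_users"
                simpleSettingCollectionValue = $memberValues
            })
        }
    }

    $actionChoice = [ordered]@{
        '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
        settingDefinitionId = "${Group}_action"
        choiceSettingValue  = [ordered]@{
            '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'
            value         = "${Group}_action_${Action}"
            children      = @()
        }
    }

    $groupChoice = [ordered]@{
        '@odata.type'                = '#microsoft.graph.deviceManagementConfigurationChoiceSettingCollectionInstance'
        settingDefinitionId          = "${Group}_desc"
        choiceSettingCollectionValue = @([ordered]@{
            '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'
            value         = "${Group}_desc_${LocalGroup}"
            children      = @()
        })
    }

    $accessGroup = [ordered]@{
        '@odata.type'                    = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance'
        settingDefinitionId              = $Group
        groupSettingCollectionValue      = @([ordered]@{ children = @($userSelection, $actionChoice, $groupChoice) })
        settingInstanceTemplateReference = @{ settingInstanceTemplateId = '76fa254e-cbdb-4718-8bdd-cd41e57caa02' }
    }

    [ordered]@{
        name            = $Name
        description     = $Description
        platforms       = 'windows10'
        technologies    = 'mdm'
        roleScopeTagIds = @('0')
        settings        = @([ordered]@{
            '@odata.type'   = '#microsoft.graph.deviceManagementConfigurationSetting'
            settingInstance = [ordered]@{
                '@odata.type'                    = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance'
                settingDefinitionId              = $Prefix
                groupSettingCollectionValue      = @([ordered]@{ children = @($accessGroup) })
                settingInstanceTemplateReference = @{ settingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' }
            }
        })
        # Keep this: it is what the answer's captured body carries, as opposed to a plain settings-catalog profile.
        templateReference = @{ templateId = '22968f54-45fa-486c-848e-f8224aa69772_1' }
    }
}

function New-LocalGroupMembershipPolicy {
    param([Parameter(Mandatory)] $Body)
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'   # write scope for configurationPolicies
    Invoke-MgGraphRequest -Method POST -Uri $Uri -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 20)   # the default -Depth 2 would silently truncate this body
}

# Usage: build, review the JSON, then send. Assigning the policy to groups is a separate call.
$body = New-LocalGroupMembershipPolicyBody -Name 'Local Administrators - Helpdesk' `
            -Members 'AzureAD\adam@contoso.onmicrosoft.com' -LocalGroup administrators -Action add_update
$body | ConvertTo-Json -Depth 20
# New-LocalGroupMembershipPolicy -Body $body
```

Two practical checks before running this against a tenant: diff the output of the ConvertTo-Json call against a fresh F12 capture from the portal (the beta endpoint and the setting definition IDs can change), and be deliberate about the action. add_update only adds the listed principals to the local group; a policy that is meant to enforce an exact Administrators membership needs the restrict behaviour, and applying that by accident to the wrong group can lock out existing local admins.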

  2. 2023-02-08T05:41:41.38+00:00

    Hi @Max Demajo,

    Have you checked out this method, "Manage local groups on Windows devices":

    For more information: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy#manage-local-groups-on-windows-devices


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
