Set-DeviceTenantRule

This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.

Use the Set-DeviceTenantRule cmdlet to modify your organization's mobile device tenant rule in Basic Mobility and Security in Microsoft 365.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Set-DeviceTenantRule
   [-Identity] <ComplianceRuleIdParameter>
   [-ApplyPolicyTo <PolicyResourceScope>]
   [-BlockUnsupportedDevices <Boolean>]
   [-Confirm]
   [-DomainController <Fqdn>]
   [-ExclusionList <MultiValuedProperty>]
   [-WhatIf]
   [<CommonParameters>]

Description

The cmdlets in Basic Mobility and Security are described in the following list:

  • DeviceTenantPolicy and DeviceTenantRule cmdlets: A policy that defines whether to block or allow mobile device access to Exchange Online email by unsupported devices that use Exchange ActiveSync only. This setting applies to all users in your organization. Both allow and block scenarios allow reporting for unsupported devices, and you can specify exceptions to the policy based on security groups.
  • DeviceConditionalAccessPolicy and DeviceConditionalAccessRule cmdlets: Policies that control mobile device access to Microsoft 365 for supported devices. These policies are applied to security groups. Unsupported devices are not allowed to enroll in Basic Mobility and Security.
  • DeviceConfigurationPolicy and DeviceConfigurationRule cmdlets: Policies that control mobile device settings for supported devices. These policies are applied to security groups.
  • Get-DevicePolicy: Returns all Basic Mobility and Security policies regardless of type (DeviceTenantPolicy, DeviceConditionalAccessPolicy or DeviceConfigurationPolicy).

For more information about Basic Mobility and Security, see Overview of Basic Mobility and Security for Microsoft 365.

To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Defender portal or Permissions in the Microsoft Purview compliance portal.

Examples

Example 1

Set-DeviceTenantRule -ExclusionList "Research and Development"

This example modifies your organization's mobile device tenant rule by replacing the current exclusion list with the security group named Research and Development. Members of this group are allowed access even if they use non-compliant devices.

Parameters

-ApplyPolicyTo

The ApplyPolicyTo parameter specifies where to apply the policy in your organization. Valid values for this parameter are:

  • ExchangeOnline
  • SharePointOnline
  • ExchangeAndSharePoint
Type:PolicyResourceScope
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-BlockUnsupportedDevices

The BlockUnsupportedDevices parameter specifies whether to block access to your organization by unsupported devices. Valid values for this parameter are:

  • $true: Unsupported devices are blocked.
  • $false: Unsupported devices are allowed.
Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DomainController

This parameter is reserved for internal Microsoft use.

Type:Fqdn
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExclusionList

The ExclusionList parameter specifies the security groups to exclude from this policy. Members of the specified security groups who have non-compliant devices are not affected by block access actions.

This parameter uses the GUID value of the group. To find this GUID value, run the command Get-Group | Format-Table Name,GUID.

To enter multiple values and overwrite any existing entries, use the following syntax: Value1,Value2,...ValueN. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Identity

The Identity parameter specifies the name of the mobile device tenant rule that you want to modify, but there's only one in your organization. The name of the rule is a GUID. For example, 7577c5f3-05a4-4f55-a0a3-82aab5e98c84. You can find the name value by running the command Get-DeviceTenantRule | Format-List Name.

Type:ComplianceRuleIdParameter
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Security & Compliance

-WhatIf

The WhatIf switch doesn't work in Security & Compliance PowerShell.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance