Automate device and policy tasks using Microsoft Graph
This unit explains how to use Microsoft Graph to automate device and policy lifecycle tasks in Intune. You learn common automation scenarios such as creating or updating policies, assigning profiles, and checking policy compliance state.
What automation can do for Intune policy management
Microsoft Graph makes it possible to manage Intune policies and devices without using the Azure portal. Automating these tasks helps you:
- Create and update compliance policies and device configuration profiles.
- Assign policies to user or device groups.
- Monitor policy deployment status and troubleshooting information.
- Evaluate device compliance and automate remediation workflows.
Automate policy creation and assignment
Use Microsoft Graph to create policies and assign them to Entra ID groups. The same operations are available through Graph REST and Graph PowerShell. For automation, focus on:
- deviceManagement/deviceCompliancePolicies
- deviceManagement/deviceConfigurations
- deviceManagement/managedDevices
Create a compliance policy
A common automation task is creating a compliance policy for Windows devices.
Note
The sample URLs below are Graph API request endpoints. They require authentication and are not browser pages you can open directly.
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "displayName": "Require BitLocker",
  "description": "Require BitLocker and enforce basic compliance settings for Windows devices.",
  "bitLockerEnabled": true,
  "scheduledActionsForRule": [
    {
      "ruleName": "default",
      "scheduledActionConfigurations": [
        {
          "actionType": "block",
          "gracePeriodHours": 0
        }
      ]
    }
  ]
}
Assign a policy to a group
After a policy is created, assign it to a device or user group.
Note
This sample URL is a Graph API request endpoint that requires authentication and is not a browser-accessible documentation page.
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assign
Content-Type: application/json

{
  "assignments": [
    {
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "YOUR_GROUP_ID"
      }
    }
  ]
}
Note
Use group-based assignment to target policies to the correct devices or users. Avoid assigning policies to all devices unless that is your intended configuration.
Automate policy updates and lifecycle changes
Graph automation helps you update existing policies and propagate settings quickly.
Settings Catalog policies
In Microsoft Intune, device configuration can be managed through two different policy models in Microsoft Graph. The older template-based configuration profiles are exposed via deviceManagement/deviceConfigurations, while the newer Settings Catalog policies are managed through deviceManagement/configurationPolicies.
Settings Catalog policies are the modern approach and are recommended for new deployments because they provide a broader set of configurable settings and align with current Intune capabilities.
List Settings Catalog policies
GET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies
This endpoint returns all Settings Catalog-based policies created in Intune.
Assign a Settings Catalog policy
POST https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/assign
Content-Type: application/json

{
  "assignments": [
    {
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "00000000-0000-0000-0000-000000000000"
      }
    }
  ]
}
Update a Settings Catalog policy
PATCH https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}
Content-Type: application/json

{
  "name": "Windows 11 device settings",
  "description": "Updated settings for Windows 11 workstations."
}
Important
New policies created in the Intune admin center as Settings Catalog policies will appear under deviceManagement/configurationPolicies, not deviceConfigurations. The endpoint deviceManagement/deviceConfigurations is still valid but only applies to legacy template-based configuration profiles. It should be used only for managing existing legacy profiles, not for creating new policies.
Add or remove policy assignments
You can update assignments without recreating the policy, which helps manage the policy lifecycle more safely and efficiently. Changing assignments lets you move a policy from a pilot group to a broader audience, replace groups when teams change, or temporarily remove a target for troubleshooting—without altering the policy settings themselves. When you automate assignment changes, include verification steps that confirm group membership and deployment success so you can detect and roll back unintended assignments quickly.
Note
This sample URL is a Graph API request endpoint that requires authentication and is not a browser-accessible documentation page.
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{profileId}/assign
Content-Type: application/json

{
  "assignments": [
    {
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "ANOTHER_GROUP_ID"
      }
    }
  ]
}
This request creates a profile assignment that targets the specified Entra ID group so devices or users in that group receive the configuration profile.
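The verification-and-rollback step described above, worked through as an added example (not code from this unit or from Microsoft): it diffs a policy's current assignments (the GET .../assignments response shape) against the intended set of groups and produces both the /assign body to apply and the body that restores the previous state. The sample response and group ids are constructed placeholders; sending the HTTP requests is left to whatever Graph client you use.

```python
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"

# Constructed sample of a GET .../deviceCompliancePolicies/{policyId}/assignments
# response: the policy is assigned to the pilot group and, by mistake, to a
# second group nobody intended. The ids are placeholders, not real GUIDs.
SAMPLE_ASSIGNMENTS_RESPONSE = {
    "value": [
        {"id": "assignment-1",
         "target": {"@odata.type": GROUP_TARGET, "groupId": "pilot-group-id"}},
        {"id": "assignment-2",
         "target": {"@odata.type": GROUP_TARGET, "groupId": "unintended-group-id"}},
    ]
}

def current_group_ids(assignments_response):
    """Group ids the policy is currently assigned to (group targets only)."""
    return {
        a["target"]["groupId"]
        for a in assignments_response.get("value", [])
        if a["target"].get("@odata.type") == GROUP_TARGET
    }

def build_assign_body(group_ids):
    """Body for POST .../assign. The action replaces the whole assignment
    list, so every group that should keep the policy must be listed."""
    return {
        "assignments": [
            {"target": {"@odata.type": GROUP_TARGET, "groupId": gid}}
            for gid in sorted(group_ids)
        ]
    }

def plan_assignment_change(assignments_response, desired_group_ids):
    """Diff actual vs desired groups; return the body that applies the
    desired state and the body that restores the current one (rollback)."""
    current = current_group_ids(assignments_response)
    desired = set(desired_group_ids)
    return {
        "to_add": sorted(desired - current),
        "to_remove": sorted(current - desired),
        "apply_body": build_assign_body(desired),
        "rollback_body": build_assign_body(current),
    }
```

Review `to_remove` before posting `apply_body`; keeping `rollback_body` alongside the change record is what makes an unintended assignment quick to reverse.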
Monitor and validate automation results
After automation runs, check deployment status and device compliance.
Get policy assignment status
Replace the {policyId} placeholder with the ID of the policy whose assignment status you want to check.
Note
This sample URL is a Graph API request endpoint that requires authentication and is not a browser-accessible documentation page.
GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments
Get device compliance state
Note
This sample URL is a Graph API request endpoint that requires authentication and is not a browser-accessible documentation page.
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState ne 'compliant'
Tip
Use filters such as $filter=complianceState ne 'compliant' to quickly identify devices that need remediation.
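Turning the filtered managedDevices query above into a remediation summary, as an added example (not code from this unit): it follows @odata.nextLink, which Graph returns when a result set spans several pages, and counts devices per complianceState and operating system. `fetch_page` is a stand-in for an authenticated GET that serves constructed sample pages so the code runs offline; the device records and skiptoken are made up.

```python
from collections import Counter

BASE = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
FIRST_URL = BASE + "?$filter=complianceState ne 'compliant'"
NEXT_URL = FIRST_URL + "&$skiptoken=page2"  # constructed, not a real token

# Constructed two-page response, keyed by request URL.
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            {"deviceName": "WKS-001", "operatingSystem": "Windows",
             "complianceState": "noncompliant"},
            {"deviceName": "WKS-002", "operatingSystem": "Windows",
             "complianceState": "inGracePeriod"},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            {"deviceName": "MAC-001", "operatingSystem": "macOS",
             "complianceState": "noncompliant"},
        ]
    },
}

def fetch_page(url):
    """Stand-in for an authenticated Graph GET (returns constructed data)."""
    return SAMPLE_PAGES[url]

def iter_devices(url, fetch=fetch_page):
    """Yield every device across all pages by following @odata.nextLink."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def compliance_report(url, fetch=fetch_page):
    """Count devices per complianceState and OS, and list those already
    marked noncompliant as opposed to still inside a grace period."""
    by_state, by_os, noncompliant = Counter(), Counter(), []
    for d in iter_devices(url, fetch):
        by_state[d["complianceState"]] += 1
        by_os[d["operatingSystem"]] += 1
        if d["complianceState"] == "noncompliant":
            noncompliant.append(d["deviceName"])
    return {"by_state": dict(by_state), "by_os": dict(by_os),
            "noncompliant": sorted(noncompliant)}
```

Stopping at the first page is a common mistake in scheduled compliance checks; every device past the first page would silently drop out of the report.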
Permissions and secure automation
Intune policy automation requires the right Graph permissions. Use application permissions for unattended automation and delegated permissions for interactive scenarios.
Common permissions for policy automation include:
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementManagedDevices.ReadWrite.All
Important
Always grant the least privilege needed. Review and consent to permissions in Microsoft Entra ID, and avoid placing credentials in scripts.