You're setting up an Entra ID app registration that an unattended Azure Function will use to query Intune-managed devices through Microsoft Graph. Which authentication model and permission type should you choose?
App-only access with application permissions (for example, DeviceManagementManagedDevices.Read.All).
Delegated access with delegated permissions, signed in as the Intune Administrator each run.
Anonymous access — Microsoft Graph allows read-only Intune queries without authentication.
Which credential type is the most appropriate for an Azure Function or container that authenticates to Microsoft Graph for Intune automation?
A long-lived client secret stored as an environment variable in the function code.
A managed identity (when the hosting service supports it) — no app secret has to be stored or rotated.
The Intune Administrator's user password embedded in the script.
You deploy a PowerShell script to Windows devices through Intune. After assignment, when does the Intune Management Extension run the script again on a successfully completed device?
Every hour, automatically, until you remove the assignment.
Only when the script content changes or the assignment changes — scripts run once by default and don't rerun automatically otherwise.
Every time the user signs in, regardless of script outcome.
A scripted automation needs to configure a new Windows compliance policy that lives in the modern Settings Catalog. Which Microsoft Graph endpoint should it target?
/deviceManagement/deviceConfigurations — the standard endpoint for any modern device configuration.
/deviceManagement/configurationPolicies — the endpoint for Settings Catalog policies.
/deviceManagement/managedDevices — the endpoint for device inventory and configuration.
You need to find every Intune-managed device that is currently not compliant so you can drive a remediation workflow. Which Graph query expresses this efficiently?
GET /deviceManagement/deviceCompliancePolicies and inspect each policy's settings client-side.
GET /deviceManagement/managedDevices?$filter=complianceState ne 'compliant'
GET /users and check each user's assignedLicenses for Intune entitlement.