openapi: 3.1.0
info:
  title: Microsoft Endpoint Configuration Management Microsoft Intune Graph API
  description: >-
    Microsoft Graph API endpoints for Intune device management, enabling
    programmatic access to manage devices, apps, compliance policies, and
    configuration profiles. Supports both v1.0 and beta endpoints. Requires
    an active Intune license for the tenant.
  version: 1.0.0
  contact:
    name: Microsoft Graph Support
    url: https://developer.microsoft.com/en-us/graph/support
  license:
    name: Microsoft API License
    url: https://learn.microsoft.com/en-us/legal/microsoft-apis/terms-of-use
servers:
  - url: https://graph.microsoft.com/v1.0
    description: Microsoft Graph v1.0 production endpoint
  - url: https://graph.microsoft.com/beta
    description: Microsoft Graph beta endpoint
security:
  - oauth2: []
paths:
  /deviceManagement/managedDevices:
    get:
      operationId: listManagedDevices
      summary: Microsoft Endpoint Configuration Management List managed devices
      description: >-
        List properties and relationships of the managedDevice objects
        enrolled in Intune.
      tags:
        - Devices
      parameters:
        - $ref: '#/components/parameters/top'
        - $ref: '#/components/parameters/skip'
        - $ref: '#/components/parameters/filter'
        - $ref: '#/components/parameters/select'
        - $ref: '#/components/parameters/orderby'
        - $ref: '#/components/parameters/count'
      responses:
        '200':
          description: Successful response returning a collection of managed devices.
          content:
            application/json:
              schema:
                type: object
                properties:
                  '@odata.context':
                    type: string
                  '@odata.count':
                    type: integer
                  '@odata.nextLink':
                    type: string
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/ManagedDevice'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      operationId: createManagedDevice
      summary: Microsoft Endpoint Configuration Management Create managed device
      description: Create a new managedDevice object.
      tags:
        - Devices
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ManagedDevice'
      responses:
        '201':
          description: Successfully created managed device.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedDevice'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /deviceManagement/managedDevices/{managedDeviceId}:
    get:
      operationId: getManagedDevice
      summary: Microsoft Endpoint Configuration Management Get managed device
      description: Read properties and relationships of a managedDevice object.
      tags:
        - Devices
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          description: The unique identifier of the managed device.
          schema:
            type: string
        - $ref: '#/components/parameters/select'
      responses:
        '200':
          description: Successful response returning the managed device.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedDevice'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: updateManagedDevice
      summary: Microsoft Endpoint Configuration Management Update managed device
      description: Update the properties of a managedDevice object.
      tags:
        - Devices
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ManagedDevice'
      responses:
        '200':
          description: Successfully updated managed device.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ManagedDevice'
    delete:
      operationId: deleteManagedDevice
      summary: Microsoft Endpoint Configuration Management Delete managed device
      description: Deletes a managedDevice.
      tags:
        - Devices
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Successfully deleted.
        '404':
          $ref: '#/components/responses/NotFound'
  /deviceManagement/managedDevices/{managedDeviceId}/retire:
    post:
      operationId: retireManagedDevice
      summary: Microsoft Endpoint Configuration Management Retire a device
      description: >-
        Retire a device, removing corporate data while leaving personal data
        intact.
      tags:
        - Device Actions
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Device retire action initiated.
  /deviceManagement/managedDevices/{managedDeviceId}/wipe:
    post:
      operationId: wipeManagedDevice
      summary: Microsoft Endpoint Configuration Management Wipe a device
      description: Factory reset a device, removing all data.
      tags:
        - Device Actions
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                keepEnrollmentData:
                  type: boolean
                keepUserData:
                  type: boolean
                macOsUnlockCode:
                  type: string
      responses:
        '204':
          description: Device wipe action initiated.
  /deviceManagement/managedDevices/{managedDeviceId}/syncDevice:
    post:
      operationId: syncManagedDevice
      summary: Microsoft Endpoint Configuration Management Sync device
      description: Trigger a sync for the managed device with Intune.
      tags:
        - Device Actions
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Device sync action initiated.
  /deviceManagement/managedDevices/{managedDeviceId}/remoteLock:
    post:
      operationId: remoteLockManagedDevice
      summary: Microsoft Endpoint Configuration Management Remote lock a device
      description: Remotely lock a managed device.
      tags:
        - Device Actions
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Remote lock action initiated.
  /deviceManagement/managedDevices/{managedDeviceId}/resetPasscode:
    post:
      operationId: resetPasscode
      summary: Microsoft Endpoint Configuration Management Reset passcode
      description: Reset the passcode on a managed device.
      tags:
        - Device Actions
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Passcode reset action initiated.
  /deviceManagement/managedDevices/{managedDeviceId}/rebootNow:
    post:
      operationId: rebootManagedDevice
      summary: Microsoft Endpoint Configuration Management Reboot device
      description: Remotely reboot a managed device.
      tags:
        - Device Actions
      parameters:
        - name: managedDeviceId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Reboot action initiated.
  /deviceManagement/deviceCompliancePolicies:
    get:
      operationId: listDeviceCompliancePolicies
      summary: Microsoft Endpoint Configuration Management List device compliance policies
      description: >-
        List properties and relationships of the deviceCompliancePolicy
        objects.
      tags:
        - Compliance Policies
      parameters:
        - $ref: '#/components/parameters/top'
        - $ref: '#/components/parameters/skip'
        - $ref: '#/components/parameters/filter'
        - $ref: '#/components/parameters/select'
        - $ref: '#/components/parameters/orderby'
      responses:
        '200':
          description: Successful response returning compliance policies.
          content:
            application/json:
              schema:
                type: object
                properties:
                  '@odata.context':
                    type: string
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/DeviceCompliancePolicy'
    post:
      operationId: createDeviceCompliancePolicy
      summary: Microsoft Endpoint Configuration Management Create device compliance policy
      description: Create a new deviceCompliancePolicy object.
      tags:
        - Compliance Policies
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DeviceCompliancePolicy'
      responses:
        '201':
          description: Successfully created compliance policy.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DeviceCompliancePolicy'
  /deviceManagement/deviceCompliancePolicies/{deviceCompliancePolicyId}:
    get:
      operationId: getDeviceCompliancePolicy
      summary: Microsoft Endpoint Configuration Management Get device compliance policy
      description: >-
        Read properties and relationships of a deviceCompliancePolicy object.
      tags:
        - Compliance Policies
      parameters:
        - name: deviceCompliancePolicyId
          in: path
          required: true
          schema:
            type: string
        - $ref: '#/components/parameters/select'
      responses:
        '200':
          description: Successful response returning the compliance policy.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DeviceCompliancePolicy'
    patch:
      operationId: updateDeviceCompliancePolicy
      summary: Microsoft Endpoint Configuration Management Update device compliance policy
      description: Update the properties of a deviceCompliancePolicy object.
      tags:
        - Compliance Policies
      parameters:
        - name: deviceCompliancePolicyId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DeviceCompliancePolicy'
      responses:
        '200':
          description: Successfully updated compliance policy.
    delete:
      operationId: deleteDeviceCompliancePolicy
      summary: Microsoft Endpoint Configuration Management Delete device compliance policy
      description: Deletes a deviceCompliancePolicy.
      tags:
        - Compliance Policies
      parameters:
        - name: deviceCompliancePolicyId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Successfully deleted.
  /deviceManagement/deviceCompliancePolicies/{deviceCompliancePolicyId}/assign:
    post:
      operationId: assignDeviceCompliancePolicy
      summary: Microsoft Endpoint Configuration Management Assign compliance policy
      description: Assign a device compliance policy to groups.
      tags:
        - Compliance Policies
      parameters:
        - name: deviceCompliancePolicyId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                assignments:
                  type: array
                  items:
                    $ref: '#/components/schemas/DeviceCompliancePolicyAssignment'
      responses:
        '200':
          description: Successfully assigned compliance policy.
  /deviceAppManagement/mobileApps:
    get:
      operationId: listMobileApps
      summary: Microsoft Endpoint Configuration Management List mobile apps
      description: List properties and relationships of the mobileApp objects.
      tags:
        - Applications
      parameters:
        - $ref: '#/components/parameters/top'
        - $ref: '#/components/parameters/skip'
        - $ref: '#/components/parameters/filter'
        - $ref: '#/components/parameters/select'
        - $ref: '#/components/parameters/orderby'
      responses:
        '200':
          description: Successful response returning mobile apps.
          content:
            application/json:
              schema:
                type: object
                properties:
                  '@odata.context':
                    type: string
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/MobileApp'
    post:
      operationId: createMobileApp
      summary: Microsoft Endpoint Configuration Management Create mobile app
      description: Create a new mobileApp object.
      tags:
        - Applications
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MobileApp'
      responses:
        '201':
          description: Successfully created mobile app.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MobileApp'
  /deviceAppManagement/mobileApps/{mobileAppId}:
    get:
      operationId: getMobileApp
      summary: Microsoft Endpoint Configuration Management Get mobile app
      description: Read properties and relationships of a mobileApp object.
      tags:
        - Applications
      parameters:
        - name: mobileAppId
          in: path
          required: true
          schema:
            type: string
        - $ref: '#/components/parameters/select'
      responses:
        '200':
          description: Successful response returning the mobile app.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MobileApp'
    patch:
      operationId: updateMobileApp
      summary: Microsoft Endpoint Configuration Management Update mobile app
      description: Update the properties of a mobileApp object.
      tags:
        - Applications
      parameters:
        - name: mobileAppId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MobileApp'
      responses:
        '200':
          description: Successfully updated mobile app.
    delete:
      operationId: deleteMobileApp
      summary: Microsoft Endpoint Configuration Management Delete mobile app
      description: Deletes a mobileApp.
      tags:
        - Applications
      parameters:
        - name: mobileAppId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Successfully deleted.
  /deviceAppManagement/mobileApps/{mobileAppId}/assign:
    post:
      operationId: assignMobileApp
      summary: Microsoft Endpoint Configuration Management Assign mobile app
      description: Assign a mobile app to groups.
      tags:
        - Applications
      parameters:
        - name: mobileAppId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                mobileAppAssignments:
                  type: array
                  items:
                    $ref: '#/components/schemas/MobileAppAssignment'
      responses:
        '204':
          description: Successfully assigned mobile app.
  /deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses:
    get:
      operationId: listMobileAppDeviceStatuses
      summary: Microsoft Endpoint Configuration Management List app device statuses
      description: >-
        Get the installation status of a mobile app across devices.
      tags:
        - Applications
      parameters:
        - name: mobileAppId
          in: path
          required: true
          schema:
            type: string
        - $ref: '#/components/parameters/top'
        - $ref: '#/components/parameters/select'
      responses:
        '200':
          description: Successful response returning device statuses.
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                        deviceId:
                          type: string
                        installState:
                          type: string
                        installStateDetail:
                          type: string
  /deviceManagement/deviceConfigurations:
    get:
      operationId: listDeviceConfigurations
      summary: Microsoft Endpoint Configuration Management List device configurations
      description: >-
        List properties and relationships of the deviceConfiguration objects.
      tags:
        - Configuration Profiles
      parameters:
        - $ref: '#/components/parameters/top'
        - $ref: '#/components/parameters/skip'
        - $ref: '#/components/parameters/filter'
        - $ref: '#/components/parameters/select'
        - $ref: '#/components/parameters/orderby'
      responses:
        '200':
          description: Successful response returning device configurations.
          content:
            application/json:
              schema:
                type: object
                properties:
                  '@odata.context':
                    type: string
                  value:
                    type: array
                    items:
                      $ref: '#/components/schemas/DeviceConfiguration'
    post:
      operationId: createDeviceConfiguration
      summary: Microsoft Endpoint Configuration Management Create device configuration
      description: Create a new deviceConfiguration object.
      tags:
        - Configuration Profiles
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DeviceConfiguration'
      responses:
        '201':
          description: Successfully created device configuration.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DeviceConfiguration'
  /deviceManagement/deviceConfigurations/{deviceConfigurationId}:
    get:
      operationId: getDeviceConfiguration
      summary: Microsoft Endpoint Configuration Management Get device configuration
      description: >-
        Read properties and relationships of a deviceConfiguration object.
      tags:
        - Configuration Profiles
      parameters:
        - name: deviceConfigurationId
          in: path
          required: true
          schema:
            type: string
        - $ref: '#/components/parameters/select'
      responses:
        '200':
          description: Successful response returning the device configuration.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DeviceConfiguration'
    patch:
      operationId: updateDeviceConfiguration
      summary: Microsoft Endpoint Configuration Management Update device configuration
      description: Update the properties of a deviceConfiguration object.
      tags:
        - Configuration Profiles
      parameters:
        - name: deviceConfigurationId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DeviceConfiguration'
      responses:
        '200':
          description: Successfully updated device configuration.
    delete:
      operationId: deleteDeviceConfiguration
      summary: Microsoft Endpoint Configuration Management Delete device configuration
      description: Deletes a deviceConfiguration.
      tags:
        - Configuration Profiles
      parameters:
        - name: deviceConfigurationId
          in: path
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Successfully deleted.
  /deviceManagement/deviceConfigurations/{deviceConfigurationId}/assign:
    post:
      operationId: assignDeviceConfiguration
      summary: Microsoft Endpoint Configuration Management Assign device configuration
      description: Assign a device configuration profile to groups.
      tags:
        - Configuration Profiles
      parameters:
        - name: deviceConfigurationId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                assignments:
                  type: array
                  items:
                    $ref: '#/components/schemas/DeviceConfigurationAssignment'
      responses:
        '200':
          description: Successfully assigned device configuration.
  /deviceManagement/deviceCompliancePolicyDeviceStateSummary:
    get:
      operationId: getDeviceCompliancePolicyDeviceStateSummary
      summary: Microsoft Endpoint Configuration Management Get compliance state summary
      description: >-
        Read properties of the deviceCompliancePolicyDeviceStateSummary object
        providing a summary of device compliance states across the tenant.
      tags:
        - Compliance Policies
      responses:
        '200':
          description: Successful response returning compliance state summary.
          content:
            application/json:
              schema:
                type: object
                properties:
                  id:
                    type: string
                  inGracePeriodCount:
                    type: integer
                  configManagerCount:
                    type: integer
                  compliantDeviceCount:
                    type: integer
                  nonCompliantDeviceCount:
                    type: integer
                  remediatedDeviceCount:
                    type: integer
                  errorDeviceCount:
                    type: integer
                  conflictDeviceCount:
                    type: integer
                  unknownDeviceCount:
                    type: integer
                  notApplicableDeviceCount:
                    type: integer
  /users/{userId}/ownedDevices:
    get:
      operationId: listUserOwnedDevices
      summary: Microsoft Endpoint Configuration Management List user owned devices
      description: >-
        Get the list of devices registered to a user from Azure Active
        Directory.
      tags:
        - Devices
      parameters:
        - name: userId
          in: path
          required: true
          schema:
            type: string
        - $ref: '#/components/parameters/top'
        - $ref: '#/components/parameters/select'
      responses:
        '200':
          description: Successful response returning user devices.
          content:
            application/json:
              schema:
                type: object
                properties:
                  value:
                    type: array
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                        deviceId:
                          type: string
                        displayName:
                          type: string
                        operatingSystem:
                          type: string
                        operatingSystemVersion:
                          type: string
components:
  securitySchemes:
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
          tokenUrl: https://login.microsoftonline.com/common/oauth2/v2.0/token
          scopes:
            DeviceManagementManagedDevices.Read.All: Read managed devices
            DeviceManagementManagedDevices.ReadWrite.All: Read and write managed devices
            DeviceManagementApps.Read.All: Read app management data
            DeviceManagementApps.ReadWrite.All: Read and write app management data
            DeviceManagementConfiguration.Read.All: Read device configurations
            DeviceManagementConfiguration.ReadWrite.All: Read and write device configurations
  parameters:
    top:
      name: $top
      in: query
      description: Number of items to return.
      schema:
        type: integer
    skip:
      name: $skip
      in: query
      description: Number of items to skip.
      schema:
        type: integer
    filter:
      name: $filter
      in: query
      description: OData filter expression.
      schema:
        type: string
    select:
      name: $select
      in: query
      description: Comma-separated list of properties to include in the response.
      schema:
        type: string
    orderby:
      name: $orderby
      in: query
      description: Order results by a property.
      schema:
        type: string
    count:
      name: $count
      in: query
      description: Include count of items.
      schema:
        type: boolean
  schemas:
    ManagedDevice:
      type: object
      description: >-
        Devices that are managed or pre-enrolled through Intune.
      properties:
        id:
          type: string
          description: Unique identifier for the device.
          readOnly: true
        userId:
          type: string
          description: Unique identifier for the user associated with the device.
          readOnly: true
        deviceName:
          type: string
          description: Name of the device.
          readOnly: true
        managedDeviceOwnerType:
          type: string
          description: Ownership of the device.
          enum:
            - unknown
            - company
            - personal
        enrolledDateTime:
          type: string
          format: date-time
          description: Enrollment time of the device.
          readOnly: true
        lastSyncDateTime:
          type: string
          format: date-time
          description: >-
            The date and time that the device last completed a successful sync
            with Intune.
          readOnly: true
        operatingSystem:
          type: string
          description: Operating system of the device (Windows, iOS, etc.).
          readOnly: true
        complianceState:
          type: string
          description: Compliance state of the device.
          enum:
            - unknown
            - compliant
            - noncompliant
            - conflict
            - error
            - inGracePeriod
            - configManager
        jailBroken:
          type: string
          description: Whether the device is jail broken or rooted.
          readOnly: true
        managementAgent:
          type: string
          description: Management channel of the device.
          enum:
            - eas
            - mdm
            - easMdm
            - intuneClient
            - easIntuneClient
            - configurationManagerClient
            - configurationManagerClientMdm
            - configurationManagerClientMdmEas
            - unknown
            - jamf
            - googleCloudDevicePolicyController
        osVersion:
          type: string
          description: Operating system version of the device.
          readOnly: true
        easActivated:
          type: boolean
          description: Whether the device is Exchange ActiveSync activated.
          readOnly: true
        easDeviceId:
          type: string
          description: Exchange ActiveSync Id of the device.
          readOnly: true
        azureADRegistered:
          type: boolean
          description: Whether the device is Azure Active Directory registered.
          readOnly: true
        deviceEnrollmentType:
          type: string
          description: Enrollment type of the device.
          enum:
            - unknown
            - userEnrollment
            - deviceEnrollmentManager
            - appleBulkWithUser
            - appleBulkWithoutUser
            - windowsAzureADJoin
            - windowsBulkUserless
            - windowsAutoEnrollment
            - windowsBulkAzureDomainJoin
            - windowsCoManagement
            - windowsAzureADJoinUsingDeviceAuth
            - appleUserEnrollment
            - appleUserEnrollmentWithServiceAccount
          readOnly: true
        emailAddress:
          type: string
          description: Email(s) for the user associated with the device.
          readOnly: true
        azureADDeviceId:
          type: string
          description: The unique identifier for the Azure Active Directory device.
          readOnly: true
        deviceRegistrationState:
          type: string
          description: Device registration state.
          enum:
            - notRegistered
            - registered
            - revoked
            - keyConflict
            - approvalPending
            - certificateReset
            - notRegisteredPendingEnrollment
            - unknown
          readOnly: true
        isSupervised:
          type: boolean
          description: Device supervised status.
          readOnly: true
        isEncrypted:
          type: boolean
          description: Device encryption status.
          readOnly: true
        userPrincipalName:
          type: string
          description: Device user principal name.
          readOnly: true
        model:
          type: string
          description: Model of the device.
          readOnly: true
        manufacturer:
          type: string
          description: Manufacturer of the device.
          readOnly: true
        imei:
          type: string
          description: IMEI.
          readOnly: true
        serialNumber:
          type: string
          description: Serial number of the device.
          readOnly: true
        phoneNumber:
          type: string
          description: Phone number of the device.
          readOnly: true
        androidSecurityPatchLevel:
          type: string
          description: Android security patch level.
          readOnly: true
        userDisplayName:
          type: string
          description: User display name.
          readOnly: true
        wiFiMacAddress:
          type: string
          description: Wi-Fi MAC address.
          readOnly: true
        subscriberCarrier:
          type: string
          description: Subscriber carrier.
          readOnly: true
        meid:
          type: string
          description: MEID.
          readOnly: true
        totalStorageSpaceInBytes:
          type: integer
          format: int64
          description: Total storage in bytes.
          readOnly: true
        freeStorageSpaceInBytes:
          type: integer
          format: int64
          description: Free storage in bytes.
          readOnly: true
        managedDeviceName:
          type: string
          description: >-
            Automatically generated name to identify a device. Can be
            overwritten to a user friendly name.
        partnerReportedThreatState:
          type: string
          description: Threat state of a device when a Mobile Threat Defense partner is in use.
          enum:
            - unknown
            - activated
            - deactivated
            - secured
            - lowSeverity
            - mediumSeverity
            - highSeverity
            - unresponsive
            - compromised
            - misconfigured
          readOnly: true
        physicalMemoryInBytes:
          type: integer
          format: int64
          description: Total memory in bytes.
          readOnly: true
        enrollmentProfileName:
          type: string
          description: Name of the enrollment profile assigned to the device.
          readOnly: true
    DeviceCompliancePolicy:
      type: object
      description: >-
        Base class for compliance policy. Compliance policies are platform
        specific and individual per-platform compliance policies inherit from
        here.
      properties:
        id:
          type: string
          description: Key of the entity.
        createdDateTime:
          type: string
          format: date-time
          description: DateTime the object was created.
          readOnly: true
        description:
          type: string
          description: Admin provided description of the device configuration.
        lastModifiedDateTime:
          type: string
          format: date-time
          description: DateTime the object was last modified.
          readOnly: true
        displayName:
          type: string
          description: Admin provided name of the device configuration.
        version:
          type: integer
          description: Version of the device configuration.
          readOnly: true
    DeviceCompliancePolicyAssignment:
      type: object
      description: Assignment of a device compliance policy to a group.
      properties:
        id:
          type: string
        target:
          type: object
          properties:
            '@odata.type':
              type: string
            groupId:
              type: string
    MobileApp:
      type: object
      description: >-
        Abstract class containing the base properties for Intune mobile apps.
      properties:
        id:
          type: string
          description: Key of the entity.
          readOnly: true
        displayName:
          type: string
          description: The admin provided or imported title of the app.
        description:
          type: string
          description: The description of the app.
        publisher:
          type: string
          description: The publisher of the app.
        largeIcon:
          type: object
          description: The large icon for the app.
          properties:
            type:
              type: string
            value:
              type: string
              format: byte
        createdDateTime:
          type: string
          format: date-time
          description: The date and time the app was created.
          readOnly: true
        lastModifiedDateTime:
          type: string
          format: date-time
          description: The date and time the app was last modified.
          readOnly: true
        isFeatured:
          type: boolean
          description: Whether the app is marked as featured by the admin.
        privacyInformationUrl:
          type: string
          description: The privacy statement URL.
        informationUrl:
          type: string
          description: The more information URL.
        owner:
          type: string
          description: The owner of the app.
        developer:
          type: string
          description: The developer of the app.
        notes:
          type: string
          description: Notes for the app.
        publishingState:
          type: string
          description: The publishing state for the app.
          enum:
            - notPublished
            - processing
            - published
          readOnly: true
    MobileAppAssignment:
      type: object
      description: Assignment of a mobile app to a group.
      properties:
        id:
          type: string
        intent:
          type: string
          enum:
            - available
            - required
            - uninstall
            - availableWithoutEnrollment
        target:
          type: object
          properties:
            '@odata.type':
              type: string
            groupId:
              type: string
        settings:
          type: object
    DeviceConfiguration:
      type: object
      description: Device configuration profile.
      properties:
        id:
          type: string
          description: Key of the entity.
        lastModifiedDateTime:
          type: string
          format: date-time
          description: DateTime the object was last modified.
          readOnly: true
        createdDateTime:
          type: string
          format: date-time
          description: DateTime the object was created.
          readOnly: true
        description:
          type: string
          description: Admin provided description of the device configuration.
        displayName:
          type: string
          description: Admin provided name of the device configuration.
        version:
          type: integer
          description: Version of the device configuration.
          readOnly: true
    DeviceConfigurationAssignment:
      type: object
      description: Assignment of a device configuration profile to a group.
      properties:
        id:
          type: string
        target:
          type: object
          properties:
            '@odata.type':
              type: string
            groupId:
              type: string
    ODataError:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
            message:
              type: string
            innerError:
              type: object
              properties:
                request-id:
                  type: string
                date:
                  type: string
  responses:
    BadRequest:
      description: Bad request. The request body or parameters are invalid.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ODataError'
    Unauthorized:
      description: Unauthorized. Authentication is required.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ODataError'
    Forbidden:
      description: Forbidden. Insufficient permissions.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ODataError'
    NotFound:
      description: Not found. The specified resource does not exist.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ODataError'
tags:
  - name: Applications
    description: Manage mobile applications.
  - name: Compliance Policies
    description: Manage device compliance policies.
  - name: Configuration Profiles
    description: Manage device configuration profiles.
  - name: Device Actions
    description: Remote device actions such as wipe, retire, sync, and lock.
  - name: Devices
    description: Manage enrolled devices in Intune.