Forum Discussion
Solved
Get available policies through Graph API
Hey everyone,
I would like to know if anyone has found a way to get all available policies (Compliance, Configuration) in JSON or any other format.
I know we can get all policies that wer...
Hi Miguel
try to implement empty policies and get them via
https://graph.microsoft.com/beta/devicemanagement/deviceConfigurations
or you can even address them directly:
https://graph.microsoft.com/beta/devicemanagement/deviceConfigurations/{id}
The empty policies will have all options listed. So in the end you will have an query for every empty configuration which gives you all available settings. You can archive them and compare them later.
you will get an output like this:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations/$entity",
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"id": "d15e5d52-b5fc-40ff-8434-ed63f8ed3ab3",
"lastModifiedDateTime": "2018-01-19T16:44:01.0523964Z",
"createdDateTime": "2017-11-20T19:58:24.2758957Z",
"description": "",
"displayName": "Device Restrictions",
"version": 12,
"enableAutomaticRedeployment": true,
"assignedAccessSingleModeUserName": null,
"assignedAccessSingleModeAppUserModelId": null,
"microsoftAccountSignInAssistantSettings": "notConfigured",
"authenticationAllowSecondaryDevice": false,
"authenticationAllowFIDODevice": false,
"cryptographyAllowFipsAlgorithmPolicy": false,
"displayAppListWithGdiDPIScalingTurnedOn": [],
"displayAppListWithGdiDPIScalingTurnedOff": [],
"enterpriseCloudPrintDiscoveryEndPoint": null,
"enterpriseCloudPrintOAuthAuthority": null,
"enterpriseCloudPrintOAuthClientIdentifier": null,
"enterpriseCloudPrintResourceIdentifier": null,
"enterpriseCloudPrintDiscoveryMaxLimit": null,
"enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null,
"messagingBlockSync": false,
"messagingBlockMMS": false,
"messagingBlockRichCommunicationServices": false,
"searchBlockDiacritics": false,
"searchDisableAutoLanguageDetection": false,
"searchDisableIndexingEncryptedItems": false,
"searchEnableRemoteQueries": false,
"searchDisableUseLocation": false,
"searchDisableIndexerBackoff": false,[...]
best,
Oliver
Hi Miguel,
did you try the Intune samples?
https://github.com/microsoftgraph/powershell-intune-samples
It seems they are fulfilling your needs.
There we have:
DeviceConfiguration_Get.ps1
This script gets all the device configuration policies from the Intune Service that you have authenticated with.
and
CompliancePolicy_Export.ps1
This script gets all the compliance policies from the Intune Service that you have authenticated with. The script will then export the policy to .json format in the directory of your choice.
best,
Oliver
Hi Oliver,
First of all thank you for your answer.
I'd already seen those examples, but from what I can understand, those commands retrieve configured policies. That is, it gets all the policies that we've created, not the available options in all those policies.
What I'm looking for is getting all the available options dynamically, since they seem to change too frequently. It's hard to keep a file updated with all available options for each policy.
Thank you,
Miguel
Hi Miguel
try to implement empty policies and get them via
https://graph.microsoft.com/beta/devicemanagement/deviceConfigurations
or you can even address them directly:
https://graph.microsoft.com/beta/devicemanagement/deviceConfigurations/{id}
The empty policies will have all options listed. So in the end you will have an query for every empty configuration which gives you all available settings. You can archive them and compare them later.
you will get an output like this:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations/$entity",
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"id": "d15e5d52-b5fc-40ff-8434-ed63f8ed3ab3",
"lastModifiedDateTime": "2018-01-19T16:44:01.0523964Z",
"createdDateTime": "2017-11-20T19:58:24.2758957Z",
"description": "",
"displayName": "Device Restrictions",
"version": 12,
"enableAutomaticRedeployment": true,
"assignedAccessSingleModeUserName": null,
"assignedAccessSingleModeAppUserModelId": null,
"microsoftAccountSignInAssistantSettings": "notConfigured",
"authenticationAllowSecondaryDevice": false,
"authenticationAllowFIDODevice": false,
"cryptographyAllowFipsAlgorithmPolicy": false,
"displayAppListWithGdiDPIScalingTurnedOn": [],
"displayAppListWithGdiDPIScalingTurnedOff": [],
"enterpriseCloudPrintDiscoveryEndPoint": null,
"enterpriseCloudPrintOAuthAuthority": null,
"enterpriseCloudPrintOAuthClientIdentifier": null,
"enterpriseCloudPrintResourceIdentifier": null,
"enterpriseCloudPrintDiscoveryMaxLimit": null,
"enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null,
"messagingBlockSync": false,
"messagingBlockMMS": false,
"messagingBlockRichCommunicationServices": false,
"searchBlockDiacritics": false,
"searchDisableAutoLanguageDetection": false,
"searchDisableIndexingEncryptedItems": false,
"searchEnableRemoteQueries": false,
"searchDisableUseLocation": false,
"searchDisableIndexerBackoff": false,[...]
best,
Oliver
- Thanks a lot!
I guess I supposed if a setting wasn't configured it wouldn't show up on the list. This should work.
