Microsoft 365 device management can be a complicated topic to approach. You need to take into consideration the size of your organization, whether to enforce MFA when users join or register devices, how many devices a user can have, and whether the devices are company-owned or personal. Luckily, many of these settings can be controlled from a couple of screens in the Azure portal through the Device Registration Policy (the Device settings blade under Azure AD). Unfortunately, these settings have remained out of reach programmatically, even as they became part of industry benchmark standards. That matters, because a setting you cannot read through an API cannot be audited at scale or monitored for drift.

New Endpoint

The Microsoft Graph API is an extensive undertaking: map all the data and capabilities of Azure AD and Microsoft 365 onto a single RESTful API. Many years after Graph was introduced, dozens of feature requests still sit in the backlog. Microsoft has made great strides in the functionality the API offers, but at any given time only a portion of what the service can actually do is exposed and documented.

Looking through the documentation, the device policies I want to access do not have an endpoint. Or do they? With the Device settings page open, the Network tab in Chrome's built-in Developer Tools shows that the data on the page is fetched by the portal itself via the Graph API.

https://portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/DeviceSettings/menuId/

Network Traffic from the Device Settings Page

Extracting the request URL and pasting it into Microsoft's Graph Explorer tool shows that the endpoint is indeed live and returns real data from the tenant.

Graph Explorer shot of the Endpoint

However, at the time of writing there is no documentation for the endpoint and no SDK support. Most likely this is a prototype being field-tested before an official announcement. There may be more work going on behind the scenes, though: a second, very similar but distinct, API path returns the same data.

A second endpoint?

Two Graph endpoints deployed and usable without general notice is interesting.

Go ahead and give them a try. Sign in to Graph Explorer with a sufficiently privileged account in your own tenant (a Global Administrator, for example). The sample tenant Graph Explorer uses when you are not signed in will return an error on these calls. Global Admin is a convenient way to rule out permission problems while testing, but treat it as a test-only convenience; for anything recurring, find the least-privileged role or permission that still returns the policy.

https://graph.microsoft.com/beta/deviceRegistrationPolicy
https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy

So far GET calls have succeeded, while PATCH and POST have failed. Be warned: Microsoft normally gives a notice window before it retires one of its beta endpoints, but an endpoint that was never announced may disappear without one, so do not build anything that depends on these paths without a fallback.
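As an added example (not code from the original post, and not Microsoft's), here is a small Python script that reads the policy from the second path with a bearer token and grades the two settings called out at the top of the post: MFA for joining devices and the per-user device quota. The property names multiFactorAuthConfiguration and userDeviceQuota, the "required"/"notRequired" values, the 20-device threshold and the sample response are all assumptions made for the example; the post itself does not show the response body.

```python
"""Read the beta deviceRegistrationPolicy and grade it against a small baseline.

Added example for this post, not code from the original page or from Microsoft.
Assumptions (not confirmed by the post): the response carries the properties
multiFactorAuthConfiguration ("required" | "notRequired") and userDeviceQuota
(int), and an access token for the tenant is obtained separately (for instance
copied from Graph Explorer's Access token tab).
"""
import json
import urllib.request

BETA_URLS = (
    "https://graph.microsoft.com/beta/deviceRegistrationPolicy",
    "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy",
)


def get_device_registration_policy(access_token: str, url: str = BETA_URLS[1]) -> dict:
    """GET the policy with a bearer token. Live network call; not exercised offline."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate_policy(policy: dict, max_devices: int = 20) -> dict:
    """Grade the two settings the post calls out: MFA to join/register devices and
    the per-user device quota. Returns {check_name: (passed, observed_value)}.
    max_devices is an organisational threshold chosen for the example, not a
    Microsoft default. Missing properties fail closed (reported as not passing)."""
    mfa = policy.get("multiFactorAuthConfiguration")
    quota = policy.get("userDeviceQuota")
    return {
        "mfa_required_to_join": (mfa == "required", mfa),
        "device_quota_bounded": (isinstance(quota, int) and 1 <= quota <= max_devices, quota),
    }


def failed_checks(findings: dict) -> list:
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, (ok, _) in findings.items() if not ok)


# Constructed sample response (not captured from a tenant): MFA not required and
# a 50-device quota, which this baseline reports as two findings.
SAMPLE_POLICY = {
    "id": "deviceRegistrationPolicy",
    "displayName": "Device Registration Policy",
    "multiFactorAuthConfiguration": "notRequired",
    "userDeviceQuota": 50,
}

if __name__ == "__main__":
    # For a live tenant, replace SAMPLE_POLICY with get_device_registration_policy(token).
    findings = evaluate_policy(SAMPLE_POLICY)
    for name, (ok, observed) in findings.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: observed {observed!r}")
    print("failed:", failed_checks(findings))
```

To run it against a real tenant, pass a token from Graph Explorer's Access token tab (or one obtained through MSAL) to get_device_registration_policy. That token is a credential for a highly privileged account, so keep it out of logs, scripts and shell history, and expect the call itself to stop working without notice if the beta path is withdrawn.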

 

Wrap-up

The Device Registration Policy is an important area for Microsoft 365 admins to take note of. It helps secure your Azure AD tenant and brings you in line with security benchmarks. Getting the related data programmatically has been out of reach, but that may be changing very soon as the Graph API continues to evolve.