Mastering Device Compliance: Advanced Configuration of Noncompliant Device Actions and Schedule in Microsoft Intune

Typically, in Intune, you can set up these actions through its user interface, deciding how long a device can remain noncompliant before it loses access to company resources. However, this standard method has its limits, especially when it comes to setting specific timeframes.

Enter Microsoft Graph. This approach gives you more flexibility, letting you set the exact number of hours a device may remain noncompliant, whether that is 1 hour, 8 hours or any other whole number of hours. The Intune GUI is limiting here: you can only specify whole days or a few coarse fractions of a day (12, 6 or 3 hours); anything else isn't supported, and the portal just returns an error that you can't enter a decimal with a separator. This is outlined in the Microsoft documentation.

In this article, I'll guide you through the process of using Microsoft Graph to configure the time for the Schedule in a more precise way, enhancing your ability to manage device compliance effectively.

Setting up the Grace Period for Noncompliant Devices

Step 1: Connect to Microsoft Graph

Connect to Microsoft Graph Explorer and sign in with your account.

Step 2: Set the Right Permissions

First, make sure you have the permission DeviceManagementConfiguration.ReadWrite.All for the Microsoft Graph API. You can add this permission through the Microsoft Graph Command Line Tools enterprise app in Entra ID, or consent to it directly in Graph Explorer. A delegated permission is fine for this.

Microsoft Graph Explorer Consent Permissions

Step 3: Check Your Current Setup

Look up the ID of the compliance policy you want to modify. You will recognize the policy by its display name or description.

GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies

The ID of the compliance policy; we need this in the next step

Now check your current settings. To do this, use the GET method with the following URL in Graph Explorer:

GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{deviceCompliancePolicyId}?$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)

Replace {deviceCompliancePolicyId} with your actual policy ID. This request shows you how your device compliance policy is set up, including "gracePeriodHours": the time a device may stay noncompliant before it gets blocked. (Note: this specific URL isn't in the official documentation, but it works. The one in the docs gives you an error.)

Microsoft Graph Explorer

Scroll down a bit and there we find what we are looking for:

Grace Period Hours is set to 24 hours. Intune shows this as 1 day
1 day in Intune GUI

TIP: You can find the correct URL in your browser's developer tools: press Ctrl+Shift+I, select "Network" and browse to the Intune compliance policy settings you want to modify:

Microsoft Graph URL in Edge Dev Tools

Step 4: Change the Grace Period

To change the grace period, use the POST method with this URL:

POST https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{deviceCompliancePolicyId}/scheduleActionsForRules

In the request body, you'll put some details in JSON format. Here's what it looks like:

{
    "deviceComplianceScheduledActionForRules": [
        {
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                {
                    "actionType": "block",
                    "gracePeriodHours": 2
                }
            ]
        }
    ]
}

In this JSON, you can change "gracePeriodHours": 2 to the number of hours you want. For example, if you want the grace period to be 8 hours, you would change it to "gracePeriodHours": 8.

If everything is set correctly in Graph Explorer you will get an "OK - 200" after you've run the query. This means the grace period has been successfully modified. I've set it to two hours in this example.

Changing the grace period to two hours

Step 5: Check Modified Grace Period

As a result, Intune shows a modified grace period of two hours.

When you edit the setting in the Intune portal you will see why it's impossible to change it to such a value there:

The portal won't accept large values like this.
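As an added example (not code from the article), here is a small Python helper that reads the current gracePeriodHours from the expanded GET response of Step 3 and builds the scheduleActionsForRules request of Step 4, so you can audit a policy first and only write when the value actually differs. It assumes you already hold a bearer token carrying the permission from Step 2; the policy JSON embedded below is constructed, not captured from a real tenant.

```python
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"
EXPAND = "$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)"
RULE = "PasswordRequired"  # rule name used in the article's request body

def policy_url(policy_id: str) -> str:
    # Step 3: the policy with its scheduled actions expanded
    return f"{GRAPH_BETA}/deviceManagement/deviceCompliancePolicies/{policy_id}?{EXPAND}"

def schedule_url(policy_id: str) -> str:
    # Step 4: the scheduleActionsForRules action on the policy
    return f"{GRAPH_BETA}/deviceManagement/deviceCompliancePolicies/{policy_id}/scheduleActionsForRules"

def block_grace_hours(policy: dict):
    # Hours before the 'block' action fires, read from the expanded GET response; None if no block action
    for rule in policy.get("scheduledActionsForRule", []):
        for cfg in rule.get("scheduledActionConfigurations", []):
            if cfg.get("actionType") == "block":
                return cfg.get("gracePeriodHours")
    return None

def schedule_actions_body(hours: int, rule_name: str = RULE) -> dict:
    # Step 4 body; Graph takes whole hours (2, 8, ...) that the portal's day-based picker rejects
    if isinstance(hours, bool) or not isinstance(hours, int) or hours < 0:
        raise ValueError("gracePeriodHours must be a non-negative whole number of hours")
    return {"deviceComplianceScheduledActionForRules": [{"ruleName": rule_name,
            "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": hours}]}]}

def plan_change(policy: dict, hours: int):
    # Idempotent check: return (url, body) for the POST, or None if the policy already has `hours`
    if block_grace_hours(policy) == hours:
        return None
    return schedule_url(policy["id"]), schedule_actions_body(hours)

def graph_call(method: str, url: str, token: str, body: dict = None) -> dict:
    # Assumption: `token` is a bearer token with DeviceManagementConfiguration.ReadWrite.All
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}

# Constructed sample of the expanded GET response (not captured from a real tenant)
SAMPLE_POLICY = {"id": "00000000-0000-0000-0000-000000000000", "scheduledActionsForRule": [
    {"ruleName": RULE, "scheduledActionConfigurations": [
        {"actionType": "notification", "gracePeriodHours": 0},
        {"actionType": "block", "gracePeriodHours": 24}]}]}
```

With a real token, `graph_call("GET", policy_url(pid), token)` gives the live policy, and `plan_change` then tells you whether a `graph_call("POST", url, token, body)` is needed at all.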

Wrapping Up

There you have it! You've successfully fine-tuned how long a device may stay noncompliant before access to company resources is restricted. This approach offers a level of customization beyond what's available in Intune's standard settings. By following these steps carefully, you can adjust the grace period precisely to match your organization's requirements.

Additionally, it's worth noting that the PowerShell cmdlets documented for this particular task may not be effective at this time (they don't work at all).

Thank you for taking the time to read through this guide!
