Advanced Configuration of Noncompliant Device Actions and Schedule

Mastering Device Compliance

Typically you configure these actions in the Intune portal, where you decide how long a device may remain noncompliant before it loses access to company resources. This standard method has its limits, though, especially when it comes to setting specific timeframes.

Enter Microsoft Graph. Under the hood a compliance policy stores the grace period as gracePeriodHours, a whole number of hours, so through Graph you can set exactly 1 hour, 8 hours or any other duration. The Intune GUI is limiting here: the Schedule field takes the value in days, and it only accepts whole days or the few fractions of a day it knows (0.5, 0.25 or 0.125 for 12, 6 or 3 hours). Anything else, such as the 0.0833 days that 2 hours would require, is rejected with an error that you can't enter a decimal with a separator.


In this article, I'll guide you through the process of using Microsoft Graph to configure the time for the Schedule in a more precise way, enhancing your ability to manage device compliance effectively.

Setting up the Grace Period for Noncompliant Devices

Step 1: Connect to Microsoft Graph

Open Microsoft Graph Explorer (https://developer.microsoft.com/graph/graph-explorer) and sign in with your account.

Step 2: Set the Right Permissions

First, make sure the DeviceManagementConfiguration.ReadWrite.All permission for Microsoft Graph has been consented for your session. You can consent to it on the Permissions tab in Graph Explorer, or grant it on the Microsoft Graph Command Line Tools enterprise app in Entra ID if you prefer PowerShell. Delegated permission is fine, and preferable from a least-privilege standpoint: the call runs under your own identity, so your account also needs an Intune role that may edit compliance policies (for example Intune Administrator), and nothing more.


Step 3: Check Your Current Setup

Look up the ID of the compliance policy you want to modify. You will recognize the policy by its displayName or description.

GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies

The ID of the compliance policy; we need this in the next step.

Now check your current settings. Paste the following GET request into Graph Explorer:

GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{deviceCompliancePolicyId}?$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)

Replace {deviceCompliancePolicyId} with your actual policy ID. The response shows how the compliance policy is set up, including its scheduledActionsForRule and, inside that, the scheduledActionConfigurations with a "gracePeriodHours" value for each action. For the block action this is the time a device may be noncompliant before it gets blocked. Take note of every action listed here, not just the block one; you will need them again in Step 4. (Note: this specific URL isn't in the official documentation, but it works. The one in the docs gives you an error.)


Scroll down a bit to the scheduledActionsForRule section, where we find what we are looking for:


gracePeriodHours is set to 24, which Intune shows as 1 day.


The same setting shown as 1 day in the Intune GUI.

TIP: You can find the URL the portal itself calls by opening the browser developer tools (Ctrl+Shift+I), selecting the "Network" tab and then browsing to the compliance policy's noncompliance actions you want to modify:


Step 4: Change the Grace Period

To change the grace period, send a POST request to the scheduleActionsForRules action of the policy:

POST https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{deviceCompliancePolicyId}/scheduleActionsForRules

In the request body you describe the schedule in JSON. A minimal body that sets the block action to two hours looks like this:

{
  "deviceComplianceScheduledActionForRules": [
    {
      "ruleName": "PasswordRequired",
      "scheduledActionConfigurations": [
        {
          "actionType": "block",
          "gracePeriodHours": 2
        }
      ]
    }
  ]
}

In this JSON, change "gracePeriodHours": 2 to the number of hours you want. For example, for an eight-hour grace period you would use "gracePeriodHours": 8; 0 blocks the device as soon as it is marked noncompliant. Two things to check before you send it: use the ruleName that the GET in Step 3 returned (policies created in the portal carry a single rule, normally named PasswordRequired), and treat the body as the complete schedule for that rule. If Step 3 also listed a notification, retire or other action, put it back into scheduledActionConfigurations with its own gracePeriodHours, otherwise only the block action remains after the POST.

If everything is set correctly, Graph Explorer answers with 200 OK after you've run the query, meaning the grace period has been modified. I've set it to two hours in this example.


Changing the grace period to two hours

Step 5: Check Modified Grace Period

Run the GET from Step 3 again, or open the policy in the portal: Intune now shows a grace period of two hours.


If you open the setting for editing, you will see why such a value can't be set via the Intune portal:


The portal won't accept the fractional number of days that two hours works out to.
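To run the whole procedure without clicking through Graph Explorer, here is an added Python example (my code, not the author's). It assumes you already hold a delegated Microsoft Graph access token carrying DeviceManagementConfiguration.ReadWrite.All, for instance copied from the "Access token" tab in Graph Explorer or obtained with an auth library; the function names find_policy_id, build_schedule_body and set_grace_period are my own, and POLICY_SAMPLE is a constructed, trimmed stand-in for a real Step 3 response with placeholder IDs. Beyond the minimal body in Step 4, it copies every scheduled action the GET returned back into the POST, so a notification or retire action already on the policy is not lost when the block grace period changes, and it rejects fractional hours, since the API stores whole hours.

```python
"""Set an Intune compliance policy's block grace period to an exact number of hours.

Added example, not code from the original post. It targets the beta endpoints the
post uses; POLICY_SAMPLE is a constructed, trimmed copy of what the Step 3 GET returns.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"

# Constructed sample of the expanded policy (placeholder ids, only the fields used here).
POLICY_SAMPLE = {
    "id": "00000000-0000-0000-0000-000000000000",
    "displayName": "Windows 10 - Baseline",
    "scheduledActionsForRule": [{
        "ruleName": "PasswordRequired",
        "scheduledActionConfigurations": [
            {"actionType": "notification", "gracePeriodHours": 0,
             "notificationTemplateId": "11111111-1111-1111-1111-111111111111",
             "notificationMessageCCList": []},
            {"actionType": "block", "gracePeriodHours": 24,
             "notificationTemplateId": "", "notificationMessageCCList": []},
        ],
    }],
}

# Fields of a scheduledActionConfiguration that are sent back in the POST body.
KEEP = ("actionType", "gracePeriodHours", "notificationTemplateId", "notificationMessageCCList")


def find_policy_id(policies, display_name):
    """Pick the policy id out of the list that GET .../deviceCompliancePolicies returns (Step 3)."""
    ids = [p["id"] for p in policies if p.get("displayName") == display_name]
    if len(ids) != 1:
        raise LookupError(f"expected one policy named {display_name!r}, found {len(ids)}")
    return ids[0]


def build_schedule_body(policy, block_hours, rule_name=None):
    """Build the scheduleActionsForRules body from the expanded policy (Step 4).

    The POST carries the complete schedule for the rule, so every existing action is
    copied over and only the block action's gracePeriodHours is changed.
    """
    if isinstance(block_hours, bool) or not isinstance(block_hours, int) or block_hours < 0:
        raise ValueError("gracePeriodHours must be a whole, non-negative number of hours")
    rules = policy.get("scheduledActionsForRule") or []
    if rule_name is None:
        if len(rules) != 1:
            raise ValueError("policy has several rules; pass rule_name explicitly")
        rule = rules[0]
    else:
        rule = next((r for r in rules if r.get("ruleName") == rule_name), None)
        if rule is None:
            raise LookupError(f"no rule named {rule_name!r} on policy {policy.get('id')}")
    configs, seen_block = [], False
    for cfg in rule.get("scheduledActionConfigurations", []):
        new_cfg = {k: cfg[k] for k in KEEP if k in cfg}
        if new_cfg.get("actionType") == "block":
            new_cfg["gracePeriodHours"] = block_hours
            seen_block = True
        configs.append(new_cfg)
    if not seen_block:  # no block action yet: add one, like the post's minimal body does
        configs.append({"actionType": "block", "gracePeriodHours": block_hours,
                        "notificationTemplateId": "", "notificationMessageCCList": []})
    return {"deviceComplianceScheduledActionForRules": [
        {"ruleName": rule["ruleName"], "scheduledActionConfigurations": configs}]}


def _graph(token, method, url, body=None):
    """Minimal Graph call; token is a delegated access token obtained elsewhere (assumption)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def set_grace_period(token, policy_id, block_hours):
    """GET the expanded policy, then POST the rebuilt schedule (Steps 3 to 5 in one go)."""
    expand = "$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)"
    _, policy = _graph(token, "GET", f"{GRAPH}/{policy_id}?{expand}")
    body = build_schedule_body(policy, block_hours)
    status, _ = _graph(token, "POST", f"{GRAPH}/{policy_id}/scheduleActionsForRules", body)
    return status  # 200, as in the post, when the schedule was accepted


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: two hours for the block action.
    print(json.dumps(build_schedule_body(POLICY_SAMPLE, 2), indent=2))
```

Running the file as-is only prints the rebuilt body for the constructed sample; set_grace_period(token, policy_id, 2) performs the real GET and POST. Re-run the Step 3 GET afterwards and compare the full scheduledActionConfigurations list, not just the block entry, to confirm nothing was dropped.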

Wrapping Up

Here you have it! You've successfully fine-tuned the duration for device noncompliance before access to company resources is restricted. This approach offers a level of customization beyond what's typically available in Intune's standard settings. By following these steps diligently, you can adjust the settings precisely to align with your organization's requirements.

Additionally, it's worth noting that the PowerShell cmdlets documented for this particular task may not be effective at this time (they don't work at all).

Thank you for taking the time to read through this guide! 😊