Microsoft Intune · Schema
Microsoft Intune Managed Device
Devices that are managed or pre-enrolled through Intune. Represents a physical or virtual device managed by the Microsoft Intune service via the Microsoft Graph API. Based on the microsoft.graph.managedDevice resource type.
App ProtectionAzureComplianceDevice ConfigurationEndpoint ManagementEnrollmentMAMMDMMicrosoft GraphMobile Application ManagementMobile Device ManagementSecurity
Properties
| Name | Type | Description |
|---|---|---|
| @odata.type | string | The OData type annotation for the managed device resource. |
| id | string | Unique identifier for the device. This property is read-only. |
| userId | string | Unique identifier for the user associated with the device. This property is read-only. |
| deviceName | string | Name of the device. This property is read-only. |
| managedDeviceOwnerType | string | Ownership of the device. Can be 'company' or 'personal'. |
| deviceActionResults | array | List of ComplexType deviceActionResult objects. This property is read-only. |
| enrolledDateTime | string | Enrollment time of the device. Supports $filter operator 'lt' and 'gt'. This property is read-only. |
| lastSyncDateTime | string | The date and time that the device last completed a successful sync with Intune. Supports $filter operator 'lt' and 'gt'. This property is read-only. |
| operatingSystem | string | Operating system of the device. Windows, iOS, etc. This property is read-only. |
| complianceState | string | Compliance state of the device. Examples: Compliant, Conflict, Error, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. This property is read-only. |
| jailBroken | string | Whether the device is jail broken or rooted. Default is an empty string. This property is read-only. |
| managementAgent | string | Management channel of the device. Examples: Intune, EAS, etc. Default is unknown. This property is read-only. |
| osVersion | string | Operating system version of the device. This property is read-only. |
| easActivated | boolean | Whether the device is Exchange ActiveSync activated. This property is read-only. |
| easDeviceId | string | Exchange ActiveSync Id of the device. This property is read-only. |
| easActivationDateTime | string | Exchange ActivationSync activation time of the device. This property is read-only. |
| azureADRegistered | booleannull | Whether the device is Azure Active Directory registered. This property is read-only. |
| deviceEnrollmentType | string | Enrollment type of the device. This property is read-only. |
| activationLockBypassCode | stringnull | The code that allows the Activation Lock on managed device to be bypassed. This property is read-only. |
| emailAddress | string | Email(s) for the user associated with the device. This property is read-only. |
| azureADDeviceId | string | The unique identifier for the Azure Active Directory device. Read only. This property is read-only. |
| deviceRegistrationState | string | Device registration state. This property is read-only. |
| deviceCategoryDisplayName | string | Device category display name. Default is an empty string. This property is read-only. |
| isSupervised | boolean | Device supervised status. This property is read-only. |
| exchangeLastSuccessfulSyncDateTime | string | Last time the device contacted Exchange. This property is read-only. |
| exchangeAccessState | string | The Access State of the device in Exchange. This property is read-only. |
| exchangeAccessStateReason | string | The reason for the device's access state in Exchange. This property is read-only. |
| remoteAssistanceSessionUrl | stringnull | URL that allows a Remote Assistance session to be established with the device. This property is read-only. |
| remoteAssistanceSessionErrorDetails | stringnull | An error string that identifies issues when creating Remote Assistance session objects. This property is read-only. |
| isEncrypted | boolean | Device encryption status. This property is read-only. |
| userPrincipalName | string | Device user principal name. This property is read-only. |
| model | string | Model of the device. This property is read-only. |
| manufacturer | string | Manufacturer of the device. This property is read-only. |
| imei | string | IMEI (International Mobile Equipment Identity). This property is read-only. |
| complianceGracePeriodExpirationDateTime | string | The DateTime when device compliance grace period expires. This property is read-only. |
| serialNumber | string | Serial number of the device. This property is read-only. |
| phoneNumber | string | Phone number of the device. This property is read-only. |
| androidSecurityPatchLevel | string | Android security patch level. This property is read-only. |
| userDisplayName | string | User display name. This property is read-only. |
| configurationManagerClientEnabledFeatures | object | ConfigrMgr client enabled features. This property is read-only. |
| wiFiMacAddress | string | Wi-Fi MAC address. This property is read-only. |
| deviceHealthAttestationState | object | The device health attestation state. This property is read-only. |
| subscriberCarrier | string | Subscriber carrier. This property is read-only. |
| meid | string | MEID (Mobile Equipment Identifier). This property is read-only. |
| totalStorageSpaceInBytes | integer | Total storage in bytes. This property is read-only. |
| freeStorageSpaceInBytes | integer | Free storage in bytes. Default value is 0. This property is read-only. |
| managedDeviceName | string | Automatically generated name to identify a device. Can be overwritten to a user friendly name. |
| partnerReportedThreatState | string | Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read only. This property is read-only. |
| requireUserEnrollmentApproval | booleannull | Reports if the managed iOS device is user approval enrollment. This property is read-only. |
| managementCertificateExpirationDate | string | Reports device management certificate expiration date. This property is read-only. |
| iccid | stringnull | Integrated Circuit Card Identifier, the SIM card's unique identification number. This property is read-only. |
| udid | stringnull | Unique Device Identifier for iOS and macOS devices. This property is read-only. |
| notes | stringnull | Notes on the device created by IT Admin. Default is null. |
| ethernetMacAddress | stringnull | Indicates Ethernet MAC Address of the device. This property is read-only. |
| physicalMemoryInBytes | integer | Total memory in bytes. Default is 0. This property is read-only. |
| enrollmentProfileName | stringnull | Name of the enrollment profile assigned to the device. Default value is empty string. This property is read-only. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://github.com/api-evangelist/microsoft-intune/json-schema/microsoft-intune-managed-device-schema.json",
"title": "Microsoft Intune Managed Device",
"description": "Devices that are managed or pre-enrolled through Intune. Represents a physical or virtual device managed by the Microsoft Intune service via the Microsoft Graph API. Based on the microsoft.graph.managedDevice resource type.",
"type": "object",
"properties": {
"@odata.type": {
"type": "string",
"const": "#microsoft.graph.managedDevice",
"description": "The OData type annotation for the managed device resource."
},
"id": {
"type": "string",
"description": "Unique identifier for the device. This property is read-only.",
"readOnly": true
},
"userId": {
"type": "string",
"description": "Unique identifier for the user associated with the device. This property is read-only.",
"readOnly": true
},
"deviceName": {
"type": "string",
"description": "Name of the device. This property is read-only.",
"readOnly": true
},
"managedDeviceOwnerType": {
"type": "string",
"description": "Ownership of the device. Can be 'company' or 'personal'.",
"enum": [
"unknown",
"company",
"personal"
]
},
"deviceActionResults": {
"type": "array",
"description": "List of ComplexType deviceActionResult objects. This property is read-only.",
"readOnly": true,
"items": {
"$ref": "#/$defs/deviceActionResult"
}
},
"enrolledDateTime": {
"type": "string",
"format": "date-time",
"description": "Enrollment time of the device. Supports $filter operator 'lt' and 'gt'. This property is read-only.",
"readOnly": true
},
"lastSyncDateTime": {
"type": "string",
"format": "date-time",
"description": "The date and time that the device last completed a successful sync with Intune. Supports $filter operator 'lt' and 'gt'. This property is read-only.",
"readOnly": true
},
"operatingSystem": {
"type": "string",
"description": "Operating system of the device. Windows, iOS, etc. This property is read-only.",
"readOnly": true
},
"complianceState": {
"type": "string",
"description": "Compliance state of the device. Examples: Compliant, Conflict, Error, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. This property is read-only.",
"readOnly": true,
"enum": [
"unknown",
"compliant",
"noncompliant",
"conflict",
"error",
"inGracePeriod",
"configManager"
]
},
"jailBroken": {
"type": "string",
"description": "Whether the device is jail broken or rooted. Default is an empty string. This property is read-only.",
"readOnly": true
},
"managementAgent": {
"type": "string",
"description": "Management channel of the device. Examples: Intune, EAS, etc. Default is unknown. This property is read-only.",
"readOnly": true,
"enum": [
"eas",
"mdm",
"easMdm",
"intuneClient",
"easIntuneClient",
"configurationManagerClient",
"configurationManagerClientMdm",
"configurationManagerClientMdmEas",
"unknown",
"jamf",
"googleCloudDevicePolicyController"
]
},
"osVersion": {
"type": "string",
"description": "Operating system version of the device. This property is read-only.",
"readOnly": true
},
"easActivated": {
"type": "boolean",
"description": "Whether the device is Exchange ActiveSync activated. This property is read-only.",
"readOnly": true
},
"easDeviceId": {
"type": "string",
"description": "Exchange ActiveSync Id of the device. This property is read-only.",
"readOnly": true
},
"easActivationDateTime": {
"type": "string",
"format": "date-time",
"description": "Exchange ActivationSync activation time of the device. This property is read-only.",
"readOnly": true
},
"azureADRegistered": {
"type": ["boolean", "null"],
"description": "Whether the device is Azure Active Directory registered. This property is read-only.",
"readOnly": true
},
"deviceEnrollmentType": {
"type": "string",
"description": "Enrollment type of the device. This property is read-only.",
"readOnly": true,
"enum": [
"unknown",
"userEnrollment",
"deviceEnrollmentManager",
"appleBulkWithUser",
"appleBulkWithoutUser",
"windowsAzureADJoin",
"windowsBulkUserless",
"windowsAutoEnrollment",
"windowsBulkAzureDomainJoin",
"windowsCoManagement",
"windowsAzureADJoinUsingDeviceAuth",
"appleUserEnrollment",
"appleUserEnrollmentWithServiceAccount"
]
},
"activationLockBypassCode": {
"type": ["string", "null"],
"description": "The code that allows the Activation Lock on managed device to be bypassed. This property is read-only.",
"readOnly": true
},
"emailAddress": {
"type": "string",
"description": "Email(s) for the user associated with the device. This property is read-only.",
"readOnly": true
},
"azureADDeviceId": {
"type": "string",
"description": "The unique identifier for the Azure Active Directory device. Read only. This property is read-only.",
"readOnly": true
},
"deviceRegistrationState": {
"type": "string",
"description": "Device registration state. This property is read-only.",
"readOnly": true,
"enum": [
"notRegistered",
"registered",
"revoked",
"keyConflict",
"approvalPending",
"certificateReset",
"notRegisteredPendingEnrollment",
"unknown"
]
},
"deviceCategoryDisplayName": {
"type": "string",
"description": "Device category display name. Default is an empty string. This property is read-only.",
"readOnly": true
},
"isSupervised": {
"type": "boolean",
"description": "Device supervised status. This property is read-only.",
"readOnly": true
},
"exchangeLastSuccessfulSyncDateTime": {
"type": "string",
"format": "date-time",
"description": "Last time the device contacted Exchange. This property is read-only.",
"readOnly": true
},
"exchangeAccessState": {
"type": "string",
"description": "The Access State of the device in Exchange. This property is read-only.",
"readOnly": true,
"enum": [
"none",
"unknown",
"allowed",
"blocked",
"quarantined"
]
},
"exchangeAccessStateReason": {
"type": "string",
"description": "The reason for the device's access state in Exchange. This property is read-only.",
"readOnly": true,
"enum": [
"none",
"unknown",
"exchangeGlobalRule",
"exchangeIndividualRule",
"exchangeDeviceRule",
"exchangeUpgrade",
"exchangeMailboxPolicy",
"other",
"compliant",
"notCompliant",
"notEnrolled",
"unknownLocation",
"mfaRequired",
"azureADBlockDueToAccessPolicy",
"compromisedPassword",
"deviceNotKnownWithManagedApp"
]
},
"remoteAssistanceSessionUrl": {
"type": ["string", "null"],
"format": "uri",
"description": "URL that allows a Remote Assistance session to be established with the device. This property is read-only.",
"readOnly": true
},
"remoteAssistanceSessionErrorDetails": {
"type": ["string", "null"],
"description": "An error string that identifies issues when creating Remote Assistance session objects. This property is read-only.",
"readOnly": true
},
"isEncrypted": {
"type": "boolean",
"description": "Device encryption status. This property is read-only.",
"readOnly": true
},
"userPrincipalName": {
"type": "string",
"description": "Device user principal name. This property is read-only.",
"readOnly": true
},
"model": {
"type": "string",
"description": "Model of the device. This property is read-only.",
"readOnly": true
},
"manufacturer": {
"type": "string",
"description": "Manufacturer of the device. This property is read-only.",
"readOnly": true
},
"imei": {
"type": "string",
"description": "IMEI (International Mobile Equipment Identity). This property is read-only.",
"readOnly": true
},
"complianceGracePeriodExpirationDateTime": {
"type": "string",
"format": "date-time",
"description": "The DateTime when device compliance grace period expires. This property is read-only.",
"readOnly": true
},
"serialNumber": {
"type": "string",
"description": "Serial number of the device. This property is read-only.",
"readOnly": true
},
"phoneNumber": {
"type": "string",
"description": "Phone number of the device. This property is read-only.",
"readOnly": true
},
"androidSecurityPatchLevel": {
"type": "string",
"description": "Android security patch level. This property is read-only.",
"readOnly": true
},
"userDisplayName": {
"type": "string",
"description": "User display name. This property is read-only.",
"readOnly": true
},
"configurationManagerClientEnabledFeatures": {
"$ref": "#/$defs/configurationManagerClientEnabledFeatures",
"description": "ConfigrMgr client enabled features. This property is read-only.",
"readOnly": true
},
"wiFiMacAddress": {
"type": "string",
"description": "Wi-Fi MAC address. This property is read-only.",
"readOnly": true
},
"deviceHealthAttestationState": {
"$ref": "#/$defs/deviceHealthAttestationState",
"description": "The device health attestation state. This property is read-only.",
"readOnly": true
},
"subscriberCarrier": {
"type": "string",
"description": "Subscriber carrier. This property is read-only.",
"readOnly": true
},
"meid": {
"type": "string",
"description": "MEID (Mobile Equipment Identifier). This property is read-only.",
"readOnly": true
},
"totalStorageSpaceInBytes": {
"type": "integer",
"description": "Total storage in bytes. This property is read-only.",
"readOnly": true
},
"freeStorageSpaceInBytes": {
"type": "integer",
"description": "Free storage in bytes. Default value is 0. This property is read-only.",
"readOnly": true,
"default": 0
},
"managedDeviceName": {
"type": "string",
"description": "Automatically generated name to identify a device. Can be overwritten to a user friendly name."
},
"partnerReportedThreatState": {
"type": "string",
"description": "Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read only. This property is read-only.",
"readOnly": true,
"enum": [
"unknown",
"activated",
"deactivated",
"secured",
"lowSeverity",
"mediumSeverity",
"highSeverity",
"unresponsive",
"compromised",
"misconfigured"
]
},
"requireUserEnrollmentApproval": {
"type": ["boolean", "null"],
"description": "Reports if the managed iOS device is user approval enrollment. This property is read-only.",
"readOnly": true
},
"managementCertificateExpirationDate": {
"type": "string",
"format": "date-time",
"description": "Reports device management certificate expiration date. This property is read-only.",
"readOnly": true
},
"iccid": {
"type": ["string", "null"],
"description": "Integrated Circuit Card Identifier, the SIM card's unique identification number. This property is read-only.",
"readOnly": true
},
"udid": {
"type": ["string", "null"],
"description": "Unique Device Identifier for iOS and macOS devices. This property is read-only.",
"readOnly": true
},
"notes": {
"type": ["string", "null"],
"description": "Notes on the device created by IT Admin. Default is null."
},
"ethernetMacAddress": {
"type": ["string", "null"],
"description": "Indicates Ethernet MAC Address of the device. This property is read-only.",
"readOnly": true
},
"physicalMemoryInBytes": {
"type": "integer",
"description": "Total memory in bytes. Default is 0. This property is read-only.",
"readOnly": true,
"default": 0
},
"enrollmentProfileName": {
"type": ["string", "null"],
"description": "Name of the enrollment profile assigned to the device. Default value is empty string. This property is read-only.",
"readOnly": true
}
},
"required": [
"id"
],
"$defs": {
"deviceActionResult": {
"type": "object",
"title": "Device Action Result",
"description": "Device action result returned from performing an action on a managed device.",
"properties": {
"@odata.type": {
"type": "string",
"const": "microsoft.graph.deviceActionResult"
},
"actionName": {
"type": "string",
"description": "Action name."
},
"actionState": {
"type": "string",
"description": "State of the action.",
"enum": [
"none",
"pending",
"canceled",
"active",
"done",
"failed",
"notSupported"
]
},
"startDateTime": {
"type": "string",
"format": "date-time",
"description": "Time the action was initiated."
},
"lastUpdatedDateTime": {
"type": "string",
"format": "date-time",
"description": "Time the action state was last updated."
}
}
},
"configurationManagerClientEnabledFeatures": {
"type": "object",
"title": "Configuration Manager Client Enabled Features",
"description": "Represents the enabled features of the Configuration Manager client co-managed with Intune.",
"properties": {
"@odata.type": {
"type": "string",
"const": "microsoft.graph.configurationManagerClientEnabledFeatures"
},
"inventory": {
"type": "boolean",
"description": "Whether inventory is managed by Intune."
},
"modernApps": {
"type": "boolean",
"description": "Whether modern application is managed by Intune."
},
"resourceAccess": {
"type": "boolean",
"description": "Whether resource access is managed by Intune."
},
"deviceConfiguration": {
"type": "boolean",
"description": "Whether device configuration is managed by Intune."
},
"compliancePolicy": {
"type": "boolean",
"description": "Whether compliance policy is managed by Intune."
},
"windowsUpdateForBusiness": {
"type": "boolean",
"description": "Whether Windows Update for Business is managed by Intune."
}
}
},
"deviceHealthAttestationState": {
"type": "object",
"title": "Device Health Attestation State",
"description": "The device health attestation state, providing hardware-based security and health status information.",
"properties": {
"@odata.type": {
"type": "string",
"const": "microsoft.graph.deviceHealthAttestationState"
},
"lastUpdateDateTime": {
"type": "string",
"description": "The timestamp of the last update."
},
"contentNamespaceUrl": {
"type": "string",
"format": "uri",
"description": "The DHA report version (namespace version)."
},
"deviceHealthAttestationStatus": {
"type": "string",
"description": "The device health attestation status."
},
"contentVersion": {
"type": "string",
"description": "The HealthAttestation state schema version."
},
"issuedDateTime": {
"type": "string",
"format": "date-time",
"description": "The DateTime when device was evaluated or issued to MDM."
},
"attestationIdentityKey": {
"type": "string",
"description": "TWhen an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate."
},
"resetCount": {
"type": "integer",
"description": "The number of times a PC device has hibernated or resumed."
},
"restartCount": {
"type": "integer",
"description": "The number of times a PC device has rebooted."
},
"dataExcutionPolicy": {
"type": "string",
"description": "DEP policy defines a set of hardware and software technologies that perform additional checks on memory."
},
"bitLockerStatus": {
"type": "string",
"description": "On or Off of BitLocker Drive Encryption."
},
"bootManagerVersion": {
"type": "string",
"description": "The version of the Boot Manager."
},
"codeIntegrityCheckVersion": {
"type": "string",
"description": "The version of the code integrity check."
},
"secureBoot": {
"type": "string",
"description": "When Secure Boot is enabled, the core components must have correct cryptographic signatures."
},
"bootDebugging": {
"type": "string",
"description": "When bootDebugging is enabled, it is used to provide diagnostic information during development."
},
"operatingSystemKernelDebugging": {
"type": "string",
"description": "When operatingSystemKernelDebugging is enabled, it allows kernel debugging."
},
"codeIntegrity": {
"type": "string",
"description": "When code integrity is enabled, code execution is restricted to integrity verified code."
},
"testSigning": {
"type": "string",
"description": "When test signing is allowed, the device does not enforce signature validation during boot."
},
"safeMode": {
"type": "string",
"description": "Safe mode is a troubleshooting option for Windows that starts the computer in a limited state."
},
"windowsPE": {
"type": "string",
"description": "Operating system running with limited services that is used to prepare a computer for Windows."
},
"earlyLaunchAntiMalwareDriverProtection": {
"type": "string",
"description": "ELAM provides protection for the computers in your network when they start up."
},
"virtualSecureMode": {
"type": "string",
"description": "VSM is a container that protects high value assets from a compromised kernel."
},
"pcrHashAlgorithm": {
"type": "string",
"description": "Informational attribute that identifies the HASH algorithm that was used by TPM."
},
"bootAppSecurityVersion": {
"type": "string",
"description": "The security version number of the Boot Application."
},
"bootManagerSecurityVersion": {
"type": "string",
"description": "The security version number of the Boot Manager."
},
"tpmVersion": {
"type": "string",
"description": "The security version number of the Boot Application."
},
"pcr0": {
"type": "string",
"description": "A fingerprint of the legacy BIOS configuration measured in PCR[0]."
},
"secureBootConfigurationPolicyFingerPrint": {
"type": "string",
"description": "Fingerprint of the Custom Secure Boot Configuration Policy."
},
"codeIntegrityPolicy": {
"type": "string",
"description": "The Code Integrity policy that is controlling the security of the boot environment."
},
"bootRevisionListInfo": {
"type": "string",
"description": "The Boot Revision List that was loaded during initial boot on the attested device."
},
"operatingSystemRevListInfo": {
"type": "string",
"description": "The Operating System Revision List that was loaded during initial boot on the attested device."
},
"healthStatusMismatchInfo": {
"type": "string",
"description": "This attribute appears if DHA-Service detects an integrity issue."
},
"healthAttestationSupportedStatus": {
"type": "string",
"description": "This attribute indicates if DHA is supported for the device."
}
}
}
},
"examples": [
{
"@odata.type": "#microsoft.graph.managedDevice",
"id": "705c034c-034c-705c-4c03-5c704c035c70",
"userId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"deviceName": "DESKTOP-ABC123",
"managedDeviceOwnerType": "company",
"enrolledDateTime": "2024-01-15T10:30:00Z",
"lastSyncDateTime": "2026-03-01T14:22:00Z",
"operatingSystem": "Windows",
"complianceState": "compliant",
"jailBroken": "False",
"managementAgent": "mdm",
"osVersion": "10.0.22631.3007",
"easActivated": false,
"azureADRegistered": true,
"deviceEnrollmentType": "windowsAzureADJoin",
"isSupervised": false,
"isEncrypted": true,
"userPrincipalName": "[email protected]",
"model": "Surface Pro 9",
"manufacturer": "Microsoft Corporation",
"serialNumber": "012345678901",
"userDisplayName": "Jane Doe",
"wiFiMacAddress": "AA:BB:CC:DD:EE:FF",
"totalStorageSpaceInBytes": 512110190592,
"freeStorageSpaceInBytes": 256055095296,
"managedDeviceName": "user_Windows_3/1/2026_2:22 PM",
"partnerReportedThreatState": "secured",
"physicalMemoryInBytes": 17179869184,
"notes": null
}
]
}