Retrieve the compliance policy ID using GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
Determine the target Microsoft Entra group ID for the assignment using GET https://graph.microsoft.com/v1.0/groups with a $filter on displayName or other attributes
POST to https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments with a body containing an assignments array; each entry specifies target.@odata.type as #microsoft.graph.groupAssignmentTarget and target.groupId
Verify the assignment with a GET to https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments and confirm that the group ID appears
To assign to all users or all devices, set target.@odata.type to #microsoft.graph.allUsersAssignmentTarget or #microsoft.graph.allDevicesAssignmentTarget respectively
For exclusion assignments, use #microsoft.graph.exclusionGroupAssignmentTarget in the same assignments POST body alongside inclusion targets
Known gotchas
Assignments are replaced, not merged, on each POST to the assignments endpoint; sending a new assignment array without including existing assignments will remove previously configured assignments
The DeviceManagementConfiguration.ReadWrite.All permission is required for write operations; DeviceManagementConfiguration.Read.All alone will result in a 403 on the POST
Changes to assignments propagate to devices on the next check-in cycle; there is no mechanism to force an immediate re-evaluation of all devices in the target group via the API
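Because a write replaces the whole assignment set, the existing assignments have to be read first and resent together with any new target. The following is an added example, not code from the original page or from Microsoft: it builds the full body from a GET result and lists the targets a write would drop. The function names and the sample IDs are constructed for illustration.

```python
GROUP = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"

# Constructed sample of the "value" array from GET .../{policyId}/assignments.
EXISTING = [
    {"id": "constructed-1", "target": {"@odata.type": GROUP, "groupId": "group-a"}},
    {"id": "constructed-2", "target": {"@odata.type": EXCLUDE, "groupId": "group-b"}},
]


def target_key(target):
    """Identity of a target: its type plus groupId (None for all users/devices)."""
    return (target["@odata.type"], target.get("groupId"))


def merge_assignments(existing, new_targets):
    """Build a full assignments body: every existing target plus the new ones."""
    merged = {}
    for t in [a["target"] for a in existing] + list(new_targets):
        # Copy only the two fields the page names; the GET's "id" is not resent.
        clean = {"@odata.type": t["@odata.type"]}
        if t.get("groupId"):
            clean["groupId"] = t["groupId"]
        merged.setdefault(target_key(clean), clean)  # de-duplicate repeats
    included = {g for typ, g in merged if typ == GROUP}
    excluded = {g for typ, g in merged if typ == EXCLUDE}
    if included & excluded:
        # Local sanity check (an assumption of this example, not an API rule).
        raise ValueError(f"included and excluded: {sorted(included & excluded)}")
    return {"assignments": [{"target": t} for t in merged.values()]}


def dropped_targets(existing, body):
    """Targets assigned today that the body about to be sent would remove."""
    after = {target_key(a["target"]) for a in body["assignments"]}
    return [target_key(a["target"]) for a in existing
            if target_key(a["target"]) not in after]


if __name__ == "__main__":
    new = [{"@odata.type": GROUP, "groupId": "group-c"}]
    naive = {"assignments": [{"target": t} for t in new]}
    print("naive body would drop:", dropped_targets(EXISTING, naive))
    print("merged body drops:", dropped_targets(EXISTING, merge_assignments(EXISTING, new)))
```

Running `dropped_targets` against the body before sending it gives a pre-flight check that no inclusion or exclusion is silently removed.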