Register an app in Microsoft Entra ID and grant it the DeviceManagementConfiguration.Read.All permission
Acquire an OAuth 2.0 access token using the client credentials flow against the Microsoft identity platform token endpoint
Send GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies with the bearer token in the Authorization header
Parse the returned JSON collection; each item contains id, displayName, scheduledActionsForRule, and platform-specific settings
Use OData $filter or $select query parameters to narrow results by platform or assignment group
Store policy IDs for downstream compliance state queries against the deviceStatuses sub-resource
Known gotchas
The v1.0 endpoint requires an active Intune license on the tenant; the call returns a 403 if Intune is not licensed, even with correct permissions
Platform-specific policy types (e.g., iosCompliancePolicy, windows10CompliancePolicy) are returned as base deviceCompliancePolicy objects; use the @odata.type field to determine the concrete type
Delegated permission requires the calling user to have at least Intune Read-Only Operator; application permission works without a signed-in user but needs admin consent
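The steps and gotchas above, put together as an added example (not code from the original page): it builds the client-credentials token request, lists the policies, maps @odata.type to the concrete policy type and treats a 403 as a licensing or consent problem. The function names and the injectable send transport are assumptions made for illustration, and following @odata.nextLink for paging goes beyond the steps listed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

POLICIES_URL = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST for the identity platform token endpoint."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,  # load from a secret store, never hard-code
            "scope": "https://graph.microsoft.com/.default"}
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def http_json(req):
    """Default transport: send the request, return (status, parsed JSON body)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def list_policies(token, select=None, send=http_json):
    """Return id, displayName and concrete type of every compliance policy."""
    url = POLICIES_URL
    if select:
        url += "?" + urllib.parse.urlencode({"$select": ",".join(select)}, safe="$,")
    found = []
    while url:  # follow @odata.nextLink until the collection is exhausted
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        status, body = send(req)
        if status == 403:
            raise PermissionError("403 from Graph: check Intune licensing and admin consent")
        if status != 200:
            raise RuntimeError(f"Graph returned HTTP {status}")
        for item in body.get("value", []):
            # "#microsoft.graph.iosCompliancePolicy" -> "iosCompliancePolicy"
            kind = item.get("@odata.type", "").rsplit(".", 1)[-1] or "deviceCompliancePolicy"
            found.append({"id": item["id"], "displayName": item.get("displayName"), "type": kind})
        url = body.get("@odata.nextLink")
    return found

if __name__ == "__main__":
    # Constructed response standing in for Graph, so this runs offline.
    page = {"value": [{"id": "p1", "displayName": "iOS baseline",
                       "@odata.type": "#microsoft.graph.iosCompliancePolicy"}]}
    print(list_policies("constructed-token", send=lambda req: (200, page)))
```

For a live call, send token_request(...) through http_json, take access_token from the returned body and pass it to list_policies with the default transport.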