Obtain the target policy's ID from GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
Call GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/deviceStatuses to list per-device compliance states
Filter results using OData $filter=status eq 'nonCompliant' to isolate failing devices
For each non-compliant device, call GET https://graph.microsoft.com/v1.0/deviceManagement/deviceComplianceSettingStates to retrieve individual setting-level failures
Correlate deviceId values back to managed device records via deviceManagement/managedDevices/{deviceId}
Export results to a CSV or push to a SIEM using the response body's value array
Known gotchas
deviceStatuses reflects the last check-in state, not real-time; devices that have not checked in recently may show stale data
The endpoint does not support server-side sorting on all fields; apply client-side sorting after paginating through all pages using @odata.nextLink
Devices in a grace period appear as compliant until the grace period expires; use the nonCompliantDeviceCount field on the overview sub-resource to distinguish
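The steps and gotchas above, as an added example that is not part of the original page: it pages through deviceStatuses via @odata.nextLink, re-checks the status client-side, flags stale check-ins, sorts client-side and builds the CSV. The `fetch` callable (an authenticated HTTP client in practice), the 7-day staleness threshold, the placeholder policy ID and the sample responses are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

BASE = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
POLICY_ID = "<policy-id>"  # placeholder, not a real policy ID

def first_page_url(policy_id):  # per-device statuses, filtered server-side
    return f"{BASE}/{policy_id}/deviceStatuses?$filter=status eq 'nonCompliant'"

def fetch_all(fetch, url):
    """Follow @odata.nextLink to the last page; `fetch` maps a URL to parsed JSON."""
    rows = []
    while url:
        page = fetch(url)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return rows

def report(rows, now, stale_after=timedelta(days=7)):
    """Keep nonCompliant rows, flag stale check-ins, sort client-side (oldest first)."""
    out = []
    for r in rows:
        if r.get("status") != "nonCompliant":  # do not rely on $filter alone
            continue
        seen = datetime.fromisoformat(r["lastReportedDateTime"].replace("Z", "+00:00"))
        out.append({"id": r["id"], "device": r["deviceDisplayName"],
                    "lastReported": seen.isoformat(), "stale": now - seen > stale_after})
    return sorted(out, key=lambda d: d["lastReported"])

def to_csv(records):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "device", "lastReported", "stale"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

# Constructed sample responses (two pages); one row simulates an ignored $filter.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PAGE2 = first_page_url(POLICY_ID) + "&$skiptoken=constructed"
SAMPLE_PAGES = {
    first_page_url(POLICY_ID): {"@odata.nextLink": PAGE2, "value": [
        {"id": "dev-a", "deviceDisplayName": "LAPTOP-A", "status": "nonCompliant", "lastReportedDateTime": "2024-05-30T08:15:00Z"},
        {"id": "dev-b", "deviceDisplayName": "LAPTOP-B", "status": "compliant", "lastReportedDateTime": "2024-05-31T10:00:00Z"}]},
    PAGE2: {"value": [
        {"id": "dev-c", "deviceDisplayName": "PHONE-C", "status": "nonCompliant", "lastReportedDateTime": "2024-04-02T12:00:00Z"}]},
}

if __name__ == "__main__":
    print(to_csv(report(fetch_all(SAMPLE_PAGES.__getitem__, first_page_url(POLICY_ID)), NOW)))
```

Rows marked stale are the ones whose non-compliant state may no longer reflect the device, so they are worth re-evaluating after the next check-in before alerting on them.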