This post explains how to enable or disable camera settings using Intune and the Microsoft Graph API. This method helps automate configuration policy creation and deployment. You could also use PowerShell to automate the creation of Intune configuration profiles.
Microsoft Intune provides a wide range of policies within the admin center. These policies can apply predefined settings to users and devices, all of which can be automated using Graph APIs. I will create a configuration policy that will disable the use of the Camera and deploy it to security groups in this example.
Microsoft Graph, a RESTful web API, facilitates access to Microsoft Cloud service resources. It lets you access data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services through a single endpoint, including data from Microsoft 365, Windows, and Enterprise Mobility + Security.
The Microsoft Graph API is designed to perform the same range of Intune operations as those available through the portal. Using Microsoft Graph, developers can build intelligent applications that leverage the power of Microsoft 365 and other Microsoft services to enhance productivity and collaboration.
Reason for Disabling the Use of the Camera
Disabling the use of the camera has many advantages. In specific high-security settings, the ability to control camera usage on computer devices is paramount. For enhanced security measures, it is recommended that organizations consider the feasibility of disabling the cameras on end users' computers.
When the camera is disabled by this policy, no one can access sensitive visual data without permission. It also allows you to reduce the chances of security issues and protect confidential information. Turning off the use of cameras is essential for preventing unauthorized access and accidental recording.
Disabling the camera will help save battery life and improve workstation performance. It will additionally diminish the likelihood of cyber attacks and guarantee that unauthorized surveillance via the device’s camera is prevented.
Create a Policy to Disable Camera using Intune and Graph API
Let’s learn how to create a policy to disable the camera using the Graph API. I will use Graph Explorer, a handy browser-based tool for running Graph calls. You could also use Postman or PowerShell to automate the task.
NOTE! You may need to log in to Graph Explorer using your credentials if it's your first time.
You can use the Microsoft Graph API endpoint below to Create a Policy to Disable Camera in Microsoft Intune.
HTTP Methods | Description |
---|---|
GET | The GET method retrieves data from the server. |
POST | The POST HTTP request method sends data to the server for processing. |
PUT | The PUT method completely replaces a resource identified with a given URL. |
DELETE | The DELETE method removes or deletes a resource from a server. |
https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations
You must have enough permission to run the above endpoint. I have created a table below with permission details.
Permission | Description | AdminConsentRequired |
---|---|---|
DeviceManagementConfiguration.ReadWrite.All | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups without a signed-in user. | Yes |
You should use the POST request method for the endpoint since you are sending data to the API. Change the request method from GET to POST and paste the JSON code below into the request body.
    {
      "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
      "displayName": "Disable use of Camera",
      "description": "Policy to disable camera usage",
      "omaSettings": [
        {
          "@odata.type": "#microsoft.graph.omaSettingString",
          "displayName": "Disable use of Camera",
          "description": "Disables the camera on the device",
          "omaUri": "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera",
          "value": "0"
        }
      ]
    }
The value should be “0” if you want to disable the Camera settings. You can change it to “1” when enabling them. Also, note the omaUri that I used in this example. Camera devices will be enabled if you enable or don’t configure this policy setting. If you disable this property setting, Camera devices will be disabled.
Once you click the Run query button, Graph Explorer will return a response message. You will receive a success message with the text Created - 201. Note down the id for further use.
Well, per the response message, the policy has been created successfully. Sign in to the Microsoft Intune Admin portal and verify the configuration profile.
Get the Security Group ID using Graph API
As discussed above, we will assign the policy to a security group in Intune. Hence, you need the security group’s id to deploy the Intune camera settings using the Graph API. Let’s learn how to get the security group’s id.
- Sign in back to Graph Explorer with your admin account.
- Replace the Graph URL with the following endpoint.
https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'HTMD - Test Computers'&$select=id,displayName
Within seconds of clicking Run query, you will receive a success message with the text OK - 200. Make a note of the id for further use.
Assign a Configuration Profile to the Security Group using Graph API
Well, I have done enough testing, and it is good to deploy the configuration profile I created to disable the camera on my test machines. The test machines are added to the security group, and I have its unique id to automate the deployment.
- Sign in back to Graph Explorer with your admin account.
- Replace the Graph URL with the following endpoint. Replace the {profile-id} with the actual profile ID.
https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{profile-id}/assignments
You should use the POST request method for the endpoint since you are sending data to the API. Change the request method from GET to POST and paste the JSON code below into the request body. Make sure to replace the groupId with the id that you noted above.
    {
      "@odata.type": "#microsoft.graph.deviceConfigurationAssignment",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "48bd6547-dc18-498e-8143-11c49a818836"
      }
    }
You will receive a response as soon as you click on Run query. Let’s sign in to the Microsoft Intune Admin portal and verify the policy assignment. Select the configuration profile you deployed to check the assignment status from properties.
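The three Graph Explorer steps above combined into one PowerShell script, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in admin can consent to the two scopes; the variable names are illustrative. It resolves the group before creating anything and reads the assignment back at the end.

```powershell
# Added example, not from the original post. Needs the Microsoft.Graph.Authentication module.
$ErrorActionPreference = 'Stop'
$base      = 'https://graph.microsoft.com/v1.0'
$groupName = 'HTMD - Test Computers'   # group display name used in the post

# Ask only for the delegated scopes these calls need.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'

# 1. Resolve the group first. displayName is not unique, so stop unless exactly
#    one group matches; otherwise the policy could land on the wrong devices.
$escaped = $groupName.Replace("'", "''")          # OData escapes ' by doubling it
$filter  = [uri]::EscapeDataString("displayName eq '$escaped'")
$uri     = "$base/groups?`$filter=$filter&`$select=id,displayName"
$groups  = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
if ($groups.Count -ne 1) { throw "Expected one group named '$groupName', found $($groups.Count)." }
$groupId = $groups[0].id

# 2. Create the profile with the same body the post pastes into Graph Explorer.
$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Disable use of Camera'
    description   = 'Policy to disable camera usage'
    omaSettings   = @(@{
        '@odata.type' = '#microsoft.graph.omaSettingString'
        displayName   = 'Disable use of Camera'
        description   = 'Disables the camera on the device'
        omaUri        = './Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera'
        value         = '0'   # "0" disables the camera, "1" enables it
    })
}
$profileUri = "$base/deviceManagement/deviceConfigurations"
$created = Invoke-MgGraphRequest -Method POST -Uri $profileUri -ContentType 'application/json' `
    -Body ($policy | ConvertTo-Json -Depth 5)

# 3. Assign the new profile to the resolved group.
$assignment = @{
    '@odata.type' = '#microsoft.graph.deviceConfigurationAssignment'
    target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId }
}
$assignUri = "$profileUri/$($created.id)/assignments"
Invoke-MgGraphRequest -Method POST -Uri $assignUri -ContentType 'application/json' `
    -Body ($assignment | ConvertTo-Json -Depth 5) | Out-Null

# 4. Read the assignments back instead of trusting the status code alone.
$targets = @((Invoke-MgGraphRequest -Method GET -Uri $assignUri).value |
    ForEach-Object { $_.target.groupId })
if ($targets -notcontains $groupId) { throw "Profile $($created.id) is not assigned to $groupId." }
"Profile $($created.id) assigned to '$groupName' ($groupId)"
```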
I hope this article will be a valuable resource for you and your organization. Thank you for being so patient in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About the Author: Sujin Nelladath, a Microsoft Graph MVP with over ten years of experience in SCCM device management and Automation solutions, writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.