This Repository was created to document the possible values of the Microsoft Graph Device Property "systemLabels", since the official Documentation is not quite clear.
What we do know is that the Property is read-only and used by Microsoft internally.
From "Entra ID dynamic Group Rules for devices":

> Note
>
> systemlabels is a read-only attribute that cannot be set with Intune.

In the hope that Cunningham's Law is true, I thought it might be a good idea for someone to try and keep a public collection.
| Value | Use / Appearance | Submitter | Verified |
|---|---|---|---|
| AzureResource | Windows VMs in Azure enabled with Microsoft Entra sign-in | Author | Conditional Access Documentation, Token Protection Documentation, not seen in the wild yet |
| M365Managed | Devices managed using Microsoft Managed Desktop | Author | Conditional Access Documentation, not seen in the wild yet |
| MultiUser | Shared devices | Author | Conditional Access Documentation, not seen in the wild yet |
| CloudPC | Cloud PCs that are Microsoft Entra Joined (Probably Windows 365) | Author | Token Protection Documentation, not seen in the wild yet |
| AzureVirtualDesktop | Azure Virtual Desktop Machines that are Microsoft Entra Joined | Author | Token Protection Documentation, not seen in the wild yet |
| MicrosoftPowerAutomate | Power Automate hosted machine groups, Microsoft's very own click Robots | Author | Token Protection Documentation, not seen in the wild yet |
| ...? | | | |

If you would like to add more values or have a description corrected (or maybe even direct me to a complete official documentation), please raise a GitHub Issue (or a pull request) with a screenshot of the new Value and a guess as to what the usage might be.
If you would like to find out what the values in your Environments are, I have provided an example Script that pulls from your Environment.
- PowerShell Modules
  - Microsoft.Graph.Authentication
- GraphAPI Permissions on the Graph PowerShell, or a Custom Enterprise App
  - Device.Read.All
- If Using Delegate Permission
  - User with Global Reader or a Role that can show Devices
- A privileged Auth / Global Admin to Consent to the API Permissions

The Script mirrors most Authentication Flows of Connect-MgGraph. By default it will ask for the credentials interactively.

```powershell
.\informationCollector -tenantId "..." -clientId "..."
.\informationCollector -tenantId "..." -clientId "..." -certificateThumbprint "..."
# Will prompt you for the Secret of your App ID - consider using a certificate
.\informationCollector -tenantId "..." -clientId "..." -useSecret
# Will go through the Device Code flow, should be used by default in, for example, Cloud Shell
.\informationCollector -deviceCode
```

By default you will get a short List of all systemLabels found in your Environment, each with a single example Device displayName.
If you want the script to return a full list of all Devices with the associated labels, use `.\informationCollector -fullList`
This should also be used in environments with a lot of Devices to skip the simplification, since reducing the List requires parsing all returned entries.
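
The reduction described above (one row per label with a single example device) can be sketched as follows. This is an added example, not the repository's informationCollector script; the function names `Get-AllDevices` and `Get-SystemLabelSummary` and the sample devices are hypothetical, and the live query assumes an existing `Connect-MgGraph` session with Device.Read.All.

```powershell
# Added example, not the repository's informationCollector script.
# Get-AllDevices needs Microsoft.Graph.Authentication and a Connect-MgGraph session
# with Device.Read.All; Get-SystemLabelSummary runs offline on any device list.

function Get-AllDevices {
    # Follow @odata.nextLink until every page of devices has been read.
    $uri = 'https://graph.microsoft.com/v1.0/devices?$select=id,displayName,systemLabels'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value                      # emit this page's devices to the pipeline
        $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
}

function Get-SystemLabelSummary {
    param([Parameter(ValueFromPipeline)] $Device)
    begin { $seen = [ordered]@{} }
    process {
        # A device can carry zero, one or several labels.
        foreach ($label in @($Device.systemLabels)) {
            if (-not $label) { continue }
            if (-not $seen.Contains($label)) {
                # First device seen with this label becomes the example.
                $seen[$label] = [pscustomobject]@{
                    SystemLabel   = $label
                    ExampleDevice = $Device.displayName
                    DeviceCount   = 0
                }
            }
            $seen[$label].DeviceCount++
        }
    }
    end { $seen.Values }
}

# Constructed sample devices (hypothetical names), shaped like the Graph response.
$sample = @(
    @{ displayName = 'vm-demo-01';  systemLabels = @('AzureResource') }
    @{ displayName = 'cpc-demo-01'; systemLabels = @('CloudPC') }
    @{ displayName = 'cpc-demo-02'; systemLabels = @('CloudPC') }
    @{ displayName = 'laptop-demo'; systemLabels = @() }
)
$sample | Get-SystemLabelSummary | Format-Table

# Against a live tenant: Get-AllDevices | Get-SystemLabelSummary
```

The per-label device count makes it easy to spot labels that appear on only a handful of devices before referencing them in a Conditional Access device filter or a dynamic group rule.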