Quick tip: Available token types for app configuration policies

This is a quick and short blog post to create awareness about the existence of token types. Token types are basically just variables that can be used within a property list of an app configuration policy in Microsoft Intune hybrid and Microsoft Intune standalone. This blog post will provide a quick overview about the available token types with example values.


The following table contains the currently available token types for Microsoft Intune hybrid and Microsoft Intune standalone. Before going through this table, it’s good to know that the {{ and }} characters are used by token types only and should not be used for other purposes.

Token type Example value
{{userprincipalname}} pvanderwoude@petervanderwoude.nl
{{mail}} pvanderwoude@petervanderwoude.nl
{{partialupn}} pvanderwoude
{{accountid}} fcc00012-123e-f479-aabe-abe2a1123b45
{{deviceid}} c7d01dd3-136f-40c5-b843-711e958c4eef
{{userid}} 2dda638e-28b7-4bdc-a4fd-70faaa811010
{{username}} Peter van der Woude
{{serialnumber}} F9FPVD86FCM5
{{serialnumberlast4digits}} FCM5

More information

For more information about iOS apps with mobile app configuration policies, in Microsoft Intune standalone and Microsoft Intune hybrid, please refer to:

15 thoughts on “Quick tip: Available token types for app configuration policies”

  1. Hi Peter, thanks for the write up. Do you know, is this also available for Intune IOS Configuration Policies – Custom Configurations? We are wanting to build an IOS SSO profile using mail as a variable in the config. e.g.


    Alternatively, any examples of how to deliver an SSO profile for IOS?

  2. Peter,
    I have had an open ticket with MS since may as this setting doesn’t work on InTune Hybrid. The token type is passed as a literal value. Have you also seen this and/or have any insight?


  3. Hi there,

    sorry to re-open this old topic, but are there any news on this?
    Struggling since weeks with a configuration profile which I want to send as a CI to our iOS devices to enable SSO (Kerberos) for our internal authentication.

    Appreciate all information.
    Thanks in advance

    • Hi Julius,
      What news are you referring to? The token types are already available in the hybrid environment. However, keep in mind that hybrid is deprecated and that these tokens are app configuration only.
      Regards, Peter

  4. Hi Peter,

    thank you for your answer.
    Yes, I also got this information and am currently trying to accomplish the needed kerberos-authentication with a built-in Intune profile.
    Still struggling with some tech-issues like missing (enrolled) devices in Intune (OS-type sometimes is “iOS” (then devices are shown in Intune) and sometimes it is “iPhone” (then they are not listed in Intune, but only as AzureAD devices).
    Way to go for me and my 4500 devices 🙂


      • Hi Peter,

        was (so far) not too big, as I learned, that if a primary user of a managed device is not part of the SCCM-Intune-sync-collection, but enrolls a device, Intune (standalone) is grabbing this device, even if no policies or similar is in place in Intune.
        By excluding (test)-users from the Intune-collection in SCCM, you can “shift” the management for this users’ device(s) over to Intune.
        This procedure is also part of the recommended migration path from hybrid to Intune standalone MDM from Microsoft via a so called “Mixed MDM authority” (see: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-mixed-authority).

        Migrated my own user already and it looks good with KerberosSSO so far, but have some new challenges now (like connecting my existing NDES-server to allow devices/Intune to issue certificates, which are needed for Wifi, VPN and other purposes.

        Will keep you updated 🙂

  5. Hi Peter,

    I want to use e.g. the samaccountname or the mailnick as token in the iOS App Configuration Policy.
    Is it possible to use custom/create tokens that can be used in the iOS App Configuration Policy.

    Thank you


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.