Custom Templates

Create your own policy and user templates tailored to your organization’s specific requirements. Custom templates support parameterization, versioning, and drift detection.

Creating Custom Policy Templates

Export from Existing Policy

Export a working policy from a reference tenant as a template. The export process captures all settings and creates parameterized versions of tenant-specific values.

Navigate to the source policy in a tenant
Click Export as Template
Configure parameter mappings
Save to template library

Create from Scratch

Build templates manually using the JSON configuration editor. Define all settings and parameters directly.


{
  "name": "Windows Compliance - Standard",
  "type": "deviceCompliancePolicy",
  "platform": "windows10",
  "settings": {
    "osMinimumVersion": "{{minOsVersion}}",
    "bitLockerEnabled": "{{requireEncryption}}",
    "secureBootEnabled": true,
    "codeIntegrityEnabled": true
  },
  "parameters": {
    "minOsVersion": {
      "type": "string",
      "default": "10.0.19045"
    },
    "requireEncryption": {
      "type": "boolean",
      "default": true
    }
  }
}

Template Parameters

Templates support parameterization for deployment-time customization:

Parameter	Type	Description	Default
`minOsVersion`	string	Minimum required OS version	10.0.19045
`requireEncryption`	boolean	Require device encryption	true
`gracePeriodDays`	number	Non-compliance grace period	3
`targetGroups`	array	Groups to assign policy	All Users

Creating Custom User Templates

Template Configuration


{
  "name": "Sales Representative",
  "description": "Standard configuration for sales team members",
  "licenses": [
    {
      "skuId": "SPE_E3",
      "disabledPlans": ["YAMMER_ENTERPRISE", "SWAY"]
    },
    {
      "skuId": "POWER_BI_PRO"
    }
  ],
  "groups": [
    { "id": "{{salesTeamGroupId}}", "role": "member" },
    { "id": "{{allEmployeesGroupId}}", "role": "member" },
    { "id": "{{crmUsersGroupId}}", "role": "member" }
  ],
  "attributes": {
    "department": "Sales",
    "companyName": "{{tenantCompanyName}}",
    "usageLocation": "{{defaultUsageLocation}}"
  },
  "settings": {
    "forcePasswordChange": true,
    "mfaRequired": true
  }
}

Dynamic Parameters

Parameter	Description	Example
`{{department}}`	User’s department from input	Engineering
`{{tenantDomain}}`	Target tenant’s primary domain	contoso.com
`{{manager.upn}}`	Selected manager’s UPN	jane@contoso.com
`{{defaultUsageLocation}}`	Tenant default location	US

Template Versioning

Templates are versioned to track changes and ensure consistency:

Version	Changes	Author	Date
v2.1 (current)	Added TPM requirement	admin@msp.com	Jan 15, 2026
v2.0	Updated minimum OS version	admin@msp.com	Dec 1, 2025
v1.0	Initial release	admin@msp.com	Sep 15, 2025

Template Deployment

Select Template — Choose template from library. View settings preview and version information.
Configure Parameters — Set values for template parameters. Use defaults or customize for target tenant.
Select Target Tenants — Choose one or more tenants for deployment. Parameter values can vary per tenant.
Configure Assignments — Map to groups in target tenants. Select include and exclude groups.
Deploy — Execute deployment. Policies are created in target tenants with tracking for rollback.

Drift Detection

Monitor deployed policies for configuration drift from templates:

Contoso Corp — In sync
Fabrikam Inc — 2 drifted settings
Northwind LLC — In sync

Drift Resolution

Sync to template — Override tenant changes with template values
Update template — Incorporate tenant changes into template
Ignore drift — Mark as intentional deviation

Apply Template to Existing Users

Align existing users with template standards:

Full Apply — Replace all user settings with template values. Removes licenses and groups not in template, adds missing ones.
Additive Apply — Add missing template items without removing existing settings. Preserves current licenses and groups.
Selective Apply — Choose which template components to apply (licenses only, groups only, attributes only).

Template Compliance

Monitor user compliance with assigned templates:

User	Template	Status	Issues
john.smith@contoso.com	Sales Representative	Compliant	—
emily.jones@contoso.com	Standard Employee	Drifted	Missing: E3 license
mike.chen@contoso.com	Frontline Worker	Drifted	Extra: Power BI Pro

Best Practices

Start with built-in templates — Built-in templates follow Microsoft best practices and are regularly updated
Use parameters for tenant-specific values — Avoid hardcoding values that differ between tenants (group IDs, domain names)
Version templates with meaningful notes — Document what changed in each version for audit and troubleshooting
Enable drift detection for critical policies — Monitor security-critical policies for unauthorized changes
Create role-based templates — Organize templates by job function rather than department for broader applicability
Review templates periodically — Update templates when license offerings change or organizational needs evolve

API Reference

GET /api/automation/policy-templates — List all policy templates
POST /api/automation/policy-templates — Create new policy template
GET /api/automation/policy-templates/:id/versions — Get template version history
POST /api/automation/policy-templates/:id/deploy — Deploy template to tenants
GET /api/automation/policy-templates/:id/drift — Check for configuration drift
POST /api/automation/user-templates/:id/apply — Apply template to users
GET /api/automation/user-templates/:id/compliance — Check user compliance with template