There are Configuration Types and configurations where certain changes cannot be performed through Configuration Manager.
You can identify them because their checkboxes are greyed out in Configuration Manager.
Why this restriction?
While Configuration Manager can create, delete, and update most supported configurations, not all changes can be made to all configurations. This restriction often arises because Microsoft does not permit alterations to certain default configurations within every tenant. Configuration Manager backs up any supported configuration it can access from your tenant, but it might not have the capability to update or delete everything.
For example, some defaults cannot be deleted, even directly through Microsoft's portal. Alternatively, some configurations can have their properties changed or updated, but cannot be created or deleted in a tenant.
In any case, hovering over the grey checkboxes will display a red warning indicating that the action of that checkbox cannot be performed, and providing further explanation regarding the limitations.
How can I hide/unhide unchangeable configurations?
To focus on configurations you can manage, Configuration Manager provides a checkbox to hide/unhide unchangeable configurations.
In the left bar, under the "By classification:" section, you will find a checkbox labeled “Unchangeable ”.
By enabling this checkbox, all configurations will be displayed in the comparison results list.
Conversely, when the checkbox is disabled, the unchangeable configurations will not be visible.
Configurations that cannot be managed: table
The table below outlines configurations that cannot be managed from the Reconcile page. These limitations are categorized into three designations: configurations that cannot be created, deleted, or updated. While these specific terms do not appear in the application interface (nor in Azure DevOps), they are used here to clearly illustrate the operational constraints of each configuration type.
- Can’t be created: configurations that cannot be created from scratch in a tenant where they’re not present, or configurations that are already available by default in every Microsoft tenant.
Example: if a baseline tenant has a configuration marked as “Can’t be created”, it cannot be imported into a downstream tenant that does not have that configuration.
- Can’t be deleted: configurations that cannot be deleted from a tenant.
Example: if a configuration marked as "Can’t be deleted" was created directly in the M365 tenant, it cannot be removed to revert to a previous state.
- Can’t be updated: configurations that cannot be modified once they are present in Configuration Manager.
For example, If a configuration marked as "Can't be updated" was altered directly in the Microsoft 365 tenant, you cannot revert to the previous version.
Please note that the configurations listed below are the “default” ones. If a configuration not included in this list references (or is referenced by) a configuration that cannot be managed, then both configurations will be unmanageable by Configuration Manager.
| Namespace | Description | Can’t be created | Can’t be deleted | Can’t be updated |
|---|---|---|---|---|
| AadIam:EnterpriseApplicationUserSettings | Entra ID > Enterprise Applications > User Settings | X | X | |
| AadIam:EnterpriseStateRoaming | Entra ID > Devices > Enterprise State Roaming | X | X | |
| AadIam:ExternalUserGuestSettings | Entra ID > External User Guest Settings | X | X | |
| AadIam:GroupSettings | Entra ID > Group Settings | X | X | |
| AadIam:MdmApplications | Entra ID > Mobility (MDM and MAM) | X | X | |
| AadIam:PasswordResetPolicies | Entra ID > Password Reset | X | X | |
| AadIam:UserSettings | Entra ID > User Settings | X | X | |
| AzureManagement:Subscriptions:ResourceGroups:Providers:Microsoft:Storage:StorageAccounts | Azure > Resource Groups > Storage Accounts | X | X | X |
| ExchangeOnline:AcceptedDomain | Microsoft 365 > Exchange > Mail Flow > Accepted Domains | X | X | |
| ExchangeOnline:AdminAuditLogConfig | Microsoft 365 > Exchange > Admin Audit Log Config | X | X | |
| ExchangeOnline:AtpPolicyForO365 | Microsoft 365 > Security & Compliance > Threat Management > Policy > Global Settings | X | X | |
| ExchangeOnline:CASMailboxPlan | Microsoft 365 > Exchange > CAS Mailbox Plan | X | X | |
| ExchangeOnline:DistributionGroupMember | Microsoft 365 > Exchange > Distribution Groups > Members | X | ||
| ExchangeOnline:DkimSigningConfig | Microsoft 365 > Exchange > DomainKeys Identified Mail Signing Config | X | ||
| ExchangeOnline:ExternalInOutlook | Microsoft 365 > Exchange > Tag External Emails | X | X | |
| ExchangeOnline:HostedConnectionFilterPolicy | Microsoft 365 > Security & Compliance > Hosted Connection Filter Policies | X | X | |
| ExchangeOnline:IRMConfiguration | Microsoft 365 > Exchange > IRM Configuration | X | X | |
| ExchangeOnline:MailboxPermission | Microsoft 365 > Exchange > Mailboxes > Permissions | X | ||
| ExchangeOnline:MailboxPlan | Microsoft 365 > Exchange > Mailbox Plans | X | X | |
| ExchangeOnline:OrganizationConfig | Microsoft 365 > Exchange > Organization Config | X | X | |
| ExchangeOnline:TransportConfig | Microsoft 365 > Exchange > Transport Config | X | X | |
| MSGraph:Admin:Sharepoint:Settings | SharePoint > Settings | X | X | |
| MSGraph:AdministrativeUnits:Members:Ref | Entra ID > Administrative Units > Members | X | ||
| MSGraph:Applications:PasswordCredentials | Entra ID > App Registrations > Secrets | X | X | X |
| MSGraph:Applications:TokenLifetimePolicies:Ref | Entra ID > App Registrations > Token Lifetime Policies | X | ||
| MSGraph:DeviceAppManagement:MobileApps:Assignments | Intune > Apps | X | ||
| MSGraph:DeviceManagement | Intune > Devices > Compliance Policies > Compliance Policy Settings | X | X | |
| MSGraph:DeviceManagement:DeviceConfiguration:Assignments | Intune > Devices > Configuration Profiles > Assignments | X | ||
| MSGraph:DeviceManagement:GroupPolicyConfigurations:Assignments | Intune > Devices > Configuration Profiles (Profile Type = Administrative Templates) > Assignments | X | ||
| MSGraph:DeviceManagement:GroupPolicyDefinitions | Intune > Devices > Configuration Profiles (Profile Type = Administrative Templates) | X | X | |
| MSGraph:DeviceManagement:GroupPolicyUploadedDefinitionFiles | Intune > Devices > Configuration Profiles (Import ADMX) | X | X | |
| MSGraph:DeviceManagement:Intents:Settings | Intune > Endpoint Security > Settings | X | X | |
| MSGraph:DeviceManagement:RoleScopeTags:Assignments | Intune > Tenant Administration > Roles > Scope Tags > Assignments | X | ||
| MSGraph:DeviceManagement:Templates | Intune > Endpoint Security > Security Baselines | X | X | X |
| MSGraph:DeviceManagement:WindowsAutopilotDeploymentProfiles:Assignments | Intune > Devices > Windows Autopilot Deployment | X | ||
| MSGraph:Directory:AttributeSets | Entra ID > Custom Security Attributes | X | ||
| MSGraph:Directory:CustomSecurityAttributeDefinitions | Entra ID > Custom Security Attributes | X | ||
| MSGraph:Directory:CustomSecurityAttributeDefinitions:AllowedValues | Entra ID > Custom Security Attributes > Allowed Values | X | ||
| MSGraph:Directory:OnPremisesSynchronization | Entra ID > Password Reset > On-premises Integration | X | X | |
| MSGraph:DirectoryRoles | Entra ID > Roles and Administrators | X | X | |
| MSGraph:Groups:GroupLifecyclePolicies | Entra ID > Groups > Expiration | X | ||
| MSGraph:Groups:Members:Ref | Entra ID > Groups > Members | X | ||
| MSGraph:Groups:Owners:Ref | Entra ID > Groups > Owners | X | ||
| MSGraph:IdentityGovernance:EntitlementManagement:ConnectedOrganizations:ExternalSponsors:Ref | Entra ID > Identity Governance > Connected Organizations > External Sponsors | X | ||
| MSGraph:IdentityGovernance:EntitlementManagement:ConnectedOrganizations:InternalSponsors:Ref | Entra ID > Identity Governance > Connected Organizations > Internal Sponsors | X | ||
| MSGraph:IdentityProtection:Settings:Notifications | Entra ID > Security > Identity Protection > Users at Risk Detected Alerts | X | X | |
| MSGraph:Licenses:Assignments | Entra ID > Licenses > All Products | X | ||
| MSGraph:Organization | Entra ID > Organization (Company Branding) | X | X | |
| MSGraph:Policies:AuthenticationFlowsPolicy | Entra ID > Users > User Settings > External Users | X | X | |
| MSGraph:Policies:AuthenticationMethodsPolicy | Entra ID > External Collaboration Settings | X | X | |
| MSGraph:Policies:AuthenticationMethodsPolicy:AuthenticationMethodConfigurations | Entra ID > External Collaboration Settings > Authentication Method Configurations | X | X | |
| MSGraph:Policies:AuthorizationPolicy | Entra ID > Authorization Policies | X | X | |
| MSGraph:Policies:CrossTenantAccessPolicy | Entra ID > External Identities > Cross-tenant Access Settings > Microsoft Cloud Settings | X | X | |
| MSGraph:Policies:CrossTenantAccessPolicy:Default | Entra ID > External Identities > Cross-tenant Access Settings > Default Settings | X | X | |
| MSGraph:Policies:DeviceRegistrationPolicy | Entra ID > Devices > Device Settings | X | ||
| MSGraph:Policies:FeatureRolloutPolicies:AppliesTo:Ref | Entra ID > Feature Rollout > Applies to | X | ||
| MSGraph:Policies:RoleManagementPolicies | Entra ID > Privileged Identity Management > Policies and Rules | X | X | X |
| MSGraph:Policies:RoleManagementPolicies:Rules | Entra ID > Privileged Identity Management > Policies and Rules > Rules | X | X | |
| MSGraph:RoleManagement:Directory:RoleAssignments | Entra ID > Roles and Administrators | X | ||
| MSGraph:ServicePrincipals:HomeRealmDiscoveryPolicies:Ref | Entra ID > Enterprise Applications > Home Realm Discovery Policies | X | ||
| O365Portal:Reports:ProductivityScoreCustomerOption | M365 Admin Center > Settings > Org Settings > Adoption Score | X | X | |
| O365Portal:Services:Apps:VivaInsights | Microsoft 365 Admin Center > Settings > Org Settings > Services > Microsoft Viva Insights (Formerly MyAnalytics) | X | X | |
| O365Portal:Settings:Apps:OfficeForms | M365 Admin Center > Settings > Org Settings > Microsoft Forms | X | X | |
| O365Portal:Settings:Security:ActivityBasedTimeout | M365 Admin Center > Settings > Org Settings > Security & Privacy > Idle Session Timeout | X | X | |
| SecurityAndCompliance:AuditConfigurationPolicy | Microsoft 365 > Security & Compliance > Audit Configuration Policy | X | ||
| SecurityAndCompliance:DlpSensitiveInformationType | Microsoft 365 > Security & Compliance > DLP Sensitive Information Types | X | X | |
| SharePoint:TenantProperties | SharePoint Admin Center > Settings and Policies | X | X | |
| Teams:CsTeamsClientConfiguration | Microsoft 365 > Teams > Org-wide Settings > Teams Settings | X | X | |
| Teams:CsTeamsMeetingConfiguration | Microsoft 365 > Teams > Meetings > Meeting Settings | X | X | |
| Teams:CsTenantFederation | Microsoft 365 > Teams > Users > External Access | X | X |