Query Details

Audit Show Deleted Devices

Query

// Show devices that have been deleted from Intune and who initiated that.
IntuneAuditLogs
| where OperationName has "Delete ManagedDevice"
| extend User = tostring(todynamic(Properties).Actor.UPN)
| extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0])
| join kind=leftouter IntuneDevices on DeviceId // DeviceName from IntuneDevices
| distinct TimeGenerated, User, DeviceName
| sort by TimeGenerated desc 

Explanation

This query is designed to display a list of devices that have been removed from Intune, along with the user who initiated the deletion. It first filters the audit logs to only include operations where a managed device was deleted. It then extracts the user and device ID from the properties of these operations.

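The query then performs a left outer join with the IntuneDevices table on DeviceId to get the device name. Because the join is a left outer join, a deletion with no matching row in IntuneDevices still appears in the results, with an empty DeviceName. The 'distinct' operator then ensures that each entry in the result is unique across the time the operation was generated, the user, and the device name. Finally, the query sorts the results in descending order based on the time the operation was generated.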
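The same logic run against inline sample data, as an added example that is not part of the original query page: it shows how repeated IntuneDevices rows for one device are collapsed by `distinct`, and how a deleted device with no IntuneDevices row comes back with an empty DeviceName. The table names `SampleAuditLogs` and `SampleDevices`, the UPNs, the device IDs and the non-delete operation name are constructed for illustration, and the Properties JSON is reduced to the two fields the query reads.

```kusto
// Constructed sample rows; the real tables have many more columns.
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, Properties:string)
[
    datetime(2022-07-20 09:15:00), "Delete ManagedDevice",
        '{"Actor":{"UPN":"admin1@example.com"},"TargetObjectIds":["11111111-1111-1111-1111-111111111111"]}',
    datetime(2022-07-21 14:02:00), "Delete ManagedDevice",
        '{"Actor":{"UPN":"admin2@example.com"},"TargetObjectIds":["22222222-2222-2222-2222-222222222222"]}',
    // Constructed non-delete operation, dropped by the where filter.
    datetime(2022-07-21 14:05:00), "Patch ManagedDevice",
        '{"Actor":{"UPN":"admin2@example.com"},"TargetObjectIds":["11111111-1111-1111-1111-111111111111"]}'
];
let SampleDevices = datatable(TimeGenerated:datetime, DeviceId:string, DeviceName:string)
[
    // Two inventory rows for the same device; the second deleted device has no row at all.
    datetime(2022-07-18 02:00:00), "11111111-1111-1111-1111-111111111111", "LAPTOP-001",
    datetime(2022-07-19 02:00:00), "11111111-1111-1111-1111-111111111111", "LAPTOP-001"
];
SampleAuditLogs
| where OperationName has "Delete ManagedDevice"
// Properties is a JSON string: parse it, then pull the actor and the first target ID.
| extend User = tostring(todynamic(Properties).Actor.UPN)
| extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0])
// leftouter keeps every deletion even when the device has no inventory row.
| join kind=leftouter SampleDevices on DeviceId
// The join emits one row per matching inventory row; distinct collapses them.
| distinct TimeGenerated, User, DeviceName
| sort by TimeGenerated desc
```

Adding DeviceId to the `distinct` column list keeps an identifier in the output for deletions where DeviceName is empty.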

Details

Ugur Koc

Released: July 27, 2022

Tables

IntuneAuditLogs, IntuneDevices

Keywords

IntuneAuditLogs,OperationName,DeleteManagedDevice,User,Properties,Actor,UPN,DeviceId,TargetObjectIds,IntuneDevices,DeviceName,TimeGenerated

Operators

IntuneAuditLogs, where, has, extend, tostring, todynamic, join, kind=leftouter, IntuneDevices, on, distinct, TimeGenerated, User, DeviceName, sort by, desc