Query Details

BYOD Accessing Privileged App

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d510
name: Intune - Personal / BYOD device enrolled accessing privileged app
description: |
  Detects a successful sign-in to a privileged / sensitive application (e.g. Azure Portal, Microsoft 365
  admin center, Exchange Admin Center) from a device that Intune reports as personally owned (BYOD).
  Registering a personal device is often the final step in identity → device-trust → policy-abuse chains.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneDevices
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
queryFrequency: 1h
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098.005
query: |
  // NetworkAllowlist watchlist: SearchKey must hold IPv4 addresses or CIDR ranges (e.g. 203.0.113.0/24)
  let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
  let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
  let privApps = dynamic([
      "Azure Portal","Microsoft Azure Management","Microsoft 365 admin center",
      "Exchange Admin Center","Microsoft Intune","Microsoft Admin Portals",
      "Azure Active Directory PowerShell","Microsoft Graph PowerShell"
  ]);
  let byod =
      IntuneDevices
      | where TimeGenerated > ago(7d)
      // IntuneDevices reports ownership in the Ownership column (Personal / Company); OwnerType is kept as a fallback
      | where tostring(column_ifexists("Ownership", column_ifexists("OwnerType", ""))) =~ "personal"
      // SigninLogs carries the Entra (Azure AD) device ID. In IntuneDevices that is ReferenceId; DeviceId is the
      // Intune managed-device ID and will not join. Verify both column names against your workspace schema.
      | extend EntraDeviceId = tostring(column_ifexists("ReferenceId", DeviceId)),
               IntuneDeviceId = tostring(DeviceId),
               DeviceName = tostring(DeviceName),
               DeviceUPN = tolower(tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", ""))))
      | where isnotempty(EntraDeviceId)
      | summarize arg_max(TimeGenerated, IntuneDeviceId, DeviceName, DeviceUPN) by EntraDeviceId
      | project EntraDeviceId, IntuneDeviceId, DeviceName, DeviceUPN;
  SigninLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == "0"
  | where AppDisplayName in~ (privApps)
  | extend EntraDeviceId = tostring(DeviceDetail.deviceId), UPN = tolower(UserPrincipalName)
  | where isnotempty(EntraDeviceId)
  // ipv4_is_in_any_range() returns null for IPv6 or malformed addresses, and `where not(null)` would drop
  // those rows silently; coalesce() keeps them in scope
  | where not(coalesce(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges), false))
  | join kind=inner byod on EntraDeviceId
  | project TimeGenerated, UPN, DeviceUPN, EntraDeviceId, IntuneDeviceId, DeviceName, AppDisplayName, IPAddress,
            Location = tostring(LocationDetails.countryOrRegion)
  | extend AccountCustomEntity = UPN, HostCustomEntity = DeviceName, IPCustomEntity = IPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query detects when a personal (BYOD, Bring Your Own Device) device enrolled in Intune is used to access a sensitive application, which can indicate that a compromised identity has been turned into a trusted device. A simplified breakdown of what the query does:

  1. Purpose: It identifies sign-ins to privileged applications such as the Azure Portal or the Microsoft admin centers that come from a device Intune records as personally owned. Registering a device the attacker controls is a common step in chains that go from a compromised identity to a trusted device and from there to policy abuse.

  2. Severity: Alerts are raised at medium severity.

  3. Data Sources: The Intune device inventory (the IntuneDevices table) and the Entra ID (Azure Active Directory) sign-in logs (SigninLogs).

  4. Frequency and Period: The rule runs every hour. The Intune side looks back seven days to build the list of personal devices; the sign-in side looks only at the last hour, so each run evaluates only new sign-ins.

  5. Detection Logic:

    • Builds the set of devices that Intune reported as personally owned within the last seven days, keeping the newest record per device.
    • Selects successful sign-ins (ResultType 0) from the past hour whose AppDisplayName is on the privileged-application list; the match is case-insensitive.
    • Excludes sign-ins from addresses in the NetworkAllowlist watchlist. Its SearchKey values must be IPv4 addresses or CIDR ranges, because ipv4_is_in_any_range() performs the comparison.
    • Joins the two sets on the device ID. SigninLogs exposes the Entra (Azure AD) device ID in DeviceDetail.deviceId, so the Intune side must supply that same Entra device ID rather than the Intune managed-device ID, or the join returns nothing.
  6. Output: Each match reports the sign-in time, user principal name (UPN), device ID and name, application accessed, source IP address, and country or region.

  7. Entity Mappings: Results are mapped to Account, Host, and IP entities so they can be investigated and acted on in Sentinel.

  8. Tactics and Techniques: The rule is tagged with the Persistence and Privilege Escalation tactics and references MITRE ATT&CK technique T1098.005 (Account Manipulation: Device Registration).

Overall, this query helps security teams spot sensitive applications being reached from personal devices, which, when the user did not intend it, can be a sign that an identity compromise has progressed to device registration.
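To exercise the detection logic end to end without a Sentinel workspace, here is an added Python model of the query above (example code written for this page, not the page's own query or Microsoft's code). It runs the same steps over constructed IntuneDevices and SigninLogs rows: newest personal-device record per Entra device ID, successful sign-ins to the privileged-application list within the last hour, allow-list exclusion, and the inner join. The device IDs, UPNs, addresses and watchlist contents are all made up, and treating the IntuneDevices ReferenceId column as the Entra device ID is an assumption to verify against your workspace schema. The one deliberate behavioural difference from the KQL is that the allow-list test never yields null, so an IPv6 sign-in stays in scope rather than being dropped by `where not(...)`.

```python
"""Offline model of the BYOD -> privileged-app detection over constructed sample rows.

Added example, not the page's own code. Field names follow the KQL columns
(IntuneDevices: DeviceId, ReferenceId, Ownership, UPN; SigninLogs: ResultType,
AppDisplayName, IPAddress, DeviceDetail.deviceId). Treating ReferenceId as the
Entra device ID is an assumption to verify against your workspace schema.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

PRIV_APPS = {a.lower() for a in [
    "Azure Portal", "Microsoft Azure Management", "Microsoft 365 admin center",
    "Exchange Admin Center", "Microsoft Intune", "Microsoft Admin Portals",
    "Azure Active Directory PowerShell", "Microsoft Graph PowerShell"]}

NOW = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the constructed data
DAY = timedelta(days=1)


def intune_row(days_ago, intune_id, entra_id, name, ownership, upn):
    """Build a constructed IntuneDevices row."""
    return {"TimeGenerated": NOW - days_ago * DAY, "DeviceId": intune_id, "ReferenceId": entra_id,
            "DeviceName": name, "Ownership": ownership, "UPN": upn}


def signin_row(minutes_ago, upn, app, ip, entra_id, result="0"):
    """Build a constructed SigninLogs row (ResultType is a string, as in the real table)."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "UserPrincipalName": upn,
            "ResultType": result, "AppDisplayName": app, "IPAddress": ip,
            "DeviceDetail": {"deviceId": entra_id}}


# aad-1111 was corporate six days ago and is now personal; aad-2222 is corporate.
INTUNE_DEVICES = [
    intune_row(6, "intune-a1", "aad-1111", "ALICE-LAPTOP", "Company", "alice@contoso.example"),
    intune_row(2, "intune-a1", "aad-1111", "ALICE-LAPTOP", "Personal", "alice@contoso.example"),
    intune_row(1, "intune-b2", "aad-2222", "BOB-DESKTOP", "Company", "bob@contoso.example"),
]
SIGNIN_LOGS = [
    signin_row(10, "Alice@contoso.example", "Azure Portal", "198.51.100.7", "aad-1111"),       # alert
    signin_row(20, "alice@contoso.example", "Azure Portal", "10.1.2.3", "aad-1111"),           # allow-listed
    signin_row(15, "bob@contoso.example", "Azure Portal", "198.51.100.8", "aad-2222"),         # corporate device
    signin_row(12, "alice@contoso.example", "Office 365 Exchange Online", "198.51.100.7", "aad-1111"),  # not privileged
    signin_row(5, "alice@contoso.example", "Microsoft Graph PowerShell", "2001:db8::10", "aad-1111"),  # alert (IPv6)
    signin_row(8, "alice@contoso.example", "Azure Portal", "198.51.100.7", "aad-1111", "50126"),  # failed sign-in
    signin_row(180, "alice@contoso.example", "Azure Portal", "198.51.100.7", "aad-1111"),      # outside 1h window
]
NETWORK_ALLOWLIST = ["10.0.0.0/8", "203.0.113.0/24"]   # constructed watchlist SearchKey values


def latest_personal_devices(rows, now, lookback=7 * DAY):
    """The byod CTE: rows marked personal within the window, newest record per Entra device ID.
    Like the KQL, ownership is filtered before arg_max, so a device with any personal record
    in the window matches even if its newest record says Company."""
    latest = {}
    for r in rows:
        if now - r["TimeGenerated"] > lookback or r.get("Ownership", "").lower() != "personal":
            continue
        key = r.get("ReferenceId") or r["DeviceId"]
        if key not in latest or r["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = r
    return latest


def in_allowlist(ip, ranges):
    """Allow-list test. ipv4_is_in_any_range() yields null for IPv6 or malformed input and
    `where not(null)` then drops the row; here such addresses return False and stay in scope."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in ranges)


def detect(signins, devices, allowlist, now, window=timedelta(hours=1)):
    """Main query: successful privileged-app sign-ins in the window from non-allow-listed
    addresses, inner-joined to personal devices on the Entra device ID."""
    byod = latest_personal_devices(devices, now)
    alerts = []
    for s in signins:
        if now - s["TimeGenerated"] > window or s["ResultType"] != "0":
            continue
        if s["AppDisplayName"].lower() not in PRIV_APPS or in_allowlist(s["IPAddress"], allowlist):
            continue
        dev = byod.get(s["DeviceDetail"].get("deviceId", ""))
        if dev is None:
            continue
        alerts.append({"TimeGenerated": s["TimeGenerated"], "UPN": s["UserPrincipalName"].lower(),
                       "DeviceUPN": dev["UPN"].lower(), "EntraDeviceId": dev["ReferenceId"],
                       "DeviceName": dev["DeviceName"], "AppDisplayName": s["AppDisplayName"],
                       "IPAddress": s["IPAddress"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SIGNIN_LOGS, INTUNE_DEVICES, NETWORK_ALLOWLIST, NOW):
        print(a["TimeGenerated"].isoformat(), a["UPN"], a["DeviceName"], a["AppDisplayName"], a["IPAddress"])
```

Running it yields two alerts, both for Alice's personal laptop: the Azure Portal sign-in from 198.51.100.7 and the Microsoft Graph PowerShell sign-in from the IPv6 address. The allow-listed, corporate-device, non-privileged, failed and stale sign-ins are all filtered, which is the set of conditions worth checking against a production workspace before trusting the rule's silence.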

Details


David Alonso

Released: April 22, 2026

Tables

IntuneDevices, SigninLogs

Keywords

Devices, Intune, User, Application, Network, Account, Host, IP, Location

Operators

let, project, toscalar, summarize, make_list, dynamic, where, ago, tostring, column_ifexists, =~, arg_max, tolower, in~, not, ipv4_is_in_any_range, extend, join kind=inner
