Query Details

Intune - Personal / BYOD device enrolled accessing privileged app

BYOD Accessing Privileged App

Query

let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
let privApps = dynamic([
    "Azure Portal","Microsoft Azure Management","Microsoft 365 admin center",
    "Exchange Admin Center","Microsoft Intune","Microsoft Admin Portals",
    "Azure Active Directory PowerShell","Microsoft Graph PowerShell"
]);
let byod =
    IntuneDevices
    | where TimeGenerated > ago(7d)
    | where tostring(column_ifexists("OwnerType", "")) =~ "personal"
    | summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
    | project DeviceId, DeviceName = tostring(DeviceName),
              UPN = tolower(tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", ""))));
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where AppDisplayName in~ (privApps)
| where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
| extend DeviceId = tostring(DeviceDetail.deviceId), UPN = tolower(UserPrincipalName)
| join kind=inner byod on DeviceId
| project TimeGenerated, UPN, DeviceId, DeviceName, AppDisplayName, IPAddress,
          Location=tostring(LocationDetails.countryOrRegion)
| extend AccountCustomEntity = UPN, HostCustomEntity = DeviceName, IPCustomEntity = IPAddress

Explanation

This query is designed to detect when a personal or BYOD (Bring Your Own Device) is used to access sensitive applications, which could indicate a potential security risk. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies instances where a personal device, enrolled in Intune, accesses privileged applications like Azure Portal or Microsoft Admin centers. This is often a step in potential security threats involving identity misuse or policy abuse.

  2. Severity: The alert generated by this query is considered to have a medium severity level.

  3. Data Sources: The query uses data from Intune logs (specifically, IntuneDevices) and Azure Active Directory sign-in logs.

  4. Frequency and Period: The query runs every hour and looks back over the past seven days of data.

  5. Detection Logic:

    • It first identifies personal devices enrolled in Intune within the last seven days.
    • It then checks the sign-in logs from the past hour to see if these devices accessed any of the specified privileged applications.
    • It excludes access from IP addresses that are on an allowed list (NetworkAllowlist).
  6. Output: If a match is found, it provides details such as the time of access, user principal name (UPN), device ID and name, application accessed, IP address, and location.

  7. Entity Mappings: The query maps the results to specific entities like Account, Host, and IP for easier analysis and response.

  8. Tactics and Techniques: The query is associated with tactics like Persistence and Privilege Escalation, and it references a specific MITRE ATT&CK technique (T1098.005).

Overall, this query helps security teams monitor and respond to potential unauthorized access to sensitive applications using personal devices, which could be a sign of a security breach.

Details

David Alonso profile picture

David Alonso

Released: April 22, 2026

Tables

IntuneDevicesSigninLogs

Keywords

DevicesIntuneUserApplicationNetworkAccountHostIPLocation

Operators

letprojecttoscalarsummarizemake_listdynamicwhereagotostringcolumn_ifexists=~arg_maxtolowerin~notipv4_is_in_any_rangeextendjoinkind=inner

Severity

Medium

Tactics

PersistencePrivilegeEscalation

MITRE Techniques

Frequency: 1h

Period: 7d

Actions

GitHub