Intune - Personal / BYOD device enrolled accessing privileged app
BYOD Accessing Privileged App
Query
let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
let privApps = dynamic([
"Azure Portal","Microsoft Azure Management","Microsoft 365 admin center",
"Exchange Admin Center","Microsoft Intune","Microsoft Admin Portals",
"Azure Active Directory PowerShell","Microsoft Graph PowerShell"
]);
let byod =
IntuneDevices
| where TimeGenerated > ago(7d)
| where tostring(column_ifexists("OwnerType", "")) =~ "personal"
| summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
| project DeviceId, DeviceName = tostring(DeviceName),
UPN = tolower(tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", ""))));
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where AppDisplayName in~ (privApps)
| where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
| extend DeviceId = tostring(DeviceDetail.deviceId), UPN = tolower(UserPrincipalName)
| join kind=inner byod on DeviceId
| project TimeGenerated, UPN, DeviceId, DeviceName, AppDisplayName, IPAddress,
Location=tostring(LocationDetails.countryOrRegion)
| extend AccountCustomEntity = UPN, HostCustomEntity = DeviceName, IPCustomEntity = IPAddressExplanation
This query is designed to detect when a personal or BYOD (Bring Your Own Device) is used to access sensitive applications, which could indicate a potential security risk. Here's a simplified breakdown of what the query does:
-
Purpose: It identifies instances where a personal device, enrolled in Intune, accesses privileged applications like Azure Portal or Microsoft Admin centers. This is often a step in potential security threats involving identity misuse or policy abuse.
-
Severity: The alert generated by this query is considered to have a medium severity level.
-
Data Sources: The query uses data from Intune logs (specifically, IntuneDevices) and Azure Active Directory sign-in logs.
-
Frequency and Period: The query runs every hour and looks back over the past seven days of data.
-
Detection Logic:
- It first identifies personal devices enrolled in Intune within the last seven days.
- It then checks the sign-in logs from the past hour to see if these devices accessed any of the specified privileged applications.
- It excludes access from IP addresses that are on an allowed list (NetworkAllowlist).
-
Output: If a match is found, it provides details such as the time of access, user principal name (UPN), device ID and name, application accessed, IP address, and location.
-
Entity Mappings: The query maps the results to specific entities like Account, Host, and IP for easier analysis and response.
-
Tactics and Techniques: The query is associated with tactics like Persistence and Privilege Escalation, and it references a specific MITRE ATT&CK technique (T1098.005).
Overall, this query helps security teams monitor and respond to potential unauthorized access to sensitive applications using personal devices, which could be a sign of a security breach.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 7d