Query Details
Device Visualize The Join Type
Query
// Visualize the join type (Azure AD joined, Azure AD registered or Hybrid joined) of your MEM/Intune devices per week
// See here: https://github.com/reprise99/Sentinel-Queries/blob/main/Intune/IntuneDevices-VisualizeDeviceJoinTypebyWeek.kql
IntuneDevices
| where todatetime(LastContact) > ago (30d) // Filter only devices the have contacted Intune in the last 30 days
| summarize arg_max(TimeGenerated, *) by DeviceName, startofweek(TimeGenerated)
| where OS == "Windows"
| summarize JoinSummary=count()by JoinType, startofweek(TimeGenerated)
| where isnotempty(JoinType)
| render columnchart
with (
kind=unstacked,
ytitle="Device Count",
xtitle="Week",
title="Device Number by join type per week")
Explanation
This query is designed to create a visual representation (specifically a column chart) of the different types of device join statuses (Azure AD joined, Azure AD registered or Hybrid joined) for devices managed by Microsoft Endpoint Manager (MEM) or Intune. The data is displayed on a weekly basis.
The query first filters out devices that have not contacted Intune in the last 30 days. Then, it further narrows down the data to only include devices running the Windows operating system. The chart displays the number of devices for each join type per week.
Details
Ugur Koc
Released: July 11, 2022
Tables
IntuneDevices
Keywords
IntuneDevices,LastContact,TimeGenerated,DeviceName,OS,JoinType,DeviceCount,Week,DeviceNumber,JoinType
Operators
todatetime()ago()summarize()arg_max()where()count()isnotempty()render()startofweek()with()