Query Details
Intune Devices Visualize Device Join Typeby Week
Query
//Visualize the join type (Azure AD joined, Azure AD registered or Hybrid joined) of your MEM/Intune devices per week
//Data connector required for this query - Intune data sent to Sentinel workspace
IntuneDevices
//Gets all data generated in 180 days
| where TimeGenerated > ago(180d)
//Optionally filter only devices have contact to Intune in 30 days
| where todatetime(LastContact) > ago (30d)
| summarize arg_max(TimeGenerated, *) by DeviceName, startofweek(TimeGenerated)
| where OS == "Windows"
| summarize JoinSummary=count()by JoinType, startofweek(TimeGenerated)
| where isnotempty(JoinType)
| render columnchart
with (
kind=unstacked,
ytitle="Device Count",
xtitle="Week",
title="Device count by join type per week") Explanation
This query visualizes the join type (Azure AD joined, Azure AD registered, or Hybrid joined) of MEM/Intune devices per week. It requires a data connector to Intune data sent to the Sentinel workspace. The query filters the data to include only devices that have had contact with Intune in the last 30 days and have an operating system of Windows. It then summarizes the data by the join type and week, counting the number of devices for each join type. The resulting visualization is a column chart showing the device count by join type per week.
Details
Matt Zorich
Released: June 17, 2022
Tables
IntuneDevices
Keywords
Devices,Intune,User
Operators
| where| summarize| by| ago| todatetime| isnotempty| render| with| kind| ytitle| xtitle| title