Query Details
id: 7b8c9d10-aaaa-4001-8001-00000000000E
name: HUNT - Disabled or offboarded accounts with active Intune devices
description: |
  Cross-references IntuneDevices with Entra ID `AuditLogs` for user account disable / delete
  operations. Devices still enrolled and checking in for a disabled identity are common residual
  access points and should be wiped or retired.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneDevices
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - Persistence
relevantTechniques:
  - T1078
query: |
  // Identities disabled or deleted in the last 30 days, keyed by lower-cased UPN
  let disabled =
      AuditLogs
      | where TimeGenerated > ago(30d)
      | where Category =~ "UserManagement"
      | where OperationName has_any ("Disable account","Delete user","Soft delete user")
      | mv-expand TargetResources
      | extend UPN = tolower(tostring(TargetResources.userPrincipalName))
      | where isnotempty(UPN)
      | summarize DisabledOn = max(TimeGenerated) by UPN;
  // Latest Intune inventory snapshot per device from the last 7 days
  IntuneDevices
  | where TimeGenerated > ago(7d)
  | summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
  | extend UPN = tolower(tostring(UPN))
  // Keep devices that contacted Intune after their user was disabled or deleted
  | join kind=inner disabled on UPN
  | where todatetime(LastContact) > DisabledOn
  | project UPN, DeviceId, DeviceName = tostring(DeviceName), OS = tostring(OS),
            OSVersion = tostring(OSVersion), LastContact, DisabledOn,
            ComplianceState = tostring(CompliantState)
  | order by LastContact desc
version: 1.0.0
This query identifies Intune-managed devices that are still checking in while the user account they are assigned to has been disabled or deleted in Entra ID (formerly Azure Active Directory). Here's a breakdown of what the query does:
Data Sources: It uses two tables: IntuneDevices (device inventory snapshots from the Intune connector, including the primary user's UPN, last contact time and compliance state) and Entra ID AuditLogs (user-management operations, including account disable and delete events).
Purpose: The goal is to find devices that are still enrolled and actively checking in even though the associated user accounts have been disabled or deleted. Such devices are residual access points: they can still hold cached credentials, tokens, VPN profiles and corporate data, and whoever holds the hardware can keep using them after the identity itself has been revoked.
Process: The `disabled` sub-query takes the last 30 days of AuditLogs, keeps UserManagement operations named "Disable account", "Delete user" or "Soft delete user", expands TargetResources to read the target user's UPN, and records the most recent disable or delete time per lower-cased UPN. The main query takes the last 7 days of IntuneDevices and keeps only the latest record per DeviceId (arg_max), so each device is reported once. It then inner-joins the two sets on the lower-cased UPN and keeps devices whose LastContact is later than DisabledOn, i.e. devices that have contacted Intune after the account was disabled.
Security Context: The query maps to the Persistence tactic and technique T1078 (Valid Accounts): a device that remains enrolled and trusted for a disabled identity is one way for access to persist after the account has been cut off.
Output: The result lists UPN, DeviceId, DeviceName, OS, OSVersion, LastContact, DisabledOn and ComplianceState for each device that needs attention, sorted by most recent contact first. These devices should be wiped or retired.
Caveats: The disable list is not cleared when an account is re-enabled, so an account that was disabled and then re-enabled within the 30-day window will still be reported if its device has checked in since the original disable; confirm the account's current state before acting. A device with no primary user (an empty UPN in IntuneDevices) cannot be joined and is silently excluded, so shared and kiosk devices need a separate check. Lower-casing both UPN columns before the join avoids missing matches caused by case differences between the two tables.
Overall, this query helps security teams identify and mitigate the residual access that offboarded accounts keep through devices that are still enrolled in Intune.
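The cross-reference logic described above, modelled in Python as an added example (this is not part of the original page and not Microsoft's or Sentinel's code): it runs the same steps, the 30-day disable list, the 7-day arg_max per DeviceId, the lower-cased UPN join and the LastContact > DisabledOn filter, over constructed AuditLogs and IntuneDevices rows so the logic can be tested offline. Everything here is constructed: the rows, the timestamps, the `audit`/`device` helpers and the `ignore_reenabled` option, which goes beyond the page's query by dropping accounts re-enabled after the disable and assumes Entra ID logs re-enables under the OperationName "Enable account". KQL `has_any` is approximated by substring matching.

```python
"""Offline model of the hunt: Entra ID disable/delete events joined to Intune device
snapshots. All rows below are constructed sample data, not real tenant data."""
from datetime import datetime, timedelta

NOW = datetime(2026, 4, 22, 12, 0, 0)  # stand-in for the query execution time
DISABLE_OPS = ("Disable account", "Delete user", "Soft delete user")
REENABLE_OP = "Enable account"  # assumption: the operation name Entra ID logs for re-enables


def audit(age, op, upn, category="UserManagement"):
    """Build one constructed AuditLogs row with only the columns the query reads."""
    return {"TimeGenerated": NOW - age, "Category": category, "OperationName": op,
            "TargetResources": [{"userPrincipalName": upn}]}


def device(snapshot_age, device_id, name, upn, last_contact_age, state="Compliant"):
    """Build one constructed IntuneDevices snapshot row."""
    return {"TimeGenerated": NOW - snapshot_age, "DeviceId": device_id, "DeviceName": name,
            "OS": "Windows", "OSVersion": "10.0.22631", "UPN": upn,
            "CompliantState": state, "LastContact": NOW - last_contact_age}


AUDIT_LOGS = [
    audit(timedelta(days=3), "Disable account", "Alice@Contoso.com"),   # mixed-case UPN
    audit(timedelta(days=5), "Delete user", "bob@contoso.com"),
    audit(timedelta(days=40), "Disable account", "carol@contoso.com"),  # outside 30d lookback
    audit(timedelta(days=4), "Disable account", "dave@contoso.com"),
    audit(timedelta(days=2), REENABLE_OP, "dave@contoso.com"),          # re-enabled afterwards
]

INTUNE_DEVICES = [
    device(timedelta(days=2), "dev-alice-1", "ALICE-LAPTOP", "alice@contoso.com",
           timedelta(days=2, hours=1)),
    device(timedelta(hours=6), "dev-alice-1", "ALICE-LAPTOP", "alice@contoso.com",
           timedelta(hours=7), state="Noncompliant"),       # newer snapshot of same device
    device(timedelta(hours=12), "dev-bob-1", "BOB-LAPTOP", "bob@contoso.com",
           timedelta(days=6)),                               # last check-in predates delete
    device(timedelta(hours=12), "dev-carol-1", "CAROL-LAPTOP", "carol@contoso.com",
           timedelta(hours=13)),
    device(timedelta(hours=12), "dev-dave-1", "DAVE-LAPTOP", "dave@contoso.com",
           timedelta(hours=13)),
    device(timedelta(hours=12), "dev-kiosk-1", "LOBBY-KIOSK", "",
           timedelta(hours=13)),                             # no primary user: cannot join
]


def disabled_accounts(audit_logs, now=NOW, lookback=timedelta(days=30), ignore_reenabled=False):
    """Model the `disabled` sub-query: latest disable/delete time per lower-cased UPN.
    ignore_reenabled=True is an extension not in the page's query: a later
    'Enable account' event for the same UPN drops that UPN from the result."""
    disabled, reenabled = {}, {}
    for row in audit_logs:
        if row["TimeGenerated"] <= now - lookback or row["Category"].lower() != "usermanagement":
            continue
        # has_any is approximated by substring matching on the operation name
        if any(op in row["OperationName"] for op in DISABLE_OPS):
            bucket = disabled
        elif row["OperationName"] == REENABLE_OP:
            bucket = reenabled
        else:
            continue
        for target in row["TargetResources"]:  # mv-expand TargetResources
            upn = (target.get("userPrincipalName") or "").lower()
            if upn:
                bucket[upn] = max(bucket.get(upn, row["TimeGenerated"]), row["TimeGenerated"])
    if ignore_reenabled:
        disabled = {u: t for u, t in disabled.items() if reenabled.get(u, t) <= t}
    return disabled


def latest_device_snapshots(intune_devices, now=NOW, lookback=timedelta(days=7)):
    """Model arg_max(TimeGenerated, *) by DeviceId over the last 7 days of snapshots."""
    latest = {}
    for row in intune_devices:
        if row["TimeGenerated"] <= now - lookback:
            continue
        key = str(row["DeviceId"])
        if key not in latest or row["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = row
    return latest


def hunt(audit_logs=AUDIT_LOGS, intune_devices=INTUNE_DEVICES, now=NOW, ignore_reenabled=False):
    """Inner-join the latest device snapshots to disabled identities on lower-cased UPN and
    keep devices whose LastContact is later than DisabledOn, newest contact first."""
    disabled = disabled_accounts(audit_logs, now, ignore_reenabled=ignore_reenabled)
    hits = []
    for dev in latest_device_snapshots(intune_devices, now).values():
        upn = (dev.get("UPN") or "").lower()
        if upn in disabled and dev["LastContact"] > disabled[upn]:
            hits.append({"UPN": upn, "DeviceId": dev["DeviceId"], "DeviceName": dev["DeviceName"],
                         "OS": dev["OS"], "OSVersion": dev["OSVersion"],
                         "LastContact": dev["LastContact"], "DisabledOn": disabled[upn],
                         "ComplianceState": dev["CompliantState"]})
    return sorted(hits, key=lambda h: h["LastContact"], reverse=True)
```

With the page's logic (`hunt()`), the sample data yields two hits, ALICE-LAPTOP and DAVE-LAPTOP, and the alice row carries the compliance state from the newest snapshot because arg_max is applied before the join. Bob's device is excluded because its last contact predates the delete, carol's because her disable falls outside the 30-day lookback, and the kiosk because it has no UPN to join on. `hunt(ignore_reenabled=True)` drops dave, illustrating the false positive the page's query produces for accounts that were re-enabled after the disable.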

David Alonso
Released: April 22, 2026