HUNT - Disabled or offboarded accounts with active Intune devices
Intune Offboarded Accounts Active Devices
Query
let disabled =
AuditLogs
| where TimeGenerated > ago(30d)
| where Category =~ "UserManagement"
| where OperationName has_any ("Disable account","Delete user","Soft delete user")
| mv-expand TargetResources
| extend UPN = tolower(tostring(TargetResources.userPrincipalName))
| where isnotempty(UPN)
| summarize DisabledOn = max(TimeGenerated) by UPN;
IntuneDevices
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
| extend UPN = tolower(tostring(UPN))
| join kind=inner disabled on UPN
| where todatetime(LastContact) > DisabledOn
| project UPN, DeviceId, DeviceName = tostring(DeviceName), OS = tostring(OS),
OSVersion = tostring(OSVersion), LastContact, DisabledOn,
ComplianceState = tostring(CompliantState)
| order by LastContact descExplanation
This query is designed to identify Intune-managed devices that are still active and associated with user accounts that have been disabled or offboarded in Entra ID (formerly known as Azure Active Directory). Here's a simple breakdown of what the query does:
-
Data Sources: It uses data from two sources:
- IntuneDevices: Information about devices managed by Intune.
- AuditLogs: Logs from Entra ID that track user account management activities.
-
Purpose: The goal is to find devices that are still enrolled and actively checking in, even though the associated user accounts have been disabled or deleted. These devices can pose a security risk as residual access points.
-
Process:
- Identify Disabled Accounts: The query first extracts user accounts that have been disabled or deleted in the past 30 days from the
AuditLogs. - Active Devices: It then looks at devices that have checked in with Intune in the past 7 days.
- Cross-Reference: By matching the user principal names (UPNs) from both datasets, it identifies devices that are still active but linked to disabled accounts.
- Filter and Display: It filters out devices that have had contact after the account was disabled and displays relevant information such as the device ID, name, operating system, last contact time, and compliance state.
- Identify Disabled Accounts: The query first extracts user accounts that have been disabled or deleted in the past 30 days from the
-
Security Context: This query is related to the "Persistence" tactic and the technique T1078, which involves valid accounts being used for persistence in a network.
-
Output: The result is a list of devices that need attention, as they may require wiping or retiring to prevent unauthorized access. The devices are sorted by the most recent contact time.
Overall, this query helps security teams identify and mitigate potential security risks associated with inactive user accounts that still have active devices in the network.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques