Intune - MDM enrollment or check-in failure spike per user
Intune Operational Failure Spike
Query
let threshold = 15;
IntuneOperationalLogs
| where TimeGenerated > ago(30m)
| where Result =~ "Failure" or tostring(OperationName) has_any ("Enrollment","CheckIn","Sync")
| extend Props = parse_json(tostring(Properties))
| extend UPN = tolower(coalesce(tostring(Props.Upn), tostring(Props.UserPrincipalName), tostring(column_ifexists("Identity", ""))))
| extend Reason = tostring(coalesce(tostring(column_ifexists("ResultReason", "")), tostring(Props.ResultReason)))
| where isnotempty(UPN)
| summarize Failures = count(),
Operations = make_set(OperationName, 20),
Reasons = make_set(Reason, 20),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UPN
| where Failures >= threshold
| extend AccountCustomEntity = UPNExplanation
This query is designed to detect unusual spikes in failures related to Intune enrollment or check-in for individual users. Here's a simplified breakdown:
-
Purpose: It identifies when a single user experiences an abnormal increase in failures during Intune enrollment or check-in processes. This could suggest potential security issues like unauthorized enrollment attempts or testing for weak configurations.
-
Severity: The alert is considered medium severity.
-
Data Source: It uses data from IntuneOperationalLogs, which are part of Azure Monitor's Intune logs.
-
Frequency and Duration: The query runs every 30 minutes and looks at data from the past 6 hours.
-
Trigger Condition: The alert triggers if there are more than 15 failures for a user within the specified time frame.
-
Analysis: The query checks for failure results in operations related to "Enrollment," "CheckIn," or "Sync." It collects details like the number of failures, types of operations, reasons for failures, and the time range of these events.
-
Output: If the number of failures exceeds the threshold, it flags the user (identified by their User Principal Name) as a potential issue.
-
Security Context: The query is associated with tactics like Initial Access and Reconnaissance and techniques such as T1078 (Valid Accounts) and T1595 (Active Scanning).
-
Entity Mapping: It maps the detected user to an account entity for further investigation.
Overall, this query helps in identifying potential security threats by monitoring for unusual patterns in Intune-related failures for individual users.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 30m
Period: 6h