Query Details

Intune Policy Assignment Changes

Query

id: 7b8c9d10-aaaa-4001-8001-00000000000F
name: HUNT - Recent Intune policy assignment / unassignment changes
description: |
  Surfaces recent Intune policy assignment changes from IntuneAuditLogs — Compliance, Configuration,
  App Protection and App Configuration policies. Scoping changes are a common precursor to
  compliance bypass because they exclude target groups/devices from enforcement.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneAuditLogs
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  IntuneAuditLogs
  | where TimeGenerated > ago(7d)
  | where Category in~ ("Compliance","DeviceConfiguration","ApplicationManagement")
  | where OperationName has_any ("assign","Assignment","unassign","Scope","GroupAssignment")
  | extend Props = parse_json(tostring(Properties))
  | extend Actor       = tostring(Identity)
  | extend PolicyName  = tostring(Props.TargetDisplayName)
  | extend PolicyType  = tostring(Props.TargetObjectType)
  | extend Modified    = tostring(Props.ModifiedProperties)
  | project TimeGenerated, Actor, OperationName, Category, PolicyType, PolicyName, Modified
  | order by TimeGenerated desc
version: 1.0.0

Explanation

This query is designed to identify recent changes in Intune policy assignments, specifically focusing on compliance, configuration, app protection, and app configuration policies. It pulls data from IntuneAuditLogs within the last seven days to detect any assignment or unassignment activities, as well as changes in scoping or group assignments. These changes can be indicative of attempts to bypass compliance by excluding certain groups or devices from policy enforcement.

Here's a breakdown of what the query does:

  1. Data Source: It uses data from the IntuneAuditLogs via the Azure Monitor connector.
  2. Time Frame: The query looks at logs generated in the past seven days.
  3. Categories: It filters logs related to "Compliance", "DeviceConfiguration", and "ApplicationManagement".
  4. Operations: It searches for operations involving assignment, unassignment, and scope changes.
  5. Data Extraction: It extracts details such as the actor (who made the change), the policy name and type, and any modified properties.
  6. Output: The results include the time of the change, the actor, the operation performed, the category of the policy, the type and name of the policy, and what was modified.
  7. Sorting: The results are ordered by the time they were generated, with the most recent changes appearing first.

This query is useful for security teams to monitor and investigate potential defense evasion tactics (Technique T1562) by tracking changes in Intune policy assignments.
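To make the filter semantics concrete (the case-insensitive `in~` on Category, the whole-term `has_any` on OperationName, the seven-day window and the Properties parsing), here is an added Python rendering of the query run over constructed audit rows. It is not part of the original query page; the record shape, the sample values and the `\w+` term splitting used to approximate Kusto term matching are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Filter values lifted from the query. KQL `in~` is case-insensitive membership; `has_any` is a
# case-insensitive whole-term match, approximated by \w+ tokens ("assign" matches "Assign X", not "PatchAssignment").
CATEGORIES = {"compliance", "deviceconfiguration", "applicationmanagement"}
OPERATION_TERMS = {"assign", "assignment", "unassign", "scope", "groupassignment"}

def has_any(text, terms):
    return any(tok.lower() in terms for tok in re.findall(r"\w+", text))

def tostring(value):  # KQL tostring(): strings pass through, null -> "", dynamic values are JSON-encoded
    return value if isinstance(value, str) else ("" if value is None else json.dumps(value))

def hunt_assignment_changes(records, now, window=timedelta(days=7)):
    rows = []
    for r in records:
        if r["TimeGenerated"] <= now - window:                # TimeGenerated > ago(7d)
            continue
        if r["Category"].lower() not in CATEGORIES:           # Category in~ (...)
            continue
        if not has_any(r["OperationName"], OPERATION_TERMS):  # OperationName has_any (...)
            continue
        props = r["Properties"]                                # parse_json(tostring(Properties))
        props = json.loads(props) if isinstance(props, str) else props
        rows.append({
            "TimeGenerated": r["TimeGenerated"], "Actor": r["Identity"],
            "OperationName": r["OperationName"], "Category": r["Category"],
            "PolicyType": tostring(props.get("TargetObjectType")),
            "PolicyName": tostring(props.get("TargetDisplayName")),
            "Modified": tostring(props.get("ModifiedProperties")),
        })
    return sorted(rows, key=lambda x: x["TimeGenerated"], reverse=True)   # order by TimeGenerated desc

NOW = datetime(2026, 4, 22, tzinfo=timezone.utc)
SAMPLE = [  # constructed records, not real IntuneAuditLogs rows
    {"TimeGenerated": NOW - timedelta(days=1), "Category": "compliance", "Identity": "admin@contoso.example",
     "OperationName": "Assign DeviceCompliancePolicy",
     "Properties": '{"TargetObjectType": "DeviceCompliancePolicy", "TargetDisplayName": "Baseline compliance",'
                   ' "ModifiedProperties": [{"Name": "Assignments", "Old": "[all-users]", "New": "[]"}]}'},
    {"TimeGenerated": NOW - timedelta(days=2), "Category": "DeviceConfiguration", "Identity": "admin@contoso.example",
     "OperationName": "Patch DeviceConfiguration", "Properties": {"TargetDisplayName": "Wi-Fi profile"}},
    {"TimeGenerated": NOW - timedelta(days=3), "Category": "ApplicationManagement", "Identity": "svc-automation",
     "OperationName": "Update GroupAssignment",
     "Properties": {"TargetObjectType": "ManagedAppConfiguration", "TargetDisplayName": "Finance app config"}},
    {"TimeGenerated": NOW - timedelta(days=10), "Category": "Compliance", "Identity": "admin@contoso.example",
     "OperationName": "Assign DeviceCompliancePolicy", "Properties": {"TargetDisplayName": "Outside window"}},
]
```

Running `hunt_assignment_changes(SAMPLE, NOW)` keeps only the two rows that are inside the window and carry an assignment-related term; the "Patch DeviceConfiguration" row is dropped because no whole term matches, which is the behaviour to keep in mind when tuning the `has_any` list.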

Details

David Alonso

Released: April 22, 2026

Tables

IntuneAuditLogs

Keywords

Intune, Policy, Assignment, Unassignment, Changes, Compliance, Configuration, App Protection, App Configuration, Devices, Groups, Enforcement, Logs, Time, Category, OperationName, Identity, Properties, Actor, PolicyName, PolicyType, Modified

Operators

IntuneAuditLogs, where, ago, in~, has_any, extend, parse_json, tostring, project, order by, desc