HUNT - Recent Intune policy assignment / unassignment changes
Intune Policy Assignment Changes
Query
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| where Category in~ ("Compliance","DeviceConfiguration","ApplicationManagement")
| where OperationName has_any ("assign","Assignment","unassign","Scope","GroupAssignment")
| extend Props = parse_json(tostring(Properties))
| extend Actor = tostring(Identity)
| extend PolicyName = tostring(Props.TargetDisplayName)
| extend PolicyType = tostring(Props.TargetObjectType)
| extend Modified = tostring(Props.ModifiedProperties)
| project TimeGenerated, Actor, OperationName, Category, PolicyType, PolicyName, Modified
| order by TimeGenerated descExplanation
This query is designed to identify recent changes in Intune policy assignments, specifically focusing on compliance, configuration, app protection, and app configuration policies. It pulls data from IntuneAuditLogs within the last seven days to detect any assignment or unassignment activities, as well as changes in scoping or group assignments. These changes can be indicative of attempts to bypass compliance by excluding certain groups or devices from policy enforcement.
Here's a breakdown of what the query does:
- Data Source: It uses data from the
IntuneAuditLogsvia the Azure Monitor connector. - Time Frame: The query looks at logs generated in the past seven days.
- Categories: It filters logs related to "Compliance", "DeviceConfiguration", and "ApplicationManagement".
- Operations: It searches for operations involving assignment, unassignment, and scope changes.
- Data Extraction: It extracts details such as the actor (who made the change), the policy name and type, and any modified properties.
- Output: The results include the time of the change, the actor, the operation performed, the category of the policy, the type and name of the policy, and what was modified.
- Sorting: The results are ordered by the time they were generated, with the most recent changes appearing first.
This query is useful for security teams to monitor and investigate potential defense evasion tactics (Technique T1562) by tracking changes in Intune policy assignments.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques