Intune - Compliance or configuration policy modified or deleted
Intune Policy Tampering
Query
let sensitiveOps = dynamic([
"Delete DeviceCompliancePolicy","Patch DeviceCompliancePolicy",
"Delete DeviceConfiguration","Patch DeviceConfiguration",
"Delete DeviceManagementConfigurationPolicy","Patch DeviceManagementConfigurationPolicy",
"Delete CompliancePolicyAssignment","Patch CompliancePolicyAssignment",
"Delete ConditionalAccessPolicy","Patch ConditionalAccessPolicy"
]);
IntuneAuditLogs
| where TimeGenerated > ago(1h)
| where OperationName in~ (sensitiveOps) or OperationName has_any ("Delete","Patch") and OperationName has_any ("Compliance","Configuration")
| extend Props = parse_json(tostring(Properties))
| extend TargetObjectName = tostring(Props.TargetObjectName),
TargetObjectType = tostring(Props.TargetObjectType),
ModifiedProperties = tostring(Props.ModifiedProperties)
| project TimeGenerated, Identity, OperationName, TargetObjectName, TargetObjectType, ModifiedProperties, ResultType
| extend AccountCustomEntity = tostring(Identity)Explanation
This query is designed to monitor and detect any unauthorized or suspicious changes to Intune device compliance policies, configuration profiles, or Conditional Access device filters. Here's a breakdown of what it does:
-
Purpose: It identifies modifications or deletions of important Intune policies by users who are either not privileged or have recently gained elevated access. This is crucial because attackers might try to weaken these policies to let non-compliant or rogue devices access corporate resources.
-
Severity: The alert is marked as "High" severity, indicating that any detected activity is considered a significant security risk.
-
Data Source: The query uses data from Azure Monitor, specifically focusing on Intune Audit Logs.
-
Frequency: The query runs every hour and looks back at the last hour of data to check for any suspicious activities.
-
Detection Logic:
- It defines a list of sensitive operations related to deleting or modifying compliance and configuration policies.
- It filters the Intune Audit Logs to find any operations that match these sensitive actions within the last hour.
- It extracts and displays relevant details such as the time of the operation, the identity of the user who performed it, the type of operation, and the target object involved.
-
Output: The query projects key information like the time of the operation, the user identity, the operation name, and details about the modified or deleted object. It also maps the user identity to an account entity for further analysis.
-
Security Tactics and Techniques: The query is associated with tactics like Defense Evasion and Impact, and it relates to specific techniques (T1562 and T1484) that describe how attackers might try to bypass security measures or impact system configurations.
Overall, this query helps security teams quickly identify and respond to potential security threats involving Intune policy changes.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h