Intune - Stale managed device still reporting as compliant
Intune Stale Device Compliant Ghost
Query
let stale =
IntuneDevices
| where TimeGenerated > ago(14d)
| summarize LastSeen = max(todatetime(LastContact)) by DeviceId = tostring(DeviceId),
DeviceName = tostring(DeviceName),
UPN = tolower(tostring(UPN))
| where LastSeen < ago(30d);
let stillCompliant =
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(1d)
| where ComplianceState =~ "Compliant"
| summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
| project DeviceId, ComplianceState, ReportedOn = TimeGenerated;
stale
| join kind=inner stillCompliant on DeviceId
| project DeviceId, DeviceName, UPN, LastSeen, ReportedOn, ComplianceState
| extend AccountCustomEntity = UPN, HostCustomEntity = DeviceNameExplanation
This query is designed to identify devices that have not checked into Intune for over 30 days but are still marked as "Compliant" in the IntuneDeviceComplianceOrg records. This situation can be exploited by attackers who use a device's Primary Refresh Token (PRT) or compliance token from a device that is no longer active. Although the real device is offline, the compliance-gated Conditional Access still accepts the token, potentially allowing unauthorized access.
Here's a simplified breakdown of the query:
-
Stale Devices Identification:
- It looks at devices that have reported to Intune within the last 14 days.
- It identifies devices that have not been in contact for over 30 days.
-
Still Compliant Devices:
- It checks for devices that have been marked as "Compliant" in the last day.
- It gathers the most recent compliance state for each device.
-
Join and Filter:
- It combines the list of stale devices with those still marked as compliant.
- The result is a list of devices that are both stale and still showing as compliant.
-
Output:
- The output includes the Device ID, Device Name, User Principal Name (UPN), last seen date, reported compliance date, and compliance state.
- It also maps these to account and host entities for further analysis.
-
Operational Details:
- The query runs every 6 hours and looks back over a 14-day period.
- It triggers an alert if any such devices are found.
The query is part of a scheduled task with a medium severity level, focusing on tactics related to Credential Access and Defense Evasion, specifically techniques T1552 and T1550. It suggests reviewing sign-in logs for the same DeviceId due to the high potential for false positives.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 6h
Period: 14d