
# *Managed Service Provider User (B2B or GDAP) without Device Compliance or MFA claim is managing Intune*

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1072 | Software Deployment Tools | <https://attack.mitre.org/techniques/T1072/> |
| T1562 | Impair Defenses | <https://attack.mitre.org/techniques/T1562/> |

### Description

This detection monitors Managed Service Provider (MSP) and delegated admin (GDAP) users who manage Intune while their sign-in carries neither a device compliance claim nor a multi-factor authentication (MFA) claim. This is a critical security control for ensuring that external service providers meet your organization's security baseline. Disabling or bypassing compliance policies is a form of defense evasion.

**Important:** Before enabling this detection, verify your current MSP/GDAP providers and ensure they support [cross-tenant access](https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview) policy configurations. Providers that cannot meet these security requirements should either be whitelisted with appropriate justification or removed from your trusted service provider list.

Mapped to MITRE ATT&CK **T1072 - Software Deployment Tools**, as Intune MSPs typically have broad deployment capabilities.

Blog: <https://medium.com/@kurtli_thomas/detecting-threats-when-attackers-exploit-management-tools-microsoft-intune-71823956630d>

### Author

- **Name:** Thomas Kurth
- **GitHub:** <https://github.com/ThomasKur/Sentinel-And-DefenderXDR>
- **LinkedIn:** <https://www.linkedin.com/in/thomas-kurth-a86b7851/>
- **Medium:** <https://medium.com/@kurtli_thomas>

## Defender XDR

Mapping Proposal:

- Impacted Assets
  - AadUserId > Column: AccountObjectId
- Related Evidence
  - IP > Column: IPAddress

Potential Remediation Action: None

```KQL
IntuneAuditLogs
// The acting identity is nested inside the Properties JSON payload
| extend Actor = extract_json("$.Actor", Properties, typeof(string))
| extend IsDelegatedAdmin = extract_json("$.IsDelegatedAdmin", Actor, typeof(bool))
| extend PartnerTenantId = extract_json("$.PartnerTenantId", Actor, typeof(guid))
| extend IdentityObjectId = extract_json("$.ObjectId", Actor, typeof(string))
// Mark B2B guests: user identities whose UPN carries the #EXT# marker
| join kind=leftouter (IdentityInfo
    | where Timestamp > ago(14d)
    | where Type == "User" and AccountUpn contains "#EXT#"
    | project IdentityId, AccountObjectId
    | extend Guest=true)
    on $left.IdentityObjectId == $right.AccountObjectId
// Keep only GDAP delegated admins and B2B guests
| where IsDelegatedAdmin == true or Guest == true
// Correlate the Intune change with the Graph request that carried it; this supplies the client IPAddress
| join kind=inner GraphAPIAuditEvents on $left.CorrelationId == $right.ClientRequestId
// Attach the sign-in for the same actor and source IP.
// Join on IdentityObjectId (populated for GDAP and guest actors alike): the IdentityInfo
// AccountObjectId is empty for GDAP users, and the GraphAPIAuditEvents copy was renamed
// AccountObjectId1 by the previous join. KQL column names are case-sensitive, so the
// left-hand key must match the IPAddress column exactly.
| join kind=leftouter (EntraIdSignInEvents
    | project
        AccountObjectId,
        AccountUpn,
        IPAddress,
        DeviceTrustType,
        AuthenticationRequirement,
        IsCompliant
    | distinct *)
    on $left.IPAddress == $right.IPAddress and $left.IdentityObjectId == $right.AccountObjectId
// Flag sessions without a compliant device or without an MFA claim
| where IsCompliant != 1 or AuthenticationRequirement != "multiFactorAuthentication"
```

Explanation

This query identifies potential security risks involving Managed Service Provider (MSP) or delegated admin users who are managing Microsoft Intune without meeting the expected security requirements. Specifically, it looks for actors whose correlated sign-in carries no device compliance claim or no multi-factor authentication (MFA) claim. Here is a simplified breakdown of what the query does:

  1. Data Source: The query pulls Intune audit logs (IntuneAuditLogs) and combines them with identity data (IdentityInfo), Graph API request logs (GraphAPIAuditEvents) and sign-in events (EntraIdSignInEvents).

  2. User Identification: It identifies users who are either delegated admins (the IsDelegatedAdmin flag inside the Actor object) or external B2B users (a UPN containing #EXT# in IdentityInfo).

  3. Security Check: It checks whether the sign-in behind each change had a compliant device (IsCompliant) and an MFA claim (AuthenticationRequirement). If either of these security measures is not in place, the change is flagged.

  4. Join Operations: The query uses several join operations to combine data from the different sources, such as identity information, the Graph request that carried the Intune change, and the matching sign-in event, to get a complete picture of the user's actions and security posture.

  5. Filtering: It keeps only the rows that fail the compliance or MFA requirement, highlighting potential security gaps.

  6. Purpose: The goal is to ensure that external service providers managing Intune adhere to the organization's security standards, as bypassing these controls could lead to security vulnerabilities.

  7. Security Context: The query is mapped to MITRE ATT&CK techniques related to software deployment tools and impairing defenses, indicating the potential risk of unauthorized software deployment or evasion of security measures.

Overall, this query helps organizations monitor and enforce security policies for external users managing their Intune environment, ensuring that these users comply with essential security practices.
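The steps above, carried out as a reference implementation in plain Python over constructed sample records. This is an added example, not the page's KQL and not the author's code; every object id, UPN, tenant id and IP address in it is a constructed placeholder, and the record shapes only mirror the columns the query reads. It goes one step beyond the query: the `flag_uncorrelated` switch shows what happens to a change whose actor has no matching sign-in row, which the KQL drops silently because a comparison against a null column is false in a `where` clause.

```python
"""Reference implementation of the detection logic in plain Python.

Added example: not the page's KQL and not the author's code. It mirrors the
query's steps over constructed sample records so the join and filter behaviour
can be checked offline. All ids, UPNs and IPs below are constructed placeholders.
"""
import json

MFA = "multiFactorAuthentication"


def intune_event(corr, op, actor):
    """Build a constructed IntuneAuditLogs row; Actor sits inside the Properties JSON."""
    return {"CorrelationId": corr, "OperationName": op, "Properties": json.dumps({"Actor": actor})}


# --- Constructed sample records, shaped like the columns the query reads ---
INTUNE_AUDIT_LOGS = [
    intune_event("c-1", "Patch DeviceCompliancePolicy",  # GDAP partner admin
                 {"ObjectId": "oid-gdap", "IsDelegatedAdmin": True, "PartnerTenantId": "tid-partner"}),
    intune_event("c-2", "Delete DeviceConfiguration",    # B2B guest (listed with #EXT# below)
                 {"ObjectId": "oid-guest", "IsDelegatedAdmin": False}),
    intune_event("c-3", "Create DeviceConfiguration",    # internal admin, out of scope
                 {"ObjectId": "oid-internal", "IsDelegatedAdmin": False}),
    intune_event("c-4", "Patch DeviceConfiguration",     # guest whose session met both checks
                 {"ObjectId": "oid-guest2", "IsDelegatedAdmin": False}),
    intune_event("c-5", "Delete DeviceCompliancePolicy", # GDAP admin with no sign-in at that IP
                 {"ObjectId": "oid-gdap", "IsDelegatedAdmin": True, "PartnerTenantId": "tid-partner"}),
]
IDENTITY_INFO = [
    {"Type": "User", "AccountUpn": "bob_msp.example#EXT#@customer.example", "AccountObjectId": "oid-guest"},
    {"Type": "User", "AccountUpn": "eve_msp.example#EXT#@customer.example", "AccountObjectId": "oid-guest2"},
    {"Type": "User", "AccountUpn": "alice@customer.example", "AccountObjectId": "oid-internal"},
]
GRAPH_API_AUDIT_EVENTS = [
    {"ClientRequestId": "c-1", "AccountObjectId": "oid-gdap", "IPAddress": "203.0.113.10"},
    {"ClientRequestId": "c-2", "AccountObjectId": "oid-guest", "IPAddress": "198.51.100.7"},
    {"ClientRequestId": "c-3", "AccountObjectId": "oid-internal", "IPAddress": "192.0.2.5"},
    {"ClientRequestId": "c-4", "AccountObjectId": "oid-guest2", "IPAddress": "198.51.100.9"},
    {"ClientRequestId": "c-5", "AccountObjectId": "oid-gdap", "IPAddress": "203.0.113.11"},
]
ENTRA_SIGNIN_EVENTS = [
    {"AccountObjectId": "oid-gdap", "IPAddress": "203.0.113.10", "IsCompliant": 0, "AuthenticationRequirement": MFA},
    {"AccountObjectId": "oid-guest", "IPAddress": "198.51.100.7", "IsCompliant": 1, "AuthenticationRequirement": "singleFactorAuthentication"},
    {"AccountObjectId": "oid-internal", "IPAddress": "192.0.2.5", "IsCompliant": 0, "AuthenticationRequirement": "singleFactorAuthentication"},
    {"AccountObjectId": "oid-guest2", "IPAddress": "198.51.100.9", "IsCompliant": 1, "AuthenticationRequirement": MFA},
]


def parse_actor(event):
    """Steps 1-2: pull the Actor object out of the Properties JSON payload."""
    props = event["Properties"]
    if isinstance(props, str):
        props = json.loads(props)
    return props.get("Actor") or {}


def guest_object_ids(identity_info):
    """B2B guests: User identities whose UPN carries the #EXT# marker."""
    return {r["AccountObjectId"] for r in identity_info
            if r.get("Type") == "User" and "#EXT#" in r.get("AccountUpn", "")}


def detect(intune_logs, identity_info, graph_events, signin_events, flag_uncorrelated=False):
    """One finding per Intune change by a GDAP or B2B actor whose correlated
    sign-in lacked a compliant device or the MFA claim (steps 3-5).

    flag_uncorrelated=False reproduces the query: a change with no matching
    sign-in row drops out, since null comparisons are false in a KQL where.
    True surfaces those rows with their own reason instead.
    """
    guests = guest_object_ids(identity_info)
    graph_by_request = {g["ClientRequestId"]: g for g in graph_events}   # CorrelationId == ClientRequestId
    signin_by_key = {(s["AccountObjectId"], s["IPAddress"]): s for s in signin_events}
    findings = []
    for ev in intune_logs:
        actor = parse_actor(ev)
        oid = actor.get("ObjectId")
        if not (actor.get("IsDelegatedAdmin") is True or oid in guests):
            continue                                   # internal user: out of scope
        graph = graph_by_request.get(ev["CorrelationId"])
        if graph is None:
            continue                                   # inner join: no Graph request, no row
        base = {"CorrelationId": ev["CorrelationId"], "OperationName": ev["OperationName"],
                "ActorObjectId": oid, "IsDelegatedAdmin": actor.get("IsDelegatedAdmin"),
                "PartnerTenantId": actor.get("PartnerTenantId"), "IPAddress": graph["IPAddress"]}
        signin = signin_by_key.get((oid, graph["IPAddress"]))
        if signin is None:
            if flag_uncorrelated:
                findings.append({**base, "Reasons": ["no correlated sign-in"]})
            continue
        reasons = []
        if signin.get("IsCompliant") != 1:
            reasons.append("device not compliant")
        if signin.get("AuthenticationRequirement") != MFA:
            reasons.append("no MFA claim")
        if reasons:
            findings.append({**base, "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(INTUNE_AUDIT_LOGS, IDENTITY_INFO, GRAPH_API_AUDIT_EVENTS, ENTRA_SIGNIN_EVENTS, flag_uncorrelated=True):
        print(f["CorrelationId"], f["OperationName"], f["ActorObjectId"], f["IPAddress"], ", ".join(f["Reasons"]))
```

Run as a script it lists the GDAP change from a non-compliant device (c-1), the guest change behind a single-factor sign-in (c-2) and, only because `flag_uncorrelated=True` is passed, the GDAP change with no sign-in at its source IP (c-5); the internal admin's change and the fully compliant guest session never appear. The uncorrelated case is worth watching in production, since a partner session whose sign-in cannot be matched is exactly the row the query cannot vouch for.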

Details


Thomas Kurth

Released: January 4, 2026

Tables: IntuneAuditLogs, IdentityInfo, GraphAPIAuditEvents, EntraIdSignInEvents
