Query Details

HUNT - Non-compliant devices still accessing corporate apps

Non Compliant Access

Query

let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
let bad =
    IntuneDeviceComplianceOrg
    | where TimeGenerated > ago(1d)
    | where ComplianceState in~ ("NonCompliant","Error","Unknown","InGracePeriod")
    | summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
    | project DeviceId, DeviceName = tostring(DeviceName), ComplianceState,
              UPN = tolower(tostring(UPN));
SigninLogs
| where TimeGenerated > ago(1d) and ResultType == 0
| where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
| extend DeviceId = tostring(DeviceDetail.deviceId), UPN = tolower(UserPrincipalName)
| join kind=inner bad on DeviceId
| summarize SignIns = count(), Apps = make_set(AppDisplayName, 20),
            IPs = make_set(IPAddress, 20)
          by UPN, DeviceId, DeviceName, ComplianceState
| order by SignIns desc

Explanation

This query is designed to identify devices that are not compliant with corporate policies but are still successfully accessing corporate applications. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to find devices that are in a non-compliant, error, unknown, or grace period state but have successfully signed into corporate applications. This can indicate potential security gaps or compliance bypasses.

  2. Data Sources:

    • It uses data from Intune logs to check device compliance status.
    • It uses Azure Active Directory sign-in logs to track successful sign-ins.
  3. Process:

    • It first retrieves a list of IP ranges that are allowed (from a watchlist called 'NetworkAllowlist').
    • It then identifies devices that have been non-compliant in the last day.
    • It checks for successful sign-ins (ResultType == 0) in the last day from IP addresses not in the allowed list.
    • It matches these sign-ins with the non-compliant devices.
  4. Output:

    • The result is a list of user principal names (UPNs), device IDs, device names, and compliance states.
    • It also includes the number of sign-ins, the applications accessed, and the IP addresses used.
    • The results are ordered by the number of sign-ins, showing the most frequent offenders first.
  5. Security Implication: This query highlights potential security issues where non-compliant devices are accessing corporate resources, suggesting a need for reviewing conditional access policies or compliance checks.

Details

David Alonso profile picture

David Alonso

Released: April 22, 2026

Tables

IntuneDeviceComplianceOrgSigninLogs

Keywords

DevicesIntuneUserComplianceAppsNetworkIPAddressTimeGeneratedDeviceNameComplianceStateUPNDeviceIdUserPrincipalNameSignInsAppDisplayName

Operators

letprojecttoscalarsummarizemake_listwherein~arg_maxtoloweragoandnotipv4_is_in_any_rangetostringextendjoinkind=innermake_setbyorder bydesc

Tactics

DefenseEvasion

MITRE Techniques

Actions

GitHub