HUNT - Non-compliant devices still accessing corporate apps
Non Compliant Access
Query
let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
let bad =
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(1d)
| where ComplianceState in~ ("NonCompliant","Error","Unknown","InGracePeriod")
| summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
| project DeviceId, DeviceName = tostring(DeviceName), ComplianceState,
UPN = tolower(tostring(UPN));
SigninLogs
| where TimeGenerated > ago(1d) and ResultType == 0
| where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
| extend DeviceId = tostring(DeviceDetail.deviceId), UPN = tolower(UserPrincipalName)
| join kind=inner bad on DeviceId
| summarize SignIns = count(), Apps = make_set(AppDisplayName, 20),
IPs = make_set(IPAddress, 20)
by UPN, DeviceId, DeviceName, ComplianceState
| order by SignIns descExplanation
This query is designed to identify devices that are not compliant with corporate policies but are still successfully accessing corporate applications. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to find devices that are in a non-compliant, error, unknown, or grace period state but have successfully signed into corporate applications. This can indicate potential security gaps or compliance bypasses.
-
Data Sources:
- It uses data from Intune logs to check device compliance status.
- It uses Azure Active Directory sign-in logs to track successful sign-ins.
-
Process:
- It first retrieves a list of IP ranges that are allowed (from a watchlist called 'NetworkAllowlist').
- It then identifies devices that have been non-compliant in the last day.
- It checks for successful sign-ins (ResultType == 0) in the last day from IP addresses not in the allowed list.
- It matches these sign-ins with the non-compliant devices.
-
Output:
- The result is a list of user principal names (UPNs), device IDs, device names, and compliance states.
- It also includes the number of sign-ins, the applications accessed, and the IP addresses used.
- The results are ordered by the number of sign-ins, showing the most frequent offenders first.
-
Security Implication: This query highlights potential security issues where non-compliant devices are accessing corporate resources, suggesting a need for reviewing conditional access policies or compliance checks.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques