Query Details

Potential User Signed Into Edge Browser From Unmanaged Or Unregistered Device

Query

SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "0" //Successes only
| where isempty(DeviceDetail.deviceId) //ignore already joined/registered devices
| where IncomingTokenType == "primaryRefreshToken" //Edge seems to cache a PRT
| where DeviceDetail.browser startswith "Edge " //See if user signed into browser on non joined/registered device
| summarize count() by UserPrincipalName //BYOD Edge sign-in is perfect use-case for Edge for Business (and MDA session proxy + MAM)

Explanation

This query analyzes the sign-in logs from the last 90 days and keeps only successful sign-ins (ResultType "0"). It narrows these to sign-ins made with a "primaryRefreshToken" from a device that is not already joined or registered, which is indicated by an empty DeviceDetail.deviceId. It then keeps only sign-ins through the Edge browser, identified by a browser name starting with "Edge ", and counts the matching sign-ins for each user (UserPrincipalName). The result identifies users who are signing into the Edge browser on personal devices (BYOD), which could be a good opportunity to implement Edge for Business, along with a session proxy and mobile application management (MAM).
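The per-user count can be extended into a triage view that shows when and from where each user did this. The following is an added example, not the author's query: it keeps the same filters and adds standard SigninLogs columns (AppDisplayName, IPAddress, DeviceDetail.operatingSystem). The output column names are chosen here for illustration.

```kql
// Added example: same filters as the query above, with per-user context for triage.
// Output column names (SignIns, FirstSeen, ...) are illustrative, not from the original page.
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "0"                                // successes only
| where isempty(tostring(DeviceDetail.deviceId))         // no joined/registered device ID
| where IncomingTokenType == "primaryRefreshToken"
| extend Browser = tostring(DeviceDetail.browser),       // cast dynamic fields once, reuse below
         OS = tostring(DeviceDetail.operatingSystem)
| where Browser startswith "Edge "
| summarize SignIns = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            OperatingSystems = make_set(OS, 10),         // which platforms the unmanaged devices run
            Apps = make_set(AppDisplayName, 25),         // which applications were reached
            SourceIPs = dcount(IPAddress)                // approximate count of distinct source addresses
    by UserPrincipalName
| order by SignIns desc
```

Users with many sign-ins, several operating systems, or a wide spread of source addresses are the first candidates for the Edge for Business and MAM rollout the query comment mentions.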

Details


Jay Kerai

Released: September 8, 2025

Tables

SigninLogs

Keywords

SigninLogs, TimeGenerated, ResultType, DeviceDetail, DeviceId, IncomingTokenType, Browser, UserPrincipalName

Operators

where, isempty, startswith, summarize, count, by
