Intune - Possible refresh token / PRT reuse accessing Intune resource
Refresh Token Reuse Intune
Query
let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
let intuneResources = dynamic([
"Microsoft Intune","Microsoft Intune API","Device Management",
"Windows 365","Microsoft Graph"
]);
let baseline =
AADNonInteractiveUserSignInLogs
| where TimeGenerated between (ago(14d) .. ago(1h))
| summarize KnownIPs = make_set(IPAddress, 500), KnownASNs = make_set(tostring(AutonomousSystemNumber), 50)
by UPN = tolower(UserPrincipalName);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
| where ResourceDisplayName has_any (intuneResources)
| extend UPN = tolower(UserPrincipalName), ASN = tostring(AutonomousSystemNumber)
| extend AuthDetails = tostring(AuthenticationDetails)
| where AuthDetails !has "Multifactor" // token used without fresh MFA
| join kind=leftouter baseline on UPN
| where isnull(KnownIPs) or (not(set_has_element(KnownIPs, IPAddress)) and not(set_has_element(KnownASNs, ASN)))
| project TimeGenerated, UPN, IPAddress, ASN, ResourceDisplayName, AppDisplayName,
UserAgent, Location=tostring(parse_json(tostring(LocationDetails)).countryOrRegion)
| extend AccountCustomEntity = UPN, IPCustomEntity = IPAddressExplanation
This query is designed to detect suspicious activity related to the use of refresh tokens or Primary Refresh Tokens (PRTs) in accessing Intune or Device Management resources. Here's a simplified breakdown:
-
Purpose: The query identifies instances where a user accesses Intune resources without recent Multi-Factor Authentication (MFA) from an IP address or Autonomous System Number (ASN) that hasn't been previously associated with that user. This could indicate token theft and unauthorized access.
-
Severity: The alert generated by this query is considered high severity because it may indicate credential theft and unauthorized access.
-
Data Source: It uses data from Azure Active Directory's non-interactive user sign-in logs.
-
Frequency and Period: The query runs every hour and looks back over the past 14 days to establish a baseline of known IPs and ASNs for each user.
-
Detection Logic:
- It first establishes a list of known IP addresses and ASNs for each user over the past 14 days.
- It then checks for any new sign-ins in the last hour.
- It filters out sign-ins that were successful (ResultType == 0) and not from allowed IP ranges.
- It focuses on sign-ins to specific Intune-related resources.
- It checks if these sign-ins occurred without recent MFA.
- It flags sign-ins from IPs or ASNs not previously associated with the user.
-
Output: The query outputs details like the time of access, user principal name (UPN), IP address, ASN, resource accessed, application name, user agent, and location.
-
Entity Mapping: It maps the user and IP address to entities for further investigation.
-
Version and Status: The query is version 1.0.0 and is currently available as a scheduled task.
In summary, this query helps identify potential unauthorized access to Intune resources by detecting anomalies in token usage patterns, which could suggest credential theft.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 14d