Intune - Rogue device registration from suspicious user agent / tool
Rogue Device Registration Tooling
Query
let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
let suspiciousUA = dynamic([
"AADInternals","roadtx","roadtools","goroadtools",
"Python-requests","Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
]);
let suspiciousApps = dynamic([
"Microsoft Intune Company Portal","Microsoft Authentication Broker",
"Azure Active Directory PowerShell","Microsoft Graph PowerShell",
"Microsoft Intune"
]);
union isfuzzy=true
(SigninLogs
| where TimeGenerated > ago(1h)
| extend LocationDetails = todynamic(tostring(LocationDetails))
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName,
UserAgent, IPAddress, LocationDetails, ResultType,
AuthenticationRequirement, ConditionalAccessStatus),
(AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| extend LocationDetails = todynamic(tostring(column_ifexists("LocationDetails", dynamic({}))))
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName,
UserAgent, IPAddress, LocationDetails, ResultType,
AuthenticationRequirement, ConditionalAccessStatus)
| where ResultType == 0
| where AppDisplayName in~ (suspiciousApps) or ResourceDisplayName has_any ("Device Registration","Intune")
| where UserAgent has_any (suspiciousUA) or isempty(UserAgent)
| where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName,
UserAgent, IPAddress, Location=tostring(parse_json(tostring(LocationDetails)).countryOrRegion),
AuthenticationRequirement, ConditionalAccessStatus
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddressExplanation
This query is designed to detect potentially malicious device registration or mobile device management (MDM) enrollment activities in Microsoft Intune. It specifically looks for suspicious user agents or client strings that are often associated with offensive tools like AADInternals, ROADtools, and others. These strings might appear in sign-in logs when attackers attempt to forge or replay device-bound tokens.
Here's a simplified breakdown of the query:
-
Purpose: The query aims to identify unauthorized or rogue device registrations by detecting suspicious user agents or applications used during the registration process.
-
Severity: The alert generated by this query is considered high severity, indicating a significant security risk.
-
Data Sources: It uses data from Azure Active Directory, specifically the SigninLogs and AADNonInteractiveUserSignInLogs.
-
Frequency: The query runs every hour and looks back at the past hour's data.
-
Detection Logic:
- It checks for specific suspicious user agents and applications.
- It filters out any IP addresses that are within an allowed range (using a watchlist).
- It focuses on successful sign-in attempts (ResultType == 0) related to device registration or Intune.
- It flags entries where the user agent is suspicious or missing.
-
Output: The query outputs details like the time of the event, user principal name, application name, resource name, user agent, IP address, and location. It also maps these details to entities for further investigation.
-
Tactics and Techniques: The query is associated with tactics like Credential Access and Persistence, and techniques such as T1528 (Steal Application Access Token) and T1098.005 (Device Registration).
Overall, this query helps security teams identify and respond to potential threats involving unauthorized device registrations in their environment.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h