Signin Logs Potential Compliant Device Bypass Attempt
Query
// https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
let query_period = 1h;
// let _SuccessResultTypes = toscalar(
// _GetWatchlist("ResultType-SignInLogsErrorCodes")
// | where Notes has_all ("[Success]", "[Complete]") and isnotempty(ResultDescription)
// | summarize make_list(ResultType)
// );
// let expected_resource_serviceprincipal_ids = dynamic([]);
SigninLogs
| where TimeGenerated > ago(query_period)
| where AppId == "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" // Microsoft Intune Company Portal
and ResourceIdentity == "00000003-0000-0000-c000-000000000000" // Microsoft Graph
| where isempty(tostring(DeviceDetail["deviceId"]))
// | where ResultType in (_SuccessResultTypes)
| join kind=rightsemi (
SigninLogs
| where TimeGenerated > ago(query_period)
) on CorrelationId
| summarize
arg_min(CreatedDateTime, *),
ResultTypes = array_sort_asc(make_set(ResultType)),
AppIds = array_sort_asc(make_set(AppId)),
ResourceIdentities = array_sort_asc(make_set(ResourceIdentity)),
ResourceServicePrincipalIds = array_sort_asc(make_set(ResourceServicePrincipalId))
by CorrelationId, UserId, IPAddress
// | where not(
// ResultTypes has_all ("50097", "50129") // ResultTypes related to Entra registered (Workplace join)
// and AppIds has "29d9ed98-a469-4536-ade2-f981bc1d605e" // Microsoft Authentication Broker
// and ResourceIdentities has_any (expected_resource_serviceprincipal_ids) // ResourceDisplayName empty and ResourceIdentity == ResourceServicePrincipalId // might be custom by tenant
// and ResourceServicePrincipalIds has_any (expected_resource_serviceprincipal_ids) // ResourceDisplayName empty and ResourceIdentity == ResourceServicePrincipalId // might be custom by tenant
// )
| project-reorder
CreatedDateTime,
Category,
UserPrincipalName,
UserDisplayName,
IPAddress,
AutonomousSystemNumber,
Location,
ResultType,
ResultDescription,
AppDisplayName,
ResourceDisplayName,
ClientAppUsed,
UserAgent,
DeviceDetail,
AuthenticationRequirement,
ConditionalAccessStatus,
ConditionalAccessPolicies,
AppId,
ResourceIdentity,
ResourceServicePrincipalId,
HomeTenantId,
ResourceTenantId,
UserType,
UserId,
OriginalRequestId,
CorrelationIdExplanation
This KQL query is designed to analyze sign-in logs, specifically focusing on Microsoft Intune Company Portal interactions with Microsoft Graph. Here's a simplified breakdown of what the query does:
-
Time Frame: It looks at sign-in logs from the past hour (
query_period = 1h). -
Filter Criteria:
- It filters logs where the application ID is for the Microsoft Intune Company Portal.
- It checks interactions with Microsoft Graph (identified by a specific
ResourceIdentity). - It specifically looks for logs where the
deviceIdis empty, indicating that the device information is not available.
-
Join Operation:
- It performs a semi-join with the same set of sign-in logs to ensure that only logs with matching
CorrelationIdare considered.
- It performs a semi-join with the same set of sign-in logs to ensure that only logs with matching
-
Summarization:
- It summarizes the data by
CorrelationId,UserId, andIPAddress. - For each group, it finds the earliest log entry (
arg_min(CreatedDateTime, *)). - It collects and sorts unique
ResultType,AppId,ResourceIdentity, andResourceServicePrincipalIdvalues.
- It summarizes the data by
-
Projection:
- It reorders the columns to project specific fields like
CreatedDateTime,UserPrincipalName,IPAddress,ResultType,AppDisplayName, and others for easier analysis.
- It reorders the columns to project specific fields like
-
Commented Out Sections:
- There are several commented-out sections that suggest additional filtering or conditions that could be applied, such as filtering based on specific
ResultTypesrelated to device registration or specific application IDs.
- There are several commented-out sections that suggest additional filtering or conditions that could be applied, such as filtering based on specific
Overall, the query is designed to identify and analyze sign-in attempts to Microsoft Graph via the Intune Company Portal where device information is missing, potentially highlighting compliance or configuration issues.
Details

Jose Sebastián Canós
Released: January 8, 2025
Tables
SigninLogs
Keywords
SigninLogsDevicesIntuneUserMicrosoftGraph
Operators
lettoscalar_GetWatchlisthas_allisnotemptysummarizemake_listdynamicagoisemptytostringjoinarg_minarray_sort_ascmake_setbyproject-reorder