Managed Service Provider User B2B Or GDAP Without Device Compliance Or MFA Claim Is Managing Intune
Query
IntuneAuditLogs
| extend Actor = extract_json("$.Actor", Properties, typeof(string))
| extend IsDelegatedAdmin = extract_json("$.IsDelegatedAdmin", Actor, typeof(bool))
| extend PartnerTenantId = extract_json("$.PartnerTenantId", Actor, typeof(guid))
| extend IdentityObjectId = extract_json("$.ObjectId", Actor, typeof(string))
| join kind=leftouter (IdentityInfo
| where Timestamp > ago(14d)
| where Type == "User" and AccountUpn contains "#EXT#"
| project IdentityId, AccountObjectId
| extend Guest=true)
on $left.IdentityObjectId == $right.AccountObjectId
| where IsDelegatedAdmin == true or Guest == true
| join kind=inner GraphAPIAuditEvents on $left.CorrelationId == $right.ClientRequestId
| join kind=leftouter (EntraIdSignInEvents
| project
AccountObjectId,
AccountUpn,
IPAddress,
DeviceTrustType,
AuthenticationRequirement,
IsCompliant
| distinct *)
on $left.IpAddress == $right.IPAddress and $left.AccountObjectId == $right.AccountObjectId
| where IsCompliant != 1 or AuthenticationRequirement != "multiFactorAuthentication"About this query
Explanation
This query is designed to identify potential security risks involving Managed Service Provider (MSP) or delegated admin users who are managing Microsoft Intune without meeting certain security requirements. Specifically, it looks for users who do not have device compliance or multi-factor authentication (MFA) enabled. Here's a simplified breakdown of what the query does:
-
Data Source: The query pulls data from Intune audit logs and other related logs to gather information about user activities.
-
User Identification: It identifies users who are either delegated admins or external users (B2B) by checking specific attributes in the logs.
-
Security Check: It checks whether these users have device compliance and MFA enabled. If either of these security measures is not in place, the user is flagged.
-
Join Operations: The query uses several join operations to combine data from different sources, such as identity information and sign-in events, to get a complete picture of the user's actions and security posture.
-
Filtering: It filters out users who do not meet the compliance and MFA requirements, highlighting potential security gaps.
-
Purpose: The goal is to ensure that external service providers managing Intune adhere to the organization's security standards, as bypassing these controls could lead to security vulnerabilities.
-
Security Context: The query is mapped to MITRE ATT&CK techniques related to software deployment tools and impairing defenses, indicating the potential risk of unauthorized software deployment or evasion of security measures.
Overall, this query helps organizations monitor and enforce security policies for external users managing their Intune environment, ensuring that these users comply with essential security practices.
Details

Thomas Kurth
Released: January 4, 2026
Tables
Keywords
Operators