Query Details

Managed Service Provider User B2B Or GDAP Without Device Compliance Or MFA Claim Is Managing Intune

Query

IntuneAuditLogs 
| extend Actor = extract_json("$.Actor", Properties, typeof(string))
| extend IsDelegatedAdmin = extract_json("$.IsDelegatedAdmin", Actor, typeof(bool))
| extend PartnerTenantId = extract_json("$.PartnerTenantId", Actor, typeof(guid))
| extend IdentityObjectId = extract_json("$.ObjectId", Actor, typeof(string))
| join kind=leftouter (IdentityInfo
    | where Timestamp > ago(14d)
    | where Type == "User" and AccountUpn contains "#EXT#"
    | project IdentityId, AccountObjectId
    | extend Guest=true)
    on $left.IdentityObjectId == $right.AccountObjectId
| where IsDelegatedAdmin == true or Guest == true
| join kind=inner GraphAPIAuditEvents on $left.CorrelationId == $right.ClientRequestId
| join kind=leftouter (EntraIdSignInEvents
    | project
        AccountObjectId,
        AccountUpn,
        IPAddress,
        DeviceTrustType,
        AuthenticationRequirement,
        IsCompliant
    | distinct *)
    on $left.IpAddress == $right.IPAddress and $left.AccountObjectId == $right.AccountObjectId
| where IsCompliant != 1 or AuthenticationRequirement != "multiFactorAuthentication"

About this query

Explanation

This query is designed to identify potential security risks involving Managed Service Provider (MSP) or delegated admin users who are managing Microsoft Intune without meeting certain security requirements. Specifically, it looks for users who do not have device compliance or multi-factor authentication (MFA) enabled. Here's a simplified breakdown of what the query does:

  1. Data Source: The query pulls data from Intune audit logs and other related logs to gather information about user activities.

  2. User Identification: It identifies users who are either delegated admins or external users (B2B) by checking specific attributes in the logs.

  3. Security Check: It checks whether these users have device compliance and MFA enabled. If either of these security measures is not in place, the user is flagged.

  4. Join Operations: The query uses several join operations to combine data from different sources, such as identity information and sign-in events, to get a complete picture of the user's actions and security posture.

  5. Filtering: It filters out users who do not meet the compliance and MFA requirements, highlighting potential security gaps.

  6. Purpose: The goal is to ensure that external service providers managing Intune adhere to the organization's security standards, as bypassing these controls could lead to security vulnerabilities.

  7. Security Context: The query is mapped to MITRE ATT&CK techniques related to software deployment tools and impairing defenses, indicating the potential risk of unauthorized software deployment or evasion of security measures.

Overall, this query helps organizations monitor and enforce security policies for external users managing their Intune environment, ensuring that these users comply with essential security practices.

Details

Thomas Kurth profile picture

Thomas Kurth

Released: January 4, 2026

Tables

IntuneAuditLogsIdentityInfoGraphAPIAuditEventsEntraIdSignInEvents

Keywords

ManagedServiceProviderUserDeviceComplianceMFAIntuneActorAdminPartnerTenantIdentityObjectAccountTimestampTypeGuestGraphAPIAuditEventsEntraIdSignInIPAddressTrustAuthenticationRequirement

Operators

IntuneAuditLogsextendextract_jsontypeofjoinkindleftouterwhereTimestampagoprojectcontainson$left$righttrueinnerdistinct!=

MITRE Techniques

Actions

GitHub