By: Janusz Gal – Sr Product Manager | Microsoft Intune
Azure Log Analytics gives Intune admins a flexible way to create custom reports from diagnostic data, especially when you need longer history or tailored calculations that go beyond what the Microsoft Intune admin center’s built-in reports provide. By using the Intune diagnostic data you’re already collecting, you can customize reporting for your organization’s unique requirements. In this post, you’ll walk through the steps to create a 30-day device compliance trend report. The resultant report can be run automatically, used in dashboards, or even further customized for a longer period or with additional data.
Before we begin, if you haven’t configured a Log Analytics workspace in your tenant, review the following detailed information on the pre-requisites and costs on Microsoft Learn: Route logs to Azure Monitor using Microsoft Intune.
In the Microsoft Intune admin center, navigate to Reports > Diagnostic settings, and add a new Diagnostic setting policy to send data to a Log Analytics workspace.
Figure 1 Reports > Diagnostic settings, used to configure new or existing diagnostic settings.
For a device compliance trend report, ensure the Devices log category is selected:
Figure 2 Reports > Diagnostic settings > Selected configuration; Devices log selected.
After configuring the setting, navigate to Reports > under Azure monitor, Log Analytics.
Figure 3 Reports > Log Analytics; used to query log Analytics workspaces.
In the New Query window, enter the following query:
IntuneDevices
| where TimeGenerated > ago(30d)
| summarize
Total = count(),
Compliant = countif(CompliantState == "Compliant"),
NonCompliant = countif(CompliantState == "Noncompliant"),
InGracePeriod = countif(CompliantState == "InGracePeriod"),
NotEvaluated = countif(CompliantState == "Not Evaluated" or CompliantState == ""),
ConfigManager = countif(CompliantState == "ConfigManager")
by bin(TimeGenerated, 1d)
| extend ComplianceRate = round(100.0 * Compliant / Total, 2)
| order by TimeGenerated asc
This query will return daily device compliance trends over the past 30 days, from the IntuneDevice table.
Figure 4 Reports > Log Analytics; results after running query.
Select Chart > Chart type > Stacked Area to show a visual of the trending device state over time.
Figure 5 Reports > Log Analytics > Chart > Stacked Area.
If you’d like to create other reports but aren’t sure of the schema, one trick you can use is to run the following query in the above Log Analytics workspace to get all the column names:
IntuneDevices
| getschema
Then to get all the values from those columns, you can modify the query to return the distinct values from a specific column such as CompliantState:
IntuneDevices
| distinct CompliantState
Now that you have the query created in Log Analytics, you can save it to run anytime, pin it to a dashboard, or even create a new alert rule to let you know if compliance has gone below a certain threshold.
To pin it as a dashboard, on the Query pane select the ellipsis (…) > Pin to > Azure dashboard.
Figure 6 Reports > Log Analytics; pin query to dashboard flow.
Then select the dashboard you’d like to use.
Figure 7 Reports > Log Analytics; select dashboard to pin.
Once pinned, simply navigate to Dashboard within the Intune admin center, and you’ll see the query pinned on the selected dashboard.
Figure 8 Dashboard showing Log Analytics query.
To show more than the past 24-hours, select the Customize Tile button and select Override the dashboard time settings at the tile level, with Timespan set to Past 30 days.
Figure 9 Dashboard > Selected Query > Customize Tile button.
If you’d like to always see the data in a chart form, select the edit icon on the pinned dashboard item and append the following to the end of the query:
| render areachart with (kind=stacked)
Figure 10 Dashboard > Selected query > Edit > modified query to show chart.
After clicking Apply, the dashboard shows the following:
Figure 11 Dashboard showing updated historical device compliance query as a stacked area chart.
You’ve now seen end-to-end how to turn Intune diagnostic data into a 30-day device compliance trend report with diagnostic data and Log Analytics. From here, the next step is to operationalize it - save the query, extend the timeframe, join in additional diagnostic tables, or set an alert so you’re notified when compliance drops below your threshold. Better yet, see if you can pick one reporting gap your team is living with today and build it using this pattern. With the right tooling, Intune data can be shaped into views and insights that reflect your organization’s unique needs.
Let us know if you have any questions by leaving a comment below or reach out on X @IntuneSuppTeam!
