Find Out Who Sent The Remote Commands

Hi, 

To find out who sent remote commands in Microsoft Intune, you can use the activity logs available in the admin interface. Here are the steps:

1. Go to Activity Logs

• Open the Microsoft Intune Admin Center
• Navigate to Tenant administration > Audit logs.

2. Filter the Logs

• Use the filtering option to search for specific events, such as:
  • Category: "Device actions"
  • Activity: The specific action, e.g., "Reset passcode" or "Wipe device."
  • Target: The device or user affected by the action.
• You can also specify a date range to narrow your search.

3. Check Who Sent the Command

• In the logs, you will find information about who initiated the action. This is displayed under the field Initiated by or similar.
• It includes:
  • The username or email address of the administrator.
  • The time the command was sent.
  • 

     

4. Alternative: Logs from the Device

• If it concerns a specific device, you can:
  • Go to Devices > Select the device > Device actions.
  • Check the details of actions performed on that device.

5. Export Logs (If Needed)

• For more advanced analysis, export the logs and review them in Excel or a SIEM solution (Security Information and Event Management).

6. If Logs Are Missing

• Ensure that logging is enabled in your tenant. Go to Azure Active Directory > Audit logs for more extensive audit data.
• If your organization uses Microsoft Defender for Endpoint, additional insights might be available there.

By following these steps, you can identify which technician or administrator sent the remote command.

I hope this will help you.