Find DeviceDetail for the currently logged in user

Copper Contributor

Assuming I have an authorization token for a valid Entra/AAD user, and my back-end service has the necessary permissions to query all of Entra/AAD (including AuditLogs), how can I find the AuditLogs.SignIns entry or even just the DeviceDetail that matches the token? Pulling apart the JWT and looking at all the data available in the SignIns/devices data that comes back from Microsoft Graph, I can't see anything obvious that matches, though there are things like `"uniqueTokenIdentifier": "9bIweWnQ3kedo9YC_vmBAA",` (property of a SignIn) that look promising.

Actually, all I really want to do is to be able to determine if the device that the user has authenticated with has the "isManaged" or "isCompliant" flags set.

Previously I've been able to use a custom HTTP header x-ms-request-id that is present on some requests to find the appropriate SignIn, but it's not present in the requests I'm handling currently.


3 Replies
The deviceID claim is readily available in the JWT, so use that? In addition, the sign-in state one gives you compliance status:

```json
"signin_state": [
    "dvc_mngd",
    "dvc_cmp",
    "inknownntwk",
    "kmsi"
]
```

Here's a screenshot:

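A worked version of the approach in the reply above, added here as an example (not code from the thread): decode the token payload, read the `deviceid` and `signin_state` claims, and map `dvc_mngd`/`dvc_cmp` onto the isManaged/isCompliant flags, reporting "unknown" rather than "false" when the claims are absent, as in the questioner's token. The sample tokens are constructed and unsigned; the device id is a placeholder.

```python
import base64
import json

# Claim names as they appear in Entra ID access tokens (see the reply above).
SIGNIN_STATE_CLAIM = "signin_state"
DEVICE_ID_CLAIM = "deviceid"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is not checked here:
    validate issuer, audience, signature and expiry before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def device_state(claims: dict) -> dict:
    """Map signin_state onto isManaged / isCompliant.
    Both flags are None when the token carries no signin_state at all (the
    situation in the question), so 'absent' is never read as 'not compliant'."""
    state = claims.get(SIGNIN_STATE_CLAIM)
    if state is None:
        return {"deviceId": claims.get(DEVICE_ID_CLAIM), "isManaged": None, "isCompliant": None}
    return {
        "deviceId": claims.get(DEVICE_ID_CLAIM),
        "isManaged": "dvc_mngd" in state,
        "isCompliant": "dvc_cmp" in state,
    }


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg none) for the demo."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed samples: one with the claims from the reply, one shaped like the
# questioner's token (no deviceid, no signin_state).
MANAGED_TOKEN = _make_unsigned_jwt({
    "deviceid": "00000000-0000-0000-0000-000000000000",  # placeholder device id
    "signin_state": ["dvc_mngd", "dvc_cmp", "inknownntwk", "kmsi"],
})
BARE_TOKEN = _make_unsigned_jwt({"amr": ["pwd"], "scp": "custom-scope", "ver": "1.0"})

if __name__ == "__main__":
    print(device_state(jwt_payload(MANAGED_TOKEN)))
    print(device_state(jwt_payload(BARE_TOKEN)))
```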

Hmm, interesting, none of that's in the token I have (it's actually a token acquired by a Sharepoint online webpart, but it's just a request to login.microsoftonline.com/.../oauth2/v2.0/authorize which sends back a page that redirects to https://<tenant>.sharepoint.com/_forms/spfxsinglesignon.aspx#access_token=<token>). This is all it has:

```json
{
    "iss": "https://sts.windows.net/c1fd1e38-<tenant-id>/",
    "iat": 1706077938,
    "nbf": 1706077938,
    "exp": 1706083137,
    "acr": "1",
    "aio": "ATQAy/...",
    "amr": [
        "pwd"
    ],
    "appid": "d382a6b7-<not-sure?>",
    "appidacr": "0",
    "family_name": "User",
    "given_name": "Test",
    "ipaddr": "48.xxx.yy.zzz",
    "name": "Test User",
    "oid": "e7af4b9b-...",
    "rh": "0.AUIAOB79wc_...",
    "scp": "custom-scope",
    "sub": "acbBL4VK....",
    "tid": "c1fd1e38-<tenant-id>",
    "unique_name": "email address removed for privacy reasons",
    "upn": "email address removed for privacy reasons",
    "uti": "FLnAb1y...",
    "ver": "1.0"
}
```