Find sign-ins from non entra managed devices over the past month using KQL

Copper Contributor

Hi we are looking to find logins from non domain joined devices using KQL but can't seem to write a query that works. I know I can find this data in defender for cloud apps but the logs limit only reaches 5000.


I was thinking something likethis 

| where createdDateTime >= ago(30d)
| where deviceTrustType !in ("Enrolled", "Managed")
| project createdDateTime, userPrincipalName, ipAddress, deviceTrustType, deviceId, appDisplayName, location


1 Reply

@Danielburt1650 How about this?

| where TimeGenerated >= ago(30d)
| where DeviceDetail.isCompliant == false
        and ResultType ==0
| extend deviceName_ = tostring(DeviceDetail.displayName)
| extend trustType_ = tostring(DeviceDetail.trustType)
| distinct deviceName_, trustType_, UserPrincipalName , IPAddress, AppDisplayName, DeviceID=tostring(DeviceDetail), Location

  Some more ideas here: Microsoft Entra security operations for devices | Microsoft Learn