endakelly
Brass Contributor
May 25, 2020

Matching SharePoint machine ID to Intune

I am looking at some SharePoint logs for an alert but I cannot tell if the machine being used is one that is managed by our Intune or not. The machine ID from the SharePoint logs does not correspond to any format in Intune.

Is it possible to match these in some way or figure out if the machine is managed from SharePoint logs?

  • Thijs Lecomte
    Bronze Contributor
    I don't have an example in front of me, but I think these IDs should be Azure AD device IDs.
    • endakelly
      Brass Contributor

      Thijs Lecomte I was hoping that, but it doesn't appear to be the case from what I can tell. I have a machine ID like this 547f88ef-15d4-407d-88bd-75d0edf8c7bc but my Azure AD / Intune device has an ID in a similar format that is completely different.

      None of my devices appear to match this string.

      • Thijs Lecomte
        Bronze Contributor
        Could you share the analytics query which throws the alert?
        That way, I can check where the ID is coming from.
  • endakelly
    Brass Contributor

    The plot thickens on this one. So I was investigating another incident this morning and copied the machine ID and checked it against Intune. Looking at the hardware properties for the user's machines, I found an attribute called UDID which is a perfect match 😄

    Problem is, this attribute is not exposed in the Graph API from what I can see so far using the https://graph.microsoft.com/v1.0/users/UPN/managedDevices query (same with beta).

    This device was a Mac and this attribute looks to be unique to them. No attributes for Windows have matching Machine IDs.

    Machine ID is only an attribute on the FileSyncDownloadedFull operation, which isn't a massive deal, but it would be nice to be able to correlate Machine IDs with FileDelete and FolderDelete operations too so you can be sure if a mass delete happened from a managed device or not.

    Is it possible to have this UDID attribute exposed to the Graph API or is there another query I should be using?
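
One way to approximate the correlation asked for above, as an added example that is not part of the original thread: borrow the MachineId from the nearest FileSyncDownloadedFull event by the same user and client IP, then look it up in a device inventory export that contains the UDID. The sample records, the CSV column names, the one-hour window and the user-plus-IP heuristic are all assumptions.

```python
import csv, io, json
from datetime import datetime, timedelta

# Constructed audit records; only the sync operation carries MachineId.
AUDIT_JSON = """[
 {"CreationTime":"2020-05-25T09:00:00","Operation":"FileSyncDownloadedFull","UserId":"a@contoso.example","ClientIP":"203.0.113.10","MachineId":"11111111-AAAA-4BBB-8CCC-000000000001"},
 {"CreationTime":"2020-05-25T09:20:00","Operation":"FileDelete","UserId":"a@contoso.example","ClientIP":"203.0.113.10"},
 {"CreationTime":"2020-05-25T10:00:00","Operation":"FileSyncDownloadedFull","UserId":"b@contoso.example","ClientIP":"198.51.100.7","MachineId":"22222222-aaaa-4bbb-8ccc-000000000002"},
 {"CreationTime":"2020-05-25T10:05:00","Operation":"FolderDelete","UserId":"b@contoso.example","ClientIP":"198.51.100.7"},
 {"CreationTime":"2020-05-25T11:00:00","Operation":"FileDelete","UserId":"c@contoso.example","ClientIP":"192.0.2.44"}
]"""
# Constructed inventory export; the column names are hypothetical.
INTUNE_CSV = "DeviceName,UDID\nMBP-ALICE,11111111-aaaa-4bbb-8ccc-000000000001\n"
DELETES = {"FileDelete", "FolderDelete"}

def load_udids(csv_text):
    """Map lower-cased UDID -> device name from the inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["UDID"].strip().lower(): r["DeviceName"] for r in rows}

def when(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def classify_deletes(records, udids, window=timedelta(hours=1)):
    """Label each delete using the nearest sync event by the same user and IP."""
    syncs = [r for r in records
             if r["Operation"] == "FileSyncDownloadedFull" and r.get("MachineId")]
    out = []
    for r in (x for x in records if x["Operation"] in DELETES):
        near = [s for s in syncs
                if (s["UserId"], s["ClientIP"]) == (r["UserId"], r["ClientIP"])
                and abs(when(s) - when(r)) <= window]
        if not near:
            verdict, mid = "unknown", None  # no sync event to borrow an ID from
        else:
            best = min(near, key=lambda s: abs(when(s) - when(r)))
            mid = best["MachineId"].lower()
            # A miss is not proof of an unmanaged device: per the thread,
            # only Macs showed a UDID that matches MachineId.
            verdict = "managed" if mid in udids else "no_udid_match"
        out.append((r["CreationTime"], r["UserId"], r["Operation"],
                    verdict, udids.get(mid)))
    return out

def demo():
    return classify_deletes(json.loads(AUDIT_JSON), load_udids(INTUNE_CSV))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Treat the result as a triage hint: a shared NAT address or a user with several devices on one network can attach a delete to the wrong machine.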
