Matching SharePoint machine ID to Intune

Brass Contributor

I am looking at some sharepoint logs for an alert but I cannot tell if the machine being used is one that is managed by our Intune or not. The machine ID from the sharepoint logs does not correspond to any format in Intune.

 

Is it possible to match these in some way or figure out if the machine is managed from SharePoint logs?

11 Replies
I don't have an example in front of me. But I think these ID's should be Azure AD devices IDs.

@Thijs Lecomte I was hoping that but it doesn't appear to be the case from what I can tell. I have a machine ID like this 547f88ef-15d4-407d-88bd-75d0edf8c7bc but my Azure AD / Intune device has an ID in a similar format that is completely different.

 

None of my devices appear to match this string.

Could you share the analytics query which throws the alert?
That way, I can check where the ID is coming from

@Thijs Lecomte Here is the query:

OfficeActivity
| where TimeGenerated > ago(15m)
| where OfficeWorkload == "SharePoint"
| where Operation in ("FileDeleted", "FileSyncDownloadedFull", "FolderDeleted", "FileDownloaded")
| summarize count() by bin(TimeGenerated, 15m), Operation, UserId, Site_Url, ClientIP
| where count_ > 100
| extend AccountCustomEntity = UserId
| extend IPCustomEntity = ClientIP
| extend URLCustomEntity = Site_Url

The info generated here is the same as what I can see in the Audit Logs in Security and Compliance center. 

 

Basically we're alerting for excessive downloads or deletions that might indicate malicious activity.

@endakelly 

 

You have made a really interesting point. I just searched for this information in my own environment, but couldn't find anything.

 

@Rod_Trent  any chance you can chime in and give us some more insights into how we can correlate machineID from the Sharepoint logs to an AAD device?

According to my research this is the Onedrive Machine ID, but I don't think there is a way to correlate it to AAD/Intune https://hansbrender.com/2020/01/15/the-onedrive-device-id/

The plot thickens on this one. So I was investigating another incident this morning and copied the machine id and checked it against Intune. Looking at the hardware properties for the users machines I found an attribute called UDID which is a perfect match 😄

 

Problem is, this attribute is not exposed in the graph api from what I can see so far using the https://graph.microsoft.com/v1.0/users/UPN/managedDevices query (same with beta).

 

This device was a Mac and this attribute looks to be unique to them. No attributes for Windows have matching Machine IDs.

 

Machine ID is only an attribute on the FileSyncDownloadedFull operation which isn't a massive deal but it would be nice to be able to correlate Machine IDs with FileDelete and FolderDelete operations too so you can be sure if a mass delete happened from a managed device or not.

 

Is it possible to have this UDID attribute exposed to the graph api or is there another query I should be using?

I have been looking into this as well.
https://github.com/MicrosoftDocs/azure-docs/issues/55589


I haven't found anything with it, I have opened up a support case

@Thijs Lecomte did you ever get a reply to the support ticket?

Yeah, there is currently no way...
I have launched a UserVoice and I am also in contact with a Sharepoint PM.
https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/40902784-ma...