Intune Audit Logs: Track Who Created or Deleted a Device Configuration Policy

Let’s check Intune audit logs to track who created or deleted a device configuration policy in Intune, aka the MEM portal. In this post, you will see how to find who created or deleted a device configuration policy. Audit logs include a record of activities that generate a change in Microsoft Intune.

Create, update (edit), delete, assign, and remote actions all create audit events that administrators can review for most Intune workloads. Intune audit logs are useful for tracking who did what in your MEM environment.

The audit logs will help you get answers for most of the unforeseen issues in the environment. This post tracks who created or deleted device configuration profiles.

Who can access the data from Intune Audit Logs?

Users with the following permissions can review audit logs –

  • Global Administrator
  • Intune Service Administrator
  • Administrators assigned to an Intune role with Audit data – Read permissions

Who Created Device Configuration Policy

You can find audit logs in the Intune admin center. You can review audit logs in the monitoring group for each Intune workload.

  • Sign in to https://intune.microsoft.com/
  • Select Tenant administration > Audit logs.
  • To filter the results, select Filter, refine the results using the following options, and select Apply.
    • Category: such as ComplianceDevice, and Role.
    • Activity: the options listed here are restricted by the option chosen under Category.
    • Date range: you can choose logs for the previous month, week, or day.

Let’s check who has created and deleted the device configuration profile. Click Filter, select the following options to get the details for the created device configuration policy, and click Apply.

  • Category -> DeviceConfiguration
  • Activity -> Create DeviceManagementConfigurationPolicy
  • Date range -> 7 Days

Once any of the actions are performed by users, you can directly visit audit logs to see recent actions. I have also noticed that Audit logs in the MEM portal are very short-lived or removed immediately.

The following are some of the categories available for MEM portal audit logs. You can select an item in the list to see the activity details.

  • Date – Date of the activities.
  • Initiated by (actor) – Who initiated the action? Admin or application?
  • Application name – The API name of the application.
  • Activity – The API details with the Object ID.
  • Target – Profile name.
  • Category – Selected actions.


Activity details: Audit log
Activity
Date: Tue, 07 Dec 2021 08:51:04 GMT
Name: Create device configuration 2.0 (beta)
CorrelationID: 561f9ab9-7a1d-4ee3-b12f-93f06c4a0532
Category: DeviceConfiguration
Component: DeviceConfiguration
Activity Status
Status: Success
Operation Type: Create
Activity Type: Create DeviceManagementConfigurationPolicy
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s): 
Target(s)
Target
Type: DeviceManagementConfigurationPolicy
Name: Manage Device Power Options - HTMD Windows 10 Devices
ObjectID: 56cec9e0-9742-43c6-ad69-f23a5c7b4885
Modified Properties
Property: Name
New Value: Manage Device Power Options - HTMD Windows 10 Devices
Old Value: 
Property: Description
New Value: 
Old Value: 
Property: Platforms
New Value: Windows10
Old Value: 
Property: SettingCount
New Value: 2
Old Value: 
Property: DeviceManagementAPIVersion
New Value: 5021-10-06
Old Value: 

Who Deleted Device Configuration Policy

Similarly, you can click Filter to check the deletion of device configuration profiles from the Intune portal. Here, you need to select the Filter options to get the details of who has deleted device configuration profiles.

Select the following options to get the details for the deleted device configuration policy and click Apply.

  • Category -> DeviceConfiguration
  • Activity -> Delete DeviceManagementConfigurationPolicy
  • Date range -> 1 Month

The following are some of the categories available for MEM portal audit logs. You can select an item in the list to see the activity details.

  • Date – Date of the activities.
  • Initiated by (actor) – Who initiated the action? Admin or application?
  • Application name – The API name of the application.
  • Activity – The API details with the Object ID.
  • Target – Profile name.
  • Category – Selected actions.


Here you can see the activity details for the deleted device management configuration profile.

Activity details: Audit log
Activity
Date: Wed, 08 Dec 2021 12:34:36 GMT
Name: Delete device configuration 2.0 (beta)
CorrelationID: f6fb0ee1-0d30-4c7e-9d50-e262b313435f
Category: DeviceConfiguration
Component: DeviceConfiguration
Activity Status
Status: Success
Operation Type: Delete
Activity Type: Delete DeviceManagementConfigurationPolicy
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s): 
Target(s)
Target
Type: DeviceManagementConfigurationPolicy
Name: Block Windows Updates - HTMD Devices
ObjectID: 80c117fc-1688-484f-a405-ebf86f37707a
Modified Properties
Property: Name
New Value: Block Windows Updates - HTMD Devices
Old Value: 
Property: Description
New Value: 
Old Value: 
Property: Platforms
New Value: Windows10
Old Value: 
Property: SettingCount
New Value: 1
Old Value: 
Property: DeviceManagementAPIVersion
New Value: 5021-10-06
Old Value: 

KQL Query for Devices Deleted from Intune

You can use the following KQL query, shared by MVP Elli (IR), to get a quick overview of deleted devices.

IntuneAuditLogs
| where TimeGenerated >= ago(31d)
| where OperationName has "Delete ManagedDevice"
| extend TargetDisplayNames = tostring(parse_json(tostring(parse_json(Properties).TargetDisplayNames))[0])
| extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0])
| join kind=leftouter IntuneDevices on DeviceId
| project TimeGenerated, TargetDisplayNames, Identity, OperationName, DeviceId
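
The same table can answer this post's question about configuration policies. The query below is an added example, not part of the original post or of the query shared above. It assumes Intune audit logs are exported to a Log Analytics workspace and that OperationName carries the same string the portal shows as Activity Type; the output column names are illustrative.

```kql
// Added example: pair create and delete events per device configuration policy.
// Assumptions: IntuneAuditLogs is populated in the workspace, and OperationName
// matches the portal's "Activity Type" value shown in the activity details.
let lookback = 31d;
IntuneAuditLogs
| where TimeGenerated >= ago(lookback)
| where OperationName in~ (
    "Create DeviceManagementConfigurationPolicy",
    "Delete DeviceManagementConfigurationPolicy")
| extend Props = parse_json(Properties)
// Same Properties fields the device query above reads, applied to policies.
| extend PolicyId   = tostring(Props.TargetObjectIds[0]),
         PolicyName = tostring(parse_json(tostring(Props.TargetDisplayNames))[0]),
         Action     = iff(OperationName startswith "Delete", "Deleted", "Created")
| summarize
    PolicyName = take_any(PolicyName),
    CreatedAt  = minif(TimeGenerated, Action == "Created"),
    CreatedBy  = take_anyif(Identity, Action == "Created"),
    DeletedAt  = maxif(TimeGenerated, Action == "Deleted"),
    DeletedBy  = take_anyif(Identity, Action == "Deleted")
  by PolicyId
// Flag policies removed by an account other than the one that created them.
// CreatedBy stays empty when the creation happened before the lookback window.
| extend DeletedByOtherAdmin =
    isnotempty(CreatedBy) and isnotempty(DeletedBy) and CreatedBy !~ DeletedBy
| order by DeletedAt desc, CreatedAt desc
```

Rows with DeletedAt set and CreatedBy empty are deletions of policies older than the lookback window; widen `lookback` within the workspace's retention to resolve the creator.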

Author

About Author -> Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10, Windows 11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
