How can we know which device was wiped from the Tenant Admin Logs > Devices > Activity "wipe ManagedDevice"

Kristian Cardona 6 Reputation points
2022-11-21T09:45:40.613+00:00

Hi

The security team approached us to provide them with logs for a device that an Admin wiped on Azure Endpoint.

We used the Tenant Admin Logs to search for the event by date and action, but couldn't correlate it to a specific device since the log event does not include the Device ID.

We tried to search for the event from the Admin logs that we are downloading daily from Azure Graph API but it seems that the wipe activity is not being logged there.

Is there a way to find out the device ID from the Tenant Admin Logs in the case of a wipe event?

Azure Active Directory

2 answers

  1. Sandeep G-MSFT 7,441 Reputation points Microsoft Employee
    2022-11-22T08:07:08.28+00:00

    @Kristian Cardona

    Thank you for posting this in Microsoft Q&A platform.

    You can look at the Azure AD audit logs to get more information about the device and the timestamp of the delete operation.

    • You will have to log in to the Azure AD portal.
    • Access the Azure Active Directory blade in the left pane.
    • Now, you can click on the Devices tab on the left and then click on Audit logs.
    • In the list of audit logs, you have to click on the Activity filter at the top and select "delete device".
    • You will be able to see all the logs for deleted devices.
    • Once you click on a specific log, you will be able to see the UPN of the user who initiated it, and there will also be the device ID of the device which was deleted.

    262949-audit-logs.jpg

    Do let me know if this answers your question.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Akshay-MSFT 5,996 Reputation points Microsoft Employee
    2022-12-08T07:38:40.817+00:00

    Hello @Kristian Cardona

    • You could find them in the Tenant Admin Logs with the following filters:

    268542-image.png

    • Once selected, compare the wipe event ObjectID with the Intune device ID in the Hardware blade of the device.

    268532-image.png

    Please do let me know if you have any queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
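
The comparison described in the second answer, matching a wipe event's ObjectID against Intune device IDs, can be scripted once the audit events and a device inventory have been exported. This is an added example, not part of the original thread or Microsoft's own code; all records are constructed, and the field names (`displayName`, `resources[].resourceId`, `actor.userPrincipalName`, device `id` and `deviceName`) assume exports shaped like the Microsoft Graph `auditEvent` and `managedDevice` resources.

```python
# Added example: join Intune wipe audit events to device records by object ID.
# All records below are constructed; field names are assumed to follow the
# Microsoft Graph auditEvent / managedDevice export shape.

AUDIT_EVENTS = [  # constructed sample
    {"activityDateTime": "2022-11-18T14:02:11Z", "displayName": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "admin1@contoso.example"},
     "resources": [{"resourceId": "A1B2C3D4-0000-4000-8000-000000000001"}]},
    {"activityDateTime": "2022-11-18T09:30:00Z", "displayName": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "admin2@contoso.example"},
     "resources": [{"resourceId": "a1b2c3d4-0000-4000-8000-000000000099"}]},
    {"activityDateTime": "2022-11-18T10:00:00Z", "displayName": "syncDevice ManagedDevice",
     "actor": {"userPrincipalName": "admin1@contoso.example"},
     "resources": [{"resourceId": "a1b2c3d4-0000-4000-8000-000000000001"}]},
]

DEVICES = [  # constructed inventory export
    {"id": "a1b2c3d4-0000-4000-8000-000000000001", "deviceName": "LAPTOP-017"},
    {"id": "a1b2c3d4-0000-4000-8000-000000000002", "deviceName": "LAPTOP-018"},
]


def correlate_wipes(events, devices, activity="wipe ManagedDevice"):
    """Return one finding per wiped object, oldest first."""
    # GUID casing can differ between exports, so compare lower-cased.
    by_id = {d["id"].lower(): d for d in devices}
    findings = []
    for ev in events:
        if ev.get("displayName", "").lower() != activity.lower():
            continue
        for res in ev.get("resources") or []:
            rid = (res.get("resourceId") or "").lower()
            dev = by_id.get(rid)
            findings.append({
                "time": ev.get("activityDateTime"),
                "actor": (ev.get("actor") or {}).get("userPrincipalName"),
                "object_id": rid,
                # None means the device is no longer in the inventory export.
                "device_name": dev["deviceName"] if dev else None,
            })
    return sorted(findings, key=lambda f: f["time"] or "")


if __name__ == "__main__":
    for f in correlate_wipes(AUDIT_EVENTS, DEVICES):
        print(f["time"], f["actor"], f["object_id"], f["device_name"] or "<not in inventory>")
```

A wipe whose object ID has no match in the inventory still appears in the result, with `device_name` set to `None`, so the event is not silently dropped when the device record has already been removed.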
