Devices Randomly added to group in Intune by Service Principal

Ahmed Sh 100 Reputation points
2024-08-21T07:04:56.17+00:00

Some devices are being added to a group in Intune randomly. Sometimes this group is a disk encryption scoped policy group, which causes the devices to double encrypt if already encrypted and causes a BitLocker recovery screen upon restart.

This can also be solved by removing the encryption. However, why does it happen?

While the "add member to group" activity in audit logs usually shows a user "admin" as the culprit, some users are added using a Service Principal which corresponds to the "Microsoft Intune" application, with no user culprit and no further context. Both Azure Audit and Compliance audit show the same results.

In some instances, if we go back far enough, we can find a user adding a device to the group and no "remove device from group" event; then later the device gets added to the group in another event by Microsoft Intune, which is kind of strange.

Any idea why or how this can be checked further?


2 answers

  1. Crystal-MSFT 47,616 Reputation points Microsoft Vendor
    2024-08-22T01:53:08.42+00:00

    @Ahmed Sh, thanks for posting in Q&A. For the affected device group, is it a dynamic group? If this is a dynamic group, it will automatically add the device into the group based on an expression you create.

    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership

    Meanwhile, please also check if any admin is using the Graph API to add the device into the affected group.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Ahmed Sh 100 Reputation points
    2024-08-22T06:25:41.5+00:00

    @Crystal-MSFT Thanks for your reply. Please note that this is indeed an assigned membership group, not dynamic.

    No admins are using the Graph API, as there is a clear process for this purpose. However, even if so, such action should be trackable.
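The check discussed in this thread (who initiated each "Add member to group" event, and whether a device was added again with no remove event in between), as an added example that is not part of the thread and not Microsoft's code: a Python triage over Entra ID directory audit records shaped like the Graph `/auditLogs/directoryAudits` response. The sample records, device IDs, group IDs and account names are constructed; the only schema assumptions are that app-initiated events carry `initiatedBy.app` and no user, and that the group appears as a JSON-encoded `Group.ObjectID` in the member's `modifiedProperties`.

```python
import json
from collections import defaultdict

def _rec(when, name, by, device, group):  # minimal directoryAudits-shaped record (constructed)
    return {"activityDateTime": when, "activityDisplayName": name, "initiatedBy": by,
            "targetResources": [{"id": device, "type": "Device", "modifiedProperties": [
                {"displayName": "Group.ObjectID", "newValue": json.dumps(group)}]}]}

ADMIN = {"user": {"userPrincipalName": "admin@example.test"}}   # made-up admin account
INTUNE = {"app": {"displayName": "Microsoft Intune"}}          # app initiator, no user at all
SAMPLE_AUDITS = [  # constructed: dev-1 is added by an admin, then again by the service principal
    _rec("2024-08-01T09:00:00Z", "Add member to group", ADMIN, "dev-1", "grp-bde"),
    _rec("2024-08-05T10:00:00Z", "Add member to group", INTUNE, "dev-1", "grp-bde"),
    _rec("2024-08-06T11:00:00Z", "Add member to group", ADMIN, "dev-2", "grp-other"),
    _rec("2024-08-07T12:00:00Z", "Remove member from group", ADMIN, "dev-3", "grp-bde"),
]

def initiator(rec):
    """('user', UPN) or ('app', display name): app-initiated adds carry no user."""
    by = rec.get("initiatedBy") or {}
    if by.get("user"):
        return "user", by["user"].get("userPrincipalName", "?")
    return "app", (by.get("app") or {}).get("displayName", "?")

def group_of(rec):
    """Group.ObjectID is a JSON-encoded string inside the member's modifiedProperties."""
    for tr in rec.get("targetResources", []):
        for prop in tr.get("modifiedProperties", []):
            if prop.get("displayName") == "Group.ObjectID" and prop.get("newValue"):
                return json.loads(prop["newValue"])

def suspicious_adds(records, group_id):
    """Per device in one group: flag app-initiated adds and adds with no remove since the last add."""
    events = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["activityDateTime"]):
        name = rec.get("activityDisplayName", "")
        if name not in ("Add member to group", "Remove member from group") or group_of(rec) != group_id:
            continue
        for tr in rec["targetResources"]:
            if tr.get("type") == "Device":  # the member; the group itself is only in Group.ObjectID
                events[tr["id"]].append((rec["activityDateTime"], name.startswith("Add")) + initiator(rec))
    findings = []
    for device, evs in events.items():
        member = False  # membership state as reconstructed from the log alone
        for when, is_add, kind, who in evs:
            if is_add and kind == "app":
                findings.append((device, when, f"added by service principal {who}"))
            if is_add and member:
                findings.append((device, when, "re-added with no remove event in between"))
            member = is_add
    return findings
```

Point it at the records exported for the affected group: every finding with an app initiator and no user is one to correlate with Intune-side changes (policy or filter assignment) rather than with admin activity.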

