M365 audit log incorrectly reflects compliant/managed status of devices in sign-in events
Summary
When comparing the Entra ID SignInLogs and the M365 Audit log for the same sign-in, the DeviceProperties values for IsCompliant and IsCompliantAndManaged seem wrong in the M365 log.
Examples
Below are examples of 3 configurations:
- Example 1: compliant and managed (Compliant=True, Managed=True)
- Example 2: compliant, but not managed (Compliant=True, Managed=False)
- Example 3: not compliant, but managed (Compliant=False, Managed=True)
For each, abbreviated events from the Entra ID SignInLogs and Microsoft 365 Audit log are compared.
The events are from the same sign-in, as shown by the event ID (properties.id / IntraSystemId).
Example 1: compliant and managed
Device status:
- Compliant: True
- Managed: True
Entra ID SignInLogs:
{
"category": "SignInLogs",
"properties": {
"id": "363489d0-ad51-4574-a405-93d0388c3400",
"deviceDetail": {
"isCompliant": true,
"isManaged": true,
✅ The Entra ID event is as expected.
Microsoft 365 Audit log:
{
"Operation": "UserLoggedIn",
"IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400",
"DeviceProperties": [
{
"Name": "IsCompliant",
"Value": "True"
},
{
"Name": "IsCompliantAndManaged",
"Value": "True"
},
✅ The M365 event is as expected.
Example 2: compliant, but not managed
Device status:
- Compliant: True
- Managed: False
Entra ID SignInLogs:
{
"category": "SignInLogs",
"properties": {
"id": "3514ec83-0454-4494-8f05-0651fbb1e500",
"deviceDetail": {
"isCompliant": true,
👀 Note: properties.deviceDetail.isManaged is not present (equivalent to False).
✅ The Entra ID event is as expected.
Microsoft 365 Audit log:
{
"Operation": "UserLoggedIn",
"IntraSystemId": "3514ec83-0454-4494-8f05-0651fbb1e500",
"DeviceProperties": [
{
"Name": "IsCompliantAndManaged",
"Value": "True"
},
👀 Note: DeviceProperties[Name=IsCompliant] is not present (equivalent to False).
⚠️ Unexpected:
- DeviceProperties[Name=IsCompliant] should be present, and have Value=True.
- DeviceProperties[Name=IsCompliantAndManaged] should not be present, or have Value=False.
Expected Microsoft 365 Audit log:
{
"Operation": "UserLoggedIn",
"IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400",
"DeviceProperties": [
+ {
+ "Name": "IsCompliant",
+ "Value": "True"
+ },
- {
- "Name": "IsCompliantAndManaged",
- "Value": "True"
- },
Example 3: not compliant, but managed
Device status:
- Compliant: False
- Managed: True
Entra ID SignInLogs:
{
"category": "SignInLogs",
"properties": {
"id": "4f7cf3ee-cebd-4918-966d-622f65891300",
"deviceDetail": {
"isManaged": true,
👀 Note: properties.deviceDetail.isCompliant is not present (equivalent to False).
✅ The Entra ID event is as expected.
Microsoft 365 Audit log:
{
"Operation": "UserLoggedIn",
"IntraSystemId": "4f7cf3ee-cebd-4918-966d-622f65891300",
"DeviceProperties": [
{
"Name": "IsCompliant",
"Value": "True"
},
👀 Note: DeviceProperties[Name=IsCompliantAndManaged] is not present (equivalent to False).
⚠️ Unexpected: DeviceProperties[Name=IsCompliant] should not be present, or have Value=False.
Expected Microsoft 365 Audit log:
{
"Operation": "UserLoggedIn",
"IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400",
"DeviceProperties": [
- {
- "Name": "IsCompliant",
- "Value": "True"
- },
Hypothesis
It appears that the M365 logs report a device as:
- IsCompliant when it is in fact managed, regardless of whether it is compliant;
- IsCompliantAndManaged when it is compliant, regardless of whether it is managed.
Note that this issue has been observed on multiple tenants.
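To check a tenant for the same discrepancy, the two logs can be joined on properties.id / IntraSystemId and compared field by field. The following is an added example, not part of the original write-up: the function names are hypothetical, the sample events are constructed from the three abbreviated examples above, and it assumes that IsCompliantAndManaged should mean "compliant and managed" and that an absent field is equivalent to False.

```python
import json

# Constructed sample events, reduced to the fields shown in the three examples above.
ENTRA = json.loads("""[
 {"properties": {"id": "363489d0-ad51-4574-a405-93d0388c3400",
                 "deviceDetail": {"isCompliant": true, "isManaged": true}}},
 {"properties": {"id": "3514ec83-0454-4494-8f05-0651fbb1e500",
                 "deviceDetail": {"isCompliant": true}}},
 {"properties": {"id": "4f7cf3ee-cebd-4918-966d-622f65891300",
                 "deviceDetail": {"isManaged": true}}}
]""")
M365 = json.loads("""[
 {"Operation": "UserLoggedIn", "IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400",
  "DeviceProperties": [{"Name": "IsCompliant", "Value": "True"},
                       {"Name": "IsCompliantAndManaged", "Value": "True"}]},
 {"Operation": "UserLoggedIn", "IntraSystemId": "3514ec83-0454-4494-8f05-0651fbb1e500",
  "DeviceProperties": [{"Name": "IsCompliantAndManaged", "Value": "True"}]},
 {"Operation": "UserLoggedIn", "IntraSystemId": "4f7cf3ee-cebd-4918-966d-622f65891300",
  "DeviceProperties": [{"Name": "IsCompliant", "Value": "True"}]}
]""")

def entra_flags(event):
    """Values the M365 event should carry, derived from the Entra ID event."""
    detail = event["properties"].get("deviceDetail", {})
    compliant = bool(detail.get("isCompliant", False))  # absent == False
    managed = bool(detail.get("isManaged", False))      # absent == False
    # Assumption: IsCompliantAndManaged means compliant AND managed.
    return {"IsCompliant": compliant, "IsCompliantAndManaged": compliant and managed}

def m365_flags(event):
    """Values actually present in the M365 event's DeviceProperties list."""
    props = {p["Name"]: p.get("Value", "") for p in event.get("DeviceProperties", [])}
    return {name: str(props.get(name, "False")).lower() == "true"
            for name in ("IsCompliant", "IsCompliantAndManaged")}

def find_mismatches(entra_events, m365_events):
    """Map sign-in id -> {field: (expected, observed)} for every disagreeing field."""
    audit = {e["IntraSystemId"]: e for e in m365_events
             if e.get("Operation") == "UserLoggedIn"}
    out = {}
    for ev in entra_events:
        sid = ev["properties"]["id"]
        if sid not in audit:
            continue  # no matching M365 event to compare against
        expected, observed = entra_flags(ev), m365_flags(audit[sid])
        diff = {k: (expected[k], observed[k]) for k in expected if expected[k] != observed[k]}
        if diff:
            out[sid] = diff
    return out
```

On the sample data, find_mismatches(ENTRA, M365) flags the sign-ins from Example 2 and Example 3 and leaves Example 1 out. Until the discrepancy is resolved, detections that depend on device state are better keyed on the Entra ID deviceDetail values than on the M365 DeviceProperties.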