M365 audit log incorrectly reflects compliant/managed status of devices in sign-in events

Grégoire CLERMONT 0 Reputation points
2024-10-14T16:28:43.5433333+00:00

Summary

When comparing the Entra ID SignInLogs and M365 Audit log for the same sign-in, the DeviceProperties values for IsCompliant and IsCompliantAndManaged seem wrong in the M365 log.

Examples

Below are examples of 3 configurations:

  • Example 1: compliant and managed (Compliant=True, Managed=True)
  • Example 2: compliant, but not managed (Compliant=True, Managed=False)
  • Example 3: not compliant, but managed (Compliant=False, Managed=True)

For each, abbreviated events from the Entra ID SignInLogs and Microsoft 365 Audit log are compared.
The events are from the same sign-in, as shown by the event ID (properties.id/IntraSystemId).

Example 1: compliant and managed

Device status:

  • Compliant: True
  • Managed: True

Entra ID SignInLogs:

{
    "category": "SignInLogs",
    "properties": {
        "id": "363489d0-ad51-4574-a405-93d0388c3400",
        "deviceDetail": {
            "isCompliant": true,
            "isManaged": true,

✅ The Entra ID event is as expected.

Microsoft 365 Audit log:

{
    "Operation": "UserLoggedIn",
    "IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400",
    "DeviceProperties": [
        {
            "Name": "IsCompliant",
            "Value": "True"
        },
        {
            "Name": "IsCompliantAndManaged",
            "Value": "True"
        },

✅ The M365 event is as expected.

Example 2: compliant, but not managed

Device status:

  • Compliant: True
  • Managed: False

Entra ID SignInLogs:

{
    "category": "SignInLogs",
    "properties": {
        "id": "3514ec83-0454-4494-8f05-0651fbb1e500",
        "deviceDetail": {
            "isCompliant": true,

👀 Note: properties.deviceDetail.isManaged is not present (equivalent to False).

✅ The Entra ID event is as expected.

Microsoft 365 Audit log:

{
    "Operation": "UserLoggedIn",
    "IntraSystemId": "3514ec83-0454-4494-8f05-0651fbb1e500",
    "DeviceProperties": [
        {
            "Name": "IsCompliantAndManaged",
            "Value": "True"
        },

👀 Note: DeviceProperties[Name=IsCompliant] is not present (equivalent to False).
⚠️ Unexpected:

  • DeviceProperties[Name=IsCompliant] should be present, and have Value=True.
  • DeviceProperties[Name=IsCompliantAndManaged] should not be present, or have Value=False.

Expected Microsoft 365 Audit log:

{
    "Operation": "UserLoggedIn",
    "IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400",
    "DeviceProperties": [
+       {
+           "Name": "IsCompliant",
+           "Value": "True"
+       },
-       {
-           "Name": "IsCompliantAndManaged",
-           "Value": "True"
-       },
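
Review bot: The context line "IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400" carries the Example 1 ID, while the observed Example 2 event that this diff corrects has 3514ec83-0454-4494-8f05-0651fbb1e500. Keep the Example 2 ID in the expected event so that it still correlates with its SignInLogs record.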

Example 3: not compliant, but managed

Device status:

  • Compliant: False
  • Managed: True

Entra ID SignInLogs:

{
    "category": "SignInLogs",
    "properties": {
        "id": "4f7cf3ee-cebd-4918-966d-622f65891300",
        "deviceDetail": {
            "isManaged": true,

👀 Note: properties.deviceDetail.isCompliant is not present (equivalent to False).
✅ The Entra ID event is as expected.

Microsoft 365 Audit log:

{
    "Operation": "UserLoggedIn",
    "IntraSystemId": "4f7cf3ee-cebd-4918-966d-622f65891300",
    "DeviceProperties": [
        {
            "Name": "IsCompliant",
            "Value": "True"
        },

👀 Note: DeviceProperties[Name=IsCompliantAndManaged] is not present (equivalent to False).
⚠️ Unexpected: DeviceProperties[Name=IsCompliant] should not be present, or have Value=False.

Expected Microsoft 365 Audit log:

{
    "Operation": "UserLoggedIn",
    "IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400",
    "DeviceProperties": [
-       {
-           "Name": "IsCompliant",
-           "Value": "True"
-       },
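
Review bot: The context line "IntraSystemId": "363489d0-ad51-4574-a405-93d0388c3400" is the Example 1 ID, but the observed Example 3 event shown above uses 4f7cf3ee-cebd-4918-966d-622f65891300. The expected event should keep the Example 3 ID, since that value is the join key to the SignInLogs record.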

Hypothesis

It appears that the M365 logs say that a device

  • IsCompliant when it is in fact managed, regardless of whether it is compliant;
  • IsCompliantAndManaged when it is compliant, regardless of whether it is managed.

Note that this issue has been observed on multiple tenants.
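
An added example, not part of the original post and not Microsoft code: a Python cross-check that joins the two logs on properties.id / IntraSystemId and reports each DeviceProperties flag that disagrees with the Entra ID deviceDetail, treating absent fields as False as the post does. The helper names and the completed record shapes are assumptions; the IDs and flag values are those of the three examples above.

```python
def entra_state(event):
    """Return (compliant, managed); an absent key counts as False."""
    detail = event.get("properties", {}).get("deviceDetail", {})
    return bool(detail.get("isCompliant")), bool(detail.get("isManaged"))

def m365_flags(record):
    """Return both DeviceProperties flags as booleans; an absent entry is False."""
    seen = {p["Name"]: str(p.get("Value", "")).lower() == "true"
            for p in record.get("DeviceProperties", [])}
    return {n: seen.get(n, False) for n in ("IsCompliant", "IsCompliantAndManaged")}

def find_mismatches(entra_events, m365_records):
    """Join on properties.id == IntraSystemId; list flags that disagree."""
    by_id = {e["properties"]["id"]: e for e in entra_events}
    findings = []
    for rec in m365_records:
        src = by_id.get(rec.get("IntraSystemId"))
        if rec.get("Operation") != "UserLoggedIn" or src is None:
            continue  # not a sign-in, or nothing to compare against
        compliant, managed = entra_state(src)
        expected = {"IsCompliant": compliant,
                    "IsCompliantAndManaged": compliant and managed}
        logged = m365_flags(rec)
        for name, want in expected.items():
            if logged[name] != want:
                findings.append((rec["IntraSystemId"], name, logged[name], want))
    return findings

# Hypothetical helpers that rebuild the post's abbreviated events as full records.
def _entra(event_id, **detail):
    return {"category": "SignInLogs", "properties": {"id": event_id, "deviceDetail": detail}}

def _m365(event_id, *true_flags):
    return {"Operation": "UserLoggedIn", "IntraSystemId": event_id,
            "DeviceProperties": [{"Name": n, "Value": "True"} for n in true_flags]}

IDS = ("363489d0-ad51-4574-a405-93d0388c3400",
       "3514ec83-0454-4494-8f05-0651fbb1e500",
       "4f7cf3ee-cebd-4918-966d-622f65891300")
ENTRA = [_entra(IDS[0], isCompliant=True, isManaged=True),
         _entra(IDS[1], isCompliant=True),
         _entra(IDS[2], isManaged=True)]
M365 = [_m365(IDS[0], "IsCompliant", "IsCompliantAndManaged"),
        _m365(IDS[1], "IsCompliantAndManaged"),
        _m365(IDS[2], "IsCompliant")]

if __name__ == "__main__":
    for finding in find_mismatches(ENTRA, M365):
        print("%s: %s logged=%s, expected=%s" % finding)
```

Each finding is a tuple of (sign-in ID, flag name, value logged by M365, value implied by Entra ID), so a detection that relies on M365 device posture can be audited against the SignInLogs source.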
