Intune Audit Logs Track Who Created Deleted Device Configuration Policy

Let’s check Intune Audit logs to track who Created Deleted Device Configuration Policy from Intune, aka MEM Portal. In this post, you will see how you can find who created or deleted the device configuration policy. Audit logs include a record of activities that generate a change in Microsoft Intune.

Create, update (edit), delete, assign, and remote actions all create audit events that administrators can review for most Intune workloads. Intune Audit Logs are constructive to track who did what in your MEM environment.

The Audit Logs will help you get answers for most of the unforeseen issues in the environment. This post will track who created or deleted device configuration profiles.

Who can access the data from Intune Audit Logs?

Users with the following permissions can review audit logs –

Patch My PC
  • Global Administrator
  • Intune Service Administrator
  • Administrators assigned to an Intune role with Audit data – Read permissions

Who Created Device Configuration Policy

You can find audit logs in the Intune Admin center portal. You can review audit logs in the monitoring group for each Intune workload

  • Sign in to the https://intune.microsoft.com/
  • Select Tenant administration > Audit logs.
Intune Audit logs - Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Intune Audit logs – Intune Audit Logs Track Who Created Deleted Device Configuration Policy
  • To filter the results, select Filter and refine the results using the following options and Select Apply.
    • Category: such as ComplianceDevice, and Role.
    • Activity: the options listed here are restricted by the option chosen under Category.
    • Date range: you can choose logs for the previous month, week, or day.
Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Intune Audit Logs Track Who Created Deleted Device Configuration Policy

Let’s check who has created and deleted the device configuration profile. You need to click on Filter and select the following options to get the details for created device configuration policy and click Apply

Adaptiva
  • Catagory -> DeviceConfiguration
  • Activity -> Create DeviceManagementConfigurationPolicy
  • Date range -> 7 Days
Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Intune Audit Logs Track Who Created Deleted Device Configuration Policy

Once any of the actions are performed by users, you can directly visit audit logs to see recent actions. I have also noticed that Audit logs in the MEM portal are very short-lived or removed immediately.

The following are some of the categories available for MEM portal audit logs. You can select an item in the list to see the activity details.

Date – Date of the activities.
Initiated by (actor) –
Who Initiated the Action? Admin or Application?
Application name –
The API name of the application.
Activity –
The API details with the Object ID.
Target –
Profile Name
Category –
Selected Actions

Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Intune Audit Logs Track Who Created Deleted Device Configuration Policy

Activity details: Audit log
Activity
Date: Tue, 07 Dec 2021 08:51:04 GMT
Name: Create device configuration 2.0 (beta)
CorrelationID: 561f9ab9-7a1d-4ee3-b12f-93f06c4a0532
Category: DeviceConfiguration
Component: DeviceConfiguration
Activity Status
Status: Success
Operation Type: Create
Activity Type: Create DeviceManagementConfigurationPolicy
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s): 
Target(s)
Target
Type: DeviceManagementConfigurationPolicy
Name: Manage Device Power Options - HTMD Windows 10 Devices
ObjectID: 56cec9e0-9742-43c6-ad69-f23a5c7b4885
Modified Properties
Property: Name
New Value: Manage Device Power Options - HTMD Windows 10 Devices
Old Value: 
Property: Description
New Value: 
Old Value: 
Property: Platforms
New Value: Windows10
Old Value: 
Property: SettingCount
New Value: 2
Old Value: 
Property: DeviceManagementAPIVersion
New Value: 5021-10-06
Old Value: 

Who Deleted Device Configuration Policy

Similarly, You can click on Filter to check the deletion of device configuration profiles from Intune portal. Here, you need to select Filter’s options to get the details of who has deleted device configuration profiles.

Select the following options to get the details for created device configuration policy and click Apply

  • Catagory -> DeviceConfiguration
  • Activity -> Delete DeviceManagementConfigurationPolicy
  • Date range -> 1 Month
Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Intune Audit Logs Track Who Created Deleted Device Configuration Policy

The following are some of the categories available for MEM portal audit logs. You can select an item in the list to see the activity details.

Date – Date of the activities.
Initiated by (actor) –
Who Initiated the Action? Admin or Application?
Application name –
The API name of the application.
Activity –
The API details with the Object ID.
Target –
Profile Name
Category –
Selected Actions

Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Intune Audit Logs Track Who Created Deleted Device Configuration Policy

Here you can see the activity details for the delete device management configuration profiles.

Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Intune Audit Logs Track Who Created Deleted Device Configuration Policy
Activity details: Audit log
Activity
Date: Wed, 08 Dec 2021 12:34:36 GMT
Name: Delete device configuration 2.0 (beta)
CorrelationID: f6fb0ee1-0d30-4c7e-9d50-e262b313435f
Category: DeviceConfiguration
Component: DeviceConfiguration
Activity Status
Status: Success
Operation Type: Delete
Activity Type: Delete DeviceManagementConfigurationPolicy
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s): 
Target(s)
Target
Type: DeviceManagementConfigurationPolicy
Name: Block Windows Updates - HTMD Devices
ObjectID: 80c117fc-1688-484f-a405-ebf86f37707a
Modified Properties
Property: Name
New Value: Block Windows Updates - HTMD Devices
Old Value: 
Property: Description
New Value: 
Old Value: 
Property: Platforms
New Value: Windows10
Old Value: 
Property: SettingCount
New Value: 1
Old Value: 
Property: DeviceManagementAPIVersion
New Value: 5021-10-06
Old Value: 

KQL Query Devices Deleted from Intune

You can use the KQL query method to get a quick overview of deleted devices, shared by MVP Elli (IR)

IntuneAuditLogs | where TimeGenerated >= ago(31d) | where OperationName has "Delete ManagedDevice" | extend TargetDisplayNames = tostring(parse_json(tostring(parse_json(Properties).TargetDisplayNames))[0]) | extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0]) | join kind=leftouter IntuneDevices on DeviceId | project TimeGenerated, TargetDisplayNames, Identity, OperationName, DeviceId

Author

About Author -> Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10, Windows 11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.