Let’s learn who modified Intune App Deployment from audit reports. You can track and find out who created, modified, and deleted the Intune Application deployments.
Intune Audit Logs are constructive to track who did what in your MEM environment. Audit logs include a record of activities that generate a change and show details on each event or task performed in the environment.
Once any of the actions are performed by users, you can directly visit audit logs to see recent actions. We have noticed that Audit logs in the MEM portal are very short-lived or removed immediately from the dashboard.
Create, update (edit), delete, assign, and remote actions to create audit events that administrators can review for most Intune workloads. By default, auditing is enabled for all customers. It can’t be disabled.
To view or access the data from Intune audit logs, you must be in an administration role, Users will have the privilege of Global Administrator, Intune Service Administrator and Administrators assigned to an Intune role with Audit data – Read permissions.
- Intune Device Action Status Report | Endpoint Manager
- 63 Episodes Of Free Intune Training For Device Management Admins
- Intune Logs Event IDs IME Logs Details for Windows Client Side Troubleshooting
Who Created Intune Application Deployment
You can find audit logs in the MEM Admin center portal. You can review audit logs in the monitoring group for each Intune workload –
- Sign in to Microsoft Endpoint Manager Admin Center https://endpoint.microsoft.com/
- Select Tenant administration > Audit logs.
You need to click on Filter and select the following options to get the details for created application deployment and click Apply –
- Catagory -> Application
- Activity -> Create MobileAppsAssignment
- Date range -> 7 Days
The following are some of the categories available for MEM portal audit logs. You can select an item in the list to see the activity details.
Date – Date of the activities.
Initiated by (actor) – Who Initiated the Action? Admin or Application?
Application name – The API name of the application.
Activity – The API details with the Object ID.
Target – Profile Name
Category – Selected Actions
Here you can see the activity details for creating or modifying the application assignment.
Activity
Date: Fri, 24 Jun 2022 12:12:22 GMT
Name: Create MobileAppAssignment
CorrelationID: d1b151d2-9539-4d21-ae24-eb51326c797f
Category: Application
Component: MobileApp
Activity Status
Status: Success
Operation Type: Create
Activity Type: Create MobileAppAssignment
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s):
Target(s)
Target
Type: MobileApp
Name: 7-Zip 19.00 (x64 edition) V2.0
ObjectID: e7c81ec9-e3e4-432a-a06b-a0a7b210890e
Target
Type: MobileAppAssignment
Name: <null>
ObjectID: 05e7bef1-de42-40c1-b437-9e8c9f260e9a_0_0
Modified Properties
Property: Target.Type
New Value: GroupAssignmentTarget
Old Value:
Property: Settings.Type
New Value: <null>
Old Value:
Property: Id
New Value: 05e7bef1-de42-40c1-b437-9e8c9f260e9a_0_0
Old Value:
Property: Intent
New Value: Available
Old Value:
Property: Target.GroupId
New Value: Test IntuneDevices - Jitesh(05e7bef1-de42-40c1-b437-9e8c9f260e9a)
Old Value:
Property: Target.DeviceAndAppManagementAssignmentFilterId
New Value: <null>
Old Value:
Property: Target.DeviceAndAppManagementAssignmentFilterType
New Value: None
Old Value:
Property: Source
New Value: Direct
Old Value:
Property: SourceId
New Value: <null>
Old Value:
Property: DeviceManagementAPIVersion
New Value: 5022-04-14
Old Value: Who Deleted Application Deployment
Similarly, You can click on Filter to check the deletion of application deployment from Intune portal. Here, you need to select Filter’s options to get the details of who has deleted the application assignment.
Select the following options to get the details for Delete MobileAppAssignment and click Apply –
- Catagory -> Application
- Activity -> Delete MobileAppAssignment
- Date range -> 24 Hours
You can select results in the list to see the activity details.
Date – Date of the activities.
Initiated by (actor) – Who Initiated the Action? Admin or Application?
Application name – The API name of the application.
Activity – The API details with the Object ID.
Target – Profile Name
Category – Selected Actions
Here you can see the activity details for the delete application deployment.
Activity
Date: Fri, 24 Jun 2022 12:02:19 GMT
Name: Delete MobileAppAssignment
CorrelationID: 7797354d-e709-4ae7-b9c6-0cb7f5c927ce
Category: Application
Component: MobileApp
Activity Status
Status: Success
Operation Type: Delete
Activity Type: Delete MobileAppAssignment
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s):
Target(s)
Target
Type: MobileApp
Name: 7-Zip 19.00 (x64 edition) V2.0
ObjectID: e7c81ec9-e3e4-432a-a06b-a0a7b210890e
Target
Type: MobileAppAssignment
Name: <null>
ObjectID: 5d6ef719-0490-4311-ae26-f71de0086ba7_0_0
Modified Properties
Property: Target.Type
New Value: GroupAssignmentTarget
Old Value:
Property: Settings.Type
New Value: <null>
Old Value:
Property: Id
New Value: 5d6ef719-0490-4311-ae26-f71de0086ba7_0_0
Old Value:
Property: Intent
New Value: Available
Old Value:
Property: Target.GroupId
New Value: HTMD Users(5d6ef719-0490-4311-ae26-f71de0086ba7)
Old Value:
Property: Target.DeviceAndAppManagementAssignmentFilterId
New Value: <null>
Old Value:
Property: Target.DeviceAndAppManagementAssignmentFilterType
New Value: None
Old Value:
Property: Source
New Value: Direct
Old Value:
Property: SourceId
New Value: <null>
Old Value:
Property: DeviceManagementAPIVersion
New Value: 5022-04-14
Old Value:Intune Audit logs
Once any of the actions are performed by users, you can directly visit audit logs to see recent actions. I have also noticed that Audit logs in the MEM portal are very short-lived or removed immediately.
By usign the filter you can select a time range to go back up to a year.