Track Who Modified Intune App Deployment From Audit Logs

Let’s learn who modified Intune App Deployment from audit reports. You can track and find out who createdmodified, and deleted the Intune Application deployments.

Intune Audit Logs are constructive to track who did what in your MEM environment. Audit logs include a record of activities that generate a change and show details on each event or task performed in the environment.

Once any of the actions are performed by users, you can directly visit audit logs to see recent actions. We have noticed that Audit logs in the MEM portal are very short-lived or removed immediately from the dashboard.

Patch My PC

Create, update (edit), delete, assign, and remote actions to create audit events that administrators can review for most Intune workloads. By default, auditing is enabled for all customers. It can’t be disabled.

To view or access the data from Intune audit logs, you must be in an administration role, Users will have the privilege of Global Administrator, Intune Service Administrator and Administrators assigned to an Intune role with Audit data – Read permissions.

Who Created Intune Application Deployment

You can find audit logs in the MEM Admin center portal. You can review audit logs in the monitoring group for each Intune workload 

  • Sign in to Microsoft Endpoint Manager Admin Center https://endpoint.microsoft.com/
  • Select Tenant administration > Audit logs.
Intune Audit Logs - Track Who Modified Intune App Deployment From Audit Reports 1
Intune Audit Logs – Track Who Modified Intune App Deployment From Audit Reports 1

You need to click on Filter and select the following options to get the details for created application deployment and click Apply –

  • Catagory -> Application
  • Activity -> Create MobileAppsAssignment
  • Date range -> 7 Days
Create Intune App Deployment - Track Who Modified Intune App Deployment From Audit Reports 2
Create Intune App Deployment – Track Who Modified Intune App Deployment From Audit Reports 2

The following are some of the categories available for MEM portal audit logs. You can select an item in the list to see the activity details.

Date – Date of the activities.
Initiated by (actor) – 
Who Initiated the Action? Admin or Application?
Application name – 
The API name of the application.
Activity – 
The API details with the Object ID.
Target – 
Profile Name
Category –
 Selected Actions

Create Intune App Assignment - Track Who Modified Intune App Deployment From Audit Reports 3
Create Intune App Assignment – Track Who Modified Intune App Deployment From Audit Reports 3

Here you can see the activity details for creating or modifying the application assignment.

Activity Details - Track Who Modified Intune App Deployment From Audit Reports 4
Activity Details – Track Who Modified Intune App Deployment From Audit Reports 4
Activity
Date: Fri, 24 Jun 2022 12:12:22 GMT
Name: Create MobileAppAssignment
CorrelationID: d1b151d2-9539-4d21-ae24-eb51326c797f
Category: Application
Component: MobileApp
Activity Status
Status: Success
Operation Type: Create
Activity Type: Create MobileAppAssignment
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s): 
Target(s)
Target
Type: MobileApp
Name: 7-Zip 19.00 (x64 edition) V2.0
ObjectID: e7c81ec9-e3e4-432a-a06b-a0a7b210890e
Target
Type: MobileAppAssignment
Name: <null>
ObjectID: 05e7bef1-de42-40c1-b437-9e8c9f260e9a_0_0
Modified Properties
Property: Target.Type
New Value: GroupAssignmentTarget
Old Value: 
Property: Settings.Type
New Value: <null>
Old Value: 
Property: Id
New Value: 05e7bef1-de42-40c1-b437-9e8c9f260e9a_0_0
Old Value: 
Property: Intent
New Value: Available
Old Value: 
Property: Target.GroupId
New Value: Test IntuneDevices - Jitesh(05e7bef1-de42-40c1-b437-9e8c9f260e9a)
Old Value: 
Property: Target.DeviceAndAppManagementAssignmentFilterId
New Value: <null>
Old Value: 
Property: Target.DeviceAndAppManagementAssignmentFilterType
New Value: None
Old Value: 
Property: Source
New Value: Direct
Old Value: 
Property: SourceId
New Value: <null>
Old Value: 
Property: DeviceManagementAPIVersion
New Value: 5022-04-14
Old Value: 

Who Deleted Application Deployment

Similarly, You can click on Filter to check the deletion of application deployment from Intune portal. Here, you need to select Filter’s options to get the details of who has deleted the application assignment.

Select the following options to get the details for Delete MobileAppAssignment and click Apply –

  • Catagory -> Application
  • Activity -> Delete MobileAppAssignment
  • Date range -> 24 Hours
Filter Activity Details - Track Who Modified Intune App Deployment From Audit Reports 5
Filter Activity Details – Track Who Modified Intune App Deployment From Audit Reports 5

You can select results in the list to see the activity details.

Date – Date of the activities.
Initiated by (actor) – 
Who Initiated the Action? Admin or Application?
Application name – 
The API name of the application.
Activity – 
The API details with the Object ID.
Target – 
Profile Name
Category –
 Selected Actions

Delete MobileAppsAssignment - Track Who Modified Intune App Deployment From Audit Reports 6
Delete Intune App Assignment – Track Who Modified Intune App Deployment From Audit Reports 6

Here you can see the activity details for the delete application deployment.

Activity Details - Track Who Modified Intune App Deployment From Audit Reports 7
Activity Details – Track Who Modified Intune App Deployment From Audit Reports 7
Activity
Date: Fri, 24 Jun 2022 12:02:19 GMT
Name: Delete MobileAppAssignment
CorrelationID: 7797354d-e709-4ae7-b9c6-0cb7f5c927ce
Category: Application
Component: MobileApp
Activity Status
Status: Success
Operation Type: Delete
Activity Type: Delete MobileAppAssignment
Initiated By (Actor)
Type: ItPro
Upn: [email protected]
Application: Microsoft Intune portal extension
ApplicationID: 5926fc8e-304e-4f59-8bed-58ca97cc39a4
Scope Tag(s)
Tag(s): 
Target(s)
Target
Type: MobileApp
Name: 7-Zip 19.00 (x64 edition) V2.0
ObjectID: e7c81ec9-e3e4-432a-a06b-a0a7b210890e
Target
Type: MobileAppAssignment
Name: <null>
ObjectID: 5d6ef719-0490-4311-ae26-f71de0086ba7_0_0
Modified Properties
Property: Target.Type
New Value: GroupAssignmentTarget
Old Value: 
Property: Settings.Type
New Value: <null>
Old Value: 
Property: Id
New Value: 5d6ef719-0490-4311-ae26-f71de0086ba7_0_0
Old Value: 
Property: Intent
New Value: Available
Old Value: 
Property: Target.GroupId
New Value: HTMD Users(5d6ef719-0490-4311-ae26-f71de0086ba7)
Old Value: 
Property: Target.DeviceAndAppManagementAssignmentFilterId
New Value: <null>
Old Value: 
Property: Target.DeviceAndAppManagementAssignmentFilterType
New Value: None
Old Value: 
Property: Source
New Value: Direct
Old Value: 
Property: SourceId
New Value: <null>
Old Value: 
Property: DeviceManagementAPIVersion
New Value: 5022-04-14
Old Value:

Intune Audit logs

Once any of the actions are performed by users, you can directly visit audit logs to see recent actions. I have also noticed that Audit logs in the MEM portal are very short-lived or removed immediately.

Intune Audit logs - Track Who Modified Intune App Deployment From Audit Reports 8
Intune Audit logs – Track Who Modified Intune App Deployment From Audit Reports 8

Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.