# Same AAD Device ID and Intune Device ID For some unknown reasons, we recently found out some of the Intune enrolled devices have the same Azure AD device Id and Intune device Id. Here are some examples for the queries we use. ### Summarize by Week generated ``` IntuneDevices |where TimeGenerated > ago(180d) //Gets all data generated in 180 days | where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days | where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID | summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated) // maximized TimeGenerated, group by SerialNumber, and start of week | summarize Count=count()by WeekGenerated //summarize count by WeekGenerated | sort by WeekGenerated // sort WeekGenerated by desc ``` ![](/files/HZgDQj2ypJMRgMZOBlRd) ### Summarized by Week generated with JoinType ``` IntuneDevices |where TimeGenerated > ago(180d) //Gets all data generated in 180 days | where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days | where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID | summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated) // maximized TimeGenerated, group by SerialNumber, and start of week | summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType | sort by WeekGenerated // sort WeekGenerated by desc ``` ![](/files/w5xRpkObikEuI8fvkx4D) ### Visualize per week by join type ``` IntuneDevices | where TimeGenerated > ago(180d) //Gets all data generated in 180 days | where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days | where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID | summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated) // maximized TimeGenerated, group by SerialNumber, and start of week | summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType | where isnotempty( JoinType) | render columnchart with (kind=unstacked, title="Devices with the same Azure AD and Intune device Id per week by join type") ``` ![](/files/HpGZDSHU10KjFXaEPn66) ### Get a full list of devices that has multiple AAD Device ID or Intune Device ID ``` let deviceData = IntuneDevices | where TimeGenerated > ago(180d) //Gets all data generated in 180 days and todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days and OS == "Windows" | summarize StartTime = arg_min(TimeGenerated, *), EndTime = arg_max(TimeGenerated,*) by SerialNumber, DeviceName, DeviceId, ReferenceId | project StartTime, EndTime, LastContact, SerialNumber, DeviceName, DeviceId, ReferenceId; let issueDevices = deviceData | summarize count = count() by SerialNumber, DeviceName | where ['count'] > 1; deviceData | where SerialNumber in (issueDevices) | sort by SerialNumber, EndTime ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sandyzeng.gitbook.io/kql/microsoft-endpoint-manager/device-inventory/same-aad-device-id-and-intune-device-id.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.