Same AAD Device ID and Intune Device ID

For some unknown reasons, we recently found out some of the Intune enrolled devices have the same Azure AD device Id and Intune device Id. Here are some examples for the queries we use.

Summarize by Week generated

IntuneDevices
|where TimeGenerated > ago(180d) //Gets all data generated in 180 days
| where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
| where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID
| summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated)
// maximized TimeGenerated, group by SerialNumber, and start of week
| summarize Count=count()by WeekGenerated //summarize count by WeekGenerated
| sort by WeekGenerated // sort WeekGenerated by desc

Summarized by Week generated with JoinType

IntuneDevices
|where TimeGenerated > ago(180d) //Gets all data generated in 180 days
| where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
| where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID
| summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated)
// maximized TimeGenerated, group by SerialNumber, and start of week
| summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType
| sort by WeekGenerated // sort WeekGenerated by desc

Visualize per week by join type

IntuneDevices
| where TimeGenerated > ago(180d) //Gets all data generated in 180 days
| where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
| where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID
| summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated)
// maximized TimeGenerated, group by SerialNumber, and start of week
| summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType
| where isnotempty( JoinType)
| render columnchart with (kind=unstacked, title="Devices with the same Azure AD and Intune device Id per week by join type")

Get a full list of devices that has multiple AAD Device ID or Intune Device ID

let deviceData = IntuneDevices
| where TimeGenerated > ago(180d) //Gets all data generated in 180 days
    and todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
    and OS == "Windows"
| summarize StartTime = arg_min(TimeGenerated, *), EndTime = arg_max(TimeGenerated,*) by SerialNumber, DeviceName, DeviceId, ReferenceId
| project StartTime, EndTime, LastContact, SerialNumber, DeviceName, DeviceId, ReferenceId;
let issueDevices = deviceData
| summarize count = count() by SerialNumber, DeviceName
| where ['count'] > 1;
deviceData
| where SerialNumber in (issueDevices)
| sort by SerialNumber, EndTime

PreviousDevice OS version

Last updated 2 years ago

IntuneDevices |where TimeGenerated > ago(180d) //Gets all data generated in 180 days | where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days | where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID | summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated) // maximized TimeGenerated, group by SerialNumber, and start of week | summarize Count=count()by WeekGenerated //summarize count by WeekGenerated | sort by WeekGenerated // sort WeekGenerated by desc

IntuneDevices |where TimeGenerated > ago(180d) //Gets all data generated in 180 days | where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days | where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID | summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated) // maximized TimeGenerated, group by SerialNumber, and start of week | summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType | sort by WeekGenerated // sort WeekGenerated by desc

IntuneDevices | where TimeGenerated > ago(180d) //Gets all data generated in 180 days | where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days | where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID | summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated) // maximized TimeGenerated, group by SerialNumber, and start of week | summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType | where isnotempty( JoinType) | render columnchart with (kind=unstacked, title="Devices with the same Azure AD and Intune device Id per week by join type")

let deviceData = IntuneDevices | where TimeGenerated > ago(180d) //Gets all data generated in 180 days and todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days and OS == "Windows" | summarize StartTime = arg_min(TimeGenerated, *), EndTime = arg_max(TimeGenerated,*) by SerialNumber, DeviceName, DeviceId, ReferenceId | project StartTime, EndTime, LastContact, SerialNumber, DeviceName, DeviceId, ReferenceId; let issueDevices = deviceData | summarize count = count() by SerialNumber, DeviceName | where ['count'] > 1; deviceData | where SerialNumber in (issueDevices) | sort by SerialNumber, EndTime