KQL - Sign-ins From Non-Joined Devices

Using KQL to find all sign-ins that have occurred from non-joined Azure AD devices.

Using Microsoft Sentinel and KQL to find all sign-ins that have occurred from non-joined Azure AD devices.

By Application

AppDisplayName	UniqueUserSigninCount
Office 365 SharePoint Online	2
Office 365 Exchange Onlline	2

By User

UserPrincipalname	SigninCount
john.smith@domain.com	2000
admin@domain.com	2000

By User and Application

UserPrincipalName	AppDisplayName	SigninCount
john.smith@domain.com	Office 365 SharePoint Online	500
admin@domain.com	Office 365 SharePoint Online	500
john.smith@domain.com	Office 365 Exchange Online	1500
admin@domain.com	Office 365 Exchange Online	1500