Using Microsoft Sentinel and KQL to find all sign-ins that have occurred from non-joined Azure AD devices.

By Application

AppDisplayName UniqueUserSigninCount
Office 365 SharePoint Online 2
Office 365 Exchange Onlline 2

By User

UserPrincipalname SigninCount
john.smith@domain.com 2000
admin@domain.com 2000

By User and Application

UserPrincipalName AppDisplayName SigninCount
john.smith@domain.com Office 365 SharePoint Online 500
admin@domain.com Office 365 SharePoint Online 500
john.smith@domain.com Office 365 Exchange Online 1500
admin@domain.com Office 365 Exchange Online 1500