Using Microsoft Sentinel and KQL to find all sign-ins that have occurred from non-joined Azure AD devices.
By Application
AppDisplayName |
UniqueUserSigninCount |
Office 365 SharePoint Online |
2 |
Office 365 Exchange Onlline |
2 |
By User
UserPrincipalname |
SigninCount |
john.smith@domain.com |
2000 |
admin@domain.com |
2000 |
By User and Application
UserPrincipalName |
AppDisplayName |
SigninCount |
john.smith@domain.com |
Office 365 SharePoint Online |
500 |
admin@domain.com |
Office 365 SharePoint Online |
500 |
john.smith@domain.com |
Office 365 Exchange Online |
1500 |
admin@domain.com |
Office 365 Exchange Online |
1500 |