This site describes the operation of the Intune change tracking Azure Workbook solution. Related Links:


The Intune change tracking currently includes this contents:

  • Overview
    • Intune Audit event types, An overview of different Audit event types, filtered by custom time range.
    • Intune method, An overview of the most common Audit event methods, filtered by custom time range.
    • Recent Audit events, A table of all Audit events, based on the selected time range.
    • Intune Audit event count, A count of Audit events over a fixed time. range.
  • Search profile types
    • Profile type Audit events, Table output of custom profile type audit events.
    • Search the Audit event by Correlation ID, Copy the correlationID from the query above to explore the event.
      • Value changes, Find the changed Settings Name and compare old with the new values.
    • Changes over time, This is a visualization of custom profile type changes, summarized per day.
    • Top 10 modified profiles, Find the top modified profiles by profile type.
    • Search events for profiles by a specific term, Please specify a term/name in the parameter below to search the Profile Names.
  • Device Identity
    • Device to tenant assignment, View stats for Autopilot device identity/hardware hash assignment to your tenant.
    • Find Device Identity events, Search Device Identity events by action.
    • Authenticated Identities, Pie chart about the used identities to register a hardware hash.
  • Device operations
    • Search Device operations, Find event logs for specified device actions.
    • Search event logs for a specific device, Specify the Intune Device ID to find all Audit event logs.


All of the queries can be filtered and have an impact to a custom time range. The parameter is always available at the top:



The Overview shows most important log information of your Intune environment.

Intune Audit event types

This section is helpful to understand the different Intune subjects by listing most essential profile type Audit event counts.


Intune method

This is an overview of the most used Intune methods (Create, Delete, Patch and Assign). You can furthermore filter all the methods to display specific Audit events by:

  • Assign
  • Commit
  • Create
  • Delete
  • Get
  • Modify
  • Patch
  • Update


Recent Audit events

A list of recent Intune Audit Logs, if you are looking for an actions performed recently.


Intune Audit event count

A counter of Audit event counts for fixed time spans.


Search profile types

To further investigate the profile type events, consolidate this section, which provides a lot of different information, always filtered by a profile type.

If you want to search specific Audit events by profile type, you can set this parameter and use these values:

  • Device configuration profiles
  • Apps
  • Update profiles
  • Compliance policies
  • Deployment profiles
  • Scripts
  • Proactive remediation
  • Certificate profile


Profile type Audit events


Search the Audit event by Correlation ID

If you want to understand the changed values, in particular old and new values, you can copy the Correlation ID from the table above or any other table and insert the ID to this parameter.

This currently only shows the 10 first changed values. For more details run the query.


Changes over time

Changes over time support you to get insights about when and how much Intune events where performed over time, also filtered by the profile type.


Top 10 modified profiles

This is a pie chart that shows the top ten profiles, that associated Audit events.


Search events from profiles by a specific term

If you are searching for a specific profile by name, or a term you can do this here.


Device Identity

The Device Identity is intended to conduct Autopilot device hardware hash event logs.

Device to tenant assignment

An overview count of the three different device identity actions.


Find Device Identity events

You can specifically search Device Identity Audit logs by action.

  • Upload
  • Update
  • Delete


Authenticated Identities

A pie chart of the identities that were used to register a hardware hash.


Device operations

The Device operations allow to search Intune actions performed by Intune administrator roles.

Search Device operations

Filter a query by an operation:

  • Log collection request
  • Download URL
  • Delete
  • Sync
  • Wipe
  • Update primary user
  • Clean (Fresh start/Autopilot reset)
  • Reboot
  • Defender Scan (quick/full)
  • Update Defender signature
  • Retire
  • Rename
  • Locate


Search event logs for a specific device

Here you can paste the IntuneDeviceID (from the Intune device object or query above) into the parameter. Then the query will display all Operations performed on this device.


You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.