What is it?

Intune offers a variety of configurations and functionalities, namely talking about configuration profiles, applications, scripts and also operational tasks like managing a device. (enroll, sync, delete etc.)

It can be quite a challenge to keep track of all the changes and operations, and the audit logs don't show the big picture on what is happening in Intune.

This is why I created Intune change tracking (current version: V2) - as an Azure Workbook to:

  • Richer analyzation of Intune Audit logs by providing filters and search options
  • Find Intune events at a single pane of glass
  • Grouping of information types so that you can find the relevant information faster
  • Understand how you run your Intune service find details on actions

GitHub file to Workbook source code

Here you can find guides for the Implementation and Operation of this solution:

Intune change tracking - Implementation
This site describes the implementation of the Intune change tracking Azure Workbook solution. Related Links: General information Operations guide Quick start Deploy Azure Log Analytics Workspace Configure Intune diagnostics data and send to Log Analytics Workspace Create a new Workbook and insert t…
Intune change tracking - Operation
This site describes the operation of the Intune change tracking Azure Workbook solution. Related Links: General information Implementation guide Content The Intune change tracking currently includes this contents: Overview Intune Audit event types, An overview of different Audit event types, filte…

Intune change tracking

The Intune change tracking Workbook has 4 sections:

  • Overview - General Audit event information & visualizations
  • Search profile types - Audit events for specific Intune profile types and contents
  • Device Identity - Audit event information to device to tenant assignment
  • Device opeartions - Intune administrative tasks Audit event information


The Overview shows most important log information of your Intune environment.

  • Intune Audit event types, An overview of different Audit event types, filtered by custom time range.
  • Intune method, An overview of the most common Audit event methods, filtered by custom time range.
  • Recent Audit events, A table of all Audit events, based on the selected time range.
  • Intune Audit event count, A count of Audit events over a fixed time.

Search profile types

To further investigate the profile type events, consolidate this section, which provides a lot of different information, always filtered by a profile type.

  • Profile type Audit events, Table output of custom profile type audit events.
  • Search the Audit event by Correlation ID, Copy the correlationID from the query above to explore the event.
    • Value changes, Find the changed Settings Name and compare old with the new values.
  • Changes over time, This is a visualization of custom profile type changes, summarized per day.
  • Top 10 modified profiles, Find the top modified profiles by profile type.
  • Search events for profiles by a specific term, Please specify a term/name in the parameter below to search the Profile Names.

Device Identity

The Device Identity is intended to conduct Autopilot device hardware hash event logs.

  • Device to tenant assignment, View stats for Autopilot device identity/hardware hash assignment to your tenant.
  • Find Device Identity events, Search Device Identity events by action.
  • Authenticated Identities, Pie chart about the used identities to register a hardware hash.

Device operations

The Device operations allow to search Intune actions performed by Intune administrator roles.

  • Search Device operations, Find event logs for specified device actions.
  • Search event logs for a specific device, Specify the Intune Device ID to find all Audit event logs.

Development and community edition

Intune change tracking is a free and open source Workbook by me, for the community. If you have any feedback or inputs to extend the feature set of it, please feel free to contact me or start a pull request on GitHub.

Endpoint Management with Microsoft Intune
Ever wanted a full tutorial how to deal with Microsoft Autopilot Intune Technology? Well here it is!
Fundamentals Microsoft security concepts V2Learn about Microsoft’s cloud security concepts to secure your organization with Microsoft 365 and Azure built-in products and features. The way to secure your digital assets such as identities, infrastructures, platforms, apps and data. These are the offic…
Defender Suite
Enterprise security solutions, cloud-based, intelligent and automated security responses for Endpoint, Identity, Office 365 and Cloud Apps. A full protection stack. Defender for EndpointHandle threat and vulnerability events on endpoints to prevent malicious and harmful contents. Microsoft Defender:…
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.