Intune reporting with Log Analytics: list local admin accounts on your devices and who added them


In this post I will show you how to create a report of the local admin accounts found on your devices using Intune, PowerShell and Log Analytics.

The solution

This comes down to a few steps:

- Creating a remediation script

- The script is executed on all devices

- It checks whether local admin accounts are found

- If yes, it checks who added them and when

- It sends the info to Log Analytics

Sometimes the report won't display who added a local admin account. Indeed, for each account the script looks for a corresponding event 4732 (a member was added to a security-enabled local group).

This event is written to the Security event log, which is often purged, so for older accounts the creation info may no longer be available.

The Power BI way

You can see in my post there how to do the same with Power BI.

Get the files

Click on the GitHub picture below to get the required files:

- LocalAdmin_Workbook.json

- Detection_script.ps1

What does it look like?

The Log Analytics workbook will display the information below about devices with local admin accounts found.

Devices with local admin status

It shows a pie chart with the count of devices with and without local admin accounts.

Devices with local admin overview

It shows a table with all devices that have local admin account(s).

It displays the device name, user name, count of local admin accounts found on the device, device model and serial number.

Devices with local admin details

It shows a table with all devices that have local admin account(s) with more details about account(s).

It displays all the info about the local admin account(s) found: account name, creation date, who created the account, and so on.

Log Analytics information

In order to create this report we will need some information about the Log Analytics workspace.

See the required info below:

- Workspace ID

- Primary key

- Name of the custom log to create or update

In this example, the custom log is named: LocalAdminReport.

To get this information, go to Log Analytics Workspace > Agents management.

There you will find both the Workspace ID and the Primary key.

Then we will proceed as below:

1. Open the file Detection_script.ps1

2. Fill in the variables below:

- $CustomerID: workspace ID

- $ShareKey: Primary key (keep in mind that this key lets anyone who holds it write data to the workspace, and the script content is delivered to every targeted device)

Authorized account

The detection script will check whether there are any local admin accounts on your devices.

You may have intentionally configured some local admin groups or accounts on your devices.

For instance, we can imagine the needs below:

- A local admin group allowing your help desk to do tasks with privileges

- The local admin account Administrator

- Azure AD roles for 

You can configure the script to skip those accounts so that they are not displayed in the report.

This allows you to list only the unwanted local admin accounts.

To add authorized account(s) proceed as below:

1. Search for the variable $Authorized_Accounts

2. Add accounts, groups or SIDs there

3. Separate each one with a ";"

4. See an example below:
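As an added example (not the author's Detection_script.ps1 from GitHub), the script below shows the core of what such a detection does: it lists the members of the local Administrators group, skips the entries in $Authorized_Accounts (matched by full name, name without domain prefix, or SID), and correlates each remaining member with Security event 4732 to record who added it and when. The values in $Authorized_Accounts are placeholders, and the output field names are my own choice.

```powershell
# Added example, not the author's Detection_script.ps1. Lists members of the local
# Administrators group, skips the ones in $Authorized_Accounts, and looks up Security
# event 4732 to record who added each remaining member and when.
# Run as SYSTEM or an administrator: reading the Security log requires it.

# Same format as in the post: names, groups or SIDs separated by ";" (placeholder values).
$Authorized_Accounts = "Administrator;CONTOSO\HelpDesk-LocalAdmins;S-1-5-21-0-0-0-500"
$Authorized = $Authorized_Accounts -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
# Well-known SID of Administrators, so the group's display language does not matter.
$AdminGroupSid = 'S-1-5-32-544'
$Members = Get-LocalGroupMember -SID $AdminGroupSid
# Read 4732 events ("member added to a security-enabled local group") once.
# If the Security log was purged, $AddEvents is empty and AddedBy/AddedOn stay blank.
$AddEvents = @()
try {
    $AddEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                MemberSid = $data['MemberSid']   # account that was added
                GroupSid  = $data['TargetSid']   # group it was added to
                AddedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                AddedOn   = $_.TimeCreated
            }
        }
} catch { }   # no matching events, or no access to the Security log
$Report = @(foreach ($m in $Members) {
    $sid   = $m.SID.Value
    $short = ($m.Name -split '\\')[-1]
    # Authorized entries match on full name, name without domain prefix, or SID.
    if ($Authorized -contains $m.Name -or $Authorized -contains $short -or $Authorized -contains $sid) { continue }
    # Latest 4732 for this member and this group, if one survived in the log.
    $ev = $AddEvents | Where-Object { $_.MemberSid -eq $sid -and $_.GroupSid -eq $AdminGroupSid } |
          Sort-Object AddedOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        DeviceName  = $env:COMPUTERNAME
        AccountName = $m.Name
        AccountSid  = $sid
        Source      = [string]$m.PrincipalSource   # Local, ActiveDirectory, AzureAD ...
        AddedBy     = if ($ev) { $ev.AddedBy } else { '' }
        AddedOn     = if ($ev) { $ev.AddedOn.ToString('u') } else { '' }
    }
})
# JSON array is the shape sent to the LocalAdminReport custom log; exit 1 = unwanted admin found.
ConvertTo-Json -InputObject $Report -Depth 3
if ($Report.Count -gt 0) { exit 1 } else { exit 0 }
```

Azure AD accounts and groups appear in Get-LocalGroupMember with an AzureAD\ prefix, so for those the SID form of the authorized entry is the reliable match.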

Creating remediation script

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Devices

3. Go to Remediations

4. Click on Create script package

5. Type a name

6. Click on Next

7. Click on Detection script file

8. Browse the script Detection_script.ps1

9. Set Run script in 64-bit PowerShell to Yes

10. Click on Next

11. Select the group to target

12. In the Schedule part, choose when the package should be run.

13. Click on Apply

14. Click on Next

15. Click on Create

Log Analytics workbook

In this part we will create the report.

1. Go to the Azure portal

2. Go to Log Analytics workspace

3. Go to Workbooks

4. Click on New

5. Go to Advanced editor

6. Search for the line "fallbackResourceIds": [

7. Above this part, add the content from LocalAdmin_Workbook.json

8. If you have changed the name of the local admin report custom log, replace it in the JSON with yours


2 comments


zolabus said…

Thanks. Is it correct that even if I authorize the AAD SIDs I still see them in the report?
