Intune reporting with Log Analytics: list local admin accounts on your devices and who added them

In this post I will show you how to create a report of local admin found on your devices using Intune, PowerShell and Log Analytics.

The solution

This will resume in few steps:

- Creating a Proactive Remediation sript

- This script will be executed on your devices

- It will check if there are local admin account

- If yes it will check who added them and when

- It will send info to Log Analytics

Sometimes the report won't display when local admin account has been added. Indeed the script will check for each account if there is a corresponding event report 4732 . 

This event log is located in Security event which is often purge.

The Power BI way

You can see on my post there, how to do the same with Power BI.

Get the files

Click on the below GitHub picture to get required below files:

- LocalAdmin_Workbook.json

- Detection_script.ps1

How it looks like ?

The Log Analytics will display below information:

- A Pie chart with number of devices with and without local admin account(s)

- A grid about devices with local admin account(s)

The grid will display:

- Device name

- User name

- Device model

- Number of local admin account

- Name of local admin account

- When they have been added

The Log Analytics will look like as below:

Log Analytics information

In order to create this report we will need some information relative to the Log Analytics workspace.

See below required info:

- Workspace ID

- Primary key

- Name of the custom log to create or update

In this example, the custom log is named: LocalAdminReport.

To get those information go to Log Analytics Workspace > Agents management

You will find both Workspace ID and Primary key.

Then we will proceed as below:

1. Open the file Detection_script.ps1

2. Fill below variables:

- $CustomerID: workspace ID

- $ShareKey: Primary key

Adding authorized account

The detection script will check if there are some local admin account on your devices.

You may have configured some local admin group or account on your devices.

For instance we can imagine below needs:

- Local admin group allowing your help desk to do task with privileges

- Local admin account Administrator

- Azure AD roles for 

You can configure the script to bypass those accounts and not displayed them in  the report.

This will allow you to list only not wanted local admin accounts.

To add authorized account(s) proceed as below:

1. Search variable $Authorized_Accounts

2. Add account, group, SID there

3. Separates each one with a ";"

4. See below an example:

Creating the Proactive Remediation package

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Reports

3. Go to Endpoint Analytics

4. Go to Proactive Remediations

5. Click on Create script package

6. Type a name

7. Click on Next

8. Click on Detection script file

9. Browse the script Detection_script.ps1

10. Click on Next

11. Select the group 

12. In the Schedule part, choose when the package should be run.

13. Click on Apply

14. Click on Next

15. Click on Create

Log Analytics workbook

In this part we will create the report.

1. Go to the Azure portal

2. Go to Log Analytics workspace

3. Go to workbook

4. Click on New

5. Go to Advanced editor

6. Search line  "fallbackResourceIds": [

7. Above this part add content from LocalAdmin_Workbook.json

8. If you have changed the name of the local admin report, replace it in the json with yours