For some unknown reasons, we recently found out some of the Intune enrolled devices have the same Azure AD device Id and Intune device Id. Here are some examples for the queries we use.
Summarize by Week generated
IntuneDevices
|where TimeGenerated > ago(180d) //Gets all data generated in 180 days
| where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
| where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID
| summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated)
// maximized TimeGenerated, group by SerialNumber, and start of week
| summarize Count=count()by WeekGenerated //summarize count by WeekGenerated
| sort by WeekGenerated // sort WeekGenerated by desc
Summarized by Week generated with JoinType
IntuneDevices
|where TimeGenerated > ago(180d) //Gets all data generated in 180 days
| where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
| where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID
| summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated)
// maximized TimeGenerated, group by SerialNumber, and start of week
| summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType
| sort by WeekGenerated // sort WeekGenerated by desc
Visualize per week by join type
IntuneDevices
| where TimeGenerated > ago(180d) //Gets all data generated in 180 days
| where todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
| where OS == "Windows" and DeviceId == ReferenceId //find Intune devices ID same as AAD Device ID
| summarize arg_max(TimeGenerated, *) by SerialNumber, WeekGenerated = startofweek(TimeGenerated)
// maximized TimeGenerated, group by SerialNumber, and start of week
| summarize Count=count()by WeekGenerated, JoinType //summarize count by WeekGenerated and JoinType
| where isnotempty( JoinType)
| render columnchart with (kind=unstacked, title="Devices with the same Azure AD and Intune device Id per week by join type")
Get a full list of devices that has multiple AAD Device ID or Intune Device ID
let deviceData = IntuneDevices
| where TimeGenerated > ago(180d) //Gets all data generated in 180 days
and todatetime(LastContact) > ago (30d) //Filter only devices have contact to Intune in 30 days
and OS == "Windows"
| summarize StartTime = arg_min(TimeGenerated, *), EndTime = arg_max(TimeGenerated,*) by SerialNumber, DeviceName, DeviceId, ReferenceId
| project StartTime, EndTime, LastContact, SerialNumber, DeviceName, DeviceId, ReferenceId;
let issueDevices = deviceData
| summarize count = count() by SerialNumber, DeviceName
| where ['count'] > 1;
deviceData
| where SerialNumber in (issueDevices)
| sort by SerialNumber, EndTime
