In this module

EI1.7 Device and Location Signals

60-80 minutes · Module 1 · Free

Operational Objective

A conditional access policy requires compliant devices for Exchange Online access. A sign-in succeeds from a device with DeviceDetail showing operatingSystem: "Windows 11" but isCompliant: false and isManaged: false. Was the policy bypassed? Did the device fail compliance? Is the user on a personal device? The DeviceDetail and Location fields provide the device and network context that conditional access evaluates — and understanding these fields is essential for diagnosing policy behavior and detecting anomalous sign-ins.

Deliverable: The ability to extract and interpret device state, compliance status, registration type, operating system, browser details, and geographic location from sign-in logs — and use these fields for policy verification, anomaly detection, and access pattern analysis.

⏱ Estimated completion: 16 minutes

The DeviceDetail object

The DeviceDetail field in the sign-in log is a JSON object containing information about the device used for the authentication. For identity security, the critical sub-fields are:

operatingSystem — the operating system reported by the client: "Windows 11," "Windows 10," "macOS," "iOS," "Android," "Linux," or browser-derived values like "Chrome OS." This field is based on the user agent string and can be spoofed by a determined attacker, but it provides useful signal for pattern analysis. A user who normally signs in from Windows 11 suddenly appearing from Linux warrants investigation.

// EI1.7 — Device state analysis for all successful sign-ins
// Reveals which devices are managed, compliant, and registered
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| extend 
    DeviceOS = tostring(DeviceDetail.operatingSystem),
    Browser = tostring(DeviceDetail.browser),
    DeviceId = tostring(DeviceDetail.deviceId),
    IsCompliant = tostring(DeviceDetail.isCompliant),
    IsManaged = tostring(DeviceDetail.isManaged),
    TrustType = tostring(DeviceDetail.trustType)
| extend DeviceState = case(
    IsCompliant == "true", "Compliant",
    IsManaged == "true" and IsCompliant != "true", "Managed (non-compliant)",
    DeviceId != "", "Registered (unmanaged)",
    "Unregistered"
    )
| summarize 
    SignInCount = count(),
    DistinctUsers = dcount(UserPrincipalName)
    by DeviceState, DeviceOS
| order by SignInCount desc
// Review: What percentage of sign-ins come from compliant devices?
// "Unregistered" sign-ins = devices outside your management scope
// These are the sign-ins most vulnerable to token theft

Expand for Deeper Context

browser — the browser used for the authentication: "Edge 124," "Chrome 122," "Safari 17.4," "Firefox 125," etc. Like operatingSystem, this is derived from the user agent and can be spoofed, but unexpected browser changes correlate with account compromise — particularly when the attacker's browser version differs from the user's normal browser.

deviceId — the Entra ID device registration ID. This field is populated only when the device is registered with Entra ID (Entra joined, hybrid joined, or Entra registered). An empty deviceId means the device is not registered, which is significant for conditional access: policies that require device registration, compliance, or managed device status will block sign-ins from unregistered devices. If a sign-in succeeds with an empty deviceId and your policies should require device registration, you have a policy gap.

isCompliant — whether the device meets the compliance policies configured in Intune. True means the device is enrolled in Intune and meets all assigned compliance requirements (encryption enabled, antivirus running, OS version current, etc.). False means the device is enrolled but does not meet one or more compliance requirements. Null or empty means the device is not enrolled in Intune at all. For conditional access policies that require compliant devices, this is the enforcement signal.

isManaged — whether the device is managed by a device management solution (Intune or a third-party MDM). Related to but distinct from isCompliant: a managed device may not be compliant (it is enrolled but fails a compliance check), and a compliant device is always managed.

trustType — the type of device registration: "AzureAD" (Entra joined), "ServerAD" (hybrid Entra joined), "Workplace" (Entra registered), or empty (not registered). This field determines which conditional access device conditions apply. Some policies can target specifically Entra joined devices vs hybrid joined vs registered devices.

The Location object

The Location field (also accessible as LocationDetails in KQL) is a JSON object containing geographic information derived from the IP address:

city — the approximate city. Accuracy varies — major cities are typically correct, but smaller locations and mobile networks may be inaccurate.

// EI1.7 — Geographic distribution of sign-ins
// Identifies countries and cities your users authenticate from
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| extend 
    Country = tostring(LocationDetails.countryOrRegion),
    City = tostring(LocationDetails.city)
| summarize 
    SignInCount = count(),
    DistinctUsers = dcount(UserPrincipalName),
    Users = make_set(UserPrincipalName, 5)
    by Country, City
| order by SignInCount desc
// Review: Are there countries you do not expect?
// A sign-in from a country where no employee is based = investigate
// Cross-reference with named locations in conditional access (EI3)

// EI1.7 — Find sign-ins from unexpected countries
// Define your expected countries and find everything else
let expectedCountries = dynamic(["US", "GB", "CA"]);  // Replace with your countries
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| where Country !in (expectedCountries)
| where isnotempty(Country)
| project 
    TimeGenerated, UserPrincipalName, AppDisplayName,
    Country, City = tostring(LocationDetails.city),
    IPAddress, RiskLevelDuringSignIn,
    DeviceOS = tostring(DeviceDetail.operatingSystem)
| order by TimeGenerated desc
// Every result is a sign-in from outside your expected geography
// Not all are malicious (travel, VPN) — but all warrant review

Expand for Deeper Context

state — the state, province, or region.

countryOrRegion — the country code (two-letter ISO format: US, GB, DE, JP, etc.). This is the most reliable geographic field because IP-to-country mapping is more accurate than IP-to-city mapping.

geoCoordinates — latitude and longitude. Useful for calculating distances between sign-in locations (the foundation for impossible travel detection).

For security purposes, the country field is the most operationally useful. Most organizations have a defined set of countries where their employees operate. A sign-in from a country not in that set is a strong anomaly signal — not conclusive (users travel and VPNs exit in unexpected countries), but worth investigating, especially when combined with other risk signals.

Figure EI1.7 - Device and Location Signals

Combining device and location for security assessment

The most powerful sign-in log analysis combines device state with location to produce a trust assessment. Here are the patterns that experienced identity security engineers look for:

High trust (expected pattern): Compliant device + expected country + known IP range + low risk. This is a normal sign-in from a managed device in a familiar location. No action needed.

// EI1.7 — Trust assessment combining device and location
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| extend 
    Country = tostring(LocationDetails.countryOrRegion),
    IsCompliant = tostring(DeviceDetail.isCompliant),
    IsManaged = tostring(DeviceDetail.isManaged),
    DeviceRegistered = isnotempty(tostring(DeviceDetail.deviceId))
| extend TrustLevel = case(
    IsCompliant == "true" and Country in ("US", "GB"), "High",
    IsManaged == "true" and Country in ("US", "GB"), "Medium",
    DeviceRegistered and Country in ("US", "GB"), "Medium-Low",
    Country in ("US", "GB"), "Low (unregistered device)",
    "Investigate (unexpected country)"
    )
| where TrustLevel has "Investigate" or TrustLevel has "Low"
| project 
    TimeGenerated, UserPrincipalName, AppDisplayName,
    TrustLevel, Country, 
    DeviceOS = tostring(DeviceDetail.operatingSystem),
    RiskLevelDuringSignIn
| order by TimeGenerated desc
// Results: sign-ins that warrant attention based on combined signals
// Adapt the country list and trust criteria to your environment

Expand for Deeper Context

Medium trust (review if flagged): Managed device + expected country + new IP + low/medium risk. The device is managed but the IP is new — the user may be working from a new office or a home network. Worth noting in a baseline but not an immediate investigation trigger.

Low trust (investigate): Unregistered device + unexpected country + medium/high risk. This combination strongly suggests compromise — an unregistered device in an unexpected location with risk signals. If your conditional access policies are correctly configured, this sign-in should be blocked. If it succeeded, you have a policy gap.

Anomalous (investigate immediately): Any device + impossible travel pattern (the same user in two distant locations within minutes) + any risk level. Impossible travel is one of the strongest indicators of token theft or credential compromise. The user is physically in London — a sign-in appearing from Singapore 10 minutes later cannot be the same person.

Try it yourself

Try It — Profile Your Device Landscape

Environment: Your M365 developer tenant with Sentinel workspace.

Exercise: Run the device state analysis query from above. Answer these questions:

1. What percentage of sign-ins are from compliant devices vs unregistered devices? In a developer tenant without Intune configured, most sign-ins will show as unregistered — this is expected. 2. What operating systems appear in your sign-in data? 3. Run the geographic distribution query. What countries show up? If you signed in from a VPN during the lab setup (EI0.9), you may see unexpected countries. 4. If you have access to a mobile device, sign in to Outlook from your phone and then check the sign-in log. Note the DeviceDetail differences between your desktop and mobile sign-ins.

This exercise establishes your personal device and location baseline — the reference point for recognizing anomalies in future modules.

⚠ Compliance Myth: "IP geolocation tells us exactly where a sign-in came from"

The myth: The sign-in log shows the user signed in from Moscow. The user claims they were in London. The geolocation proves they are lying.

The reality: IP geolocation determines where the IP address is registered, not where the person is physically located. VPN services, corporate proxies, and mobile network gateways all produce IP addresses that geolocate to their exit point, not the user's physical location. A user in London using a VPN with a Russian exit node will produce a sign-in that geolocates to Russia. Conversely, an attacker in Russia using a VPN with a London exit node will produce a sign-in that geolocates to London. IP geolocation is a useful signal for identifying unexpected patterns, but it is not forensic evidence of physical location. The IR course covers how to correlate geolocation with other evidence for investigation-grade conclusions.

📋 Investigation Artifact — Device and Location Query Templates

Add these to your identity security query library:

Device and Location Analysis Queries

1. Device compliance breakdown:

SigninLogs | where TimeGenerated > ago(24h) | where ResultType == 0 | extend IsCompliant = tostring(DeviceDetail.isCompliant) | summarize count() by IsCompliant

2. Unregistered devices accessing sensitive apps:

SigninLogs | where TimeGenerated > ago(24h) | where ResultType == 0 | where isempty(tostring(DeviceDetail.deviceId)) | where AppDisplayName in ("Office 365 Exchange Online", "Office 365 SharePoint Online") | summarize count() by UserPrincipalName, AppDisplayName

3. Country distribution:

SigninLogs | where TimeGenerated > ago(7d) | where ResultType == 0 | extend Country = tostring(LocationDetails.countryOrRegion) | summarize count(), dcount(UserPrincipalName) by Country | order by count_ desc

4. Sign-ins from unexpected countries (full query in subsection above)

5. Trust level assessment (full query in subsection above)

Compliance mapping: Device and location monitoring supports SOC 2 CC6.1 (Logical Access), ISO 27001 A.11.2 (Equipment Security), and NIST CSF PR.AC-3 (Remote Access Management).

Decision point

You are reviewing NE's Entra ID security posture. You find 4 accounts with Global Administrator role, but NE's policy says maximum 2. The extra 2 were added during the AiTM incident for emergency response and never removed. Do you remove them?

Remove them — but through the proper process, not unilaterally. Notify the account owners that their emergency GA assignment is being revoked, confirm they have their standard role assignments restored, and document the removal with the rationale ('emergency assignment during INC-NE-2026-0227-001, no longer required'). Then add a PIR action item: 'Implement PIM time-limited role assignments for future incident response — emergency GA assignments auto-expire after 8 hours rather than persisting indefinitely.' The stale emergency assignment is a governance failure, not a technical failure — the fix is procedural.

NE's Entra ID security audit reveals: 4 Global Administrators (policy says 2), 23 users with Global Reader from a completed project, a break-glass account with no monitoring rule, and 3 guest accounts with no expiry date. Which finding is the highest priority?

The 4 Global Administrators — 2 extra GAs doubles the attack surface.

The break-glass account with no monitoring rule. The 4 GAs and stale Global Readers are governance issues that should be remediated — but they are existing conditions, not active threats. The unmonitored break-glass account is a critical detection gap: if the break-glass account is compromised or misused, the SOC has no alert. A break-glass account is excluded from CA policies by design — it is the most powerful and least restricted account in the tenant. Without monitoring, its compromise or misuse is invisible. Deploy the monitoring rule (any sign-in to the break-glass account = Severity 1 alert) before addressing the other findings.

The 23 stale Global Readers — this is the largest number of affected accounts.

The 3 guest accounts — external accounts without expiry are the highest risk.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
The Defense Design Method — the six-step framework applied to every identity control you'll build
EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain

Unlock the full course with Premium See Full Syllabus

← Previous Next →