How to Identify Non-Compliant Devices in Microsoft 365

Are you confident that the devices accessing your Microsoft 365 environment meet your organization's compliance standards? Devices with missing updates or disabled antivirus can fall out of compliance and put your organization at risk of a data breach. This guide shows how to identify non-compliant devices in Microsoft Entra so you can revoke their access or bring them back into compliance.

Identify Non-Compliant Devices Using Microsoft Entra Admin Center

Microsoft 365 permission required: Directory Reader (least privilege) or Global Admin (most privilege)
  • Log in to the Microsoft Entra admin center.
  • Navigate to Entra ID»Devices»Overview and then click the Noncompliant devices tile under the ‘Alerts’ section.
  • Here, you can view a list of devices that are marked as non-compliant based on your organization's device compliance policies in Microsoft Entra ID.
  • Note: Devices with a compliance status "N/A" will not appear under the "Non-compliant devices" tab. This status indicates the device is either not enrolled in Intune or hasn’t been evaluated against compliance policy.

List All Non-Compliant Devices in Microsoft 365 Using PowerShell

Microsoft Graph permission required: Device.Read.All (least privilege) or Directory.ReadWrite.All (most privilege)
  • Connect to the Microsoft Graph PowerShell module using the cmdlet below.
     Connect-MgGraph -Scopes "Device.Read.All"
  • Execute the cmdlet below to retrieve all devices in Entra ID currently marked as non-compliant.
     Get-MgDevice -All -Filter "IsCompliant eq false" | Select-Object DisplayName, AccountEnabled, OperatingSystem, OperatingSystemVersion, IsManaged, RegistrationDateTime, TrustType | Format-Table
  • The cmdlet retrieves all non-compliant devices and shows their details, such as display name, account status, operating system, OS version, management status, device registration date and time, and join type.

Track Non-Compliant Devices in Entra ID with PowerShell Script

Microsoft 365 permission required: Global Reader (least privilege) or Global Admin (most privilege)
  • The PowerShell cmdlet above retrieves non-compliant device details from Entra ID, but you need to run additional cmdlets to extract other important details about those devices.
  • Therefore, we've developed a PowerShell script that exports non-compliant device information to a CSV file with additional insights such as device inactivity duration, BitLocker encryption status, model, and more.
  • To generate a report on non-compliant devices, download and run the script with the -ComplianceStatus NonCompliant parameter as shown below.
     ./GetAzureADDevicesReport.ps1 -ComplianceStatus NonCompliant
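The following is an added example, not the page's GetAzureADDevicesReport.ps1, that goes one step further than the Get-MgDevice one-liner above: it lists devices that are explicitly non-compliant together with devices that were never evaluated (IsCompliant is null, shown as "N/A" in the portal, which the server-side filter silently skips), computes how long each has been inactive from ApproximateLastSignInDateTime, and writes the result to CSV. It assumes you have already run Connect-MgGraph -Scopes "Device.Read.All"; the output path and inactivity threshold are assumed defaults.

```powershell
# Added example (not the page's script). Assumes Connect-MgGraph -Scopes "Device.Read.All"
# has already been run in this session.
param(
    [int]$InactiveDays = 30,                           # assumed staleness threshold
    [string]$CsvPath = ".\NonCompliantDevices.csv"     # assumed output path
)

$props = 'id','displayName','deviceId','accountEnabled','operatingSystem',
         'operatingSystemVersion','isCompliant','isManaged','trustType',
         'registrationDateTime','approximateLastSignInDateTime'

# The server-side filter only returns devices whose isCompliant is explicitly false.
# Devices that were never evaluated (not enrolled in Intune) carry a null value and
# do not match, so they are picked up client-side in a second pass.
$nonCompliant = @(Get-MgDevice -All -Filter "isCompliant eq false" -Property $props)
$notEvaluated = @(Get-MgDevice -All -Property $props | Where-Object { $null -eq $_.IsCompliant })

$now = (Get-Date).ToUniversalTime()
$report = foreach ($d in $nonCompliant + $notEvaluated) {
    $lastSeen = $d.ApproximateLastSignInDateTime
    $idle = if ($lastSeen) { [int]($now - $lastSeen).TotalDays } else { $null }
    [PSCustomObject]@{
        DisplayName      = $d.DisplayName
        DeviceId         = $d.DeviceId
        AccountEnabled   = $d.AccountEnabled
        OS               = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
        ComplianceStatus = if ($null -eq $d.IsCompliant) { 'N/A (not evaluated)' } else { 'NonCompliant' }
        IsManaged        = $d.IsManaged
        TrustType        = $d.TrustType
        Registered       = $d.RegistrationDateTime
        LastSignIn       = $lastSeen
        InactiveDays     = $idle
        # A device that is stale, or has no recorded sign-in at all, is a cleanup candidate.
        StaleOrUnknown   = ($null -eq $idle) -or ($idle -gt $InactiveDays)
    }
}

$report | Sort-Object InactiveDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation
"Non-compliant: $($nonCompliant.Count); not evaluated: $($notEvaluated.Count); report written to $CsvPath"
```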

Stay Ahead of Threats with In-Depth Visibility into Devices in Microsoft 365

AdminDroid’s Microsoft Entra ID reporting tool gives you a clear view of non-compliant devices across your Entra ID environment. It helps you enforce access control by showing policy-violating devices in your organization and provides the insight needed to take necessary actions.

Uncover Devices That Bypass Microsoft Intune MDM Enrollment

Utilize the unmanaged devices report to identify devices accessing your Microsoft 365 resources that aren’t managed by Intune and restrict their access to bring them into compliance before they pose any potential risk.

Clean Up Inactive Devices in Microsoft 365 to Reduce Clutter

Track inactive devices to identify those no longer in use, revoke their access, and ensure only active devices can access Microsoft 365.

Track Recently Enrolled Devices to Detect Account Compromise

Keep an eye on recently added devices to identify repeated enrollments by the same user, which may indicate a compromised user account within your organization.

Monitor Microsoft 365 Device Users to Strengthen Access Controls

Leverage the Entra ID device users report to identify user-to-device links, uncover shared device usage, and ensure access to resources is through managed devices only.

Detect Rooted and Jailbroken Devices to Protect Against Threats

Protect your organization by identifying rooted devices in Entra ID that can allow malicious apps to bypass security and cause data breaches.

Track and Manage All Devices in Microsoft Entra ID

Check all devices connected to Entra ID to verify that no unauthorized device is accessing organizational resources, which helps you maintain control and protect sensitive data across your environment.

As a whole, AdminDroid’s Microsoft Entra management tool equips you with actionable insights into devices and their activities. But it doesn’t stop there, it also offers comprehensive reporting and management capabilities for key elements like users, groups, and more within your Entra ID environment.

Explore a full range of reporting options

Important Tips

Minimize risk from BYOD approaches by enforcing Conditional Access rules that block unmanaged devices from accessing Microsoft 365 apps.

Use Microsoft Secure Score recommendations for devices to strengthen your organization’s defenses against device-based attacks.

Enforce MFA for device registration to restrict unauthorized device enrollments and reduce the risk of compromised accounts gaining access to Entra ID.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while managing non-compliant devices in Microsoft 365.

Error: Get-MgAuditLogSignIn : Invalid filter clause: The child type 'DeviceDetail.IsCompliant' in a cast was not an entity type. Casts can only be performed on entity types.

This error occurs when you retrieve sign-in logs using the Get-MgAuditLogSignIn cmdlet and apply a filter that references a nested property with a dot (.), such as DeviceDetail.IsCompliant. Microsoft Graph OData queries do not support dot notation for nested properties.

Fix: To resolve the issue, use a slash (/) instead of a dot (.) in the filter syntax to query the nested property.
Get-MgAuditLogSignIn -Filter "DeviceDetail/IsCompliant eq false"

Error: Get-MgAuditLogSignIn : Calling principal does not have required MSGraph permissions AuditLog.Read.All.

This error occurs when you don't have the required permissions to view Microsoft 365 sign-in events using Microsoft Graph PowerShell.

Fix: To resolve this error, run the following cmdlet to connect to Microsoft Graph with the permission that allows access to Entra sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All"

Error: .\GetEntraDevicesReport.ps1: File C:\Windows\System32\GetEntraDevicesReport.ps1 cannot be loaded. The file C:\Windows\System32\GetEntraDevicesReport.ps1 is not digitally signed. You cannot run this script on the current system.

This error occurs when the system execution policy prevents unsigned PowerShell scripts from running.

Fix: To fix this error, change the execution policy for the current user with the cmdlet below so that local scripts can run without restriction.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

Error: Get-MgAuditLogSignIn: One or more errors occurred.

This error typically occurs when you have multiple versions of the Microsoft Graph PowerShell module installed.

Fix: To resolve this error, uninstall all versions of the Microsoft Graph module installed on your system, then install the latest version using the following cmdlets. Microsoft.Graph.Authentication is removed last because the other sub-modules depend on it.
Get-Module Microsoft.Graph* -ListAvailable | Where-Object {$_.Name -ne "Microsoft.Graph.Authentication"} | Select-Object Name -Unique | ForEach-Object {
    $Module = $_
    Get-Module $Module.Name -ListAvailable | ForEach-Object {
        Uninstall-Module $Module.Name -RequiredVersion $_.Version
    }
}
Get-Module "Microsoft.Graph.Authentication" -ListAvailable | ForEach-Object {
    Uninstall-Module "Microsoft.Graph.Authentication" -RequiredVersion $_.Version
}
Install-Module Microsoft.Graph

Frequently Asked Questions

Identify Potential Threats and Mitigate Risks by Tracking Non-Compliant Devices in Microsoft 365

1. How to monitor non-compliant device sign-ins in Microsoft Entra ID?

Even if a device is marked as non-compliant, it can still sign in to your organization and access Microsoft 365 apps unless Conditional Access policies are properly configured. Therefore, regularly auditing sign-ins from non-compliant devices strengthens device-based access controls and supports compliance with regulations like GDPR and HIPAA.

You can follow the methods given below to get all non-compliant device sign-ins in Microsoft 365.

Track non-compliant device sign-ins using Microsoft Entra admin center

  • Navigate to the Sign-in logs section in the Microsoft Entra admin center.
  • Click on the desired sign-in event to open the Activity Details panel.
  • Then, select the Device Info tab to check whether the signed-in device is marked as compliant or non-compliant.

Note: By default, the logs display sign-in activity from the past 24 hours. However, you can customize the date range to view activity from up to the last 30 days.

Audit user sign-ins from non-compliant devices using PowerShell

In the Entra admin center, you need to manually review each entry in the sign-in logs. These logs also include compliant device sign-ins, making it time-consuming to isolate non-compliant ones.

To simplify this, connect to Microsoft Graph PowerShell using the Connect-MgGraph cmdlet with the "AuditLog.Read.All" scope. Then, run the following cmdlet to view user sign-ins from non-compliant devices.

Get-MgAuditLogSignIn -Filter "DeviceDetail/IsCompliant eq false" | ForEach-Object {
    [PSCustomObject]@{
        CreatedDateTime     = $_.CreatedDateTime
        UserPrincipalName   = $_.UserPrincipalName
        AppDisplayName      = $_.AppDisplayName
        ResourceDisplayName = $_.ResourceDisplayName
        DeviceName          = $_.DeviceDetail.DisplayName
        IsManaged           = $_.DeviceDetail.IsManaged
        OS                  = $_.DeviceDetail.OperatingSystem
        TrustType           = $_.DeviceDetail.TrustType
    }
} | Format-Table

The above PowerShell cmdlet retrieves each non-compliant device sign-in with details such as sign-in time, signed-in user, application name, resource name, device name, device management status, OS with version, and device trust type.
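As an added example (not part of the original post), the script below extends the sign-in query above into a check a defender actually wants: over the last few days, which sign-ins from non-compliant devices succeeded, and did any Conditional Access policy apply to them? Successful sign-ins with Conditional Access reported as notApplied are exactly the gap a "Require device to be marked as compliant" policy is supposed to close. It assumes Connect-MgGraph -Scopes "AuditLog.Read.All" has already been run; the look-back window is an assumed default.

```powershell
# Added example (not from the original post). Assumes Connect-MgGraph -Scopes "AuditLog.Read.All".
param([int]$Days = 7)   # assumed look-back window

# Combine the time window with the nested-property filter (slash, not dot, for DeviceDetail).
$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "createdDateTime ge $since and DeviceDetail/IsCompliant eq false"

$signIns = @(Get-MgAuditLogSignIn -All -Filter $filter)

$rows = foreach ($s in $signIns) {
    [PSCustomObject]@{
        Time      = $s.CreatedDateTime
        User      = $s.UserPrincipalName
        App       = $s.AppDisplayName
        Device    = $s.DeviceDetail.DisplayName
        DeviceId  = $s.DeviceDetail.DeviceId
        OS        = $s.DeviceDetail.OperatingSystem
        TrustType = $s.DeviceDetail.TrustType
        IsManaged = $s.DeviceDetail.IsManaged
        IpAddress = $s.IpAddress
        Succeeded = ($s.Status.ErrorCode -eq 0)          # 0 = sign-in succeeded
        CAResult  = $s.ConditionalAccessStatus           # success | failure | notApplied
    }
}

# A successful sign-in from a non-compliant device with no Conditional Access policy
# applied means nothing stood between that device and the resource.
$gaps = @($rows | Where-Object { $_.Succeeded -and $_.CAResult -eq 'notApplied' })

"Sign-ins from non-compliant devices (last $Days days): $($rows.Count)"
"  succeeded with no Conditional Access applied:     $($gaps.Count)"

# Rank user/device pairs so the noisiest unprotected combinations surface first.
$gaps | Group-Object User, Device | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';   e = { $_.Values[0] } },
        @{ n = 'Device'; e = { $_.Values[1] } } |
    Format-Table -AutoSize
```

Once your Conditional Access policy is enforced, the "no Conditional Access applied" count should stay at zero; a non-zero count points at users, apps or client types the policy does not cover.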

Skip the manual effort of identifying sign-ins from non-compliant devices with AdminDroid!

  • Simply click the Alert option (🔔) in the non-compliant device sign-in report to set up notifications for any sign-in attempts from unhealthy devices across your tenant.
  • Handy Tip: Use the Threshold property in alert policies to get notified whenever multiple failed sign-in attempts from non-compliant devices happen within a short time.

2. How to create a device compliance policy in Microsoft Intune?

Intune compliance policies provide a foundation for enforcing device security by allowing you to define rules for OS versions, password strength, and more. These policies help protect Microsoft 365 resources by restricting access from non-compliant devices. Admins can configure automated actions, such as blocking non-compliant devices, to prevent unauthorized access to Microsoft 365 resources.

Steps to create a device compliance policy in Microsoft Intune

To create a device compliance policy in Microsoft Intune, follow the below steps:

  • Log in to the Microsoft Intune admin center.
  • Go to Devices under Manage devices, select Compliance, and then click Create policy.
  • Select the desired Platform and Profile type and click Create.
  • On the Basics tab, enter a Name and Description for the policy, then click Next.
  • Under the Compliance settings tab, expand categories such as System Security, Device Health, and Device Properties to view and configure the necessary settings, then click Next.

Note: You can also define additional compliance rules by uploading a discovery script and validating a JSON rules file with your custom compliance settings on supported Platforms.

  • On the 'Actions for noncompliance' tab, add actions such as sending notification emails or locking/retiring devices, set their schedules, then click Next. To send emails to end users, you first need to create a notification message template by clicking Create notification under Devices»Manage devices»Compliance»Notifications.
  • For Linux devices, on the 'Scope tags' tab, select tags to filter the policy to specific groups based on the predefined scope tags. You can create scope tags under Tenant administration»Roles»Scope tags.
  • On the 'Assignments' tab, click Add groups, assign the policy to user or device groups, then click Next. For Linux devices, compliance policies support only device group assignments, not user-based assignments.
  • On the 'Review + create' tab, review all settings and click Create to finalize the policy.

By deploying compliance policies in Microsoft Intune MDM, organizations define the minimum-security standards devices must meet to be trusted. To further strengthen security, you can configure Conditional Access in Entra ID to allow access only from healthy devices.

3. How to configure Conditional Access policy for device compliance in Entra ID?

When users work remotely or use personal devices to access organizational resources, just having a compliance policy alone isn’t enough to control access. A compliance policy only marks whether a device meets the requirements, but it doesn’t prevent a non-compliant device from signing in.

That is where device-based Conditional Access policies come in. They fortify your device enrollment process and ensure that only compliant devices can access your organizational resources.

Steps to enforce device compliance with Conditional Access policy in Microsoft Entra ID

  • Navigate to the Overview tab under Entra ID»Conditional Access in the Microsoft Entra admin center.
  • Click ‘Create new policy’ and enter a name for the policy.
  • Under the 'Assignments' section, select Users and choose All users under Include tab.
  • Then, in the Exclude tab, make sure to exclude your emergency access or break-glass accounts to prevent them from being locked out.
  • Next, for Target resources, select All resources (formerly 'All cloud apps') under Include tab.
  • In the 'Access controls' section, click Grant and ensure Grant access is selected.
  • Then, choose 'Require device to be marked as compliant' option and click Select.
  • Set Enable policy to ‘Report-only’ mode, then click Create to save and apply the policy for evaluation.
  • After reviewing the policy impact in report-only mode, switch Enable policy to On. This will actively enforce the policy and block non-compliant devices from signing in to your organization.
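The same policy can be created from PowerShell, which is useful when you want it version-controlled or reproduced across tenants. The block below is an added example, not part of the original post: it builds the policy exactly as the steps above describe (all users, all resources, require compliant device, report-only), and refuses to create it unless every break-glass account resolves, so the exclusion can never be silently empty. It assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","User.Read.All" and that the break-glass UPNs are replaced with your own (the values shown are placeholders).

```powershell
# Added example (not part of the original post).
# Assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","User.Read.All".
param(
    # Placeholder break-glass accounts: replace with your emergency-access UPNs.
    [string[]]$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example'),
    [string]$PolicyName = 'Require compliant device - all users - all resources'
)

# Resolve each break-glass account to its object ID. Stop if any is missing, so the
# policy is never created with a broken exclusion that could lock out the tenant.
$excludeIds = foreach ($upn in $BreakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property id
    if (-not $u) { throw "Break-glass account not found: $upn" }
    $u.Id
}

$body = @{
    displayName = $PolicyName
    # Report-only first (step 8 above); set to 'enabled' only after reviewing the impact.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($excludeIds) }
        applications   = @{ includeApplications = @('All') }   # "All resources"
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')   # "Require device to be marked as compliant"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
"Created policy '$($policy.DisplayName)' (id $($policy.Id)) in state $($policy.State)"
```

After the report-only review period, switch the policy on with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State enabled.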

While Intune policies define which devices are compliant, Conditional Access enhances this control by enforcing access restriction. Once the policy is configured, it works alongside compliance rules to prompt users to bring their devices into compliance or block access until requirements are met.

Note: To require device compliance with a Conditional Access policy, you must have a compliance policy in Microsoft Intune and at least one device marked as compliant. This prevents all users from being locked out if every device is initially marked as non-compliant.

4. What are the available actions for non-compliant devices in Microsoft Intune?

If a device fails to meet compliance, Microsoft Intune automatically marks it as noncompliant with a schedule of zero days (0) by default. This allows Conditional Access policies to block the device immediately. In addition, you can configure one or more of the following actions, each with its own schedule, to run later if the device remains noncompliant.

  • Send Email to End User: Configure Intune to notify users of noncompliance via email using a predefined message template. The message can include your organization's logo, contact details, and localized content. Emails are sent from microsoft-noreply@microsoft.com to the address listed in the user profile. This action is supported across all Intune platforms.
  • Remotely Lock the Non-compliant Device: Enable a remote lock to secure the device while prompting the user to enter their PIN or password. This prevents unauthorized access and gives the user a chance to restore compliance. Available on Android, iOS/iPadOS, and macOS.
  • Send Push Notification to End User: Trigger a system-generated push notification through the Company Portal or Intune app to inform users of their non-compliant status. While helpful for raising awareness, push delivery depends on the device's notification settings and may not be suitable for urgent communication. Supported on Android and iOS/iPadOS.
  • Add Device to Retire List: Add the non-compliant device to a list of pending retirements. Once manually retired by an admin, the device is unregistered from Intune and company data is removed. This action applies to Android, iOS/iPadOS, macOS, and Windows 10/11.
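The following added example (not part of the original post, and not an AdminDroid script) ties FAQ 2 and FAQ 4 together: it creates a Windows compliance policy through Microsoft Graph with the compliance settings from the portal steps, attaches the noncompliance actions described above (block immediately, add to the retire list after 30 days), and assigns it to a device group. It uses Invoke-MgGraphRequest against the documented deviceCompliancePolicies endpoint, assumes Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", and takes a placeholder group ID that you must replace.

```powershell
# Added example (not part of the original post).
# Assumes Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All".
param(
    [string]$TargetGroupId = '00000000-0000-0000-0000-000000000000',   # placeholder: your device group
    [string]$PolicyName    = 'Windows baseline - compliance'
)

$policy = @{
    '@odata.type'          = '#microsoft.graph.windows10CompliancePolicy'
    displayName            = $PolicyName
    description            = 'Minimum device health required for Microsoft 365 access'
    # Compliance settings (System Security / Device Health / Device Properties in the portal)
    passwordRequired       = $true
    passwordMinimumLength  = 8
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    osMinimumVersion       = '10.0.19045'
    antivirusRequired      = $true
    activeFirewallRequired = $true
    # Actions for noncompliance. Intune requires the rule to be named "PasswordRequired".
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block';  gracePeriodHours = 0   }   # mark noncompliant immediately
                @{ actionType = 'retire'; gracePeriodHours = 720 }   # add to retire list after 30 days
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $policy
"Created compliance policy '$($created.displayName)' with id $($created.id)"

# Assignments tab: target the policy at a device group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TargetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment | Out-Null
"Assigned policy to group $TargetGroupId"
```

Pair this with the Conditional Access policy from FAQ 3: the compliance policy decides which devices are marked compliant, and Conditional Access is what actually stops the others from signing in.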
