Intune – Remove stale entry from Azure AD

Intune has options to remove stale devices after a period of time, but that does not mean the stale device entry is also removed from Azure AD.

There are plenty of things to consider even after removing the stale entry from Azure AD, so it is recommended to go through the article below first.

Ref: https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices

The recommended approach is to first disable the device, wait for a grace period of however many days you choose, and only then delete it. Disabling is reversible, so a device that was wrongly flagged can simply be re-enabled during the grace period; deletion is not, and the BitLocker recovery keys stored on a Windows device record go with it.

Disable Azure AD Windows devices based on the last logon timestamp. For example, if you give 90 days as input, the script below disables devices that have not contacted Azure AD for 90 days.

##################################################################################################################################################################################################
Connect-AzureAD
$deletionTresholdDays = 90
$deletionTreshold = (Get-Date).AddDays(-$deletionTresholdDays)

# Every condition is joined with -and. Separating conditions with a comma builds
# an array, which is always "true" inside a Where filter, so every device in the
# tenant would match and be disabled. Devices that never reported a logon have a
# null timestamp; they are skipped here and should be reviewed separately.
$DisableMSOLDevices = Get-AzureADDevice -All:$true | Where-Object {
    ($null -ne $_.ApproximateLastLogonTimeStamp) -and
    ($_.ApproximateLastLogonTimeStamp -le $deletionTreshold) -and
    ($_.DeviceOSType -eq "Windows") -and
    ($_.DeviceTrustType -eq "AzureAd")
}

# Review the list before acting on it
$DisableMSOLDevices | Select-Object DisplayName, DeviceOSType, DeviceTrustType, ApproximateLastLogonTimeStamp

Foreach ($device in $DisableMSOLDevices) {
    Set-AzureADDevice -ObjectId $device.ObjectId -AccountEnabled $false
}
##################################################################################################################################################################################################

You can target another platform by changing the DeviceOSType value.

For iOS, for example, use DeviceOSType -eq "IPhone" (PowerShell string comparisons are case-insensitive, so "iPhone" matches too).

Before running any of this, first identify which devices you are going to target.

For Windows there are different device trust types: "Domain Joined" = Hybrid Azure AD joined, "AzureAD" = Azure AD joined (for example Autopilot devices). Note that those labels come from the older MSOnline Get-MsolDevice cmdlet; the DeviceTrustType property returned by Get-AzureADDevice uses the values AzureAd (Azure AD joined), ServerAd (Hybrid Azure AD joined) and Workplace (Azure AD registered), so a filter on "Domain Joined" against Get-AzureADDevice output matches nothing.

Hybrid Azure AD joined

$StaledDevices = Get-AzureADDevice -All:$true | Where-Object { ($null -ne $_.ApproximateLastLogonTimeStamp) -and ($_.ApproximateLastLogonTimeStamp -le $deletionTreshold) -and ($_.DeviceOSType -eq "Windows") -and ($_.DeviceTrustType -eq "ServerAd") }

AzureAD Joined

$StaledDevices = Get-AzureADDevice -All:$true | Where-Object { ($null -ne $_.ApproximateLastLogonTimeStamp) -and ($_.ApproximateLastLogonTimeStamp -le $deletionTreshold) -and ($_.DeviceOSType -eq "Windows") -and ($_.DeviceTrustType -eq "AzureAd") }
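The disable script and the three trust-type filters above all hard-code one combination of OS type and trust type, and none of them lets you see what would happen before it happens. The following is an added example, not code from the original post: one reusable filter that covers every platform and trust-type combination discussed so far, a dry-run disable built on -WhatIf, and a CSV ledger that records what was disabled and when, which is what the grace period has to be measured from. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the function names, the ledger file path and the parameter names are my own.

```powershell
# Added example (not from the original post). Assumes an existing Connect-AzureAD session.

function Get-StaleAzureADDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [int] $ThresholdDays,
        [string[]] $OSType    = @("Windows"),   # e.g. "IPhone","IPad" for iOS
        [string]   $TrustType = $null,          # "AzureAd", "ServerAd" or "Workplace"; empty = any
        [switch]   $IncludeNeverSeen            # also return devices that have no timestamp at all
    )
    $cutoff = (Get-Date).AddDays(-$ThresholdDays)

    Get-AzureADDevice -All:$true | Where-Object {
        # -and between every test; a comma here would build an array and match every device
        ($OSType -contains $_.DeviceOSType) -and
        ((-not $TrustType) -or ($_.DeviceTrustType -eq $TrustType)) -and
        (
            ($null -ne $_.ApproximateLastLogonTimeStamp -and $_.ApproximateLastLogonTimeStamp -le $cutoff) -or
            ($IncludeNeverSeen -and $null -eq $_.ApproximateLastLogonTimeStamp)
        )
    }
}

function Disable-StaleAzureADDevice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Device,
        [string] $LedgerPath = ".\disabled-devices.csv"   # hypothetical path: record of what was disabled, and when
    )
    process {
        # Already disabled: leave it alone so its grace-period clock is not reset
        if (-not $Device.AccountEnabled) { return }
        if ($PSCmdlet.ShouldProcess("$($Device.DisplayName) ($($Device.ObjectId))", "Disable")) {
            Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false
            [pscustomobject]@{
                ObjectId     = $Device.ObjectId
                DisplayName  = $Device.DisplayName
                DeviceOSType = $Device.DeviceOSType
                TrustType    = $Device.DeviceTrustType
                LastLogon    = $Device.ApproximateLastLogonTimeStamp
                DisabledOn   = (Get-Date).ToString("o")
            } | Export-Csv -Path $LedgerPath -Append -NoTypeInformation
        }
    }
}

# 1. Check which OS type / trust type strings your tenant actually reports before
#    trusting a literal in a filter
Get-AzureADDevice -All:$true | Group-Object DeviceOSType, DeviceTrustType | Select-Object Count, Name

# 2. Dry run: -WhatIf prints what would be disabled and changes nothing
Get-StaleAzureADDevice -ThresholdDays 90 -OSType Windows -TrustType ServerAd |
    Disable-StaleAzureADDevice -WhatIf

# 3. Real run: each disabled device and the date go into the ledger
Get-StaleAzureADDevice -ThresholdDays 90 -OSType Windows -TrustType ServerAd |
    Disable-StaleAzureADDevice
```

Run step 1 once per tenant and step 2 before every real run; the Group-Object output is also the quickest way to notice a trust-type string that does not match what a filter expects. The ledger is what a later deletion pass should read, because Azure AD itself does not record when a device was disabled.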

Ref: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains

For iOS: here is the script to remove stale iOS device entries by specifying a deletion threshold in days, such as 90.

At this stage I am assuming the devices are already in the disabled state, and the filter below checks for that rather than trusting the assumption. Below is a sample script to remove stale iOS device entries from Azure AD.

With Azure Automation Account

param(
    [Parameter(Mandatory=$True)]
    [int]$deletionTresholdDays
)

# The credential is an encrypted Automation asset; no password lives in the script body
$intuneAutomationCredential = Get-AutomationPSCredential -Name Intune-Automation-Account
Connect-AzureAD -Credential $intuneAutomationCredential

# Recommended approach is to first disable the device and then remove it from the portal.
# Specify the threshold days

$deletionTreshold = (Get-Date).AddDays(-$deletionTresholdDays)

# Get iOS devices older than $deletionTresholdDays that are already disabled.
# A device is an iPhone OR an iPad, never both, so the two OS checks are joined
# with -or. Only disabled devices are deleted, so a device that is still in its
# grace period (or was never disabled) is left alone.

$StaledDevices = Get-AzureADDevice -All:$true | Where-Object {
    ($null -ne $_.ApproximateLastLogonTimeStamp) -and
    ($_.ApproximateLastLogonTimeStamp -le $deletionTreshold) -and
    (($_.DeviceOSType -eq "IPhone") -or ($_.DeviceOSType -eq "IPad")) -and
    ($_.AccountEnabled -eq $false)
}

Foreach ($staled in $StaledDevices) {
    # Job output is the only audit trail once the record is gone
    Write-Output "Removing $($staled.DisplayName) ($($staled.ObjectId)), last logon $($staled.ApproximateLastLogonTimeStamp)"
    Remove-AzureADDevice -ObjectId $staled.ObjectId
}

Manual Way

# Specify the threshold days

[int]$deletionTresholdDays = Read-Host "Enter the number of days"

# Interactive sign-in. Omit -Credential and let Connect-AzureAD prompt if the
# account uses MFA, because a plain credential object cannot satisfy a second factor.
Connect-AzureAD -Credential (Get-Credential)

# Recommended approach is to first disable the device and then remove it from the portal.

$deletionTreshold = (Get-Date).AddDays(-$deletionTresholdDays)

# Get iOS devices older than $deletionTresholdDays that are already disabled
# (iPhone OR iPad, joined with -or; a comma instead of -and would match every device)

$StaledDevices = Get-AzureADDevice -All:$true | Where-Object {
    ($null -ne $_.ApproximateLastLogonTimeStamp) -and
    ($_.ApproximateLastLogonTimeStamp -le $deletionTreshold) -and
    (($_.DeviceOSType -eq "IPhone") -or ($_.DeviceOSType -eq "IPad")) -and
    ($_.AccountEnabled -eq $false)
}

# Review before deleting; removal is irreversible
$StaledDevices | Select-Object DisplayName, DeviceOSType, AccountEnabled, ApproximateLastLogonTimeStamp

Foreach ($staled in $StaledDevices) {
    Remove-AzureADDevice -ObjectId $staled.ObjectId
}

Running this script manually creates a dependency on an admin, so it is better to use an Azure Automation runbook, where you can schedule it to run every 90 days. Running the script from on-premises PowerShell is not recommended either: if you schedule it with Task Scheduler you end up putting the credentials in the script in plain text, which is a security issue. An Azure runbook is the ideal way to implement this, because the credential is stored as an encrypted Automation asset (or replaced by a Run As service principal with a certificate) and the job runs under a dedicated service account with no password in the script.
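The runbook above still signs in with a stored username and password, and it deletes anything that is disabled and stale in the same pass, so it cannot tell a device that was disabled yesterday from one that has sat disabled for the whole grace period. The following is an added example, not the author's runbook: a deletion runbook that authenticates with the Automation account's Run As certificate instead of a password, waits out the grace period, refuses to delete anything that is still enabled or has no timestamp, and stops itself if the candidate count is implausibly large (the kind of blast-radius cap that would have caught the comma-instead-of--and filter). It assumes a Run As connection named AzureRunAsConnection whose service principal has been granted the right to delete devices (the Cloud Device Administrator role covers this) and that the AzureAD module is imported into the Automation account; the parameter names and defaults are mine. Because Azure AD does not record when a device was disabled, "disabled for at least the grace period" is approximated as "last logon older than threshold + grace days", which holds for devices the scheduled disable job switched off but not for a device someone disabled by hand yesterday with a very old last logon.

```powershell
# Added example (not from the original post): grace-period deletion runbook
# using certificate-based Run As authentication. Assumptions are listed in the
# lead-in above; AzureRunAsConnection is the default Run As connection name.
param(
    [Parameter(Mandatory = $true)] [int] $ThresholdDays,   # device counts as stale after this many days
    [int] $GraceDays = 30,                                 # keep it disabled this long before deleting
    [int] $MaxDeletions = 50,                              # hard cap per run so a bad filter cannot empty the tenant
    [string[]] $OSType = @("IPhone", "IPad")               # platform(s) to clean up
)

# Certificate sign-in: the private key stays in the Automation account, so there is
# no password in the runbook and nothing to leak from a Task Scheduler job.
$conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzureAD -TenantId $conn.TenantId `
                -ApplicationId $conn.ApplicationId `
                -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# A device the scheduled disable job turned off at $ThresholdDays has been
# disabled for at least $GraceDays once its last logon is this old.
$cutoff = (Get-Date).AddDays(-($ThresholdDays + $GraceDays))

$candidates = Get-AzureADDevice -All:$true | Where-Object {
    ($OSType -contains $_.DeviceOSType) -and
    ($_.AccountEnabled -eq $false) -and                    # never delete a device that is still enabled
    ($null -ne $_.ApproximateLastLogonTimeStamp) -and      # never delete on a missing timestamp
    ($_.ApproximateLastLogonTimeStamp -le $cutoff)
}

$count = @($candidates).Count
Write-Output "Found $count disabled $($OSType -join '/') device(s) with last logon before $cutoff"

if ($count -gt $MaxDeletions) {
    # Fail closed: a filter bug or a tenant-wide outage in check-ins looks exactly like this
    throw "Refusing to delete $count devices (cap is $MaxDeletions); review the filter and raise the cap deliberately."
}

foreach ($device in $candidates) {
    # Leave an audit trail in the job output before the record disappears
    Write-Output "Deleting $($device.DisplayName) [$($device.ObjectId)] last logon $($device.ApproximateLastLogonTimeStamp)"
    Remove-AzureADDevice -ObjectId $device.ObjectId
}
```

Schedule this with the same threshold as the disable job and it will trail it by $GraceDays. Keep $MaxDeletions deliberately low at first; raising it should be a conscious change after reviewing the job output, not a default.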

Published by sujithcy

Resourceful IT Professional consistently responds to a wide range of technical challenges with a specific focus on Azure Cloud and Office 365. Provide technical solutions, performance optimization, and technical improvements with a good understanding of the latest cutting-edge technologies and creative approach.
