The script below retires an iOS device from Intune and removes its Azure AD device entry in the same run. Retiring a device from Intune only removes the record from the Intune portal; the Azure AD device object is not touched, so it is left orphaned and still shows as "Azure AD Registered".
You can run this script from an Azure Automation runbook or locally in an elevated PowerShell session. If you run it locally, see the linked post explaining how to store credentials in the registry and read them back while running PowerShell scripts (the stored password is DPAPI-protected, so it can only be decrypted by the same Windows user on the same machine that stored it).
From an Azure Automation runbook: if you use a Run As account, check its directory role separately from its Azure RBAC role. By default, creating an Automation account gives the Run As account the "Contributor" role on the subscription, which is an Azure RBAC role and grants no rights in Azure AD. To run the script below, the identity needs a directory role that allows deleting device objects; the author used Global Administrator, but that is far more privilege than this task needs — before granting it, check whether a narrower built-in directory role with device-delete rights (for example Cloud Device Administrator or Intune Administrator) is sufficient, or whether a custom role scoped to "delete device objects" can be defined in your tenant.
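<#
.SYNOPSIS
    Retires a personally-owned iOS device from Intune and deletes its Azure AD device object.

.DESCRIPTION
    Azure Automation runbook variant. The device is looked up in Intune by serial number;
    every matching device whose managedDeviceOwnerType is "personal" is retired, and the
    corresponding Azure AD device object (matched on azureADDeviceId) is then deleted so it
    does not remain orphaned as "Azure AD Registered".

.PARAMETER deviceSerial
    Serial number of the iOS device to retire.

.PARAMETER logpath
    Optional file to which the matched device records are appended before anything is retired.

.NOTES
    Requires Automation assets: a PSCredential plus variables for the app id and tenant.
    The identity must be able to retire Intune devices and delete directory device objects.
    Deleting the Azure AD object is destructive and is not undone by this script.
#>
param(
    [Parameter(Mandatory=$True)]
    [string]$deviceSerial,
    [string]$logpath
)

# Abort on the first failing cmdlet: an Intune retire that fails must not be followed by an
# Azure AD delete, otherwise a still-managed device loses its directory object.
$ErrorActionPreference = 'Stop'

# Automation assets. Replace the placeholder names with the asset names in your Automation account.
$intuneAutomationCredential = Get-AutomationPSCredential -Name "<credential-asset-name>"
$intuneAutomationAppId = Get-AutomationVariable -Name "<app-id-variable-name>"
$tenant = Get-AutomationVariable -Name "<tenant-variable-name>"
# NOTE(review): $intuneAutomationAppId and $tenant are read but never used below; presumably they
# were meant to configure the Graph environment before Connect-MSGraph — confirm against the setup.

Connect-MSGraph -PSCredential $intuneAutomationCredential

# Get-IntuneManagedDevice returns one page; follow all pages so a device past the first page
# is not reported as missing. -eq on strings is case-insensitive in PowerShell.
$allMatches = Get-IntuneManagedDevice | Get-MSGraphAllPages |
    Where-Object { $_.serialNumber -eq $deviceSerial }

if (-not $allMatches) {
    Write-Host "The device you are looking for does not exist in the system" -ForegroundColor red
    return
}

# Only personally-owned devices are retired; a corporate device with the same serial is left alone.
$devices = $allMatches |
    Where-Object { $_.managedDeviceOwnerType -eq "personal" } |
    Select-Object id,deviceName,complianceState,managedDeviceOwnerType,azureADDeviceId

if (-not $devices) {
    Write-Host "Device $deviceSerial exists in Intune but is not marked as personal; nothing was retired" -ForegroundColor Yellow
    return
}

# Record what is about to be retired: job output always, a file only when a path was given.
$devices | Write-Output
if ($logpath) {
    $devices | Out-File $logpath -Append
}

# Retire every matching Intune record first, so the directory clean-up below only runs
# once all retires have succeeded.
foreach ($device in $devices) {
    Invoke-IntuneManagedDeviceRetire -managedDeviceId $device.id
}

# Give the retire a moment to land before switching to the Azure AD endpoint.
Start-Sleep -Seconds 10
Connect-AzureAD -Credential $intuneAutomationCredential
Start-Sleep -Seconds 10

foreach ($device in $devices) {
    if (-not $device.azureADDeviceId) {
        Write-Host "Device $($device.deviceName) has no azureADDeviceId; skipping directory delete" -ForegroundColor Yellow
        continue
    }

    # Map Intune's azureADDeviceId (the directory DeviceId) to the ObjectId that delete needs.
    # -All is required: without it Get-AzureADDevice only returns the first page of devices.
    $aadDevices = Get-AzureADDevice -All $true |
        Where-Object { $_.DeviceId -eq $device.azureADDeviceId }

    if (-not $aadDevices) {
        Write-Host "No Azure AD device object found for $($device.deviceName) ($($device.azureADDeviceId)); skipping directory delete" -ForegroundColor Yellow
        continue
    }

    # Destructive and irreversible: remove the now-orphaned Azure AD Registered object.
    foreach ($aadDevice in $aadDevices) {
        Remove-AzureADDevice -ObjectId $aadDevice.ObjectId
    }
}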
If you are running it from a local PowerShell session (credentials are read from the registry entry described above; note that the username is stored in clear text there and the password can only be decrypted by the user who stored it):
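<#
.SYNOPSIS
    Retires a personally-owned iOS device from Intune and deletes its Azure AD device object
    (interactive, local-session variant).

.DESCRIPTION
    Reads a stored credential from the registry, connects to Intune, prompts for a serial
    number, retires every matching device whose managedDeviceOwnerType is "personal", and
    then deletes the corresponding Azure AD device object (matched on azureADDeviceId).

.NOTES
    The registry password value is a DPAPI-protected SecureString export; ConvertTo-SecureString
    without -Key can only decrypt it as the same Windows user on the same machine that stored it.
    Deleting the Azure AD object is destructive and is not undone by this script.
#>

# Abort on the first failing cmdlet: an Intune retire that fails must not be followed by an
# Azure AD delete, otherwise a still-managed device loses its directory object.
$ErrorActionPreference = 'Stop'

# Optional log of the matched device records; left empty, nothing is written to disk.
$logpath = ''

# Stored Registry Credentials. Replace <AppName> with the key name you created.
$credKeyPath = 'HKCU:\Software\contoso\Credentials\<AppName>AppServiceCredential'
$storedCred = Get-ItemProperty -Path $credKeyPath
$secureCredUserName = $storedCred.UserName
$secureCredPassword = $storedCred.Password
# DPAPI decryption of the exported SecureString; fails if run as a different user or machine.
$securePassword = ConvertTo-SecureString $secureCredPassword
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $secureCredUserName, $securePassword

# Connect to Intune
Connect-MSGraph -PSCredential $credential

# Get the Device Serial Number (the original split this assignment across two lines, which
# PowerShell rejects; it must be a single statement).
$deviceSerial = Read-Host "Enter the Serial Number of the iOS device you wish to retire"

# Get-IntuneManagedDevice returns one page; follow all pages so a device past the first page
# is not reported as missing. -eq on strings is case-insensitive in PowerShell.
$allMatches = Get-IntuneManagedDevice | Get-MSGraphAllPages |
    Where-Object { $_.serialNumber -eq $deviceSerial }

if (-not $allMatches) {
    Write-Host "The device you are looking for does not exist in the system" -ForegroundColor red
    return
}

# Only personally-owned devices are retired; a corporate device with the same serial is left alone.
$devices = $allMatches |
    Where-Object { $_.managedDeviceOwnerType -eq "personal" } |
    Select-Object id,deviceName,complianceState,managedDeviceOwnerType,azureADDeviceId

if (-not $devices) {
    Write-Host "Device $deviceSerial exists in Intune but is not marked as personal; nothing was retired" -ForegroundColor Yellow
    return
}

# Record what is about to be retired: console always, a file only when $logpath is set.
$devices | Write-Output
if ($logpath) {
    $devices | Out-File $logpath -Append
}

# Retire every matching Intune record first, so the directory clean-up below only runs
# once all retires have succeeded.
foreach ($device in $devices) {
    Invoke-IntuneManagedDeviceRetire -managedDeviceId $device.id
}

# Give the retire a moment to land, then connect to Azure AD once with the same stored
# credential (the original reconnected inside the loop with an undefined variable).
Start-Sleep -Seconds 10
Connect-AzureAD -Credential $credential
Start-Sleep -Seconds 10

foreach ($device in $devices) {
    if (-not $device.azureADDeviceId) {
        Write-Host "Device $($device.deviceName) has no azureADDeviceId; skipping directory delete" -ForegroundColor Yellow
        continue
    }

    # Map Intune's azureADDeviceId (the directory DeviceId) to the ObjectId that delete needs.
    # -All is required: without it Get-AzureADDevice only returns the first page of devices.
    $aadDevices = Get-AzureADDevice -All $true |
        Where-Object { $_.DeviceId -eq $device.azureADDeviceId }

    if (-not $aadDevices) {
        Write-Host "No Azure AD device object found for $($device.deviceName) ($($device.azureADDeviceId)); skipping directory delete" -ForegroundColor Yellow
        continue
    }

    # Destructive and irreversible: remove the now-orphaned Azure AD Registered object.
    foreach ($aadDevice in $aadDevices) {
        Remove-AzureADDevice -ObjectId $aadDevice.ObjectId
    }
}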