Intune – Retire Managed Device and Remove stale entry from Azure AD

The script below retires an iOS device in Intune and deletes its Azure AD device entry in the same run. Retiring a device from Intune only removes the record from the Intune portal; the Azure AD device object is left behind as an orphan that still shows as "Azure AD registered" and has to be deleted separately.

You can run this script from an Azure Automation runbook or from a local PowerShell session. If you run it locally, the script reads the service account credentials from the registry; see the separate post on how to store credentials in the registry and read them back from a PowerShell script. The stored password is a DPAPI-protected string (the output of ConvertFrom-SecureString), so it only decrypts for the same user account on the same machine that wrote it.
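The write side that the local script's registry read expects, as an added example that is not code from the original post. The key path and the value names are assumptions chosen to match what the local script reads back (a UserName string and a Password string produced by ConvertFrom-SecureString):

```powershell
# Added example: store a credential in HKCU so a script can rebuild a PSCredential later.
# The key path is an assumption; the value names UserName/Password match the read side.
$credKey = 'HKCU:\Software\contoso\Credentials\IntuneRetireCredential'

# Prompt once; the clear-text password never touches the disk
$cred = Get-Credential -Message 'Service account used for Intune retire / Azure AD device delete'

New-Item -Path $credKey -Force | Out-Null
Set-ItemProperty -Path $credKey -Name UserName -Value $cred.UserName
# ConvertFrom-SecureString with no -Key encrypts with DPAPI scoped to the current user,
# so the stored value is useless if the key is exported to another user or machine
Set-ItemProperty -Path $credKey -Name Password -Value ($cred.Password | ConvertFrom-SecureString)

# Read it back exactly the way the local script does
$stored = Get-ItemProperty -Path $credKey
$restored = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $stored.UserName, (ConvertTo-SecureString $stored.Password)

# Round-trip check without printing the secret
if ($restored.GetNetworkCredential().Password -ceq $cred.GetNetworkCredential().Password) {
    Write-Output "Stored credential for $($restored.UserName) under $credKey (DPAPI, current user and machine only)"
} else {
    throw 'Credential round trip failed'
}
```

DPAPI protects the value against copying it elsewhere, not against code running as the same user: any process in that user's session can call ConvertTo-SecureString on it just as this script does, so the machine and account that hold it deserve the same care as the service account itself.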

From an Azure Automation runbook: the Run As account is not what authenticates this script. Creating a Run As account gives its service principal the "Contributor" role on the subscription, which is an Azure RBAC role and grants nothing inside Azure AD. The script signs in with the credential asset instead (a username and password), so that account needs a directory role that includes deleting device objects. Global Administrator works, but it is far more than the job needs: Cloud Device Administrator can delete Azure AD devices, and Intune Administrator can both retire the Intune device and delete the Azure AD device object, so one of those is the better choice and no custom role is required. Because -PSCredential and -Credential are username-and-password sign-ins, the account cannot have MFA enforced; treat it as a high-value service account and keep its role to the minimum rather than Global Administrator.
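A pre-flight check for the point above, added here as an example and not taken from the post: list the activated directory roles the service account holds and flag whether one of them can delete Azure AD device objects. It assumes the AzureAD module and an existing Connect-AzureAD session; the UPN in the usage line is a placeholder.

```powershell
# Added example: which directory roles does an account hold, and do they allow deleting devices?
function Test-DeviceDeleteRole {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Built-in roles whose permissions include microsoft.directory/devices/delete.
    # The AzureAD module reports some roles under their older Azure AD Graph names,
    # so both spellings are listed.
    $deviceDeleteRoles = 'Global Administrator', 'Company Administrator',
                         'Cloud Device Administrator',
                         'Intune Administrator', 'Intune Service Administrator'

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Get-AzureADDirectoryRole only returns roles that have been activated in the tenant,
    # and membership here is direct membership only (PIM-eligible and group-based
    # assignments are not covered by this check)
    $held = foreach ($role in Get-AzureADDirectoryRole) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -contains $user.ObjectId) { $role.DisplayName }
    }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        RolesHeld         = @($held)
        CanDeleteDevices  = [bool]($held | Where-Object { $deviceDeleteRoles -contains $_ })
        # Global Administrator is enough but more than the retire/delete task needs
        Overprivileged    = ($held -contains 'Global Administrator') -or ($held -contains 'Company Administrator')
    }
}

# Usage (placeholder UPN): run Connect-AzureAD first, then
Test-DeviceDeleteRole -UserPrincipalName 'svc-intune-retire@contoso.onmicrosoft.com'
```

If CanDeleteDevices is false the runbook will retire the Intune device and then fail on Remove-AzureADDevice, leaving exactly the orphan this post is about; if Overprivileged is true, consider moving the account to Cloud Device Administrator or Intune Administrator.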

param(
    [Parameter(Mandatory=$True)]
    [string]$deviceSerial
)

# Automation assets: a credential asset for the service account and variable assets
# for the app ID and tenant (asset names are redacted here)
$intuneAutomationCredential = Get-AutomationPSCredential -Name *********
$intuneAutomationAppId = Get-AutomationVariable -Name ********   # not needed by Connect-MSGraph -PSCredential
$tenant = Get-AutomationVariable -Name **********

# Connect to Intune (Graph) and Azure AD once, up front, with the same credential.
# Both are username/password sign-ins, so the account cannot be MFA-enforced.
Connect-MSGraph -PSCredential $intuneAutomationCredential
Connect-AzureAD -Credential $intuneAutomationCredential -TenantId $tenant

# Look the device up by serial number on the server side instead of pulling every
# managed device and filtering locally
$devices = Get-IntuneManagedDevice -Filter "serialNumber eq '$deviceSerial'" |
    Select-Object id, deviceName, complianceState, managedDeviceOwnerType, azureADDeviceId

if (-not $devices) {
    Write-Warning "No Intune managed device with serial number '$deviceSerial' exists in the tenant"
    return
}

# More than one record can share a serial number (re-enrolments), so handle each
foreach ($device in $devices) {
    # Only personal (Azure AD registered) devices are in scope
    if ($device.managedDeviceOwnerType -ne 'personal') {
        Write-Warning "$($device.deviceName) ($($device.id)) is $($device.managedDeviceOwnerType)-owned, skipping"
        continue
    }

    Write-Output "Retiring $($device.deviceName) (Intune id $($device.id), compliance $($device.complianceState), Azure AD deviceId $($device.azureADDeviceId))"
    Invoke-IntuneManagedDeviceRetire -managedDeviceId $device.id

    # Azure AD device objects are looked up by deviceId, not ObjectId. A server-side
    # filter also avoids the 100-object default page size of Get-AzureADDevice.
    $aadDevice = Get-AzureADDevice -Filter "deviceId eq '$($device.azureADDeviceId)'"
    if ($aadDevice) {
        Remove-AzureADDevice -ObjectId $aadDevice.ObjectId
        Write-Output "Removed Azure AD device object $($aadDevice.ObjectId) for $($device.deviceName)"
    } else {
        Write-Warning "No Azure AD device object found for deviceId $($device.azureADDeviceId); nothing to remove"
    }
}

If you are running it from a local PowerShell session:

# Stored registry credentials. The Password value must have been written with
# ConvertFrom-SecureString: ConvertTo-SecureString below is called without -AsPlainText,
# so it expects that DPAPI-protected string, which only decrypts for the same user
# account on the same machine. The key name is redacted here.
$credKey = 'HKCU:\Software\contoso\Credentials\*********AppServiceCredential'
$storedCred = Get-ItemProperty -Path $credKey
$securePassword = ConvertTo-SecureString $storedCred.Password
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $storedCred.UserName, $securePassword

# Log file for the devices acted on
$logpath = Join-Path $env:TEMP 'intune-retire.log'

# Connect to Intune (Graph) and Azure AD once, with the same credential
Connect-MSGraph -PSCredential $credential
Connect-AzureAD -Credential $credential

# Get the device serial number
$deviceSerial = Read-Host "Enter the Serial Number of the iOS device you wish to retire"

# Look the device up by serial number on the server side instead of pulling every device
$devices = Get-IntuneManagedDevice -Filter "serialNumber eq '$deviceSerial'" |
    Select-Object id, deviceName, complianceState, managedDeviceOwnerType, azureADDeviceId

if (-not $devices) {
    Write-Host "The device you are looking for does not exist in the system" -ForegroundColor Red
    return
}

# Log the device list for reference
$devices | Out-File $logpath -Append

# Retire each matching personal device, then delete its Azure AD device object
foreach ($device in $devices) {
    if ($device.managedDeviceOwnerType -ne 'personal') {
        Write-Host "$($device.deviceName) is $($device.managedDeviceOwnerType)-owned, skipping" -ForegroundColor Yellow
        continue
    }

    Write-Host "Retiring $($device.deviceName) (Intune id $($device.id), compliance $($device.complianceState))"
    Invoke-IntuneManagedDeviceRetire -managedDeviceId $device.id

    # Azure AD device objects are looked up by deviceId, not ObjectId. A server-side
    # filter also avoids the 100-object default page size of Get-AzureADDevice.
    $aadDevice = Get-AzureADDevice -Filter "deviceId eq '$($device.azureADDeviceId)'"
    if ($aadDevice) {
        Remove-AzureADDevice -ObjectId $aadDevice.ObjectId
        Write-Host "Removed Azure AD device $($aadDevice.ObjectId) for $($device.deviceName)"
    } else {
        Write-Host "No Azure AD device object found for deviceId $($device.azureADDeviceId)" -ForegroundColor Yellow
    }
}
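The scripts above clean up one device at a time. As an added example that is not part of the original post, the following finds the Azure AD device objects that earlier retires have already left behind: devices that are Azure AD registered (DeviceTrustType "Workplace") and have no Intune managed-device record with a matching azureADDeviceId. It assumes existing Connect-MSGraph and Connect-AzureAD sessions; the 30-day staleness default is an assumption you should tune.

```powershell
# Added example: list Azure AD registered devices that Intune no longer manages.
function Get-OrphanedRegisteredDevice {
    param(
        # Only report devices not seen for at least this many days
        [int]$StaleDays = 30,
        # Optional DeviceOSType filter, e.g. 'iOS','iPhone','iPad'; empty means all OS types
        [string[]]$OsFilter = @()
    )

    # Every Intune managed device, all pages, keyed by its Azure AD deviceId.
    # PowerShell hashtables compare string keys case-insensitively, so GUID casing does not matter.
    $managedIds = @{}
    Get-IntuneManagedDevice | Get-MSGraphAllPages | ForEach-Object {
        if ($_.azureADDeviceId) { $managedIds[$_.azureADDeviceId] = $_.deviceName }
    }

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # -All is required: without it Get-AzureADDevice returns only the first 100 objects
    Get-AzureADDevice -All $true |
        Where-Object {
            $_.DeviceTrustType -eq 'Workplace' -and
            -not $managedIds.ContainsKey($_.DeviceId) -and
            ($OsFilter.Count -eq 0 -or $OsFilter -contains $_.DeviceOSType) -and
            ($null -eq $_.ApproximateLastLogonTimeStamp -or $_.ApproximateLastLogonTimeStamp -lt $cutoff)
        } |
        Select-Object DisplayName, DeviceId, ObjectId, DeviceOSType, DeviceTrustType, ApproximateLastLogonTimeStamp
}

# Review the list first; the delete line is left commented on purpose
$orphans = Get-OrphanedRegisteredDevice -StaleDays 30
$orphans | Format-Table -AutoSize
# $orphans | ForEach-Object { Remove-AzureADDevice -ObjectId $_.ObjectId }
```

Not every Azure AD registered device without an Intune record is a retire leftover: a personal device can be registered by Microsoft Authenticator or an Office app without ever enrolling in Intune, and deleting its object forces the user to register again. That is why the function filters on last sign-in age and why the example prints the list instead of deleting it.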
