Azure AD – Manage stale devices

A device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe is a stale device. In a perfect world, Azure AD registered devices would be unregistered when they aren’t needed anymore... well... duh!

In the environments I manage, most of the time devices are lost, broken, forgotten in trains and taxis, or have their OS reinstalled. These numbers grow fairly quickly if a process is not put in place. I had to live and learn this.

Beyond interfering with the device’s general lifecycle, these stale devices make it harder to identify the devices actually associated with a user. It is also better to have a clean set of devices to meet various compliance requirements.

Define a policy

Similar to having policies for on-premises AD objects, it is better to define a policy for Azure AD objects.

  • Define a timeframe – Pick a timeframe that matches your on-premises AD inactive-object policy
  • Categorize devices to better understand your stale device management
    • MDM-controlled devices – Retire devices in Intune or other MDM solutions before disabling or deleting them
    • System-managed devices – Don’t delete. These are generally devices such as Autopilot devices. Once deleted, they can’t be re-provisioned
    • Hybrid Azure AD joined devices
      • Windows 10 – Disable or delete in on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD
      • Windows 7/8 – Disable or delete in on-premises AD; Azure AD Connect can’t be used to disable or delete these devices in Azure AD, so they must also be disabled or deleted in Azure AD directly
    • Azure AD joined devices – Disable or delete in Azure AD
    • Azure AD registered devices – Disable or delete in Azure AD

What happens when a device is disabled?

Any authentication in which the device is used to authenticate to Azure AD is denied.

  • Hybrid Azure AD joined device – Users might still be able to use the device to sign in to their on-premises domain. However, they can’t access Azure AD resources such as Microsoft 365
  • Azure AD joined device – Users can’t use the device to sign in
  • Mobile devices – Users can’t access Azure AD resources such as Microsoft 365

How to remove a registration on the client?

Even after a device is disabled or deleted in the Azure portal or with Windows PowerShell, the local state on the device still says that it is registered.

This is by design. Deleting an Azure AD device does not remove the registration on the client; it only prevents access to cloud resources that use the device as an identity.

To remove a Windows 10 device registration – Go to Settings > Accounts > Access Work or School, select your account and select Disconnect. Device registration is per user profile.

For iOS and Android, open Microsoft Authenticator, go to Settings > Device Registration and select Unregister device.

Detecting stale devices

The ApproximateLastLogonTimestamp or activity timestamp property in Azure AD comes in handy to detect stale devices. If the difference between now and the value of the activity timestamp exceeds the defined timeframe for active devices, a device is considered to be stale. The evaluation of the activity timestamp is triggered by an authentication attempt of a device.

Cleanup stale devices

The Azure AD portal does allow you to remove stale devices, but it is better to use PowerShell. The typical steps are as follows:

  1. Connect to Azure AD using the Connect-AzureAD cmdlet
  2. Get the list of devices using Get-AzureADDevice (the Get-AzureADDevice cmdlet excludes system-managed devices by default)
  3. Disable the device using the Set-AzureADDevice cmdlet (disable with the -AccountEnabled $false option)
  4. Define a grace period appropriate to your environment and wait for it to pass before deleting devices
  5. Remove the device using the Remove-AzureADDevice cmdlet

The account updating devices in Azure AD will need one of the following roles assigned:

  • Global Administrator
  • Cloud Device Administrator
  • Intune Service Administrator

To get all devices and store the returned data in a CSV file:

Get-AzureADDevice -All:$true | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv stale-devicelist.csv -NoTypeInformation

To get all devices that haven’t logged on in 120 days and return data in a CSV file:

$sd = (Get-Date).AddDays(-120)
Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $sd} | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-120days.csv -NoTypeInformation

Disable devices that haven’t logged on in the past 120 days:

$sd = (Get-Date).AddDays(-120)
# Capture the filtered list; without the assignment the foreach below has nothing to iterate over
$Devices = Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $sd}
foreach ($Device in $Devices) {
    Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false
}

Delete disabled devices that have been inactive for the past 120 days. Remove-AzureADDevice deletes devices without prompting, and there is no way to recover deleted devices.

$sd = (Get-Date).AddDays(-120)
$Devices = Get-AzureADDevice -All:$true | Where {($_.ApproximateLastLogonTimeStamp -le $sd) -and ($_.AccountEnabled -eq $false)}
foreach ($Device in $Devices) {
    Remove-AzureADDevice -ObjectId $Device.ObjectId
}

Remember that, when configured, BitLocker keys for Windows 10 devices are stored on the device object in Azure AD. If you delete a stale device, you also delete the BitLocker keys stored on it. Confirm that your cleanup policy aligns with the actual lifecycle of your devices before deleting a stale device.
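The snippets above each do one step. The script below is an added example, not code from the original post, that runs the whole procedure (steps 2 to 5) in one pass while applying the policy categories from the first section: hybrid joined devices are only reported (they are handled in on-premises AD), MDM-managed devices are reported for retirement in Intune first, devices with no activity timestamp are reported rather than touched, and deletion is limited to devices that are already disabled and older than the stale timeframe plus a grace period. It assumes Connect-AzureAD has already been run with one of the roles listed above, that the DeviceTrustType values Workplace, AzureAd and ServerAd identify registered, joined and hybrid joined devices, and that the IsManaged property marks MDM-enrolled devices. Because Get-AzureADDevice does not record when a device was disabled, the grace period is approximated from the last-logon age; the 120 and 30 day values are placeholders for your own policy.

```powershell
<#
  Added example, not from the original post: one pass of the stale-device
  cleanup using the AzureAD module cmdlets named above.
  Assumes: Connect-AzureAD already run; DeviceTrustType 'ServerAd' = hybrid
  joined; IsManaged = MDM-enrolled. Run with -WhatIf first and keep the CSV.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays     = 120,                          # policy timeframe
    [int]$GraceDays     = 30,                           # wait after disable before delete
    [string]$ReportPath = ".\stale-devices-report.csv"  # constructed path
)

$now          = Get-Date
$staleCutoff  = $now.AddDays(-$StaleDays)
$deleteCutoff = $now.AddDays(-($StaleDays + $GraceDays))

# Get-AzureADDevice excludes system-managed (Autopilot) devices by default,
# so they never reach the categorisation below.
$devices = Get-AzureADDevice -All:$true

$report = foreach ($d in $devices) {
    $ts = $d.ApproximateLastLogonTimeStamp

    # Decide what the policy says about this device. Devices with no
    # timestamp are reported but not touched: '$null -le $date' is $true in
    # PowerShell, so a plain 'Where -le' filter would treat them as stale.
    $action = if ($null -eq $ts) {
        'Review-NoTimestamp'
    } elseif ($ts -gt $staleCutoff) {
        'Active'
    } elseif ($d.DeviceTrustType -eq 'ServerAd') {
        'Handle-OnPrem'           # hybrid joined: disable/delete in AD, let AAD Connect sync
    } elseif ($d.IsManaged -eq $true) {
        'Retire-In-MDM-First'     # MDM-controlled: retire in Intune before disabling
    } elseif ($d.AccountEnabled -eq $false -and $ts -le $deleteCutoff) {
        'Delete'                  # already disabled and past the grace period
    } elseif ($d.AccountEnabled -eq $true) {
        'Disable'
    } else {
        'Wait-GracePeriod'        # disabled, but not yet old enough to delete
    }

    [pscustomobject]@{
        DisplayName     = $d.DisplayName
        DeviceId        = $d.DeviceId
        ObjectId        = $d.ObjectId
        DeviceOSType    = $d.DeviceOSType
        DeviceTrustType = $d.DeviceTrustType
        IsManaged       = $d.IsManaged
        AccountEnabled  = $d.AccountEnabled
        LastLogon       = $ts
        Action          = $action
    }
}

# Always write the report, even under -WhatIf: it is the record of what
# was (or would be) changed, and the only place the deleted objects survive.
$report | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

foreach ($row in $report | Where-Object Action -eq 'Disable') {
    if ($PSCmdlet.ShouldProcess($row.DisplayName, "Disable stale device")) {
        Set-AzureADDevice -ObjectId $row.ObjectId -AccountEnabled $false
    }
}

# Remove-AzureADDevice does not prompt and cannot be undone; BitLocker keys
# stored on the device object are lost with it. Only devices that were
# already disabled and are older than StaleDays + GraceDays reach this loop.
foreach ($row in $report | Where-Object Action -eq 'Delete') {
    if ($PSCmdlet.ShouldProcess($row.DisplayName, "Delete disabled stale device")) {
        Remove-AzureADDevice -ObjectId $row.ObjectId
    }
}

# Summary of what the policy decided for each category
$report | Group-Object Action | Select-Object Name, Count
```

Run it first as `.\Cleanup-StaleDevices.ps1 -WhatIf` and review the CSV; the ShouldProcess wrapper is needed because Set-AzureADDevice and Remove-AzureADDevice do not support -WhatIf themselves. Scheduling the script to run at the start of each month gives you the disable pass and, a grace period later, the delete pass, with a report from every run to answer the compliance question of why a device disappeared.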

Thank you for stopping by.✌