Ideally, to complete the lifecycle, registered devices should be unregistered when they aren't needed anymore. Because of lost, stolen, broken devices, or OS reinstallations you'll typically have some stale devices in your environment. As an IT admin, you probably want a method to remove stale devices, so that you can focus your resources on managing devices that actually require management.
In this article, you learn how to efficiently manage stale devices in your environment.
What is a stale device?
A stale device is a device that has been registered with Azure AD but hasn't been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:
Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active.
An increased number of devices creates unnecessary device writebacks increasing the time for Azure AD connect syncs.
As a general hygiene and to meet compliance, you may want to have a clean state of devices.
Stale devices in Azure AD can interfere with the general lifecycle policies for devices in your organization.
Detect stale devices
Because a stale device is defined as a registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property. In Azure AD, this property is called ApproximateLastLogonTimestamp or activity timestamp. If the delta between now and the value of the activity timestamp exceeds the timeframe you've defined for active devices, a device is considered to be stale. This activity timestamp is now in public preview.
How is the value of the activity timestamp managed?
The evaluation of the activity timestamp is triggered by an authentication attempt of a device. Azure AD evaluates the activity timestamp when:
A Conditional Access policies requiring managed devices or approved client apps has been triggered.
Windows 10 or newer devices that are either Azure AD joined or hybrid Azure AD joined are active on the network.
Intune managed devices have checked in to the service.
If the delta between the existing value of the activity timestamp and the current value is more than 14 days (+/-5 day variance), the existing value is replaced with the new value.
How do I get the activity timestamp?
You have two options to retrieve the value of the activity timestamp:
The Activity column on the devices page in the Azure portal
The Get-AzureADDevice cmdlet
Plan the cleanup of your stale devices
To efficiently clean up stale devices in your environment, you should define a related policy. This policy helps you to ensure that you capture all considerations that are related to stale devices. The following sections provide you with examples for common policy considerations.
Caution
If your organization uses BitLocker drive encryption, you should ensure that BitLocker recovery keys are either backed up or no longer needed before deleting devices. Failure to do this may cause loss of data.
Cleanup account
To update a device in Azure AD, you need an account that has one of the following roles assigned:
Global Administrator
Cloud Device Administrator
Intune Service Administrator
In your cleanup policy, select accounts that have the required roles assigned.
Timeframe
Define a timeframe that is your indicator for a stale device. When defining your timeframe, factor the window noted for updating the activity timestamp into your value. For example, you shouldn't consider a timestamp that is younger than 21 days (includes variance) as an indicator for a stale device. There are scenarios that can make a device look like stale while it isn't. For example, the owner of the affected device can be on vacation or on a sick leave that exceeds your timeframe for stale devices.
Disable devices
It isn't advisable to immediately delete a device that appears to be stale because you can't undo a deletion if there's a false positive. As a best practice, disable a device for a grace period before deleting it. In your policy, define a timeframe to disable a device before deleting it.
MDM-controlled devices
If your device is under control of Intune or any other MDM solution, retire the device in the management system before disabling or deleting it. For more information, see the article Remove devices by using wipe, retire, or manually unenrolling the device.
System-managed devices
Don't delete system-managed devices. These devices are generally devices such as Autopilot. Once deleted, these devices can't be reprovisioned. The new Get-AzureADDevice cmdlet excludes system-managed devices by default.
Hybrid Azure AD joined devices
Your hybrid Azure AD joined devices should follow your policies for on-premises stale device management.
To clean up Azure AD:
Windows 10 or newer devices - Disable or delete Windows 10 or newer devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD.
Windows 7/8 - Disable or delete Windows 7/8 devices in your on-premises AD first. You can't use Azure AD Connect to disable or delete Windows 7/8 devices in Azure AD. Instead, when you make the change in your on-premises, you must disable/delete in Azure AD.
Note
Deleting devices in your on-premises AD or Azure AD does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g. Conditional Access). Read additional information on how to remove registration on the client.
Deleting a Windows 10 or newer device only in Azure AD will re-synchronize the device from your on-premises using Azure AD connect but as a new object in "Pending" state. A re-registration is required on the device.
Removing the device from sync scope for Windows 10 or newer /Server 2016 devices will delete the Azure AD device. Adding it back to sync scope will place a new object in "Pending" state. A re-registration of the device is required.
If you are not using Azure AD Connect for Windows 10 or newer devices to synchronize (e.g. ONLY using AD FS for registration), you must manage lifecycle similar to Windows 7/8 devices.
Azure AD joined devices
Disable or delete Azure AD joined devices in the Azure AD.
Note
Deleting an Azure AD device does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g Conditional Access).
Read more on how to unjoin on Azure AD
Azure AD registered devices
Disable or delete Azure AD registered devices in the Azure AD.
Note
Deleting an Azure AD registered device in Azure AD does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g. Conditional Access).
Read more on how to remove a registration on the client
Clean up stale devices in the Azure portal
While you can clean up stale devices in the Azure portal, it's more efficient, to handle this process using a PowerShell script. Use the latest PowerShell V2 module to use the timestamp filter and to filter out system-managed devices such as Autopilot.
A typical routine consists of the following steps:
Connect to Azure Active Directory using the Connect-AzureAD cmdlet
Get the list of devices
Disable the device using the Set-AzureADDevice cmdlet (disable by using -AccountEnabled option).
Wait for the grace period of however many days you choose before deleting the device.
Remove the device using the Remove-AzureADDevice cmdlet.
Get the list of devices
To get all devices and store the returned data in a CSV file:
If you have a large number of devices in your directory, use the timestamp filter to narrow down the number of returned devices. To get all devices that haven't logged on in 90 days and store the returned data in a CSV file:
Using the same commands we can pipe the output to the set command to disable the devices over a certain age.
$dt = (Get-Date).AddDays(-90)$Devices = Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt}foreach ($Device in $Devices) {Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false}
Delete devices
Caution
The Remove-AzureADDevice cmdlet does not provide a warning. Running this command will delete devices without prompting. There is no way to recover deleted devices.
Before deleting any devices, back up any BitLocker recovery keys you may need in the future. There's no way to recover BitLocker recovery keys after deleting the associated device.
Building on the disable devices example we look for disabled devices, now inactive for 120 days, and pipe the output to Remove-AzureADDevice to delete those devices.
The timestamp is updated to support device lifecycle scenarios. This attribute isn't an audit. Use the sign-in audit logs for more frequent updates on the device.
Why should I worry about my BitLocker keys?
When configured, BitLocker keys for Windows 10 or newer devices are stored on the device object in Azure AD. If you delete a stale device, you also delete the BitLocker keys that are stored on the device. Confirm that your cleanup policy aligns with the actual lifecycle of your device before deleting a stale device.
Why should I worry about Windows Autopilot devices?
When you delete an Azure AD device that was associated with a Windows Autopilot object the following three scenarios can occur if the device will be repurposed in future:
With Windows Autopilot user-driven deployments without using pre-provisioning, a new Azure AD device will be created, but it won’t be tagged with the ZTDID.
With Windows Autopilot self-deploying mode deployments, they'll fail because an associate Azure AD device can’t be found. (This failure is a security mechanism to make sure that no “imposter” devices try to join Azure AD with no credentials.) The failure will indicate a ZTDID mismatch.
With Windows Autopilot pre-provisioning deployments, they'll fail because an associated Azure AD device can’t be found. (Behind the scenes, pre-provisioning deployments use the same self-deploying mode process, so they enforce the same security mechanisms.)
How do I know all the type of devices joined?
To learn more about the different types, see the device management overview.
What happens when I disable a device?
Any authentication where a device is being used to authenticate to Azure AD are denied. Common examples are:
Hybrid Azure AD joined device - Users might be able to use the device to sign-in to their on-premises domain. However, they can't access Azure AD resources such as Microsoft 365.
Azure AD joined device - Users can't use the device to sign in.
Mobile devices - User can't access Azure AD resources such as Microsoft 365.
Next steps
Devices managed with Intune can be retired or wiped, for more information see the article Remove devices by using wipe, retire, or manually unenrolling the device.
To get an overview of how to manage device in the Azure portal, see managing devices using the Azure portal
If you want to delete stale devices from Intune, you can configure the cleanup rules to automatically delete the devices based on the last check-in date. With auto cleanup rules, you can get rid of inactive, orphaned, or obsolete devices that have not checked in recently.
Sign in to the Microsoft Endpoint Manager admin center. In the Devices pane, select All devices. Select the name of the device that you want to retire. In the pane that shows the device name, select Retire.
To disable a device, you need to go to All users and groups blade in the Azure portal here. Select All Users and select the Devices option from that blade. This will give a list of devices and from that list, you can select one device and click on delete.
In the Azure portal, select Resource groups from the portal menu and select the resource group that contains your app service and app service plan. Select Delete resource group to delete the resource group and all the resources. This command might take several minutes to run.
The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliance, Azure Active Directory (AD) Conditional Access can block the device.
Go to the Intune pane, choose Devices, and select Device cleanup rules to see a new law. When setting this Intune Device Cleanup Rule to Yes, Intune deletes devices based on the custom number of days you specify. Delete Devices based on last check-in Date – YES.
Disabling a device prevents a device from successfully authenticating with Azure AD, thereby preventing the device from accessing your Azure AD resources that are guarded by device CA or using your WH4B credentials.
Type the Remove-AzureADDevice cmdlet to remove a device from Azure Active Directory (AD). This command removes the specified windows device from Azure AD Join. Remove-AzureADDevice -ObjectId "99a1915d-298f-42d1-93ae-71646b85e2fa" -ObjectId Specifies the object ID of a device in Azure AD.
Administrators can secure and further control these Azure AD registered devices using Mobile Device Management (MDM) tools like Microsoft Intune. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, and security software kept updated.
Deleting "User Azure AD registered" devices will block user from logging in to e.g. Office Portal. We have a Hybrid environment and the user authenticates with the local Active Directory (AD). Unfortunately a few devices are now automatically azure ad registered in the Azure Active Directory (AAD).
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.
In the admin center, go to Troubleshooting + support > Select user. Choose a user > Select. Under Enrollment failures, select a row to view more details about the failure and recommended remediation steps.
First, open Settings (you can do this using the Windows+I keyboard shortcut) and type Remove. Select Add or remove programs. If the device or driver package that you wish to remove appears in the list of programs, select uninstall.
While an Azure VM is in the “Stopped (Deallocated)” state, you will not be charged for the VM compute resources. However, you will still need to pay for any OS and data storage disks attached to the VM.
Azure Active Directory Domain Services (Azure AD DS), part of Microsoft Entra, enables you to use managed domain services—such as Windows Domain Join, group policy, LDAP, and Kerberos authentication—without having to deploy, manage, or patch domain controllers.
This issue occurs when an administrator removes or deletes a user from Azure AD, before deleting their enrolled device in Microsoft Intune. Once the user is removed from Azure AD, the Intune information for that user becomes unavailable and the UPN for their enrolled device shows None.
Cause. This issue can occur if the device was either deleted or disabled in Azure Active Directory (AD), and the action was not initiated for the device itself.
Open Settings, and then select Accounts.Select Access work or school, and then select Connect.On the Set up a work or school account screen, select Join this device to Azure Active Directory.
Android. In the Settings of the Device Magic Android app, click the 3 dots on this top right-hand corner of the screen. Then click "Leave Organization". You will be prompted with a pop-up message asking you to confirm if you would like to remove your device from the organization.
Tip: The main difference between deactivating and deleting a user is that a deactivated user can be reactivated while deleting a user is permanent. Keep in mind that if a user is deleted from the account and then needs to be added back to the account, they will be added as a brand new user.
Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time. During the retention period, you can restore a soft-deleted container and its contents to the container's state at the time it was deleted.
All that does is remove the device as being associated with your online Microsoft Account. It does not affect your ability to continue to sign into your MS account on the PC or any of it's features.
Collect, analyze, and act on telemetry data from your cloud and hybrid environments. Azure Monitor supports your operations at scale by helping you maximize the performance and availability of your resources and proactively identify problems.
Go to Accounts in the Settings app. Click Access work or school in the list of options on the left. If the device is joined to AAD, or 'connected' in Microsoft parlance, you should see the connection to your AAD domain listed.
If the device was disabled in Azure, the administrator will need to re-enable the device. The admin can go to Azure Active Directory > Devices > select the checkmark next to the device > Enable in the Azure portal. If the device is deleted in Azure AD, you need to re-register the device.
After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. After that 30-day window passes, the permanent deletion process is automatically started and can't be stopped.
When users are deleted from Azure Active Directory (Azure AD), they are moved to a "deleted" state and no longer appear in the user list. However, they are not completely removed, and they can be recovered within 30 days.
Windows. Press Ctrl+F5. In most browsers, pressing Ctrl+F5 will force the browser to retrieve the webpage from the server instead of loading it from the cache. Firefox, Chrome, Opera, and Internet Explorer all send a “Cache-Control: no-cache” command to the server.
Press: Ctrl + Shift + Del. 3. If done correctly, the below image should pop up. Click Temporary Internet files, Cookies, and History (or any other options you would like to delete), and press Delete.
The four basic types of organizational resources are human, monetary, raw materials and Capital. Organizational resources are combined, used, and transformed into finished products during the production process.
Paymo. Paymo is a resource management tool that helps users stay on top of tasks, track time and bill clients all in one place with a big focus on time management. It has built-in time tracking and invoicing capabilities helping to allocate resources accordingly across your projects.
As per this and this Azure documents, Azure Service Manager (ASM) is the old control plane of Azure responsible for creating, managing, deleting VMs and performing other control plane operations whereas Azure Resource Manager (ARM) is the latest control plane of Azure responsible for creating, managing, deleting VMs ...
The All resources screen in the Azure portal includes a link to open a Resource Graph query that is scoped to the current filtered view. To run a Resource Graph query: Select Open query.In Azure Resource Graph Explorer, select Run query to see the results.
In addition, Azure offers four different forms of cloud computing: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and serverless functions.
An Azure resource is a billable entity, such as a virtual machine instance or storage account.A service is what is needed to perform a task, which could be one or more resources.
In Microsoft Endpoint Manager, select Devices in the left navigation pane. In the Microsoft Managed Desktop section, select Devices. In the Microsoft Managed Desktop Devices workspace, select the devices you want to delete. Select Device actions, and then select Delete Device which opens a fly-in to remove the devices.
“In Android, go to Settings, then Apps or Applications. You'll see how much space your apps are using. Tap on any app then tap Storage. Tap "Clear storage" and "Clear cache" for any apps that are using a lot of space.
Disabling a device prevents it from authenticating via Azure AD. This prevents it from accessing your Azure AD resources that are protected by device-based Conditional Access and from using Windows Hello for Business credentials.
Once hard deleted, objects cannot be recovered. Instead you need to recreate and reconfigure. E.g. If you accidentally delete a device object, there is no option to recover it.
The Retire action removes app data, settings, and Intune managed email profiles from the device. The device will still show up in Intune until the device ultimately checks in. If you want to remove stale devices immediately, use the Delete action instead.
removing your account from the device will prevent access to your microsoft services (one drive etc), this is what the reset does. unlinking the device from the account will mean that the device does not affect your microsoft store device limit and keeps your account tidy.
Once you forget a device, the phone will not show it in the list of devices on Bluetooth. To Unforget the device, you need to reset the network settings. To do that, open your phone's Settings and then scroll down to “System.” From the System tab, you will see “Reset Options” from where you should reset the phone.
If you lose an Android phone or tablet, or Wear OS watch, you can find, lock, or erase it. If you've added a Google Account to your device, Find My Device is automatically turned on.
Click Connected to MESA AD domain then click Info. Note: If the Info button does not appear on your device, your device has not been successfully enrolled.
Introduction: My name is Carlyn Walter, I am a lively, glamorous, healthy, clean, powerful, calm, combative person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
