
In one of my recent blog posts, I shared a step-by-step guide to Setup Automatic Intune Device Cleanup Rules. The Azure AD device cleanup options were a bit sketchy when I wrote that post. In this post, you will learn the options to Setup Azure AD Device Cleanup Rules.
Introduction
I stumbled across an Azure AD session from Microsoft Ignite 2018. In this session, Microsoft announced some exciting developments about Azure AD device cleanup options.
Microsoft is trying to solve deployment and management device lifecycle issues. Microsoft understands that there is a big concern about the stale devices in Azure AD.
The following are the options which the Microsoft Azure AD team is working on. Both of them are already in Public Preview.
- UX/GUI support for Azure AD device cleanup (in the Azure portal?)
- PowerShell support to delete stale AAD device records
UX Support for Azure AD Device Cleanup
Microsoft announced (in the Ignite session above) their plans to have a UX option to support Azure AD device cleanup rules in the Azure portal. I didn’t see any other announcement related to this UX option to automatically delete stale devices from Azure AD.
There is no UX option to automatically clean up AAD devices, unlike Intune cleanup rules. But, if you go to the Azure portal and navigate to the Azure AD -> Devices blade, you might be able to see a column called “Activity.” The “Activity” column shows the approximate last logon timestamp for each device.
Azure AD introduced a new device property called ApproximateLastLogonTimestamp. If the delta between now and the value of this activity timestamp exceeds the timeframe you have defined for active devices, the device is considered stale. I would recommend going through the Microsoft documentation for more details.
NOTE 1 – You shouldn’t consider a timestamp that is younger than 14 days an indicator for a stale device.
NOTE 2 – Intune’s minimum value for the device cleanup rule is 90 days. So, I might keep both the AAD and Intune cleanup timeframes the same. What do you think about this?
PowerShell to Clean Up Azure AD Stale Devices
I’m a UX/GUI lover, and I don’t want non-core technical support folks running PowerShell commands to clean up Azure AD devices. But, you don’t have any option to clean up Azure AD devices apart from using PowerShell.
The MSOnline PowerShell cmdlets Get-MsolDevice, Disable-MsolDevice and Remove-MsolDevice can be used to find, disable and delete stale Azure AD devices, as shown in the following steps.
Connect-MsolService
Connect to your Azure AD tenant using the Connect-MsolService cmdlet.

Get-MsolDevice
Get the details of a device using the PowerShell cmdlet Get-MsolDevice. When you run it without parameters, it prompts for the device Name, as in the following example.

PS C:\WINDOWS\system32> Get-MsolDevice
cmdlet Get-MsolDevice at command pipeline position 1
Supply values for the following parameters:
Name: client
Enabled : True
ObjectId : 008ff0a7-4119-43ed-94f8-11dd7b174
DeviceId : 92f25457-3707-4c3c-9-2959031bb77f
DisplayName : CLIENT1
DeviceObjectVersion :
DeviceOsType : Windows
DeviceOsVersion : 10.0.18362.0
DeviceTrustType : Domain Joined
DeviceTrustLevel : Managed
DevicePhysicalIds : {[USER-HWID]:927-3707-4c3c-98d3-2959031bb77f:68961470402001,
[USER-GID]:92f25457-3707-4c3c-98d3-2959031bb77f:6755415348014020,
[HWID]:h:6896143802001, [GID]:g:6755418014020}
ApproximateLastLogonTimestamp : 7/4/2019 7:30:36 PM
AlternativeSecurityIds : {X509:A9BE20DBC557D6252C6DF805D8AB083BE6/YH3YZ0V78gg5AdQoJENo1hMV05wTgpKdSvjjPKD8=}
DirSyncEnabled : True
LastDirSyncTime : 7/4/2019 7:41:27 PM
RegisteredOwners : {}
GraphDeviceObject : Microsoft.Azure.ActiveDirectory.GraphClient.Device
Get-MsolDevice -All
You can use Get-MsolDevice -All to get the details of all devices without any filter. The following PowerShell command exports a summary of all Azure AD devices (including the ApproximateLastLogonTimestamp used to judge whether a device is stale) to a CSV file that you can open in Excel.
Get-MsolDevice -All | Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | Export-Csv C:\devicelist-summary.csv
Following is a sample of the exported spreadsheet.
DeviceId | DisplayName | DeviceTrustType | ApproximateLastLogonTimestamp
--- | --- | --- | ---
92f2545-3707-4c3c-9d3-2959031bb77f | CLIENT1 | Domain Joined | 7/4/2019 19:30
898d9af-005-4188-8768-550fb408fe8e | WIN10CLIENT02 | Azure AD Joined | 2/22/2019 8:59
6b6bafd-c2bb-46cb-b6f-af5c1c45499 | WIN10CLIENT10 | Workplace Joined | 2/11/2019 10:28
b6cc307-ba46-4f05-a22f-158634ae45 | DESKTOP-3G7DEFP | Azure AD Joined | 2/11/2019 11:44
60adf3-6ce8-443e-88ec-2b10733952 | WIN10CLIENT02 | Workplace Joined | 2/22/2019 8:56
Disable-MsolDevice
- In the following example, I’m using the DeviceId property of DESKTOP-3G7DEFP to DISABLE that device in Azure AD.
Disable the Azure AD stale device using the following PowerShell command (the -Force switch suppresses the confirmation prompt shown in the interactive session below).
Disable-MsolDevice -DeviceId "b6ccb307-ba46-4f05-a22f-15938634ae45" -Force
PS C:\WINDOWS\system32> Disable-MsolDevice
cmdlet Disable-MsolDevice at command pipeline position 1
Supply values for the following parameters:
DeviceId: b6ccb307-ba46-4f05-a22f-15938s4ae45
Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

Remove-MsolDevice
- In the following example, I’m using the DeviceId property of DESKTOP-3G7DEFP to DELETE that device from Azure AD.
DELETE the Azure AD stale device using the following PowerShell command.
Remove-MsolDevice -DeviceId "b6ccb307-ba46-4f05-a22f-15938634ae45" -Force
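The following script is an added example, not code from the original post or from Microsoft. It ties the steps above together: it applies the stale-device definition from the ApproximateLastLogonTimestamp section (including the 14-day floor from NOTE 1 and the 90-day window from NOTE 2), exports the candidates to a CSV for review, and then disables stale devices on one pass and removes only already-disabled stale devices on a later pass. It assumes the MSOnline module is installed, that the account used has rights to manage devices, and that the parameter names, the report path and the two-pass policy are choices made here, not something the post prescribes.

```powershell
# Added example (not from the original post): two-phase Azure AD stale-device
# cleanup with the MSOnline cmdlets. Assumes the MSOnline module is installed
# and the signed-in account can manage devices. Run with -ReportOnly first.
param(
    [int]$StaleDays = 90,                          # same window as the Intune cleanup rule
    [string]$ReportPath = "C:\devicelist-stale.csv",
    [switch]$Disable,                              # pass 1: disable stale, still-enabled devices
    [switch]$Remove,                               # pass 2: delete stale devices already disabled
    [switch]$ReportOnly                            # only write the CSV, change nothing
)

# Guardrail from NOTE 1: the timestamp is only approximate, so anything
# younger than 14 days must never be treated as a stale indicator.
if ($StaleDays -lt 14) {
    throw "StaleDays must be at least 14; ApproximateLastLogonTimestamp is not precise below that."
}

Connect-MsolService

$cutoff = (Get-Date).AddDays(-$StaleDays)

# -LogonTimeBefore asks Azure AD for devices last seen before the cutoff.
# Devices with no timestamp at all (never logged on since the property was
# introduced) are deliberately skipped here so they can be reviewed by hand.
$stale = @(Get-MsolDevice -All -LogonTimeBefore $cutoff |
    Where-Object { $null -ne $_.ApproximateLastLogonTimestamp -and
                   $_.ApproximateLastLogonTimestamp -lt $cutoff })

# Always write the review CSV first; Remove-MsolDevice is irreversible.
$stale |
    Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} device(s) last seen before {1:yyyy-MM-dd} written to {2}" -f $stale.Count, $cutoff, $ReportPath)

if ($ReportOnly) { return }

foreach ($d in $stale) {
    if ($Disable -and $d.Enabled) {
        # Pass 1: disabling is reversible, so it is done before any deletion.
        Write-Host "Disabling $($d.DisplayName) ($($d.DeviceId))"
        Disable-MsolDevice -DeviceId $d.DeviceId -Force
    }
    elseif ($Remove -and -not $d.Enabled) {
        # Pass 2: only devices disabled on an earlier run are deleted, which
        # gives users a grace period to report a wrongly disabled device.
        Write-Host "Removing $($d.DisplayName) ($($d.DeviceId))"
        Remove-MsolDevice -DeviceId $d.DeviceId -Force
    }
}
```

A typical rollout is to run the script with -ReportOnly and check the CSV, then run it with -Disable, wait at least the grace period your helpdesk is comfortable with, and only then run it with -Remove so that deletion never hits a device that was not already disabled on a previous pass.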
