A clean Intune environment consistently gives better deployment results, and this post explains one of the important steps in keeping your environment clean. It is not the only way. You should also run regular sanity checks on your environment to make sure you do not have duplicate copies of policies and applications, and you should take care to avoid duplicate deployments of policies and applications. Duplicate policy deployments can conflict with each other and produce unexpected results.
We SCCM admins are familiar with the process of deleting and removing a device in SCCM and Microsoft Intune. However, we are not always sure whether removing a device from SCCM also removes that device record from on-prem Active Directory. It does not: removing or deleting a device from Active Directory is not SCCM's responsibility and has to be handled separately in on-prem Active Directory.
So how are these operations handled in the modern device management world, in terms of Intune standalone (SA) or SCCM Hybrid and Azure Active Directory? In most cases I have not seen a device record automatically purged from Azure Active Directory (AAD) when you retire and delete that device from Intune. To get better results from compliance/configuration policies and application deployments in modern device management, we should ensure that we have a clean environment with a clean Azure AD. You can get a better understanding of this issue from the above video tutorial.
In the above example, the Intune console shows me only one device assigned to my user account. Whereas if you look at my Azure AD user ID and check the devices assigned to my account, you can see a total of 3 devices, and all 3 are shown as managed by Intune. The data reflected in Azure Active Directory is not accurate. I'm not saying this scenario will happen every time; I've seen some devices get removed from both Intune and AAD automatically.
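One way to spot this kind of mismatch for a given user, using the Microsoft Graph PowerShell SDK (an added example, not part of the original post): it lists the devices Azure AD has registered to the user, checks each one against the devices Intune actually manages for that user, and flags the records that Azure AD marks as managed but Intune no longer knows about. The UPN is a placeholder, and the example assumes the Microsoft.Graph module is installed and the account has the read permissions requested below.

```powershell
# Added example: reconcile Azure AD device records with Intune for one user.
# Assumes the Microsoft.Graph PowerShell SDK; the UPN below is a placeholder.
Connect-MgGraph -Scopes "User.Read.All","Device.Read.All","DeviceManagementManagedDevices.Read.All"

$upn = "user@contoso.com"   # placeholder: the user whose devices you want to check

# Devices Intune manages for this user, keyed by the Azure AD device id.
# GUID casing can differ between the two services, so normalise to lower case.
$intuneById = @{}
Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.UserPrincipalName -eq $upn } |
    ForEach-Object { $intuneById[$_.AzureAdDeviceId.ToLower()] = $_ }

# Devices Azure AD lists as registered to the same user. The cmdlet returns
# directory objects, so the device properties live in AdditionalProperties.
Get-MgUserRegisteredDevice -UserId $upn -All | ForEach-Object {
    $p        = $_.AdditionalProperties
    $deviceId = ([string]$p['deviceId']).ToLower()
    $inIntune = $intuneById.ContainsKey($deviceId)

    [pscustomobject]@{
        DisplayName    = $p['displayName']
        DeviceId       = $deviceId
        AADSaysManaged = $p['isManaged']
        ManagementType = $p['managementType']
        KnownToIntune  = $inIntune
        # A record Azure AD still calls managed that Intune no longer has is
        # the stale leftover this post is about and a candidate for cleanup.
        Stale          = (-not $inIntune) -and ($p['isManaged'] -eq $true)
    }
} | Format-Table -AutoSize
```

In the scenario above this prints three rows for the user, of which only one has KnownToIntune set to True; the other two are the records worth reviewing before you clean them up from Azure AD.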
I think we should have better accuracy and synchronisation between the Intune and Azure AD databases. I don't see a scheduled task in Azure AD that purges records deleted from Microsoft Intune, and I'm not sure whether one is coming in the near future. To ensure better results from Intune device management policies, when you delete a device from Intune you should make sure that the device record is removed from Azure AD as well. I'm planning to post a video tutorial showing how to delete a device from Azure AD to keep the environment clean and tidy.