Remove stale devices in Azure. Add the Graph PowerShell V2. Removing devices from Intune does not remove them from AAD; it's two different devices, so to speak. Jun 27, 2025 · Learn how to remove stale devices from your database of registered devices in Microsoft Entra ID. Nov 3, 2024 · Introduction Managing devices in Microsoft Intune is crucial to keeping your organization’s environment secure and efficient. Note that the script uses a beta / unsupported Intune Graph API endpoint and method to retrieve a token. May 26, 2025 · Hi all, I'm trying to clean up stale device records in Azure Entra ID, and I’ve run into a problem with a printer-class object that appears in the Azure Entra admin center but cannot be deleted via GUI or scripting. For more information, see clean up stale devices in the Azure portal. It authenticates with an Azure AD App Registration and retrieves all devices in Azure AD. Learn how to manage and remove stale devices using Microsoft Entra PowerShell. 3) Removing the device from sync scope for Windows 10/Server 2016 devices will delete the Azure AD device. Apr 16, 2024 · How do I set up the policy in Intune or Entra ID to automatically delete and remove stale computers with activity older than 6 months? Or any PowerShell script that I can safely run regularly to remove any device in Entra ID with no activity for more… is used to manage stale Azure AD device accounts and WILL NOT delete Hybrid Azure AD joined devices. This script will automatically remove stale Intune devices for you based on a configurable number of days the device was not active. All, Directory. Over time, however, inactive or obsolete devices can clutter up your Intune portal, making it challenging to manage effectively. The “Activity” column entries will provide you the details of the approximate last logon timestamp for a device.
Today's script is really simple, but it does Mar 28, 2023 · I have a single device that is not found in our Azure AD, but shows up in the device list. Note that the script uses a beta / unsupported Intune Graph API endpoint and method to retrieve a token. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because: Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active. However, there may be instances in which it is necessary to remove Intune-managed devices manually. Microsoft recommends cleaning up stale devices after 90 days, but does not provide a service option or automation to do so. Based on my research, we can configure Device Cleanup rules in Intune to automatically remove devices that haven’t checked in for several days. Oct 8, 2022 · We have recently written this PowerShell magic by following the Microsoft documentation. Intune device cleanup rule For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since Feb 11, 2025 · Note Microsoft recommends that administrators use PowerShell to remove duplicate or stale devices from Microsoft Entra ID. To generate a powerful Excel report with the stale/disabled/deleted devices. Jul 25, 2023 · Azure Active Directory, or Azure AD for short, is Microsoft’s cloud-based identity and access management solution. This guide covers detection, cleanup processes, and best practices for efficient device management and compliance. Oct 14, 2024 · What are Intune Clean-up rules? Intune cleanup rules are a powerful feature designed to automatically remove inactive and stale device records from your Intune environment. List of Azure AD stale devices Navigate to the Azure AD -> Devices blade; you might be able to see a column called “Activity”. A stale device is one that hasn’t accessed any cloud applications for a specified period.
Therefore, here’s another runbook you may run to just report on your inactive devices, or to automatically (and optionally periodically) clean up inactive devices in Jul 16, 2024 · I have a very large number of stale devices that need to be deleted. Tagging – Add a custom attribute or tag devices as “stale_pending” to review first. If you delete a stale device, you also delete the BitLocker keys that are stored on the device object in Azure AD. This script identifies stale devices in Azure AD by querying the Microsoft Graph API. Graph PowerShell May 13, 2024 · May 13, 2024, 6:59 PM @Evans, Danny, Thanks for posting in Q&A. The good news is that starting in Autopilot service release 2307, you can now remove stale devices in just one single step, without first removing the existing Intune device. Jul 6, 2025 · How do I remove stale device objects which are stuck in a Pending state for devices that have been decommissioned? There is no physical way to offboard the devices in question by running commands etc., as they are physically no longer within the organisation. The script then filters these devices based on the 'approximateLastLogonTimestamp' property to identify devices that have not been used for a specified number of days. I'm trying to fully automate this (I plan on using an Azure Automation Runbook), but I'm currently stuck trying to get the Remove-TeamViewerOutdatedDeviceV2 (linked above) to run completely automated. Jul 27, 2025 · Schedule this script via Azure Automation, Azure Functions (timer-triggered), or even GitHub Actions. Assistance very much appreciated. To automate the Azure AD device cleanup procedure by running it in a scheduled task. After a certain time, devices display in the AAD with a stale status. Mar 7, 2023 · It has been a while since I have written a blog post, and this one was still in the drafts, so it is time to finish it.
You need to create a Credential Object in yo - remove-stale-intune-devices-automatically/Remove Dec 17, 2019 · When you swap a device by reimaging or reinstalling, the Hardware ID stays the same. You need to create a Credential Object in your Automation account with Global Admin rights and specify the name of the credential object as a script parameter. Apr 8, 2019 · How to manage stale devices in Microsoft Entra ID - Microsoft Entra ID Learn how to remove stale devices from your database of registered devices in Microsoft Entra ID. These devices can impact security, compliance, and administrative overhead. If you enable the automatic device cleanup rule in Microsoft Intune, the device is only removed within MDM and the Azure AD entry still exists. Sep 12, 2019 · Recalling the first article we read: “Because a stale device is defined as a registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property.” Retrieve all devices The script below will generate a list of all devices, displaying device information. All using Application permissions. These Jun 27, 2023 · How to identify and remove/delete stale devices in Azure AD and in Intune, as I can see many devices there? Here is our case: we are seeing the same device entries in Azure AD, and one of the entries is assigned to a user while the others do not show user UPN and details. However, although adding a device to Azure AD is quite simple, deleting or deactivating a device from your Oct 7, 2023 · Alongside the recommendation, you’re presented with a list of stale apps categorized under the “Impacted resource” section. Duh! In the environments I manage, most of the time devices are lost, broken, forgotten in trains and taxis, or have their OS reinstalled. When configured, BitLocker keys for Windows 10 or newer devices are stored on the device object in Microsoft Entra ID. Steps to Identify Stale Devices 1.
May 14, 2023 · Many times administrators have come across stale device records in Entra ID and Intune, because the process of removing a device from the organization’s infrastructure is not well defined or wasn’t completed successfully. Remove-AzureADDevice -ObjectId a34dad44-3e2f-4aff-a84b-3027bad701b4 After executing the above PowerShell command, I got the expected output and the This script will automatically remove stale Intune devices for you based on a configurable number of days the device was not active. Now go click Permissions under Security, and you should see the Microsoft Graph permission of Device. To check the stale devices in Azure AD. The Azure AD tenant administrator has to perform the device cleanup task in the Azure AD portal to remove the stale record permanently. Jul 31, 2023 · If the duplicate devices are very old and stale, you can also check out the steps mentioned in the following document to clear those device entries: How To: Manage stale devices in Azure AD. Additionally, you can check out the instructions provided under Handling devices with Azure AD registered state, if you want to avoid such a scenario. As an Intune Administrator, maintaining a clean and accurate device inventory is crucial for effective management and reporting. I have an App Registration with the correct API permissions already Mar 7, 2023 · The device removal is only applicable to the Intune portal, and devices do not get removed from Azure AD. This makes it a breeze to identify them and take the necessary steps to remove those stale apps from Azure app registration. Confirm that your cleanup policy aligns with the actual lifecycle of your device before deleting a stale device. Feb 8, 2023 · Hi All, While checking the devices in my M365 tenant I stumbled over the stale devices. If you want to remove stale devices immediately, use the Delete action instead. Then, take note of the application name and ID of the identified unused apps. Well.
Apr 8, 2024 · In addition, these devices can interfere with the general lifecycle policies for devices in your company. Jan 10, 2019 · If you are using Azure AD, as time passes you’ll have a lot of old device entries. To show the Feb 9, 2024 · Device Clean-up Rules within Intune are a simple feature that plays a critical role in maintaining an organized and up-to-date Intune environment. This results in multiple device entries in Azure AD and causes issues with Conditional Access, as Intune thinks the older version isn’t actually compliant even though Intune just has 1 record. Here is a link you can refer to. Some time ago, I was asked if there was a method to automatically clean up Azure Active Directory of idle devices that had not Dec 29, 2022 · In Azure Active Directory (Azure AD), a stale device is one that has not been used to authenticate with Azure AD for a certain period of time. Sep 15, 2023 · How to delete/remove a device from Azure AD without removing it from the Autopilot profile? As I have seen, without removing it from the Autopilot profile it does not allow removing the device from the Azure AD device section, and there is no option to unlink that… Feb 7, 2021 · 2) Deleting a Windows 10 device only in Azure AD will re-synchronize the device from your on-premises directory using Azure AD Connect, but as a new object in "Pending" state. Jun 8, 2023 · Remove-AzureADDevice -ObjectId <String> Let’s discuss an example of how to use the Remove-AzureADDevice PowerShell command. From your description, I know you want to delete stale records in Intune automatically. A re-registration is required on the device. May I know the potential side effects of deleting the device using the below code?
Remove-MgDevice -DeviceId Is there any way… Mar 17, 2020 · But you also need to clean up the device records that were created in Azure Active Directory, Intune, the Autopilot registration service, Microsoft Endpoint Manager (if you’re using it) and Active Directory in the case of Hybrid-joined devices. Example You can execute the below Azure PowerShell command to remove a specified device in your Azure Active Directory. Azure Active Directory (Azure AD) assists workers of companies who utilize the program in the workplace by granting access to internal resources and company-owned cloud apps. In this post we will discuss two ways of removing an Entra ID joined Autopilot device from the Azure infrastructure. In Azure AD, this property is called ApproximateLastLogonTimestamp or activity timestamp. I don't know why MS has made it like this; I think it's strange as well. Access Microsoft Entra Struggling with cluttered devices in Entra ID? Discover how to manage Microsoft Entra registered devices, understand the difference between registered and joined states, and implement automatic disabling to clean up stale entries. In a perfect world, Azure AD registered devices should be unregistered when they aren’t needed anymore. Feb 1, 2022 · 24 hours passed and I still see this device in my inventory. I sent an API request for all 4 devices, but same issue. Jun 13, 2024 · I use Hybrid Azure AD / Entra ID and Intune to deploy and manage the AD computer objects that are joined to on-premises AD DS. 4 days ago · Detect stale devices Because a stale device is defined as a registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property. An increased number of devices creates Aug 2, 2021 · Delete inaccessible devices from Defender for Endpoint; use the backend API to delete the devices. There were about 7500 stale devices in the directory, and I’m not that fond of clicking my mouse.
Symptoms: Device shows up under… Oct 27, 2022 · How can I remove stale devices from Azure AD using the MS Graph PowerShell module? Trying with {Device. All} scopes, even Get-MgDevice shows the following error. Add safeguards Before deleting devices entirely, take these precautionary steps: Dry-run mode – Log devices flagged for deletion without removing them. Apr 26, 2023 · As an IT admin, you probably want a method to remove stale devices, so that you can focus your resources on managing devices that actually require management. Ensuring that your Intune device inventory remains lean and efficient is essential for several reasons, Jul 16, 2025 · Learn how to remove stale devices from your database of registered devices in Microsoft Entra ID. Intune rules clean up Intune, but you also need to clean up in Entra. Can be used to disable the stale devices for a period of time, then clean them up safely. Jul 27, 2023 · The device is removed from Intune management. Manual cleanup is time-consuming, but with PowerShell you can automate this process, saving time and keeping your environment Mar 3, 2022 · Over time, Azure AD can begin to collect stale devices within its platform. Aug 25, 2023 · Stale devices in Azure AD can interfere with the general lifecycle policies for devices in your organization. What device types get affected by this device clean-up? The AzureADDeviceCleanup PowerShell script helps to manage stale devices in Azure AD in an efficient way by giving different options to deal with stale devices in Azure AD. To hopefully resolve your issue, you can try to detect these stale devices within Azure AD by using a timestamp-related property called ApproximateLastLogonTimestamp or activity timestamp. The devices are mostly Autopilot devices. The list shows devices that have an activity more than 6 months ago. Let’s check if we can get that information with Microsoft.
How To: Manage stale devices in Azure AD This script has been parameterized to do multiple functions as per … Jun 27, 2025 · A stale device is a device registered with Microsoft Entra ID that hasn't accessed any cloud apps for a specific timeframe. This repository contains a set of PowerShell scripts for managing stale Azure AD devices. Removal happens the next time the device checks in and receives the remote Retire action. Oct 10, 2025 · Learn how to export a CSV of the stale Azure AD device inventory for effective cleanup with PowerShell with our step-by-step guide. So I needed a quicker method to deal with the devices. These rules help address the challenges posed by test devices, workforce changes, and users. An increased number of devices Jul 13, 2025 · When Autopilot was first introduced by Microsoft, deletion of printers and Windows Autopilot devices wasn’t supported in Azure AD. Connect to Azure Active Directory using the Connect-MsolService cmdlet. Get the list of devices. Disable the device using the Disable-MsolDevice cmdlet. - mzmaili/AzureADDeviceC Dec 20, 2021 · As with cleaning up inactive guest users, inactive devices also pose several issues for organizations. Here’s how to efficiently manage stale devices in your environment. The device still shows up in Intune until the device checks in. Aug 19, 2022 · Folks, how can I delete or remove old devices in Azure AD with ApproximateLastLogonTimeStamp older than 120 days? Is there any PowerShell or Azure Policy to do that automatically? A stale device is a device registered with Microsoft Entra ID that has not accessed any cloud apps within a specific timeframe. Stale devices affect the management and support of devices and users in the tenant because: duplicate devices can make it difficult for helpdesk staff to identify which device is currently active; having more devices creates unnecessary device writebacks, increasing Microsoft Entra Connect sync time. For A stale device is a device that has been registered with Azure AD but hasn't been used to access any cloud apps for a specific timeframe. Use Defender Admin Center to offboard.
Feb 16, 2021 · Based on input parameters ('management agent', 'compliance state', 'management state', 'Days last synced'), the script is used to perform "housekeeping" to keep your Microsoft Intune/Azure AD clean and tidy of obsolete/stale device objects. In this example, every time their machine spun up, Azure AD would create a new registration for a user’s account. Most methods (such as Nicola’s) to combat this are to clean up stale devices in Azure AD based on their last Nov 7, 2023 · Removing stale devices from Entra/Intune Today, I continued the cleanup process of our Entra directory. The Azure AD device attribute called ApproximateLastLogonTimestamp helps to delete Azure AD stale devices. Stale devices in Microsoft Entra ID (formerly Azure AD) can clutter your tenant, making device management inefficient. And as you’ve probably figured out already, that means PowerShell. I was able to rename the device and join the PC once renamed, but this rogue device still remains in my device list. The scripts utilize the Microsoft Graph API to identify and remove devices that have been inactive for a sp Jun 1, 2025 · To keep the Active Directory running smoothly and without issues, one of the tasks is to remove stale users and devices from the Azure directory or on-premises Active Directory. Dec 18, 2024 · I am trying to create a runbook in my Automation Account which deletes all stale devices (inactive for >= 180 days) from Entra. Jul 3, 2021 · A device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe is a stale device. ReadWrite. Just to get a picture of how many devices are registered in your Apr 22, 2023 · If you would like to visually verify permissions, go to Enterprise Applications in Azure AD, search for the Object (principal) ID copied from above, and then select the application representing our Automation account.
This can happen for a variety of reasons; one cause we recently encountered stemmed from non-persistent VDI machines creating device registrations on end users' O365 licenses. How this can be easily fixed via PowerShell I have already described in a separate blog article. I also tried to remove the device from PS with… Feb 21, 2025 · Azure Active Directory – Remove Stale Devices In Azure Active Directory, it is relatively easy to delete a device, provided the previous steps have been performed correctly. When configured, BitLocker keys for Windows 10 devices are stored on the device object in Azure AD.