Over time, Azure AD accumulates stale device objects. This can happen for several reasons; one cause we recently encountered was non-persistent VDI machines registering a new device against the end user's O365 account on every boot. Each time a user's virtual machine spun up, Azure AD created another device registration for that user's account.

The problem is that Azure AD enforces a per-user limit on device registrations (the "Maximum number of devices per user" setting under Azure Active Directory > Devices > Device settings), and once a user reaches it, further registrations fail. In this scenario a user who logged in once a day for 50 days accumulated 50 registrations, so the limit was reached quickly and users began getting locked out of Microsoft Office products.

Fortunately, there is a quick way to pull all stale devices in your Azure AD tenant. The first script identifies stale devices and writes them to a CSV file. You then review that CSV, remove anything that should stay, and save the rows to be deleted as a new CSV whose path you give to a second script. The second script reads those devices from the CSV and deletes them from Azure AD. Full instructions follow.

  

To begin, here is the script that retrieves every device whose last recorded logon is more than 7 days old and writes them to a .CSV file:

######## Define your own parameters below ########

$Tenant  = "enteryourtenanthere.onmicrosoft.com"   # no leading space inside the quotes

$PathCsv = "C:\Users\Public\Downloads\Stale-Devices-For-Removal.csv"

######## END of parameters definition section ###########

Connect-AzureAD -TenantId $Tenant

$dt = (Get-Date).AddDays(-7)

# ApproximateLastLogonTimeStamp is empty for devices that have never signed in;
# they are excluded here so that a missing value is not silently treated as "stale".
Get-AzureADDevice -All:$true |
    Where-Object { $_.ApproximateLastLogonTimeStamp -ne $null -and $_.ApproximateLastLogonTimeStamp -le $dt } |
    Export-Csv -Path $PathCsv -NoTypeInformation

 

Set $Tenant and $PathCsv to match the tenant you are working on, whether that is a test tenant you are cleaning up or a production tenant. The 7-day window is what the VDI case above called for; ApproximateLastLogonTimeStamp is, as the name says, approximate, and Microsoft's own stale-device guidance works with a much longer window (90 days is the commonly cited figure) and disables devices before deleting them, so choose the threshold deliberately rather than copying the 7 days.

Open "Windows PowerShell ISE" from the Start menu.

In the PowerShell console pane at the bottom of the window, install and import the AzureAD module so the cmdlets the scripts use (Connect-AzureAD, Get-AzureADDevice, Remove-AzureADDevice) are available. The original instructions also install MSOnline; neither script calls an MSOnline cmdlet, so it is optional. Note that Microsoft has deprecated both the AzureAD and MSOnline modules in favour of the Microsoft Graph PowerShell SDK (Get-MgDevice / Remove-MgDevice), so new tooling should target Graph, but the scripts here still run as long as the AzureAD module is installed.

Install-Module -Name AzureAD
Install-Module -Name MSOnline   # optional; not used by these scripts
Import-Module -Name AzureAD
Import-Module -Name MSOnline

After installing and importing the modules, run the script.

Connect-AzureAD prompts for credentials for the tenant you specified. Sign in with an account that is allowed to read and delete device objects (Cloud Device Administrator or Global Administrator, for example), complete the Microsoft Authenticator prompt, and let the script run.
 

 

Once the script completes, locate the CSV file at the path you set in $PathCsv.

Inspect the output: it is the list of devices the filter considers stale (note that in a real tenant this list may be MUCH larger than a handful of rows).

As a safeguard against deleting devices you meant to keep, do not feed the raw export straight into the deletion script. Review it, copy only the rows you intend to delete into their own CSV, and point the second script at that file. A further safeguard is to disable the devices first (Set-AzureADDevice -ObjectId <id> -AccountEnabled $false), wait for any complaints, and only then delete: re-enabling a device is trivial, while a deleted device has to be re-registered.
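As an added example that is not part of the original post, the following PowerShell reviews an exported CSV before anything is deleted. It re-applies the staleness filter to the CSV rows (Import-Csv hands back strings, so the timestamp has to be parsed again, and an empty timestamp must be treated as "never signed in", not as "stale"), and, for a live session, tallies registrations per registered owner so that users piling up VDI registrations stand out. The function names, the -StaleDays and -WarnAt defaults and the sample rows are this example's own; the column names are the ones Export-Csv writes for Get-AzureADDevice objects.

```powershell
# Added example, not from the original post. Function names, defaults and the
# sample rows below are constructed for illustration.

function Select-StaleDeviceRows {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # rows from Import-Csv
        [int] $StaleDays = 90,
        [switch] $IncludeNeverSignedIn             # opt in to rows with no timestamp
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($row in $Rows) {
        $raw = [string]$row.ApproximateLastLogonTimeStamp
        if ([string]::IsNullOrWhiteSpace($raw)) {
            # No logon ever recorded: not the same thing as "stale"; include only on request.
            if ($IncludeNeverSignedIn) { $row }
            continue
        }
        # Export-Csv wrote the date using the current culture; parse it back the same way.
        $last = [datetime]::Parse($raw)
        if ($last -le $cutoff) { $row }
    }
}

function Get-RegistrationsPerOwner {
    # Requires an active Connect-AzureAD session. Resolves each device's registered
    # owner(s) and counts devices per UserPrincipalName, highest first.
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $WarnAt = 50                          # the tenant's per-user device limit
    )
    $counts = @{}
    foreach ($row in $Rows) {
        $owners = Get-AzureADDeviceRegisteredOwner -ObjectId $row.ObjectId
        foreach ($o in $owners) {
            $upn = if ($o.UserPrincipalName) { $o.UserPrincipalName } else { '(no UPN)' }
            $counts[$upn] = 1 + [int]$counts[$upn]   # missing key casts to 0
        }
    }
    $counts.GetEnumerator() |
        Sort-Object Value -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Owner         = $_.Key
                Registrations = $_.Value
                NearLimit     = ($_.Value -ge [math]::Floor($WarnAt * 0.8))
            }
        }
}

# --- Offline demonstration with constructed rows (same columns as the real export) ---
$sample = @(
    [pscustomobject]@{ ObjectId = '11111111-1111-1111-1111-111111111111'; DisplayName = 'VDI-POOL-0001'; AccountEnabled = 'True'; ApproximateLastLogonTimeStamp = (Get-Date).AddDays(-120).ToString() }
    [pscustomobject]@{ ObjectId = '22222222-2222-2222-2222-222222222222'; DisplayName = 'LAPTOP-ALICE';  AccountEnabled = 'True'; ApproximateLastLogonTimeStamp = (Get-Date).AddDays(-3).ToString() }
    [pscustomobject]@{ ObjectId = '33333333-3333-3333-3333-333333333333'; DisplayName = 'VDI-POOL-0002'; AccountEnabled = 'True'; ApproximateLastLogonTimeStamp = '' }
)

$stale = Select-StaleDeviceRows -Rows $sample -StaleDays 90
$stale | Format-Table ObjectId, DisplayName, ApproximateLastLogonTimeStamp -AutoSize

# With a real export and an active Connect-AzureAD session:
# $rows  = Import-Csv 'C:\Users\Public\Downloads\Stale-Devices-For-Removal.csv'
# $stale = Select-StaleDeviceRows -Rows $rows -StaleDays 90
# $stale | Export-Csv 'C:\Users\Public\Downloads\Reviewed-For-Removal.csv' -NoTypeInformation
# Get-RegistrationsPerOwner -Rows $rows | Where-Object NearLimit
```

The constructed sample deliberately mixes a device last seen 120 days ago, one seen three days ago and one with an empty timestamp, because those three cases are exactly where a naive date comparison goes wrong: the recent device must be kept, and the device with no recorded logon must be surfaced as a separate decision rather than deleted by accident. Get-RegistrationsPerOwner is the part that answers the question behind the original problem, which users are accumulating registrations, and NearLimit is computed at 80 % of the per-user limit so that accounts about to hit it show up before they are locked out.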

Now that the reviewed data is ready for removal, open the second PowerShell script in Windows PowerShell ISE.

 

# THIS SCRIPT DELETES ALL DEVICES PROVIDED IN A .CSV FILE FROM AZURE AD

######## Define your own parameters below ########

$Tenant  = "enteryourtenanthere.onmicrosoft.com"

$PathCsv = "C:\Users\Public\Downloads\Stale-Devices-For-Removal.csv"

############################## END of parameters definition section ############################################

Connect-AzureAD -TenantId $Tenant

$list = Import-Csv $PathCsv

foreach ($device in $list) {
    # Skip rows with no ObjectId (blank or hand-edited rows) instead of passing an empty string to Remove-AzureADDevice
    if ([string]::IsNullOrWhiteSpace($device.ObjectId)) { continue }
    Remove-AzureADDevice -ObjectId $device.ObjectId
}

 

Set the parameters to the correct tenant and to the path of the CSV that holds the devices to be removed. Use the reviewed CSV, not the raw export.

Run the script after setting the parameters. Connect-AzureAD prompts for credentials as before; sign in, complete the Microsoft Authenticator prompt, and let the script run. Since the loop deletes every row in the file, check the CSV one last time before running.

When the script finishes, the listed devices have been removed.

To validate, take an ObjectId from the CSV and query it with Get-AzureADDevice -ObjectId <ObjectId>. For a deleted device the cmdlet returns an error that the resource was not found, which is the expected result here. You can also confirm in the Azure portal under Azure Active Directory > Devices > All devices.
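As an added example (not the original post's script), here is a two-stage version of the removal: the Disable stage disables the devices listed in the reviewed CSV, the Delete stage deletes only devices that are already disabled, and every deletion is verified by querying the ObjectId afterwards. It assumes an active Connect-AzureAD session and a CSV with an ObjectId column; the parameter names (-Stage, -LogPath), the default paths and the log layout are this example's own. -WhatIf comes from SupportsShouldProcess and lets you rehearse either stage without changing anything.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has already been run
# and that $PathCsv points at the reviewed CSV (ObjectId column). -Stage, -LogPath, the
# default paths and the log layout are this example's own conventions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string] $PathCsv = 'C:\Users\Public\Downloads\Reviewed-For-Removal.csv',
    [ValidateSet('Disable', 'Delete')] [string] $Stage = 'Disable',
    [string] $LogPath = ''
)
if (-not $LogPath) {
    $LogPath = Join-Path $env:TEMP ("stale-device-{0}-{1}.csv" -f $Stage, (Get-Date -Format 'yyyyMMdd-HHmmss'))
}

$results = foreach ($row in Import-Csv $PathCsv) {
    $id = [string]$row.ObjectId
    if ([string]::IsNullOrWhiteSpace($id)) { continue }   # blank or hand-edited row

    # Look the device up first: a mistyped or already-deleted ObjectId is logged, not ignored.
    try {
        $device = Get-AzureADDevice -ObjectId $id -ErrorAction Stop
    } catch {
        [pscustomobject]@{ ObjectId = $id; DisplayName = ''; Stage = $Stage; Result = "not found: $($_.Exception.Message)" }
        continue
    }

    $result = 'skipped'
    switch ($Stage) {
        'Disable' {
            if ($device.AccountEnabled -eq $false) {
                $result = 'already disabled'
            } elseif ($PSCmdlet.ShouldProcess("$($device.DisplayName) [$id]", 'Disable device')) {
                Set-AzureADDevice -ObjectId $id -AccountEnabled $false
                $result = 'disabled'
            }
        }
        'Delete' {
            # Enforce the order: a device that is still enabled has not been through the
            # Disable stage (or someone re-enabled it), so it is not deleted.
            if ($device.AccountEnabled -ne $false) {
                $result = 'refused: still enabled, run -Stage Disable first'
            } elseif ($PSCmdlet.ShouldProcess("$($device.DisplayName) [$id]", 'Remove device')) {
                Remove-AzureADDevice -ObjectId $id
                # Verify: the lookup is expected to fail now. If it still succeeds the check
                # may be racing directory replication; re-run the Delete stage later.
                try {
                    Get-AzureADDevice -ObjectId $id -ErrorAction Stop | Out-Null
                    $result = 'still present after delete; recheck later'
                } catch {
                    $result = 'deleted'
                }
            }
        }
    }

    [pscustomobject]@{ ObjectId = $id; DisplayName = $device.DisplayName; Stage = $Stage; Result = $result }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
Write-Host "Log written to $LogPath"

# Usage (file saved as Remove-StaleDevices.ps1):
#   .\Remove-StaleDevices.ps1 -Stage Disable -WhatIf      # rehearse
#   .\Remove-StaleDevices.ps1 -Stage Disable              # disable, then wait for complaints
#   .\Remove-StaleDevices.ps1 -Stage Delete -WhatIf
#   .\Remove-StaleDevices.ps1 -Stage Delete
```

Splitting the work into two stages turns an irreversible bulk delete into a reversible one: anything disabled by mistake is put back with Set-AzureADDevice -AccountEnabled $true, and the Delete stage refuses devices that are still enabled, so a device someone re-enabled during the grace period is never removed. The per-row log is what you keep for the change record, and -WhatIf is what you run first.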