AzureAD Stale Devices Cleanup

We have recently written this PowerShell magic by following the Microsoft documentation.

How To: Manage stale devices in Azure AD

The script is parameterized so that it can perform several operations, depending on your needs.

Prerequisites for this solution:

Download the solution from the GitHub link below (AzureMobileStaleDeviceCleanup.ps1):

https://github.com/VikasSukhija/Downloads

Download the solution from PowerShell Gallery:

https://www.powershellgallery.com/packages/AzureMobileStaleDeviceCleanup

Install-Script -Name AzureMobileStaleDeviceCleanup


The first time it runs, the script automatically generates the password and saves it encrypted in the same folder.
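One way to get the behaviour described above, as an added example and not the published script's own code: the credential is stored with Export-Clixml, which protects the SecureString with Windows DPAPI, so the file is only readable by the same Windows account on the same machine. The file name and the service-account UPN are assumptions; the post does not state what the script uses internally.

```powershell
# Added example (not the published script's code): persist the run-as credential so a
# scheduled run never needs a cleartext password on disk. File name and UPN are assumed.
$ScriptDir  = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$CredPath   = Join-Path -Path $ScriptDir -ChildPath 'AzureADCleanup.cred.xml'
$AccountUpn = 'svc-devicecleanup@labtest.com'   # constructed placeholder account

if (-not (Test-Path -Path $CredPath)) {
    # First run: ask once, then store. Export-Clixml serialises the SecureString with DPAPI,
    # so the file decrypts only for the same Windows user on the same machine.
    $cred = Get-Credential -UserName $AccountUpn -Message 'Password for the device cleanup account'
    $cred | Export-Clixml -Path $CredPath
    Write-Host "Saved encrypted credential to $CredPath"
}

# Later runs: read it back. If the scheduled task runs as a different account, or the file
# was copied from another host, Import-Clixml fails here. That is the DPAPI scoping doing
# its job; the fix is to run the task as the account that created the file, not to store
# the password in plain text.
$Credential = Import-Clixml -Path $CredPath
Connect-AzureAD -Credential $Credential
```

When you schedule the script, register the task under the same Windows account that created the credential file, and make sure that account also has only the Azure AD role it needs for disabling and deleting devices.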

The script ships with default parameter values, but you can change them to suit your environment or override them on the command line when running it, as shown below.

Syntax for running the Script:

Reportonly:

.\AzureMobileStaleDeviceCleanup.ps1 -LastActivityDisableDays 180 -LastActivityDeleteDays 365 -Operation Report -smtpserver 'smtpserver.labtest.com' -from 'DoNotRespond@labtest.com' -erroremail 'Reports@labtest.com' -CountofChanges 100

By default, LastActivityDisableDays is set to 90 and LastActivityDeleteDays to 120, but you can override them with whatever values you want when running the script, as shown above.

Similarly, you can set Operation to Disable, Remove or DisableAndRemove.

Disable: the script finds devices whose ApproximateLastLogonTimeStamp is older than LastActivityDisableDays and disables them in Azure AD.

Remove: the script finds devices whose ApproximateLastLogonTimeStamp is older than LastActivityDeleteDays and removes them from Azure AD.

DisableAndRemove: the script finds devices whose ApproximateLastLogonTimeStamp falls between LastActivityDisableDays and LastActivityDeleteDays and disables them.

In the same run it also finds devices whose ApproximateLastLogonTimeStamp is older than LastActivityDeleteDays and removes them.

When you are ready to deploy it in prod, do not forget to uncomment (remove the leading #) the two commands below, which the script uses to disable and remove devices.

We are still testing it and have not yet put it into prod for the customer, so we are releasing it as is; the final version may change a bit.

#Set-AzureADDevice -Objectid $Device.ObjectID -AccountEnabled $false

#Remove-AzureADDevice -ObjectId $Deleted.ObjectID
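The classification rules for Disable, Remove and DisableAndRemove, the Report operation and the CountofChanges cap, worked through as an added example. This is not the published script's code; it reproduces the behaviour the post describes against constructed device objects so you can see which device lands in which bucket before touching a tenant. Set-AzureADDevice and Remove-AzureADDevice are the two cmdlets the script itself has commented out, and they stay commented here for the same reason.

```powershell
# Added example, not the published script's code. Classifies devices by
# ApproximateLastLogonTimeStamp as the post describes and returns a plan that the
# Report operation only displays and the other operations act on.
function Get-StaleDevicePlan {
    param(
        [Parameter(Mandatory)] [object[]]$Devices,
        [int]$LastActivityDisableDays = 90,
        [int]$LastActivityDeleteDays  = 120,
        [ValidateSet('Report','Disable','Remove','DisableAndRemove')]
        [string]$Operation = 'Report',
        [int]$CountofChanges = 100,
        [datetime]$Now = (Get-Date)
    )
    if ($LastActivityDeleteDays -le $LastActivityDisableDays) {
        throw 'LastActivityDeleteDays must be greater than LastActivityDisableDays.'
    }
    $disableCutoff = $Now.AddDays(-$LastActivityDisableDays)
    $deleteCutoff  = $Now.AddDays(-$LastActivityDeleteDays)

    $plan = foreach ($d in $Devices) {
        # Devices that never signed in have no timestamp; skip them rather than guess.
        if (-not $d.ApproximateLastLogonTimeStamp) { continue }
        $ts = [datetime]$d.ApproximateLastLogonTimeStamp
        $action = $null
        switch ($Operation) {
            'Disable' { if ($ts -lt $disableCutoff -and $d.AccountEnabled) { $action = 'Disable' } }
            'Remove'  { if ($ts -lt $deleteCutoff) { $action = 'Remove' } }
            'DisableAndRemove' {
                if     ($ts -lt $deleteCutoff)                         { $action = 'Remove' }
                elseif ($ts -lt $disableCutoff -and $d.AccountEnabled) { $action = 'Disable' }
            }
            'Report' {
                if     ($ts -lt $deleteCutoff)  { $action = 'WouldRemove' }
                elseif ($ts -lt $disableCutoff) { $action = 'WouldDisable' }
            }
        }
        if ($action) {
            [pscustomobject]@{
                DisplayName = $d.DisplayName
                ObjectId    = $d.ObjectId
                LastLogon   = $ts
                DaysStale   = [int]($Now - $ts).TotalDays
                Action      = $action
            }
        }
    }

    # Cap the number of changes per run so a mistyped threshold or a tenant-wide sync
    # problem cannot disable or delete every device in one pass. Oldest devices go first.
    $plan | Sort-Object LastLogon | Select-Object -First $CountofChanges
}

# Constructed sample devices standing in for Get-AzureADDevice output (not real tenant data).
$today = Get-Date '2024-01-01'
$sampleDevices = @(
    [pscustomobject]@{ DisplayName='LAPTOP-01'; ObjectId='00000000-0000-0000-0000-000000000001'; AccountEnabled=$true;  ApproximateLastLogonTimeStamp=$today.AddDays(-10)  }
    [pscustomobject]@{ DisplayName='LAPTOP-02'; ObjectId='00000000-0000-0000-0000-000000000002'; AccountEnabled=$true;  ApproximateLastLogonTimeStamp=$today.AddDays(-100) }
    [pscustomobject]@{ DisplayName='LAPTOP-03'; ObjectId='00000000-0000-0000-0000-000000000003'; AccountEnabled=$false; ApproximateLastLogonTimeStamp=$today.AddDays(-200) }
    [pscustomobject]@{ DisplayName='LAPTOP-04'; ObjectId='00000000-0000-0000-0000-000000000004'; AccountEnabled=$true;  ApproximateLastLogonTimeStamp=$null }
)

# With the defaults (90/120): LAPTOP-02 is disabled, LAPTOP-03 is removed,
# LAPTOP-01 is untouched and LAPTOP-04 is skipped for lack of a timestamp.
$plan = Get-StaleDevicePlan -Devices $sampleDevices -Operation DisableAndRemove -Now $today
$plan | Format-Table -AutoSize

foreach ($entry in $plan) {
    switch ($entry.Action) {
        'Disable' {
            Write-Host "Disable $($entry.DisplayName)"
            # Uncomment only after validating the Report output in your tenant:
            # Set-AzureADDevice -ObjectId $entry.ObjectId -AccountEnabled $false
        }
        'Remove' {
            Write-Host "Remove  $($entry.DisplayName)"
            # Remove-AzureADDevice -ObjectId $entry.ObjectId
        }
    }
}
```

Run it first with -Operation Report and a real export from Get-AzureADDevice in place of the sample objects; the plan it prints is the same list the actions would operate on, so any surprise there is caught before a device is disabled or deleted.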

Here is the snippet of the report it will generate.


I hope this PowerShell magic will help you in removing stale devices from your environment.

You can schedule it to run daily or weekly as per your needs.

(The account used to run the script must be excluded from MFA; if your environment enforces MFA strictly, use an app registration with certificate-based authentication instead.)

Thanks for reading and downloading….

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/

PowerShell Fast Track