Nowadays Microsoft gives us a lot of flexibility to make end-users more productive than ever before. Users can register their devices to access corporate resources anytime, anywhere, on the devices they love. Provisioning Windows 10 devices for your enterprise has never been easier for end-users: they can even join their brand new devices to the corporate environment from home, thanks to Windows Autopilot and Azure AD MDM auto-enrollment.
From an end-user perspective this is great: productivity can be restored in minutes instead of hours or even days. However, the flexibility we give end-users has a downside from an IT Admin perspective. Because devices can be joined or registered to Microsoft Intune/Azure AD so easily, tenants accumulate a lot of obsolete device objects.
Currently Microsoft Intune/Azure AD doesn’t provide a mechanism to automatically delete obsolete/stale records (yet); for now it’s a manual task, and keeping a clean and tidy Microsoft Intune/Azure AD tenant is a challenge for an IT Admin. With the introduction of the Graph API, new capabilities were introduced to delete obsolete/stale device records using automation. The Microsoft Intune PowerShell sample scripts (thanks again Dave!) are great inspiration for automating any form of day-to-day operations such as “housekeeping”.
As mentioned, the solution is based on Azure Automation, PowerShell and the Microsoft Graph API. In order to perform actions against Microsoft Intune/Azure AD we need to authenticate unattended to the Intune Graph API/Azure AD. In this blog post I’ll not explain how to set up the prerequisites to use Azure Automation for this purpose, as Oliver Kieselbach wrote a great and detailed blog post on how to achieve this. The starting point of the solution is to have this in place before we continue and run the housekeeping script on a recurring basis.
With the housekeeping script we can delete device objects based on their device state, device compliance state, management channel and the number of days a device hasn’t synced/connected to Microsoft Intune. Using these input parameters we have a fine-grained filter to perform the housekeeping job in a recurring way.
WARNING! Using incorrect parameters can result in deleting all device objects in your tenant! For safety reasons I have commented out the invoke & delete actions.
To better understand how the PowerShell script works, here is a brief outline.
- Get input parameters (criteria)
- Connect to Microsoft Intune
- Query Microsoft Intune Graph API
- Delete device objects in Intune
- Connect to Azure AD
- Delete corresponding device objects in Azure AD
In order to run the script we have to define the criteria of deleting device objects.
- Number of days not connected/synced to Microsoft Intune (mandatory);
- Device management channel (‘eas’, ‘mdm’, ‘easMdm’, ‘configurationManagerClientMdm’);
- Device compliance state (‘compliant’, ‘noncompliant’, ‘unknown’, ‘configManager’);
- Device management state (‘managed’, ‘wipePending’, ‘retireIssued’, ‘retirePending’).
In this example we will delete device objects that haven’t connected/contacted Intune for at least 60 days, with compliance state noncompliant and management state managed.
First add a Runbook as part of Azure Automation, provide a descriptive name and select PowerShell as Runbook Type and provide a description per your convenience.
Now that we have created the Runbook we can paste the housekeeping script below and publish it.
After the Runbook has been published we can schedule it. By scheduling the runbook, obsolete device objects are deleted on a recurring basis, and your Intune tenant will be cleaner and tidier than ever before!
The schedule can be defined based on your needs; in this example we will schedule the housekeeping script once a day.
After completing the schedule we can define the parameters for the housekeeping script. The DaysLastSyncDate parameter is mandatory, so make sure you provide the correct value: a value of 0 will delete all device objects in Intune!
Now that we have implemented the solution it is time to show the results. We start the runbook manually and provide the parameters from our example (DaysLastSyncDate=60, ManagementAgentState=mdm, CompliantState=noncompliant, ManagementState=managed). Once the runbook completes successfully the results speak for themselves: 51 device objects met our criteria and were deleted from both Microsoft Intune & Azure AD.
Housekeeping wasn’t that easy & fun before!
Now that we have validated the solution we can schedule one or multiple runbooks with different criteria and just monitor the jobs to keep your Microsoft Intune tenant(s) clean & tidy.
We are aiming to enable end-users to do more and keep them happy. At the same time we want to keep our IT Admins happy as well by easing their jobs. In this blog post we used Azure Automation to schedule & execute PowerShell runbooks. The runbook contains a PowerShell script that queries Microsoft Intune and, based on the input parameters, deletes device objects from both Microsoft Intune & Azure AD. It is just one example of the almost unlimited possibilities when bringing the mentioned technologies together.
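To make the outline above concrete, here is an added example runbook that follows the same steps (get criteria, authenticate unattended, query Intune, delete from Intune, delete the matching Azure AD device). It is my own illustration, not the author’s housekeeping script. It assumes an app registration with the application permissions DeviceManagementManagedDevices.ReadWrite.All and Device.ReadWrite.All, whose client id/secret are stored as an Azure Automation credential named IntuneGraphApp and whose tenant id is stored in an Automation variable named TenantId (both names are hypothetical). Instead of commenting out the delete calls, it defaults to a dry run and only deletes when the -Delete switch is passed, and it rejects DaysLastSyncDate=0 up front.

```powershell
<#
  Added example runbook (not the original post's script).
  Assumptions: Automation credential 'IntuneGraphApp' (UserName = client id,
  Password = client secret) and Automation variable 'TenantId' exist; the app
  holds DeviceManagementManagedDevices.ReadWrite.All and Device.ReadWrite.All.
  Default is a dry run; pass -Delete to actually remove objects.
#>
param(
    [Parameter(Mandatory = $true)][int]$DaysLastSyncDate,
    [ValidateSet('eas', 'mdm', 'easMdm', 'configurationManagerClientMdm')][string]$ManagementAgentState,
    [ValidateSet('compliant', 'noncompliant', 'unknown', 'configManager')][string]$CompliantState,
    [ValidateSet('managed', 'wipePending', 'retireIssued', 'retirePending')][string]$ManagementState,
    [switch]$Delete
)

# Guard against the "0 deletes everything" mistake mentioned in the post.
if ($DaysLastSyncDate -lt 1) { throw 'DaysLastSyncDate must be at least 1.' }

# --- Unattended authentication: OAuth2 client credentials against Microsoft Graph ---
$tenantId = Get-AutomationVariable -Name 'TenantId'
$app      = Get-AutomationPSCredential -Name 'IntuneGraphApp'
$token    = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $app.UserName
        client_secret = $app.GetNetworkCredential().Password
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$graph   = 'https://graph.microsoft.com/v1.0'

# Follow @odata.nextLink so large tenants are enumerated completely.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# --- Query Intune and apply the criteria -------------------------------------------
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$DaysLastSyncDate)
$devices = Get-GraphCollection "$graph/deviceManagement/managedDevices" |
    Where-Object { ([datetime]$_.lastSyncDateTime).ToUniversalTime() -le $cutoff }

# Optional criteria are applied client-side so every parameter combination behaves the same.
if ($ManagementAgentState) { $devices = $devices | Where-Object managementAgent -eq $ManagementAgentState }
if ($CompliantState)       { $devices = $devices | Where-Object complianceState -eq $CompliantState }
if ($ManagementState)      { $devices = $devices | Where-Object managementState -eq $ManagementState }

Write-Output "Matched $(@($devices).Count) device object(s) not synced since $($cutoff.ToString('u'))"

# --- Delete from Intune, then the corresponding Azure AD device object -------------
foreach ($d in $devices) {
    Write-Output "$($d.deviceName) | last sync $($d.lastSyncDateTime) | $($d.managementAgent)/$($d.complianceState)/$($d.managementState)"
    if (-not $Delete) { continue }   # dry run: report only, nothing is removed

    Invoke-RestMethod -Method Delete -Uri "$graph/deviceManagement/managedDevices/$($d.id)" -Headers $headers

    # The Intune record carries the Azure AD deviceId; resolve it to the directory object id.
    if ($d.azureADDeviceId) {
        $aadDevices = Get-GraphCollection "$graph/devices?`$filter=deviceId eq '$($d.azureADDeviceId)'"
        foreach ($obj in $aadDevices) {
            Invoke-RestMethod -Method Delete -Uri "$graph/devices/$($obj.id)" -Headers $headers
        }
    }
}
```

Run it first without -Delete and review the job output; the listed devices are exactly what a second run with -Delete would remove, which is a safer check than commenting delete lines in and out. Filtering on lastSyncDateTime happens after enumeration, so the cutoff comparison is done in UTC regardless of the Automation worker’s time zone.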
Microsoft Intune Graph API sample scripts
Oliver Kieselbach how to connect interactively to Azure AD/Microsoft Intune
Special thanks to my colleague Dennis van Akker who helped me out to do some PowerShell magic. Fun it was Dennis!