Thomas' Wiki

User Tools

Site Tools

Trace: purge_stale_devices_from_entra_id
purge_stale_devices_from_entra_id

This is an old revision of the document!

Microsoft has an article where they explain best practices to purge stale devices from Entra ID. I have implemented these actions in a script.

First, the script searches for all devices that have not been active for 180 days and disables them.

Next, it searches for all disabled devices that have not been active for 210 days, and actually deletes them. When deleting devices, it also generates a file containing Bitlocker keys for the deleted devices.

The script also indicates how many devices will be impacted, and will ask you to confirm before any changes are made. 

using namespace System.Management.Automation.Host
 
Connect-MgGraph -ContextScope Process -Scopes "BitLockerKey.Read.All"
 
# First, disable the devices.
$DisableDays = 180
$DisableDate = (Get-Date).AddDays(-$DisableDays)
$Params = @{
	accountEnabled = $false
}
 
$DevicesToSetDisabled = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DisableDate) -and ($_.AccountEnabled -eq $true)}
$Count = $DevicesToSetDisabled.Count
 
$Title = "Disable inactive devices?"
$Question= "Would you like to disable $Count enabled devices that have been inactive for approximately $DisableDays days?"
$Choices = @(
    [System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be disabled.")
    [System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be disabled.")
)
$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
 
If($Answer -eq 0) {
Write-Host "Disabling devices..."
    foreach ($Device in $DevicesToSetDisabled) {
    Write-Host "Disabling device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
       Update-MgDevice -DeviceId $Device.Id -BodyParameter $params
    }
}
 
# Then, delete devices that are disabled and have remained inactive for another month.
 
$DeleteDays = $DisableDays + 30
$DeleteDate = (Get-Date).AddDays(-$DeleteDays)
 
$DevicesToDelete = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DeleteDate) -and ($_.AccountEnabled -eq $false)}
$Count = $DevicesToDelete.Count
 
$Title = "Delete inactive devices?"
$Question= "Would you like to delete $Count disabled devices that have been inactive for approximately $DeleteDays days?"
$Choices = @(
    [System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be deleted.")
    [System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be deleted.")
)
$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
 
If($Answer -eq 0) {
 
$ExportKeys = @()
$KeyList = Get-MgInformationProtectionBitlockerRecoveryKey -All
 
Write-Host "Deleting devices..."
    foreach ($Device in $DevicesToDelete) {
        # First save the bitlocker key.
        Write-Host "Exporting Bitlocker keys for $($Device.DisplayName)."
        $DeviceKeys = $KeyList | Where-Object {$_.DeviceID -eq $Device.DeviceId}
        ForEach($Key in $DeviceKeys) {
            $ExportKeys += Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $Key.Id -Property key
        }
        # Then delete the device.
        Write-Host "Deleting device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
        Remove-MgDevice -DeviceId $Device.Id
    }
    Write-Host "Exporting Bitlocker keys to CSV file."
    $ExportDate = Get-Date -Format "yyyy-MM-dd-HH-mm"
    $ExportKeys | Export-Csv -Path "ExportedBitlockerKeys-$ExportDate.csv"
}
 
Disconnect-MgGraph
, , ,
purge_stale_devices_from_entra_id.1710492508.txt.gz · Last modified: by thomas
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki