How to manage Entra ID Stale Devices

When we talk about identity lifecycle management, it is usually in connection with the users in our tenants and almost never with the devices associated with those user profiles. An identity lifecycle covers the entire process that begins when a user's digital identity is created and assigned access to resources, including physical resources such as devices, continues with authentication of that identity and updates to its credentials and attributes, and ends when the identity is retired. The process includes the stages creation -> verification -> authentication -> authorization -> management -> retirement.

If you're using Entra ID, you might run into a common issue: old, unused devices that remain after their users are retired and their accounts disabled. In most cases these devices stay registered in your Entra ID. These "stale devices" are a security risk if they are not managed properly. To complete the lifecycle, registered devices should be unregistered and deleted when they are no longer needed.

What Are Stale Devices?

Stale devices are simply devices that haven't connected to your organization's network for a while. Think of them as forgotten tablets or laptops collecting dust in a drawer. You can find these devices in your Entra ID.


Why Are They a Problem?

These forgotten devices pose a security risk. They might still have access to your company's information, even if they're not being used anymore. If someone unauthorized gets their hands on one, this could lead to a data breach. In addition, these devices interfere with the general lifecycle policies for devices in your company.

Here’s how to efficiently manage stale devices in your environment.

Retrieve all devices

The script below lists all devices with their basic device information, so you get a picture of how many devices are registered in your tenant.


# Connect to Microsoft Graph using Connect-MgGraph
Connect-MgGraph -Scopes "Device.Read.All"

# Retrieve all devices (-All follows paging; without it only the first page is returned)
$devices = Get-MgDevice -All

# Display device information (TrustType shows how the device is joined: AzureAd, ServerAd or Workplace)
$devices | Format-Table -Property DisplayName, TrustType, OperatingSystem, OperatingSystemVersion, ApproximateLastSignInDateTime


Identify Stale devices 

Here we identify all devices that have been inactive for the last 6 months and export the results to a CSV file for further evaluation.


# Connect to Microsoft Graph using Connect-MgGraph
Connect-MgGraph -Scopes "Device.Read.All"

# Calculate the date 6 months ago
$sixMonthsAgo = (Get-Date).AddMonths(-6)

# Retrieve all devices and filter on last activity.
# Entra ID exposes the last activity as ApproximateLastSignInDateTime; note that
# devices that have never signed in have no timestamp and also match this filter.
$inactiveDevices = Get-MgDevice -All | Where-Object { $_.ApproximateLastSignInDateTime -lt $sixMonthsAgo }

# Define the path for the CSV file in "C:\Temp" and make sure the folder exists
$csvFilePath = "C:\Temp\InactiveDevices.csv"
New-Item -ItemType Directory -Path (Split-Path $csvFilePath) -Force | Out-Null

# Export inactive devices to a CSV file
$inactiveDevices | Select-Object DisplayName, TrustType, OperatingSystem, ApproximateLastSignInDateTime | Export-Csv -Path $csvFilePath -NoTypeInformation


Disable Inactive devices

Once you have cross-checked the list of inactive devices, I recommend disabling them. I don't recommend immediately deleting a device that appears to be stale, because you can't undo a deletion if there's a false positive. You should have a policy in place that determines the grace period before disabled devices are deleted.


# Connect to Microsoft Graph using Connect-MgGraph
Connect-MgGraph -Scopes "Device.ReadWrite.All"

# Calculate the date 6 months ago
$dt = (Get-Date).AddMonths(-6)

# Retrieve all devices and keep Windows devices that have not signed in for 6 months.
# The operating system is exposed as the OperatingSystem property of the device object.
$inactiveWindowsDevices = Get-MgDevice -All | Where-Object { $_.ApproximateLastSignInDateTime -le $dt -and $_.OperatingSystem -eq "Windows" }

# Loop through each inactive Windows device and disable it
foreach ($device in $inactiveWindowsDevices) {
    # Construct the parameters to disable the device
    $params = @{
        accountEnabled = $false
    }

    # Disable the device
    try {
        Update-MgDevice -DeviceId $device.Id -BodyParameter $params
        Write-Host "Disabled device: $($device.DisplayName)"
    } catch {
        Write-Host "Failed to disable device: $($device.DisplayName). Error: $($_.Exception.Message)"
    }
}

Write-Host "All inactive Windows devices have been processed."


All Stale devices in my tenant have now been disabled and a message, “All inactive Windows devices have been processed” has been generated.

Delete Stale devices

Alternatively, you can choose to delete stale devices. Bear in mind that deleted devices cannot be recovered, which is why the script below only removes devices that are already disabled.


# Connect to Microsoft Graph using Connect-MgGraph
Connect-MgGraph -Scopes "Device.ReadWrite.All"

# Calculate the date 6 months ago
$dt = (Get-Date).AddMonths(-6)

# Retrieve all devices and keep those that are both inactive and already disabled
$Devices = Get-MgDevice -All | Where-Object {
    ($_.ApproximateLastSignInDateTime -le $dt) -and
    ($_.AccountEnabled -eq $false)
}

# Iterate through each stale device and remove it (deletion cannot be undone)
foreach ($Device in $Devices) {
    Remove-MgDevice -DeviceId $Device.Id
}


In addition to the above:

  1. Regularly check your device list in Entra ID. Look for any devices that haven't connected for a long time. This helps you spot the stale ones.
  2. Set up automatic rules to deal with stale devices. Entra ID has tools that can do this for you, like blocking access from devices that haven't checked in for a while.
  3. Have clear rules for how you handle devices. When a device is no longer needed, make sure it's properly removed from your system.
  4. Consider using two-factor authentication, or making sure only trusted devices can access your company's resources. This adds an extra layer of protection. Conditional Access policies come into play here.
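The disable-then-delete flow and the grace period policy described above, combined into one script as an added example (this is not code from the original post). It records when each device was disabled in a CSV ledger, treats devices with no sign-in timestamp by their registration date instead of deleting them blindly, and only deletes devices that this process disabled once the grace period has passed. The thresholds, the ledger path and the -DryRun switch are my assumptions; save it as a .ps1 file.

```powershell
# Assumed policy: 180 days without sign-in => disable; 30 more days disabled => delete.
param(
    [int]$InactiveDays = 180,
    [int]$GraceDays = 30,
    [string]$LedgerPath = "C:\Temp\DisabledDevices.csv",  # constructed path, adjust to taste
    [switch]$DryRun                                        # report only, change nothing
)

Connect-MgGraph -Scopes "Device.ReadWrite.All"
$now = Get-Date
$staleBefore = $now.AddDays(-$InactiveDays)

# Ledger of devices this script disabled earlier: DeviceId, DisplayName, DisabledOn
$ledger = @{}
if (Test-Path $LedgerPath) {
    Import-Csv $LedgerPath | ForEach-Object { $ledger[$_.DeviceId] = $_ }
}

$devices = Get-MgDevice -All -Property Id, DisplayName, AccountEnabled, ApproximateLastSignInDateTime, RegistrationDateTime

foreach ($d in $devices) {
    # Never-signed-in devices have no sign-in timestamp; fall back to the registration
    # date so a device registered yesterday is not treated as six months stale.
    $lastSeen = $d.ApproximateLastSignInDateTime
    if ($null -eq $lastSeen) { $lastSeen = $d.RegistrationDateTime }
    if ($null -eq $lastSeen -or $lastSeen -gt $staleBefore) { continue }   # active or unknown: leave alone

    if ($d.AccountEnabled) {
        # Stage 1: disable the stale device and record when we did it
        if (-not $DryRun) { Update-MgDevice -DeviceId $d.Id -BodyParameter @{ accountEnabled = $false } }
        $ledger[$d.Id] = [pscustomobject]@{ DeviceId = $d.Id; DisplayName = $d.DisplayName; DisabledOn = $now.ToString("o") }
        Write-Host "Disabled: $($d.DisplayName)"
        continue
    }

    # Stage 2: delete only devices we disabled ourselves, after the grace period has elapsed
    $entry = $ledger[$d.Id]
    if ($null -eq $entry) { Write-Host "Skipping $($d.DisplayName): disabled outside this process"; continue }
    if ([datetime]$entry.DisabledOn -gt $now.AddDays(-$GraceDays)) { continue }
    if (-not $DryRun) { Remove-MgDevice -DeviceId $d.Id }
    $ledger.Remove($d.Id)
    Write-Host "Deleted: $($d.DisplayName)"
}

# Persist the ledger so the next run knows when each device was disabled
if ($ledger.Count -gt 0) { $ledger.Values | Export-Csv -Path $LedgerPath -NoTypeInformation }
elseif (Test-Path $LedgerPath) { Remove-Item $LedgerPath }
```

Run it with -DryRun first to review what would be disabled or deleted; in a dry run the ledger is still written, so delete it before the first real run.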

Managing stale devices doesn't have to be a headache. By keeping an eye on your device list, automating cleanup, and adding extra security measures, you can keep your company's data safe and sound. So go ahead, give those old devices a proper farewell!
