Skip to main content

Entra Device Hygiene — Stale and Duplicate Object Cleanup

Every managed tenant accumulates orphaned and duplicate device objects over time. Left unaddressed, they produce Conditional Access evaluation failures, inaccurate compliance dashboards, and a device inventory that no longer reflects operational reality. Cleaning them up is not optional: CM.L2-3.4.1 requires a maintained, accurate inventory of organizational systems. A tenant with hundreds of stale objects does not have one.

For decommissioning an individual device through the standard retirement workflow, see Device Lifecycle & Onboarding — Device Retirement. This article covers the hygiene operation at scale: identifying why duplicates accumulate, applying decision logic to determine which object to keep, executing the cleanup in the correct order, and automating ongoing detection.

Why Stale and Duplicate Objects Accumulate

Root CauseWhat Happens
Hybrid Join + Entra Registration coexistingA device gets both a Hybrid Azure AD Joined object (synced from on-prem AD via Entra Connect) and an Entra Registered object (created when a user signs into a Microsoft 365 app or adds a work account via Settings). Two objects, same physical device.
Re-imaging without deregisteringThe device is wiped or re-imaged without running the pre-imaging cleanup checklist. The freshly imaged machine registers again and creates a new object; the old one goes stale.
Autopilot re-registrationsA device is reset or re-enrolled through Autopilot. If the previous Autopilot profile or device object was not removed first, a second object appears alongside the original.
Domain rejoin or domain migrationA machine is unjoined and rejoined to on-premises AD. Entra Connect syncs a new computer object with a new GUID while the old Entra object remains.
Co-management migration timingDuring SCCM-to-Intune co-management rollout, enrollment timing mismatches can create a second device record before the original is removed.
Older Windows buildsWindows 10 2004 and later (and Windows 11) automatically remove stale Entra Registered objects when Hybrid Join completes. Older builds do not — both objects persist indefinitely unless manually cleaned up.

Operational Impact

These are not cosmetic issues. They produce failures that are directly observable in production:

  • Conditional Access evaluation failures. CA policy evaluation may resolve to the stale or non-compliant duplicate instead of the active managed device, blocking the user with no apparent cause.
  • Inaccurate compliance reporting. Non-compliant duplicate objects suppress the overall compliance percentage, triggering false positives in compliance dashboards and SSP artifact exports.
  • BitLocker key confusion. Multiple device objects can each hold BitLocker recovery keys. Deleting the wrong object permanently loses the valid recovery key.
  • Device limit exhaustion. Entra enforces a default limit of 50 registered devices per user. Duplicate accumulation consumes slots and can eventually block new registrations.
  • Dynamic group targeting errors. Dynamic groups and filters may resolve to the stale duplicate, causing policy conflicts, unexpected app assignments, or missed compliance enforcement.

Identification — Which Object to Keep

When two or more Entra device objects represent the same physical device, apply the following priority in order:

PriorityCriterionKeepRemove
1Trust typeHybrid Azure AD Joined (ServerAd)Entra Registered (Workplace) — when a Hybrid object exists for the same device
2Last sign-in activityMost recent approximateLastSignInDateTimeOlder or null sign-in date
3Intune managedisManaged = True, active Intune recordNot managed or orphaned Intune record
4Compliance stateCompliantNon-compliant or unknown
5Account enabledaccountEnabled = TrueaccountEnabled = False
6OS versionCurrent buildOlder build (likely pre-reimage)
7Display nameMatches current hostnameHostname mismatch or stale name

Default rule: If a Hybrid Joined object and an Entra Registered object exist for the same machine, the Registered object is almost always the one to remove — unless the device was intentionally converted to cloud-only join.

approximateLastSignInDateTime lags up to 14 days

This property is not real-time. A device that signed in recently may show an older timestamp. Treat it as directional, not precise. Do not use it as the sole disqualification criterion.

Cleanup Process

Phase 1 — Identify and Disable (Stale threshold: 90+ days)

  1. Pull a report of all device objects where approximateLastSignInDateTime is older than 90 days. See Reference Commands below.
  2. Cross-reference each device against Intune, Autopilot, and on-premises AD to confirm it is genuinely stale — not a device with irregular sign-in patterns (see Variable Stale Thresholds below).
  3. Check BitLocker keys before touching any device object. Export and store recovery keys. If you delete the wrong object, the key is gone permanently.
  4. Disable the device in Entra ID (accountEnabled = $false). Do not delete yet.
  5. Document the disabled device (display name, object ID, trust type, last sign-in) in a tracking spreadsheet or remediation ticket.

Phase 2 — Delete (30-day grace period after disable)

  1. Wait 30 days after disabling. If no user or system reports an issue, proceed to delete.
  2. For Hybrid Joined devices — clean up on-premises AD first. Disable or delete the computer object in the relevant domain. Wait for Entra Connect to complete a sync cycle. If you delete the Entra object without first removing the AD object, Entra Connect will recreate it on the next sync.
  3. Delete the Entra device object.
  4. If the device has an Intune record, delete it: Intune > Devices > All devices or via Graph.
  5. If the device has an Autopilot registration, remove it: Intune > Devices > Windows enrollment > Devices. The hardware hash persists separately and must be removed; it is not deleted when the device object is deleted.
  6. Verify the object does not reappear after the next Entra Connect sync cycle (typically within 30 minutes for delta syncs).

Cleanup Order

On-prem AD (disable/delete computer object)
    ↓ Wait for Entra Connect sync
Entra ID (disable → wait 30 days → delete)

Intune (delete device record)

Autopilot (remove hardware hash, if applicable)
Deleting from Intune does not delete from Entra — and vice versa

These are separate object stores. A wipe from Intune does not remove the Entra device object, and deleting from Entra does not retire the Intune enrollment. Both must be cleaned explicitly.

Pre-Imaging Checklist

The cleanup process above is remedial. The root cause is a missing pre-imaging checklist. Before re-imaging or replacing any device, the technician should complete the following:

  1. Sign in to the device with a local admin or domain admin account.
  2. Run dsregcmd /status and record the join type: Hybrid (DomainJoined + AzureAdJoined), Cloud-only (AzureAdJoined), or Registered (WorkplaceJoined).
  3. If Entra Registered is present: Settings > Accounts > Access work or school > Disconnect.
  4. If Hybrid Joined: run dsregcmd /leave from an elevated prompt.
  5. Remove from Intune if managed: Intune > Devices > find device > Delete, or allow the /leave command to trigger automatic unenrollment.
  6. If enrolled in Autopilot: Intune > Devices > Windows enrollment > Devices > find by serial > Delete.
  7. Disable or delete the computer object in on-premises AD if the device is being decommissioned or renamed.
  8. Force an Entra Connect delta sync or wait for the next cycle to confirm the Entra object has been removed.
  9. Document the decommission in the asset tracking system.
  10. Proceed with re-image or replacement.

Ongoing Hygiene

Monthly Stale Device Detection

Schedule a monthly PowerShell script or Azure Automation runbook to flag devices with no sign-in activity in 90+ days and output results to a shared mailbox, Teams channel, or ITSM ticket. The Find-DuplicateEntraDevices.ps1 script below can be scheduled directly.

Use Entra ID > Devices > Activity as a quick visual check between automated runs.

Entra Connect Sync Scope Review

Review the OU scope for Entra Connect quarterly. Verify that decommissioned OUs, test OUs, and staging containers are excluded from sync scope. Confirm that the userCertificate attribute is syncing correctly — Hybrid Join depends on it for device registration.

Windows Build Verification

Windows 10 2004 and later automatically remove stale Entra Registered objects when Hybrid Join completes. Spot-check a sample of devices by running dsregcmd /status and confirming only one join type is present. If automatic cleanup is not working, investigate GPO or registry overrides and confirm the build meets the minimum requirement.

Multi-Domain and Multi-Connector Environments

Organizations running multiple on-premises AD domains — each with its own Entra Connect instance syncing to the same Entra tenant — require additional coordination during cleanup.

Duplicate objects across domains: A device that moves between domains, or is accidentally joined to the wrong domain, will produce duplicate Entra objects — one from each Entra Connect instance. Before deleting, confirm which domain the device actually belongs to. Deleting the wrong AD object and then triggering a sync can re-create the unwanted Entra object.

Sync schedule coordination: Each Entra Connect instance may run on its own sync schedule. Know the schedule for each instance before executing bulk changes. After on-premises changes, force a delta sync on the relevant instance:

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

Confirm the sync result in Entra before proceeding to delete.

Variable stale thresholds: Devices used in operational roles with irregular sign-in patterns — field equipment, shared terminals, kiosks, vehicle-mounted devices — may have legitimate gaps of several months between Entra sign-in events. Use a longer stale threshold (180 days) for these device classes and exclude them from standard automation via a dynamic group based on device name prefix, OU, or Intune group tag. Apply the standard 90-day threshold only to office workstations and user laptops.

Reference Commands

All commands use the Microsoft Graph PowerShell SDK (Microsoft.Graph module).

Connect

# Read-only
Connect-MgGraph -Scopes "Device.Read.All","BitLockerKey.Read.All"

# With write permission (required for disable/delete operations)
Connect-MgGraph -Scopes "Device.ReadWrite.All","BitLockerKey.Read.All"

Find Stale Devices (90+ days without sign-in)

$cutoff = (Get-Date).AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgDevice -All -Filter "approximateLastSignInDateTime le $cutoff" |
    Select-Object DisplayName, Id, DeviceId, ApproximateLastSignInDateTime,
        TrustType, AccountEnabled, OperatingSystem, OperatingSystemVersion |
    Sort-Object ApproximateLastSignInDateTime |
    Export-Csv -Path "StaleDevices.csv" -NoTypeInformation

Find Duplicate Device Names

Get-MgDevice -All |
    Group-Object DisplayName |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count,
        @{N='DeviceIds';E={ ($_.Group | ForEach-Object {
            "$($_.TrustType) | LastSign=$($_.ApproximateLastSignInDateTime) | Enabled=$($_.AccountEnabled) | Id=$($_.Id)"
        }) -join "`n" }} |
    Format-List

Disable a Device

Update-MgDevice -DeviceId <ObjectId> -AccountEnabled:$false

Delete a Device

Remove-MgDevice -DeviceId <ObjectId>

Check BitLocker Recovery Keys

# List keys by Entra device ID (not object ID)
Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '<DeviceId>'" |
    Select-Object Id, CreatedDateTime, DeviceId, VolumeType

# Export full key value
Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId <KeyId> -Property "key" |
    Select-Object Id, Key, CreatedDateTime

Find Devices by Trust Type

# Hybrid Azure AD Joined
Get-MgDevice -All -Filter "trustType eq 'ServerAd'" |
    Select-Object DisplayName, Id, ApproximateLastSignInDateTime, AccountEnabled

# Entra Registered only
Get-MgDevice -All -Filter "trustType eq 'Workplace'" |
    Select-Object DisplayName, Id, ApproximateLastSignInDateTime, AccountEnabled

Find-DuplicateEntraDevices.ps1

The script below automates the identification process: it connects to Microsoft Graph, retrieves all device objects, groups by display name, applies the prioritization logic above to recommend Keep / Disable / Review for each duplicate, outputs a console summary, and exports two CSV reports. With -IncludeDeletePermission -DisableStale, it will disable recommended devices after a confirmation prompt.

<#
.SYNOPSIS
    Identifies and reports duplicate device objects in Microsoft Entra ID.

.DESCRIPTION
    Connects to Microsoft Graph, exports all device objects, identifies
    duplicates by DisplayName, and applies decision logic to recommend which
    devices to keep, disable, or review. Generates console output and CSV reports.

    Decision logic priority:
      1. Prefer Hybrid Joined (ServerAd) or Entra Joined (AzureAd) over Registered (Workplace)
      2. Among same trust type, prefer most recent ApproximateLastSignInDateTime
      3. Among same date, prefer IsManaged, then IsCompliant, then AccountEnabled
      4. Mark recommended action: Keep / Disable (stale duplicate) / Review (both active)

.PARAMETER IncludeDeletePermission
    Connects with Device.ReadWrite.All scope. Required if using -DisableStale.

.PARAMETER DisableStale
    After generating reports, disable devices marked as "Disable (stale duplicate)"
    with a confirmation prompt. Requires -IncludeDeletePermission.

.PARAMETER StaleThresholdDays
    Days since last sign-in after which a device is considered stale. Default: 90.

.EXAMPLE
    .\Find-DuplicateEntraDevices.ps1
    Read-only scan with default 90-day stale threshold.

.EXAMPLE
    .\Find-DuplicateEntraDevices.ps1 -StaleThresholdDays 180
    Read-only scan using 180-day threshold (appropriate for field/operational devices).

.EXAMPLE
    .\Find-DuplicateEntraDevices.ps1 -IncludeDeletePermission -DisableStale
    Scan and disable stale duplicates (with confirmation prompt).
#>

[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$IncludeDeletePermission,
    [switch]$DisableStale,
    [int]$StaleThresholdDays = 90
)

$ScriptDir    = Split-Path -Parent $MyInvocation.MyCommand.Definition
$DateStamp    = Get-Date -Format "yyyy-MM-dd"
$Transcript   = Join-Path $ScriptDir "EntraDeviceAudit_${DateStamp}.log"

Start-Transcript -Path $Transcript -Append | Out-Null
Write-Host "Transcript: $Transcript" -ForegroundColor Cyan

# --- Prerequisites ---
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.DirectoryManagement)) {
    $install = Read-Host "Microsoft.Graph module not found. Install now? (Y/N)"
    if ($install -eq 'Y') {
        Install-Module Microsoft.Graph -Scope CurrentUser -Force -AllowClobber
    } else {
        Write-Host "Cannot proceed. Exiting." -ForegroundColor Red
        Stop-Transcript | Out-Null; return
    }
}

# --- Connect ---
if ($DisableStale -and -not $IncludeDeletePermission) {
    Write-Host "ERROR: -DisableStale requires -IncludeDeletePermission." -ForegroundColor Red
    Stop-Transcript | Out-Null; return
}

$Scopes = if ($IncludeDeletePermission) { @("Device.ReadWrite.All") } else { @("Device.Read.All") }
try {
    Connect-MgGraph -Scopes $Scopes -ErrorAction Stop | Out-Null
    Write-Host "Connected." -ForegroundColor Green
} catch {
    Write-Host "Connection failed: $_" -ForegroundColor Red
    Stop-Transcript | Out-Null; return
}

# --- Retrieve devices ---
$Properties = @(
    "DisplayName","DeviceId","Id","ApproximateLastSignInDateTime","TrustType",
    "IsManaged","IsCompliant","AccountEnabled","OperatingSystem",
    "OperatingSystemVersion","ProfileType","ManagementType","RegistrationDateTime"
)
try {
    $AllDevices = Get-MgDevice -All -Property ($Properties -join ',') -ErrorAction Stop | Select-Object $Properties
    Write-Host "Retrieved $($AllDevices.Count) devices." -ForegroundColor Green
} catch {
    Write-Host "Retrieval failed: $_" -ForegroundColor Red
    Disconnect-MgGraph | Out-Null; Stop-Transcript | Out-Null; return
}

# --- Trust type ranking ---
function Get-TrustTypeRank { param([string]$TrustType)
    switch ($TrustType) {
        "ServerAd"  { 3 }   # Hybrid Azure AD Joined
        "AzureAd"   { 2 }   # Entra Joined
        "Workplace" { 1 }   # Entra Registered
        default     { 0 }
    }
}

# --- Identify duplicates ---
$StaleDate      = (Get-Date).AddDays(-$StaleThresholdDays)
$DeviceGroups   = $AllDevices | Group-Object -Property DisplayName
$DuplicateGroups = $DeviceGroups | Where-Object { $_.Count -gt 1 }
$NonDuplicates  = $DeviceGroups | Where-Object { $_.Count -eq 1 }

$Results = [System.Collections.Generic.List[PSCustomObject]]::new()

foreach ($group in $DuplicateGroups) {
    $sorted = $group.Group | Sort-Object -Property @(
        @{ Expression = { Get-TrustTypeRank $_.TrustType }; Descending = $true },
        @{ Expression = { $_.ApproximateLastSignInDateTime -as [datetime] }; Descending = $true },
        @{ Expression = { [bool]$_.IsManaged }; Descending = $true },
        @{ Expression = { [bool]$_.IsCompliant }; Descending = $true },
        @{ Expression = { [bool]$_.AccountEnabled }; Descending = $true }
    )
    $keeper = $sorted[0]
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $dev       = $sorted[$i]
        $lastSignIn = $dev.ApproximateLastSignInDateTime -as [datetime]
        if ($i -eq 0) {
            $action = "Keep"
        } elseif ((Get-TrustTypeRank $dev.TrustType) -lt (Get-TrustTypeRank $keeper.TrustType)) {
            $action = "Disable (stale duplicate)"
        } elseif ($null -eq $lastSignIn -or $lastSignIn -lt $StaleDate) {
            $action = "Disable (stale duplicate)"
        } else {
            $action = "Review (both active)"
        }
        $Results.Add([PSCustomObject]@{
            DuplicateGroup                = $group.Name
            DisplayName                   = $dev.DisplayName
            DeviceId                      = $dev.DeviceId
            ObjectId                      = $dev.Id
            ApproximateLastSignInDateTime = $dev.ApproximateLastSignInDateTime
            TrustType                     = $dev.TrustType
            IsManaged                     = $dev.IsManaged
            IsCompliant                   = $dev.IsCompliant
            AccountEnabled                = $dev.AccountEnabled
            OperatingSystem               = $dev.OperatingSystem
            OperatingSystemVersion        = $dev.OperatingSystemVersion
            ProfileType                   = $dev.ProfileType
            ManagementType                = $dev.ManagementType
            RegistrationDateTime          = $dev.RegistrationDateTime
            RecommendedAction             = $action
        })
    }
}

$StaleNonDuplicates = ($NonDuplicates | Where-Object {
    $d = $_.Group[0]; $ls = $d.ApproximateLastSignInDateTime -as [datetime]
    $null -eq $ls -or $ls -lt $StaleDate
}).Count

# --- Console summary ---
Write-Host "`n===  ENTRA DEVICE DUPLICATE REPORT  ===" -ForegroundColor Cyan
Write-Host "Total devices:                 $($AllDevices.Count)"
Write-Host "Unique device names:           $($DeviceGroups.Count)"
Write-Host "Names with duplicates:         $($DuplicateGroups.Count)"
Write-Host "Total duplicate objects:       $($Results.Count)"
Write-Host "Stale non-duplicate devices:   $StaleNonDuplicates (no sign-in $StaleThresholdDays+ days)"

Write-Host "`nTrust Type Breakdown:" -ForegroundColor Cyan
$AllDevices | Group-Object TrustType | ForEach-Object {
    $label = switch ($_.Name) {
        "ServerAd"  { "Hybrid Azure AD Joined (ServerAd)" }
        "AzureAd"   { "Entra Joined (AzureAd)" }
        "Workplace" { "Entra Registered (Workplace)" }
        default     { "Other/Unknown ($($_.Name))" }
    }
    Write-Host "  ${label}: $($_.Count)"
}

Write-Host "`nRecommended Actions for Duplicates:" -ForegroundColor Cyan
$Results | Group-Object RecommendedAction | ForEach-Object {
    $color = switch -Wildcard ($_.Name) { "Keep" { "Green" } "Review*" { "Yellow" } "Disable*" { "Red" } default { "White" } }
    Write-Host "  $($_.Name): $($_.Count)" -ForegroundColor $color
}

Write-Host "`n--- Duplicate Groups Detail ---" -ForegroundColor Cyan
foreach ($groupName in ($Results | Select-Object -ExpandProperty DuplicateGroup -Unique)) {
    Write-Host "Device: $groupName"
    $Results | Where-Object { $_.DuplicateGroup -eq $groupName } | ForEach-Object {
        $color = switch -Wildcard ($_.RecommendedAction) { "Keep" { "Green" } "Review*" { "Yellow" } "Disable*" { "Red" } default { "White" } }
        $si = if ($_.ApproximateLastSignInDateTime) { $_.ApproximateLastSignInDateTime } else { "Never" }
        Write-Host ("  [{0}] Trust={1}  LastSignIn={2}  Managed={3}  Compliant={4}  Enabled={5}  ObjectId={6}" -f
            $_.RecommendedAction, $_.TrustType, $si, $_.IsManaged, $_.IsCompliant, $_.AccountEnabled, $_.ObjectId
        ) -ForegroundColor $color
    }
    Write-Host ""
}

# --- CSV exports ---
$DetailCsv   = Join-Path $ScriptDir "EntraDeviceDuplicates_${DateStamp}.csv"
$SummaryCsv  = Join-Path $ScriptDir "EntraDeviceSummary_${DateStamp}.csv"
$Results | Export-Csv -Path $DetailCsv -NoTypeInformation -Encoding UTF8
Write-Host "Detail report: $DetailCsv" -ForegroundColor Green

$TrustBreak = $AllDevices | Group-Object TrustType
[PSCustomObject]@{
    ReportDate               = $DateStamp
    TotalDevices             = $AllDevices.Count
    UniqueDeviceNames        = $DeviceGroups.Count
    DuplicateDeviceNames     = $DuplicateGroups.Count
    TotalDuplicateObjects    = $Results.Count
    StaleNonDuplicates       = $StaleNonDuplicates
    StaleThresholdDays       = $StaleThresholdDays
    RecommendedKeep          = ($Results | Where-Object RecommendedAction -eq "Keep").Count
    RecommendedDisable       = ($Results | Where-Object { $_.RecommendedAction -like "Disable*" }).Count
    RecommendedReview        = ($Results | Where-Object { $_.RecommendedAction -like "Review*" }).Count
    HybridJoinedCount        = ($TrustBreak | Where-Object Name -eq "ServerAd").Count
    EntraJoinedCount         = ($TrustBreak | Where-Object Name -eq "AzureAd").Count
    RegisteredCount          = ($TrustBreak | Where-Object Name -eq "Workplace").Count
} | Export-Csv -Path $SummaryCsv -NoTypeInformation -Encoding UTF8
Write-Host "Summary report: $SummaryCsv" -ForegroundColor Green

# --- Optional: disable stale duplicates ---
if ($DisableStale) {
    $ToDisable = $Results | Where-Object { $_.RecommendedAction -like "Disable*" -and $_.AccountEnabled -eq $true }
    if ($ToDisable.Count -eq 0) {
        Write-Host "No enabled stale duplicates to disable." -ForegroundColor Green
    } else {
        Write-Host "`n$($ToDisable.Count) device(s) to disable:" -ForegroundColor Yellow
        Write-Host "*** Verify BitLocker keys before proceeding. ***" -ForegroundColor Red
        $hybrid = $ToDisable | Where-Object { $_.TrustType -eq "ServerAd" }
        if ($hybrid.Count -gt 0) {
            Write-Host "  $($hybrid.Count) Hybrid Joined device(s) detected — clean up from on-prem AD first." -ForegroundColor Red
        }
        $ToDisable | ForEach-Object {
            Write-Host "  $($_.DisplayName) | $($_.TrustType) | LastSignIn=$($_.ApproximateLastSignInDateTime) | ObjectId=$($_.ObjectId)" -ForegroundColor Yellow
        }
        $confirm = Read-Host "`nType 'DISABLE' to confirm (any other input cancels)"
        if ($confirm -eq 'DISABLE') {
            $ok = 0; $fail = 0
            $ToDisable | ForEach-Object {
                try {
                    Update-MgDevice -DeviceId $_.ObjectId -AccountEnabled:$false -ErrorAction Stop
                    Write-Host "  DISABLED: $($_.DisplayName)" -ForegroundColor Red; $ok++
                } catch {
                    Write-Host "  FAILED: $($_.DisplayName): $_" -ForegroundColor Red; $fail++
                }
            }
            Write-Host "Complete: $ok disabled, $fail failed." -ForegroundColor Cyan
        } else {
            Write-Host "Cancelled." -ForegroundColor Yellow
        }
    }
}

Disconnect-MgGraph | Out-Null
Write-Host "`nScript complete. Reports in: $ScriptDir" -ForegroundColor Cyan
Stop-Transcript | Out-Null

Key Gotchas

  • BitLocker key loss is permanent. If you delete a device object that holds the only copy of a BitLocker recovery key, the key cannot be recovered. Export and confirm all BitLocker keys before deleting any device object.
  • Entra Connect recreates what you delete. Deleting a Hybrid Joined device from Entra without first removing the computer object from on-premises AD will result in the object being recreated on the next sync cycle. Always clean AD first.
  • approximateLastSignInDateTime lags up to 14 days. Do not treat it as real-time. Use it directionally and cross-reference against Intune's lastSyncDateTime for higher precision.
  • Graph API throttling. Get-MgDevice -All on large tenants can hit throttling (HTTP 429). The script above will fail silently on throttled calls; add retry logic with exponential backoff for bulk operations exceeding a few hundred devices.
  • Autopilot hardware hashes survive device deletion. Deleting the Entra or Intune device object does not remove the Autopilot hardware hash registration. The hash persists and can cause re-enrollment issues. Remove it explicitly.
  • Disabled devices may still consume a license slot. Deletion is the only way to fully free the slot in configurations that bill per registered device.
  • Dynamic group membership is not instant. After disabling or deleting a device, dynamic group recalculation can take 5–30 minutes. Do not assume Conditional Access policies update immediately.
  • Test with a small batch first. Before running bulk disable or delete operations, validate with 5–10 devices and wait a full sync cycle before proceeding.

CMMC Control Mapping

NIST SP 800-171 Rev. 2 ControlHow Entra Device Hygiene Satisfies It
CM.L2-3.4.1 — Establish and maintain baseline configurations and inventories of organizational systemsStale and duplicate device cleanup produces an accurate, current inventory of managed endpoints. An inventory populated with orphaned objects does not satisfy this control.
IA.L2-3.5.1 — Identify system users, processes acting on behalf of users, and devicesEntra device objects are how the directory identifies devices for authentication and access decisions. Orphaned device objects represent unidentified or ambiguously identified system components.
AC.L2-3.1.1 — Limit system access to authorized users and devicesStale device objects with accountEnabled = True represent device identities that can still authenticate to the tenant. Disabling and removing them limits system access to currently authorized, actively managed devices.

CMMC Level 2 assessors evaluating CM.L2-3.4.1 will typically request a device inventory export. An export containing hundreds of stale objects with no evidence of a hygiene process is unlikely to satisfy this practice without additional explanation.

📩 Don't Miss the Next Solution

Join the list to see the real-time solutions I'm delivering to my GCC High clients.