We have recently written this PowerShell magic by following the Microsoft documentation:
How To: Manage stale devices in Azure AD
The script has been parameterized to perform a number of functions as per your needs.
Prerequisites for this solution:
Download the solution from the GitHub link below (AzureMobileStaleDeviceCleanup.ps1):
https://github.com/VikasSukhija/Downloads
Download the solution from the PowerShell Gallery:
https://www.powershellgallery.com/packages/AzureMobileStaleDeviceCleanup
Install-Script -Name AzureMobileStaleDeviceCleanup
The script will auto-generate the password the first time it runs and will save it, encrypted, in the same folder.
The script ships with default parameters, but you can change them to suit your environment, or simply pass them when running it as shown below.
Syntax for running the script:
Report only:
. AzureMobileStaleDeviceCleanup.ps1 -LastActivityDisableDays 180 -LastActivityDeleteDays 365 -Operation Report -smtpserver 'smtpserver.labtest.com' -from 'DoNotRespond@labtest.com' -erroremail 'Reports@labtest.com' -CountofChanges 100
By default, LastActivityDisableDays is set to 90 and LastActivityDeleteDays is set to 120, but you can update them to whatever you want when running it as shown above.
Similarly, you can choose the operation as Disable, Remove or DisableAndRemove.
Disable: The script will find the devices whose 'ApproximateLastLogonTimeStamp' is earlier than the LastActivityDisableDays parameter (this operation disables the device in Azure AD).
Remove: The script will find the devices whose 'ApproximateLastLogonTimeStamp' is earlier than the LastActivityDeleteDays parameter (this operation removes the device from Azure AD).
DisableAndRemove: The script will find the devices whose 'ApproximateLastLogonTimeStamp' falls between LastActivityDisableDays and LastActivityDeleteDays (and disable those devices).
The script will also find devices whose 'ApproximateLastLogonTimeStamp' is earlier than the LastActivityDeleteDays parameter (and remove those devices).
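To make the three operations concrete, here is an added example (my own code, not the AzureMobileStaleDeviceCleanup script) that applies the same LastActivityDisableDays / LastActivityDeleteDays cutoffs to a few constructed device objects standing in for Get-AzureADDevice output. The Set-AzureADDevice / Remove-AzureADDevice calls stay commented out, as the post advises, and devices with no ApproximateLastLogonTimeStamp are flagged for review rather than deleted, which is my assumption rather than a rule from the script.

```powershell
# Added example (not the post's script): classify devices like the operations above.
function Get-StaleDeviceAction {
    param(
        [Parameter(Mandatory)] $Device,
        [int]$LastActivityDisableDays = 90,
        [int]$LastActivityDeleteDays = 120,
        [ValidateSet('Report', 'Disable', 'Remove', 'DisableAndRemove')]
        [string]$Operation = 'Report'
    )
    $disableCutoff = (Get-Date).AddDays(-$LastActivityDisableDays)
    $deleteCutoff  = (Get-Date).AddDays(-$LastActivityDeleteDays)
    $last = $Device.ApproximateLastLogonTimeStamp
    # Devices that never reported a logon carry a null timestamp; flag them for manual
    # review instead of treating null as "older than everything" (my assumption).
    if ($null -eq $last) { return 'Review' }
    switch ($Operation) {
        'Disable' { if ($last -lt $disableCutoff) { return 'Disable' } }
        'Remove'  { if ($last -lt $deleteCutoff)  { return 'Remove' } }
        'DisableAndRemove' {
            if ($last -lt $deleteCutoff)  { return 'Remove' }   # older than the delete window
            if ($last -lt $disableCutoff) { return 'Disable' }  # between the two windows
        }
        'Report' {
            if ($last -lt $deleteCutoff)  { return 'WouldRemove' }
            if ($last -lt $disableCutoff) { return 'WouldDisable' }
        }
    }
    return 'Keep'
}
# Constructed sample devices standing in for real Get-AzureADDevice -All $true output.
$devices = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-01'; ObjectId = 'placeholder-guid-1'; ApproximateLastLogonTimeStamp = (Get-Date).AddDays(-30) }
    [pscustomobject]@{ DisplayName = 'LAPTOP-02'; ObjectId = 'placeholder-guid-2'; ApproximateLastLogonTimeStamp = (Get-Date).AddDays(-100) }
    [pscustomobject]@{ DisplayName = 'LAPTOP-03'; ObjectId = 'placeholder-guid-3'; ApproximateLastLogonTimeStamp = (Get-Date).AddDays(-400) }
    [pscustomobject]@{ DisplayName = 'LAPTOP-04'; ObjectId = 'placeholder-guid-4'; ApproximateLastLogonTimeStamp = $null }
)
$Operation = 'Report'   # switch to DisableAndRemove only after reviewing the report
$devices | ForEach-Object {
    $d = $_
    $action = Get-StaleDeviceAction -Device $d -Operation $Operation
    # The real cmdlets stay commented out until deployment, exactly as the post advises.
    switch ($action) {
        'Disable' { <# Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false #> }
        'Remove'  { <# Remove-AzureADDevice -ObjectId $d.ObjectId #> }
    }
    [pscustomobject]@{ Device = $d.DisplayName; LastLogon = $d.ApproximateLastLogonTimeStamp; Action = $action }
} | Format-Table -AutoSize
```

With the sample data above, LAPTOP-02 lands in WouldDisable, LAPTOP-03 in WouldRemove, LAPTOP-01 in Keep and LAPTOP-04 in Review.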
When you are ready to deploy it in prod, don't forget to uncomment the commands below, which the script uses to disable and remove devices.
We are still testing it and have not yet put it into prod for the client, so we are releasing it as is; the final version may change a bit.
#Set-AzureADDevice -ObjectId $Device.ObjectID -AccountEnabled $false
#Remove-AzureADDevice -ObjectId $Deleted.ObjectID
Here is a snippet of the report it will generate.
I hope this PowerShell magic will help you remove stale devices from your environment.
You can schedule it to run daily or weekly as per your needs.
(The account used for running it is excluded from MFA, or you need to use the app registration and certificate approach if your environment is strict on MFA.)
Thanks for reading and downloading....
Tech Wizard