Blog Post

Core Infrastructure and Security Blog
6 MIN READ

Identify Device state in EntraID/Defender with PowerShell

edgarus71's avatar
edgarus71
Icon for Microsoft rankMicrosoft
Oct 22, 2025

In certain occasions you may want to confirm what is the state of your devices or a subset of your devices in EntraID and cross reference this with the device status you see in Defender for Endpoint. Sometimes a device can appear as onboarded in Defender for Endpoint but given that an inactive device remains visible in the Defender portal for 180 days before it gets removed automatically, it can be challenging to understand what devices that show as inactive in the console are actually disabled in EntraID and no longer part of the device fleet you manage. The challenge today is that the EntraID API doesn’t expose the parameter “AccountState” to the Defender API, hence it is not possible to run an API call from the API explorer view from Defender portal to query this parameter, or view this information through Defender portal.

Proposed solution: One way to achieve this result is by integrating few pieces of available technology. It sounds like a lot of moving parts but we do not need App registration in EntraID MS ...
Updated Oct 22, 2025
Version 1.0
defender atp
powershell
josequintino's avatar
josequintino
MCT
Oct 22, 2025

Excellent technical approach and very well structured. The integration between EntraID, Microsoft Graph API, and Defender for Endpoint via PowerShell is clearly explained and provides a practical solution to a recurring challenge in device management. The attention to security, particularly the encryption of the client secret, reflects a strong focus on critical details. Congratulations on the clarity, usefulness, and applicability of this content, a valuable reference for infrastructure and security professionals.