Intune Customer Success

Offboarding users from Microsoft Endpoint Manager – Microsoft Intune

Intune_Support_Team
Mar 17, 2022

When a user no longer needs to use devices managed by Microsoft Intune, there are several best practices to consider depending on whether you are deleting the user from Azure Active Directory (Azure AD) or need to keep the user present for other purposes. In this post, we’ll review the steps to take to ensure an offboarded user cannot add new devices, and help clean up your Intune datasets more quickly.


Deleting a user

If you are ready to completely remove a user from Azure AD (for example, if a user leaves the organization or you are removing a service account), there are a few steps to remember.


  1. IMPORTANT: Always retire or remote wipe devices associated with that user before deleting the user from Azure AD. If devices are enrolled with user affinity, Intune manages them based on the associated user; if the user is deleted before their devices are cleaned up, Intune's ability to manage those devices may become limited. For details on the available device management actions, see "Remotely run device actions with Intune".
  2. Remove the user from any Azure AD security groups that are assigned any Intune Administrator roles.
  3. Delete the user from Azure AD.


Once the user is deleted from Azure AD, Microsoft Endpoint Manager will automatically remove the user from any Intune reports, device enrollment manager (DEM) accounts, or other configurations.


Keeping a user

If you plan to preserve a user’s account in Azure AD (for example, for a legal compliance period, or to reuse a service account for a different workload), but do not intend for them to enroll devices or otherwise access device management, there are several more considerations.


  1. Retire or remote wipe any devices enrolled by the user. This will clean up Intune reports for that user and reduce stale data as their devices become inactive.
  2. Remove the user from any Azure AD security groups assigned any Intune Administrator roles.
  3. Add the user to an Azure AD security group assigned a device type enrollment restriction blocking all platforms.
  4. (If applicable) Revoke any Android Enterprise tokens the user may have been granted to prevent them from enrolling new devices.
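The two procedures above ("Deleting a user" and "Keeping a user") as one added PowerShell script; it is not from the original post and assumes the Microsoft Graph PowerShell SDK cmdlet names shown, with the Intune admin group IDs and the enrollment-blocking group ID supplied as parameters because the post does not name them. Step 4 (Android Enterprise tokens) is left to the portal.

```powershell
# Added example (not from the post). Run once without -DeleteUser, let the retire/wipe complete, then re-run.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string[]] $IntuneAdminGroupIds = @(),  # assumption: groups assigned Intune Administrator roles
    [string]   $BlockEnrollmentGroupId,     # assumption: group assigned the block-all-platforms restriction
    [switch]   $Wipe,                       # default action is Retire; -Wipe issues a full wipe instead
    [switch]   $DeleteUser                  # "Deleting a user" path; omit it for the "Keeping a user" path
)
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
    'DeviceManagementManagedDevices.Read.All', 'GroupMember.ReadWrite.All', 'User.ReadWrite.All'
$user = Get-MgUser -UserId $UserPrincipalName

# Step 1 (both paths): retire or wipe every device enrolled with this user's affinity FIRST.
$devices = @(Get-MgUserManagedDevice -UserId $user.Id -All)
foreach ($d in $devices) {
    if ($Wipe) { Clear-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id }        # wipe action
    else       { Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id } # retire action
    Write-Host "Queued $(if ($Wipe) {'wipe'} else {'retire'}) for $($d.DeviceName) ($($d.OperatingSystem))"
}

# Step 2 (both paths): drop the user from the security groups that carry Intune Administrator roles.
foreach ($gid in $IntuneAdminGroupIds) {
    if (Get-MgGroupMember -GroupId $gid -All | Where-Object Id -eq $user.Id) {
        Remove-MgGroupMemberByRef -GroupId $gid -DirectoryObjectId $user.Id
        Write-Host "Removed $UserPrincipalName from admin group $gid"
    }
}

if ($DeleteUser) {
    # Step 3 ("Deleting a user"): delete only once no device is still enrolled to the user.
    # The retire/wipe is delivered on the device's next check-in; a deleted user can no longer
    # authenticate, so an instruction still pending at deletion time may never reach the device.
    if (@(Get-MgUserManagedDevice -UserId $user.Id -All).Count -gt 0) {
        Write-Warning "Devices are still enrolled to $UserPrincipalName; wait for retire/wipe to finish before deleting."
    } else {
        Remove-MgUser -UserId $user.Id
        Write-Host "Deleted $UserPrincipalName from Azure AD"
    }
} elseif ($BlockEnrollmentGroupId) {
    # Step 3 ("Keeping a user"): add the account to the group whose enrollment restriction
    # blocks every platform, so it cannot enroll new devices while it remains in Azure AD.
    New-MgGroupMember -GroupId $BlockEnrollmentGroupId -DirectoryObjectId $user.Id
    Write-Host "Added $UserPrincipalName to enrollment-blocking group $BlockEnrollmentGroupId"
}
```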


We hope you’ve found this review helpful as you manage your organization’s users. If you have any questions or feedback, comment on this post or reach out to @IntuneSuppTeam on Twitter.


Post updates:

03/20/23: Updated to clarify the steps under the "Deleting a user" section. Thanks for the feedback!

Updated Mar 20, 2023
Version 2.0
  • BlackSheep_13
    Copper Contributor

    I have issues with retiring: the Windows device is still coming back on the list of all devices as MDE. We did the offboarding script before we retired it. The device object no longer exists in our Entra ID and AD. Is there a way to remove it?


    {"error":{"code":"InternalServerError","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6bfc0c08-bf0a-4ede-b5a3-5a1809096885 - Url: https://fef.msud01.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices('d23c4d5f-7210-e62f-0e39-8d07f3954be9')?api-version=5024-04-03\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2024-06-28T04:24:26","request-id":"b38b69cd-effc-4682-9d44-1085ac941635","client-request-id":"6bfc0c08-bf0a-4ede-b5a3-5a1809096885"}}}

    • Intune_Support_Team
      Microsoft

      Hi BlackSheep_13,


      Sorry we missed your message. We wanted to check if you were continuing to experience this issue? If so, can you verify if the offboarding script was successfully applied by reviewing Event Viewer logs?


      Thanks!

      • BlackSheep_13
        Copper Contributor

        Sorry, I no longer have access to that device and won't be able to verify anything. 

  • Hi lukeapathy, retire or wipe requests on all devices associated with that user will not work if the user is deleted from Entra ID, because they will no longer be able to authenticate with Entra/Intune. This means the device will have no way of receiving the wipe instruction for that user. However, if a user is blocked and MFA is revoked but the account is still in Entra ID, you can still wipe and remove company data. Hope this helps!

  • lukeapathy
    Copper Contributor

    Hello Intune_Support_Team,


    When offboarding a user and issuing a Wipe request or Remove Company Data request, you state the process needs to be performed BEFORE the Entra ID account is removed. Can the user be in a BLOCKED state with MFA credentials revoked and the Wipe issuance and Remove Company Data still work in this scenario? What are the prerequisites for performing this as it relates to the Entra ID user account?


    At present, when a user is being offboarded, the first step is to block the user account in Entra ID and revoke MFA sessions. How does this impact the Wipe/Remove Company Data functions with Intune?


  • AndrewE_TLCNZ
    Copper Contributor

    IMPORTANT: Always retire or remote wipe devices associated with that user before deleting the user from Azure AD. (If devices are enrolled with user affinity, Intune manages devices based on the associated user. If the user is deleted prior to cleaning up their devices, Intune's ability to manage the device may become limited.)

    Are you able to point me to documentation, or advise what "Intune's ability to manage this device may become limited" means? I can't find anything which explains this at all.


    We've got a customer who didn't follow instructions and has ended up with about 8 devices enrolled to a user who has now left. These devices are in remote locations which need to have maximum uptime, so we need to make sure they continue to be managed until remediation can be applied (likely replacement with a correctly set up device, one site at a time).

  • dbroughton
    Copper Contributor

    I have an Excel spreadsheet where I keep BitLocker recovery keys before I do any offboarding.

  • Steve Whitcher
    Bronze Contributor

    I would add another important step to consider even before remote wiping a device:
    For company-owned iOS devices, record the Activation Lock Bypass Code from the device's Hardware page in Intune. Once the device wipe occurs you will no longer be able to access this information, and may have trouble reactivating the device without it.