Entra ID Object Drift – Are We Measuring Tenant Health Correctly?

Hi Menahem​,

This is a very relevant point. In many environments the security posture looks healthy at the dashboard level, but directory hygiene issues quietly accumulate over time. Secure Score and compliance dashboards are useful indicators, but they do not necessarily reflect the operational integrity of the identity and device inventory.

In large Entra ID tenants it’s common to see drift caused by scenarios such as:

• Device re-enrollment or Autopilot resets creating duplicate identities
• Hybrid join remnants after device rebuilds
• Intune orphan records when devices are removed or reimaged
• Stale device objects that are no longer active but still targeted by Conditional Access or policies

Over time this creates governance debt and can lead to inaccurate reporting or unintended policy targeting.

What has worked well in several environments is implementing lifecycle-based cleanup logic, for example:

• Monitoring last sign-in timestamps and device activity
• Automated cleanup for stale devices after defined inactivity periods
• Correlating Intune and Entra device objects to detect orphan records
• Using automation (Graph or scheduled jobs) to maintain directory hygiene

Treating directory hygiene as an ongoing operational process, rather than a periodic cleanup exercise, tends to make a big difference at scale.

It’s good to see more discussion around this topic because identity and device drift is something many large tenants experience but rarely measure directly.