Hi All, Alan here, PFE from Italy, with some small tips on how to install the correct PowerShell module so that you can use the cmdlets required for stale device management.
The article explaining this is: How To: Manage stale devices in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices
One day you might wonder why you have all those stale devices in your Azure AD. Maybe the user changed his/her phone, and the old device object never got removed from Azure AD. Yes, removing it is a manual process.
A good article explaining the difference between Registered and Joined: Azure AD Join vs Azure AD Device Registration: https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/
To get a list of registered devices you have two options, Azure or Office portals:
- From Azure portal just click on Azure Active Directory and then navigate to Devices / All Devices
- From Office portal go to Admin page, scroll down to Admin Centers and click on Azure Active Directory. Click on Devices / All Devices
Information is displayed in various columns; in our case we need Join Type, MDM and Activity.
Join Type can be:
- Azure AD Registered → Single Sign On (SSO) and seamless multi-factor authentication across company cloud applications using personal devices in bring your own device (BYOD) scenarios
- Azure AD Joined → corporate owned device management for users that primarily use cloud applications
- Empty → could be a device that configured Outlook Mobile or Authenticator, which created a device registration without Intune enrollment
MDM can be:
- Microsoft Intune → enrolled with Intune
- None → could be a device that configured Outlook Mobile or Authenticator, which created a device registration without Intune enrollment
Activity:
- This is our great friend: the activity timestamp, exposed in PowerShell as ApproximateLastLogonTimestamp. Example output from Get-MsolDevice:
Enabled : True
DeviceTrustType : Workplace Joined
DeviceTrustLevel : Compliant
ApproximateLastLogonTimestamp : 23-Apr-19 06:34:22
Recalling the first article we read: "Because a stale device is defined as registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property. In Azure AD, this property is called ApproximateLastLogonTimestamp or activity timestamp. If the delta between now and the value of the activity timestamp exceeds the timeframe you have defined for active devices, a device is considered to be stale. This activity timestamp is now in public preview."
So I tried to list all stale devices using the cmdlets listed in the article.
Our first command would be:
Get-MsolDevice -All | Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | Export-Csv x:\AllDeviceSlist-Summary.csv
This works great, but I had the Intune policy set to 90 days, so I needed to get all stale devices whose activity timestamp was older than 90 days.
# Keep the cutoff as a [datetime] object; -LogonTimeBefore expects one, and the variable name must match the one used below
$dt = (Get-Date).AddDays(-90)
Get-MsolDevice -All -LogonTimeBefore $dt | Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | Export-Csv c:\DeviceList-olderthan-90days-summary.csv
-LogonTimeBefore → this one didn't work for me, even with the AzureAD and MSOnline PS modules installed
You need the latest MSOnline module, version 1.1.183.17
In some cases you could have trouble installing the latest versions, maybe because of a proxy, GPOs, or some other strange issue
I tried to install the latest MSOnline and MSOnlineExtended modules, but LogonTimeBefore wasn't there
I removed and reinstalled the AzureAD PowerShell module and WIF 5.1, then I tried to reinstall:
Install-Module MSOnline
Install-Module MSOnlineExtended
No luck! LogonTimeBefore still wasn't there
I solved it by manually downloading, unzipping and importing the modules (the .psd1 file):
https://www.powershellgallery.com/packages/AzureAD/2.0.2.26
https://www.powershellgallery.com/packages/MSOnline/1.1.183.17
And our cmdlet works great:
# Same command as above: a [datetime] cutoff in $dt, passed to -LogonTimeBefore
$dt = (Get-Date).AddDays(-90)
Get-MsolDevice -All -LogonTimeBefore $dt | Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | Export-Csv c:\DeviceList-olderthan-90days-summary.csv
To remove the stale devices you should use the following. Be careful: this removes all the stale devices found, at once.
Get-MsolDevice -All -LogonTimeBefore $dt | Remove-MsolDevice -Force
-Force → the user is not prompted for confirmation
A good idea is to filter on DeviceId or ObjectId and try one device at a time at first
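The list-review-remove sequence above, put together as one script. This is an added example, not code from the original post or from Microsoft: it assumes the MSOnline module (1.1.183.17) is already imported and Connect-MsolService has run, and the $StaleDays, $ReportPath, $Remove and $Keep values are this example's own choices. It reports first, then removes one device at a time by DeviceId instead of piping the whole result into Remove-MsolDevice.

```powershell
# Added example (not from the original post). Assumes MSOnline 1.1.183.17 is imported
# and Connect-MsolService has already been run in this session.
$StaleDays  = 90                                                   # matches the Intune policy in the post
$ReportPath = "C:\Temp\StaleDevices-olderthan-$StaleDays-days.csv" # example path
$Remove     = $false   # flip to $true only after reviewing the CSV
$Keep       = @()      # DeviceIds to exclude after review (e.g. shared devices); empty here

# The cutoff stays a [datetime]; -LogonTimeBefore expects one, so no string formatting.
$cutoff = (Get-Date).AddDays(-$StaleDays)

# 1. List every device whose activity timestamp is older than the cutoff.
$stale = @(Get-MsolDevice -All -LogonTimeBefore $cutoff |
    Select-Object Enabled, DeviceId, ObjectId, DisplayName,
                  DeviceTrustType, DeviceTrustLevel, ApproximateLastLogonTimestamp)

# 2. Report first: the CSV is the record of what you are about to touch.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} device(s) with no activity since {1:yyyy-MM-dd}; report written to {2}" -f `
    $stale.Count, $cutoff, $ReportPath)

# 3. Remove one at a time by DeviceId, skipping anything on the keep list.
foreach ($d in $stale) {
    if ($Keep -contains $d.DeviceId) {
        Write-Host "Keeping $($d.DisplayName) ($($d.DeviceId))"
        continue
    }
    if ($Remove) {
        # -Force suppresses the confirmation prompt, as in the post; $Remove is the real guard here.
        Remove-MsolDevice -DeviceId $d.DeviceId -Force
        Write-Host "Removed $($d.DisplayName) ($($d.DeviceId)), last seen $($d.ApproximateLastLogonTimestamp)"
    } else {
        Write-Host "Would remove $($d.DisplayName) ($($d.DeviceId)), last seen $($d.ApproximateLastLogonTimestamp)"
    }
}
```

Run it once with $Remove left at $false, check the CSV (in particular the Enabled and DeviceTrustLevel columns) and add any DeviceId you want to spare to $Keep, then set $Remove to $true for the actual clean-up.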
Hope this helps you a little on device management
Alan@PFE