When a user no longer needs to use devices managed by Microsoft Intune, there are several best practices to consider depending on whether you are deleting the user from Azure Active Directory (Azure AD) or need to keep the user present for other purposes. In this post, we’ll review the steps to take to ensure an offboarded user cannot add new devices, and help clean up your Intune datasets more quickly.
Deleting a user
If you are ready to completely remove a user from Azure AD (for example, if a user leaves the organization or you are removing a service account), there are a few steps to remember.
- IMPORTANT: Always retire or remote wipe devices associated with that user before deleting the user from Azure AD. (If devices are enrolled with user affinity, Intune manages devices based on the associated user. If the user is deleted prior to cleaning up their devices, Intune's ability to manage the device may become limited (to explore further details on device management actions, please see: Remotely run device actions with Intune to learn more.))
- Remove the user from any Azure AD security groups that are assigned any Intune Administrator roles.
- Delete the user from Azure AD.
Once the user is deleted from Azure AD, Microsoft Endpoint Manager will automatically remove the user from any Intune reports, device enrollment manager (DEM) accounts, or other configurations.
Keeping a user
If you plan to preserve a user’s account in Azure AD (for example, for a legal compliance period or to use a service account for a different workload.), but do not intend for them to enroll devices or otherwise access device management, there are several more considerations.
- Retire or remote wipe any devices enrolled by the user. This will clean up Intune reports for that user and reduce stale data as their devices become inactive.
- Remove the user from any Azure AD security groups assigned any Intune Administrator roles.
- Add the user to an Azure AD security group assigned a device type enrollment restriction blocking all platforms.
- (If applicable) Revoke any Android Enterprise tokens the user may have been granted to prevent them from enrolling new devices.
We hope you’ve found this review helpful as you manage your organization’s users. If you have any questions or feedback, comment on this post or reach out to @IntuneSuppTeam on Twitter.
03/20/23: Updated to clarify the steps under the "Deleting a user" section. Thanks for the feedback!