When a user no longer needs to use devices managed by Microsoft Intune, there are several best practices to consider, depending on whether you are deleting the user from Azure Active Directory (Azure AD) or need to keep the user present for other purposes. In this post, we’ll review the steps to take to ensure an offboarded user cannot add new devices, and to clean up that user’s Intune data more quickly.
Deleting a user
If you are ready to completely remove a user from Azure AD (for example, if a user leaves the organization or you are removing a service account), there are a few steps to remember.
IMPORTANT: Always retire or remote wipe devices associated with that user before deleting the user from Azure AD. (If devices are enrolled with user affinity, Intune manages devices based on the associated user. If the user is deleted prior to cleaning up their devices, Intune's ability to manage the device may become limited.)
Once the user is deleted from Azure AD, Microsoft Endpoint Manager will automatically remove the user from any Intune reports, device enrollment manager (DEM) accounts, or other configurations.
Keeping a user
If you plan to preserve a user’s account in Azure AD (for example, for a legal compliance period, or to reuse a service account for a different workload), but do not intend for them to enroll devices or otherwise access device management, there are several more considerations.
Retire or remote wipe any devices enrolled by the user. This will clean up Intune reports for that user and reduce stale data as their devices become inactive.
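The following PowerShell script is an added example, not part of the original post or a Microsoft-provided tool. It shows one way to apply the ordering described in both sections above: enumerate the user’s Intune-managed devices through Microsoft Graph, retire (or wipe) each of them, and, only when requested, delete the Azure AD account, refusing to do so while any device is still associated with the user. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the Graph permissions named in the comments, and uses a placeholder UPN; the function name and parameters are this example’s own.

```powershell
# Added example (not from the original post): retire or wipe a user's Intune
# devices before the Azure AD account is deleted, as the post recommends.
# Assumes the Microsoft.Graph SDK is installed and the caller has the
# DeviceManagementManagedDevices.PrivilegedOperations.All and User.ReadWrite.All
# scopes. Function name and parameters are illustrative; the UPN is a placeholder.

function Invoke-IntuneUserOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('retire', 'wipe')] [string] $Action = 'retire',
        [switch] $DeleteUser
    )

    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All', 'User.ReadWrite.All' | Out-Null
    $graph = 'https://graph.microsoft.com/v1.0'

    # Resolve the account, then list devices Intune has associated with it (user affinity).
    $user    = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserPrincipalName?`$select=id,userPrincipalName"
    $devices = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($user.id)/managedDevices?`$select=id,deviceName,operatingSystem,lastSyncDateTime").value

    foreach ($d in $devices) {
        if ($PSCmdlet.ShouldProcess("$($d.deviceName) [$($d.operatingSystem)]", $Action)) {
            # 'retire' removes company data and management; 'wipe' resets the device to factory settings.
            Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($d.id)/$Action"
            Write-Host "Sent $Action to $($d.deviceName) (last sync: $($d.lastSyncDateTime))"
        }
    }

    if ($DeleteUser) {
        # The device record only disappears after the device checks in and completes the action,
        # so re-check before removing the user: deleting first would leave Intune unable to manage them.
        $remaining = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($user.id)/managedDevices?`$select=id").value
        if ($remaining.Count -gt 0) {
            Write-Warning "$($remaining.Count) device(s) still associated with $UserPrincipalName; not deleting the account yet."
            return
        }
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Delete Azure AD user')) {
            Invoke-MgGraphRequest -Method DELETE -Uri "$graph/users/$($user.id)"
        }
    }
}

# Preview with -WhatIf first; drop it to execute. The UPN is a placeholder.
Invoke-IntuneUserOffboarding -UserPrincipalName 'user@contoso.com' -Action retire -DeleteUser -WhatIf
```

For the "keep the user" case, run the function without -DeleteUser: the devices are retired and the account stays in Azure AD.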