In our environment, all of our window devices are automatically joined to Intune when they are Azure joined. This is working as expected, but what is the best practice for retiring said devices. Typically, our Intune Service Admin will be the one retiring a devices, however, removing a device from Intune doesn't remove it from Azure AD. Is there any way to grant the Intune Service admin (or other role-based admin) the ability to delete these devices from Azure AD? What's the best practice for retiring devices?