Nov 06 2023 08:34 AM
Can anyone please explain to me why the majority of our devices have multiple object IDs in Entra AD? We have about 400 devices which are managed by Intune, and all devices are enrolled via Autopilot. All these devices are Hybrid Azure AD joined.
Looking at all of the devices, we see that almost all machines have at least two objects in Entra AD (some even have 3 or more objects):
Each object has its own unique DeviceId and Id.
When I verify the Object ID in Intune, I can see that the Hybrid Azure AD device is the correct device. The Azure AD joined device does not appear in Intune. I searched Google, and found various topics about the subject, where some say to leave the double objects alone, while others simply say to remove the devices.
I decided to open a support case with Microsoft, and the engineer simply told me to disable all the Azure AD joined devices and then remove them (Remove-MgDevice).
So I started building lists according to the creation date, believing these are remnants from the guy I came to replace.
Connect-MgGraph
$Windows_AADJ_Devices = Get-MGDevice -all | ? {($_.TrustType -eq "AzureAD") -and ($_.OperatingSystem -eq "Windows")} | Select-Object DisplayName, DeviceId, ID, @{Name="CreatedDateTime"; Expression={$_.AdditionalProperties.createdDateTime}}, TrustType, AccountEnabled
$2020 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2020*"}
$2021 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2021*"}
$2022 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2022*"}
$2023 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2023*"}
First I disabled the devices which were created back in 2020; a week later I disabled all computers which were created in 2021, and again a week later I disabled the computers created back in 2022. The following week, I verified the list of devices which I had disabled first (2020) again. To my surprise, some devices on that list were enabled again. I checked with the service desk whether someone had re-enabled these devices, but nobody had.
I cannot explain how these devices get re-enabled. Not all devices are being re-enabled.
Example:
$2020 contained 134 devices, 124 were still disabled after a period of 4 weeks, however 10 were re-enabled. I have already disabled the re-enabled devices again, only to discover that they are enabled again a week later.
Eventually I started removing disabled devices which haven't logged on in the last 90 days:
$2020Dis = $2020 | ? {$_.AccountEnabled -ne $true} | % {Get-MgDevice -DeviceId $_.Id | ? {$_.ApproximateLastSignInDateTime -le (Get-Date).addDays(-90)}}
But the question still remains: why are these multiple objects created? Can I somehow prevent this?
What I also saw is that the duplicate objects mostly appear non-compliant and have a different version level than the object which we believe to be the valid one. Also, these devices do not have an owner assigned.
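To find the duplicate objects described above without disabling or deleting anything, here is an added audit script (not from the original post or from Microsoft). It assumes the Microsoft Graph PowerShell SDK is installed, that Device.Read.All consent is available, and that the hybrid object carries TrustType "ServerAd" while the cloud-only duplicate carries "AzureAd"; the output file name is a placeholder.

```powershell
# Added example: report Windows device objects that share a display name.
# Assumes the Microsoft.Graph PowerShell SDK and Device.Read.All consent.
Connect-MgGraph -Scopes "Device.Read.All"

$props = "Id", "DeviceId", "DisplayName", "TrustType", "OperatingSystem", "AccountEnabled",
         "ApproximateLastSignInDateTime", "RegistrationDateTime", "IsCompliant", "DeviceVersion"

$devices = Get-MgDevice -All -Property $props |
    Where-Object { $_.OperatingSystem -eq "Windows" }

$cutoff = (Get-Date).AddDays(-90)

# More than one object per display name is the situation described in the post.
$report = $devices | Group-Object DisplayName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $group  = $_.Group
    # Hybrid joined objects use TrustType "ServerAd"; cloud-only joins use "AzureAd".
    $hybrid = @($group | Where-Object { $_.TrustType -eq "ServerAd" })
    foreach ($d in $group) {
        $lastSignIn = $d.ApproximateLastSignInDateTime
        [pscustomobject]@{
            DisplayName   = $d.DisplayName
            ObjectId      = $d.Id
            DeviceId      = $d.DeviceId
            TrustType     = $d.TrustType
            Enabled       = $d.AccountEnabled
            Compliant     = $d.IsCompliant
            DeviceVersion = $d.DeviceVersion
            Registered    = $d.RegistrationDateTime
            LastSignIn    = $lastSignIn
            # Never signed in, or no sign-in within the last 90 days.
            Stale         = ($null -eq $lastSignIn) -or ($lastSignIn -lt $cutoff)
            # Only flag the cloud-only sibling of a name that also has a hybrid object.
            ReviewCandidate = ($hybrid.Count -ge 1) -and ($d.TrustType -eq "AzureAd")
        }
    }
}

$report | Sort-Object DisplayName, TrustType | Format-Table -AutoSize
# Placeholder path: keep the list for review before any disable/remove step.
$report | Export-Csv -Path ".\duplicate-devices.csv" -NoTypeInformation
```

Rows with ReviewCandidate and Stale both true are the ones worth checking against Intune before touching them; rows that are candidates but not stale are the ones to investigate for why they are still signing in.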
Nov 07 2023 12:11 AM - edited Nov 07 2023 12:12 AM
Today, I got a bit of history which might partially explain what is going on.
It seems they enrolled devices with Intune before they configured AD Connect.
However, this might explain some of the Azure AD joined devices, but it does not explain why some (although a minority) were registered in 2023.
Today I noted the attribute DeviceVersion: all the Azure AD joined devices have DeviceVersion=2. I have been looking for info regarding this attribute, but failed to find any besides this:
-DeviceVersion
For internal use only.
Type: Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Nov 08 2023 11:30 PM