SOLVED

Muliple Entra AD objects for the same device

Brass Contributor

Can anyone please explain me why the majority  of our devices have multiple object id's in Entra AD? We have about 400 devices which are managed by Intune, all devices are enrolled via Autopilot. All these devices are Hybrid AzureAD joined.

Looking at all of the devices we see that almost all machines have at least two Objects in Entra AD (some have even 3 or more objects):

  1. an Hybrid Azure AD joined Device
  2. An Azure AD joined Device

Each object has it's unique DeviceId and Id.

When I verify the Object ID in Intune, I can see that the Hybrid Azure AD device is the correct device. The Azure AD joined device does not appear in Intune. I searched Google, and found various topics about the subject, where some say to leave the double objects alone, while others simply say to remove the devices.

I decided to open a support case with Microsoft and the Engineer simply told me disable all the Azure AD joined Devices, and then remove them (Remove-MgDevice).

So I started building lists according to the Creation Date, believing these are remnants from the guy who I came to replace.

 

 

Connect-MgGraph
$Windows_AADJ_Devices = Get-MGDevice -all | ? {($_.TrustType -eq "AzureAD") -and ($_.OperatingSystem -eq "Windows")} | Select-Object DisplayName, DeviceId, ID, @{Name="CreatedDateTime"; Expression={$_.AdditionalProperties.createdDateTime}}, TrustType, AccountEnabled
$2020 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2020*"}
$2021 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2021*"}
$2022 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2022*"}
$2023 = $Windows_AADJ_Devices | ? {$_.CreatedDateTime -like "2023*"}

 

 

First I disabled the devices which were created back in 2020, a week later I disabled all computers which were created in 2021, and again a week later, I disabled the computers created back in 2022. The following week, I verified the list again of the device which I disabled first (2020). To my surprise, some devices of that list were enabled again. I verified with the service desk if someone did re-enable these devices. However nobody re-enabled those devices.

I cannot explain how come these devices are re-enabled. Not all devices are being re-enabled. 

Example:

$2020 contained 134 devices, 124 were still disabled after a period of 4 weeks, however 10 were re-enabled. I have already disabled the re-enabled devices again, only to discover that they are enabled again a week later.

Eventually I started removing disabled devices which haven't logged on in the last 90 days:

 

$2020Dis = $2020 | ? {$_.AccountEnabled -ne $true} | % {Get-MgDevice -DeviceId $_.Id | ? {$_.ApproximateLastSignInDateTime -le (Get-Date).addDays(-90)}}

 

But the question still remain. Why are these multiple objects created? Can I somehow prevent this?

What I also saw is that the Duplicate objects mostly appear incompliant, have a different version level then the object what we believe to be the valid object. Also these device do not have an owner assigned. 

 

 

2 Replies
best response confirmed by TherealKillerbe (Brass Contributor)
Solution

Today, i got a bit of history which might partially explain what is going on.
It seems they enrolled devices with Intunes before they configured AD Connect.
However this might explain some of the Azure AD joined devices, but does not explain why some (although a minority) have been registered in 2023.

Today I noted the attribute DeviceVersion, al the Azure AD joined devices have DeviceVersion=2. Been looking for info regarding this attribute, but failed to find any besides this:
-DeviceVersion
For internal use only.

Type: Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

Eventually we went ahead with removing the machines which we determined incorrect. We saw no effect on the subject machines...
Will monitor closely to see if still double entries are created.
1 best response

Accepted Solutions
best response confirmed by TherealKillerbe (Brass Contributor)
Solution

Today, i got a bit of history which might partially explain what is going on.
It seems they enrolled devices with Intunes before they configured AD Connect.
However this might explain some of the Azure AD joined devices, but does not explain why some (although a minority) have been registered in 2023.

Today I noted the attribute DeviceVersion, al the Azure AD joined devices have DeviceVersion=2. Been looking for info regarding this attribute, but failed to find any besides this:
-DeviceVersion
For internal use only.

Type: Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

View solution in original post