'None' user account compliance entry - deleted AAD user object


Hopefully someone in the community has observed this behaviour and can shed some light / be a shoulder to cry on....

I'll describe the scenario:

Solely Intune managed devices, no SCCM or co-management.

Multi user device, shared with multiple users.

When a user logs into the device, built-in compliance policy runs.

Assigned compliance policy runs.

Each user that logs on creates an entry in the compliance records for the device (as I would expect).

However, when a user leaves the company, the user object is moved in on premise AD to an OU that is not synchronised by AD Connect. It is deleted after a period of time.

When this happens, the object no longer exists in AAD, and so the compliance check for that user can no longer locate that user, displaying it as a 'None' entry where the username once was. This causes the device to go noncompliant in some instances, falling foul of the 'Enrolled User Exists' check.

So.... What is the recommended action here? I can think of a few ways out but none that are a long-term resolution:

Convert the multi-user devices to Kiosks (cannot do this as the limitations are too great for user experience and app requirements etc)

Wipe terminal machines every time a new user logs on (unacceptable).

Synchronise the OU that disabled users are moved to, keeping them in AAD (poses problem when they are finally deleted though).

Never delete users from AD (security risk).

Are we doing something fundamentally wrong here and has anyone else experienced this?

1 Reply

Well, for anyone that's interested, these accounts appeared in my testing when the EMS license was removed. Disabling the user's account had no impact on this and we want to reassign EMS licenses as people leave the business so there's no point keeping any old user accounts (not that that's a good solution anyway, but good to know the root cause).

The noncompliance in this scenario isn't really an issue any more.

I have a support call open with Microsoft for some official guidance on whether these old 'none' account entries against historical device compliance checks can be safely ignored. I'm not sure why they're not just automatically cleaned up after the EMS license is removed from the user.