Microsoft Tech Community

Best practices for ex staff and their devices - Security and Compliance


Hi All,


Not sure if this is the right Hub for the post, but I think it is....

What are the best practices, or the general consensus, on what happens to an ex-staff member's AAD/AD account and device within Azure and Intune?

At present we only disable ex-staff and leave the disabled account in Azure/AD (hybrid environment) and leave the device in Intune... Only after 180 days of inactivity is the device removed from AAD.

My colleague is of the opinion to just leave the device and disabled user in AAD for record keeping, as it does no harm leaving them there.

Now I think we should be doing the following:

Wiping the device via Intune (this will remove it from AAD and Intune)

Disable the user in AAD/AD, remove them from all groups and then, once done, delete the user (I appreciate there might be broken links in SharePoint etc., but with a disabled user it's the same issue)

The reason for putting the post in the Security/Compliance/Identity Hub is that we are going for our first SOC 2 compliance, and I feel having disabled users and non-compliant devices in Intune (the device will become non-compliant after so many days of not being active) will make it harder to justify why we have non-compliant devices in AAD and disabled users. He says we need to leave them in, or we'll have to explain why we removed the user/device.

Keeping things up to date also helps with reporting and housekeeping...

So, from a compliance and security perspective, what are the best practices for dealing with ex-staff and their devices?
I know every company has different ideas.
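The offboarding sequence sketched in the post (disable, remove from groups, wipe the Intune device, then delete) can be run as one auditable routine. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets as the author of this example knows them, and it writes an offboarding record to disk before any deletion so the record-keeping concern raised by the colleague is met without keeping stale accounts and devices around. Assumptions: the Microsoft.Graph modules are installed, the caller has already run Connect-MgGraph with User.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All and DeviceManagementManagedDevices.PrivilegedOperations.All, and the user is cloud-managed (in a hybrid tenant the disable and delete steps for a synced account happen in on-prem AD and flow up through sync). The function name, the `-RecordPath` default and `leaver@contoso.example` are placeholders.

```powershell
# Added example: auditable leaver offboarding with the Microsoft Graph PowerShell SDK.
# Not from the original post. Cmdlet names are assumed from the Graph SDK; confirm against
# your installed module version. Supports -WhatIf via SupportsShouldProcess.
function Invoke-LeaverOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $RecordPath = ".\offboarding-records",   # placeholder: where the evidence file lands
        [switch] $DeleteUser                              # delete only after the record is written
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,UserPrincipalName,AccountEnabled
    if (-not $user) { throw "User $UserPrincipalName not found" }

    # 1. Capture current state for the compliance record before changing anything.
    $groups  = Get-MgUserMemberOf -UserId $user.Id -All |
               Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    $devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$($user.UserPrincipalName)'" -All

    $record = [ordered]@{
        timestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        operator     = (Get-MgContext).Account
        user         = $user.UserPrincipalName
        userObjectId = $user.Id
        groups       = @($groups  | ForEach-Object { $_.AdditionalProperties['displayName'] })
        devices      = @($devices | ForEach-Object { @{ id = $_.Id; name = $_.DeviceName; lastSync = $_.LastSyncDateTime } })
        actions      = @()
    }

    # 2. Block sign-in and revoke refresh tokens so existing sessions stop working.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable account and revoke sessions')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        $record.actions += 'disabled;sessions-revoked'
    }

    # 3. Remove group memberships (licences, app assignments and shared resources follow groups).
    foreach ($g in $groups) {
        if ($PSCmdlet.ShouldProcess($g.AdditionalProperties['displayName'], 'Remove group membership')) {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
            $record.actions += "removed-from-group:$($g.Id)"
        }
    }

    # 4. Wipe the user's Intune devices; as the post notes, wipe also removes the device from Intune and AAD.
    foreach ($d in $devices) {
        if ($PSCmdlet.ShouldProcess($d.DeviceName, 'Intune wipe')) {
            Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
            $record.actions += "wipe-issued:$($d.Id)"
        }
    }

    # 5. Persist the record, then optionally delete the account (Graph soft-deletes for 30 days).
    New-Item -ItemType Directory -Path $RecordPath -Force | Out-Null
    $file = Join-Path $RecordPath "$($user.Id).json"
    $record | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding utf8

    if ($DeleteUser -and $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Delete user')) {
        Remove-MgUser -UserId $user.Id
        $record.deletedUtc = (Get-Date).ToUniversalTime().ToString('o')
        $record | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding utf8
    }
    return $file
}

# Dry run first: -WhatIf prints every planned action without executing it.
# Invoke-LeaverOffboarding -UserPrincipalName 'leaver@contoso.example' -WhatIf
# Invoke-LeaverOffboarding -UserPrincipalName 'leaver@contoso.example' -DeleteUser
```

The ordering matters for the SOC 2 argument in the post: the JSON record (who ran it, when, which groups and devices were touched) is the evidence an auditor asks for, so it is written before the account is deleted rather than relying on the disabled object itself as the record.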