Manage Stale Devices in Azure AD

What is a device identity?

A device identity is an object in Azure Active Directory (Azure AD). This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions. There are three ways to get a device identity:

- Azure AD registration
- Azure AD join
- Hybrid Azure AD join

Device identities are a prerequisite for scenarios like device-based Conditional Access policies and Mobile Device Management with Microsoft Endpoint Manager.

Modern device scenario

The modern device scenario focuses on two of these methods:

- Azure AD registration: bring your own device (BYOD); mobile devices (cell phones and tablets)
- Azure AD join: Windows 10 devices owned by your organization; Windows Server 2019 and newer servers in your organization running as VMs in Azure

Hybrid Azure AD join is seen as an interim step on the road to Azure AD join. Hybrid Azure AD join provides organizations support for down-level Windows versions back to Windows 7 and Server 2008. All three scenarios can coexist in a single organization.

Resource access

Registering and joining devices to Azure AD gives users single sign-on (SSO) to cloud-based resources. Devices that are Azure AD joined also benefit from SSO to your organization's on-premises resources.

What is a stale device?

A stale device is a device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:

- Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active.
- An increased number of devices creates unnecessary device writebacks, increasing the time for Azure AD Connect syncs.

As general hygiene and to meet compliance requirements, you may want to keep the set of devices in a clean state.

Stale device detection

A stale device is defined as a registered device that hasn't been used to access any cloud apps for a specific timeframe, so detecting stale devices requires a timestamp-related property. In Azure AD, this property is called ApproximateLastLogonTimestamp, or the activity timestamp. If the delta between now and the value of the activity timestamp exceeds the timeframe you have defined for active devices, the device is considered stale. This activity timestamp is now in public preview. We can use a PowerShell script to detect stale devices in Azure AD.

Challenges dealing with Azure AD devices

- There is no report in Azure AD that shows the stale devices.
- There is no retention policy to delete the stale devices from Azure AD.
- There is no way to restore a deleted Azure AD device or its attributes (e.g. BitLocker recovery key).

Why stale device cleanup is required

When you swap a device by reimaging or reinstalling, the Hardware ID stays the same. This results in multiple device entries in Azure AD and causes issues with Conditional Access, as Intune thinks the older version isn't actually compliant even though Intune just has one record.

Action

- Set device clean-up rules for Intune managed devices. Intune managed devices need to be removed from Intune before clean-up from Azure AD (recommended: 90-180 days).
- If your device is under the control of any other MDM solution, retire the device in the management system before disabling or deleting it.
- Don't delete system-managed devices. These are generally devices such as Autopilot devices. Once deleted, these devices can't be reprovisioned. The new Get-AzureADDevice cmdlet excludes system-managed devices by default.
- BitLocker keys for Windows 10 devices are stored on the device object in Azure AD. As soon as we delete a stale device, we also delete the BitLocker keys that are stored on the device. You may use the ExportBitLockerKey.ps1 script to export all device BitLocker keys from Azure AD.
- Disable stale devices in Azure AD for at least a week.
- Delete the disabled stale device entries from Azure AD. The AzureADDeviceCleanup.ps1 script will help you disable and delete stale device entries from Azure AD.

Reference
https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices

PowerShell scripts
https://github.com/Sumanjit092/AzureAdDeviceBitLockerKeyExport
https://github.com/Sumanjit092/AzureADDeviceCleanup
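The detection and the disable-then-delete sequence described above, as an added example that is not one of the linked scripts: it uses the AzureAD module (Get-AzureADDevice, Set-AzureADDevice, Remove-AzureADDevice) and assumes Connect-AzureAD has already been run with sufficient rights; the 180-day threshold, the 7-day grace period and the report path are assumed values.

```powershell
# Added example: report stale Azure AD devices, disable them, and delete only those already disabled.
# Assumes an existing Connect-AzureAD session. Defaults below are assumptions, not values from the page.
param(
    [int]$StaleDays = 180,               # assumed: no cloud-app activity for this long means "stale"
    [int]$GraceDays = 7,                 # keep devices disabled at least a week before deleting
    [string]$ReportPath = ".\StaleDevices.csv",
    [switch]$Disable,                    # without -Disable/-Delete the script only reports
    [switch]$Delete
)

$now          = Get-Date
$staleBefore  = $now.AddDays(-$StaleDays)
$deleteBefore = $now.AddDays(-($StaleDays + $GraceDays))

# Get-AzureADDevice excludes system-managed (e.g. Autopilot) devices by default, so they are never touched here.
$devices = Get-AzureADDevice -All $true

# A missing activity timestamp does not prove inactivity; report those devices separately instead of treating them as stale.
$noTimestamp = @($devices | Where-Object { -not $_.ApproximateLastLogonTimeStamp })
$stale = @($devices | Where-Object {
    $_.ApproximateLastLogonTimeStamp -and $_.ApproximateLastLogonTimeStamp -le $staleBefore
})

# Always write the report first: once deleted, a device object (and its BitLocker keys) cannot be restored.
$stale |
    Select-Object DisplayName, DeviceId, ObjectId, DeviceTrustType, IsManaged, AccountEnabled, ApproximateLastLogonTimeStamp |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} stale devices written to {1}; {2} devices have no activity timestamp" -f $stale.Count, $ReportPath, $noTimestamp.Count)

foreach ($d in $stale) {
    # Intune/MDM-managed devices must be retired in the MDM first, so they are skipped here.
    if ($d.IsManaged) { Write-Warning "Skipping MDM-managed device $($d.DisplayName)"; continue }

    if ($Disable -and $d.AccountEnabled) {
        # Phase 1: disable. A disabled device loses access but stays recoverable by re-enabling it.
        Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false
        Write-Host "Disabled $($d.DisplayName) (last activity $($d.ApproximateLastLogonTimeStamp))"
    }
    elseif ($Delete -and -not $d.AccountEnabled -and $d.ApproximateLastLogonTimeStamp -le $deleteBefore) {
        # Phase 2: delete only devices that are already disabled and past the grace period.
        # The grace period is approximated from the activity timestamp, since the object does not record when it was disabled.
        Remove-AzureADDevice -ObjectId $d.ObjectId
        Write-Host "Deleted $($d.DisplayName)"
    }
}
```

Run it once with no switches to review the CSV, then with -Disable, and only after the grace period with -Delete.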