Manage Stale Devices in Azure AD

What is a Device Identity
A device identity is an object in Azure Active Directory (Azure AD). This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions.
There are three ways to get a device identity:
- Azure AD registration
- Azure AD join
- Hybrid Azure AD join
Device identities are a prerequisite for scenarios like device-based Conditional Access policies and Mobile Device Management with Microsoft Endpoint Manager.
Modern device scenario
The modern device scenario focuses on two of these methods:
- Azure AD registration
  - Bring your own device (BYOD)
  - Mobile devices (cell phones and tablets)
- Azure AD join
  - Windows 10 devices owned by your organization
  - Windows Server 2019 and newer servers in your organization running as VMs in Azure

Hybrid Azure AD join is seen as an interim step on the road to Azure AD join. Hybrid Azure AD join provides organizations with support for down-level Windows versions back to Windows 7 and Server 2008. All three scenarios can coexist in a single organization.
Resource access
Registering and joining devices to Azure AD gives users Seamless Sign-on (SSO) to cloud-based resources.
Devices that are Azure AD joined also benefit from SSO to your organization's on-premises resources.
What is a stale device
A stale device is a device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:
- Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active.
- An increased number of devices creates unnecessary device writebacks, increasing the time taken by Azure AD Connect syncs.
- As a general hygiene measure and to meet compliance requirements, you may want to keep a clean state of devices.
Stale Device Detection
A stale device is defined as a registered device that hasn't been used to access any cloud apps for a specific timeframe, so detecting stale devices requires a timestamp-related property. In Azure AD, this property is called ApproximateLastLogonTimestamp, or the activity timestamp. If the delta between now and the value of the activity timestamp exceeds the timeframe you have defined for active devices, the device is considered stale.

This activity timestamp is currently in public preview. A PowerShell script can read it to detect stale devices in Azure AD.
Challenges dealing with Azure AD devices
- There is no report in Azure AD that shows the stale devices.
- There is no retention policy to delete stale devices from Azure AD.
- There is no way to restore a deleted Azure AD device or its attributes (e.g. the BitLocker recovery key).
Why stale device cleanup is required
When you swap a device by reimaging or reinstalling it, the hardware ID stays the same. This results in multiple device entries in Azure AD for the same physical device, while Intune keeps just one record, so Conditional Access may evaluate the older Azure AD entry as non-compliant even though the device is compliant in Intune.
Action
- Set device clean-up rules for Intune-managed devices. Intune-managed devices need to be removed from Intune before clean-up from Azure AD. (Recommended: 90-180 days)
- If your device is under the control of any other MDM solution, retire the device in the management system before disabling or deleting it.
- Don't delete system-managed devices. These are generally devices such as Autopilot devices. Once deleted, these devices can't be reprovisioned. The new Get-AzureADDevice cmdlet excludes system-managed devices by default.
- BitLocker keys for Windows 10 devices are stored on the device object in Azure AD. As soon as we delete a stale device, we also delete the BitLocker keys stored on that device object.
- You may use the .\ExportBitLockerKey.ps1 script to export all device BitLocker keys from Azure AD.
- Disable stale devices in Azure AD for at least a week.
- Delete the disabled stale device entries from Azure AD.
- The .\AzureADDeviceCleanup.ps1 script will help you disable and delete stale device entries from Azure AD.
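
The detection rule and the disable-then-delete steps above, as an added PowerShell example (not the page's AzureADDeviceCleanup.ps1 script): it assumes the AzureAD module is installed, that the signed-in account may update and delete device objects, and the report path is a placeholder.

```powershell
# Added example, not the page's own script: stage stale-device cleanup with the
# AzureAD PowerShell module. Devices whose activity timestamp is older than
# $StaleDays are disabled; devices already disabled and stale for at least
# $StaleDays + $GraceDays are deleted. Without -Apply it only reports.
param(
    [int]$StaleDays = 90,
    [int]$GraceDays = 7,
    [switch]$Apply,
    [string]$ReportPath = ".\StaleDevices.csv"   # assumed output path
)
Connect-AzureAD | Out-Null
$now        = (Get-Date).ToUniversalTime()      # activity timestamp is UTC
$disableCut = $now.AddDays(-$StaleDays)
$deleteCut  = $now.AddDays(-($StaleDays + $GraceDays))

# -All $true pages past the first 100 results; per the page, the cmdlet already
# leaves out system-managed (e.g. Autopilot) devices.
$devices = Get-AzureADDevice -All $true

$report = foreach ($d in $devices) {
    $ts = $d.ApproximateLastLogonTimeStamp
    # No timestamp: no sign-in since the property became available, so flag the
    # device for manual review instead of treating it as stale.
    if ($null -eq $ts)                                      { $action = 'Review'  }
    elseif (-not $d.AccountEnabled -and $ts -le $deleteCut) { $action = 'Delete'  }
    elseif ($d.AccountEnabled -and $ts -le $disableCut)     { $action = 'Disable' }
    else                                                    { $action = 'Keep'    }
    [pscustomobject]@{
        DisplayName  = $d.DisplayName
        ObjectId     = $d.ObjectId
        Enabled      = $d.AccountEnabled
        LastActivity = $ts
        Action       = $action
    }
}

# Keep a record before acting: a deleted device object, BitLocker keys included,
# cannot be restored. Export BitLocker keys and retire MDM-managed devices first.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count | Format-Table

if ($Apply) {
    foreach ($r in $report) {
        switch ($r.Action) {
            'Disable' { Set-AzureADDevice -ObjectId $r.ObjectId -AccountEnabled $false }
            'Delete'  { Remove-AzureADDevice -ObjectId $r.ObjectId }
        }
    }
}
```

Run it once without -Apply to review the CSV, then a week or more later with -Apply so that the devices disabled in the first pass age into the Delete bucket.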
Reference
https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices

PowerShell Script
https://github.com/Sumanjit092/AzureAdDeviceBitLockerKeyExport
https://github.com/Sumanjit092/AzureADDeviceCleanup