
How to Identify Never-Logged-In Devices in Microsoft Entra ID

In large Microsoft 365 organizations, it's common to have devices that were registered but never actually used. These devices may have been added during provisioning or through Windows Autopilot. Even if left unused, these never-logged-in devices can complicate license tracking and device management in your Microsoft 365 environment. Therefore, this guide explains how to identify devices in Entra ID that have never signed in and manage them effectively to keep your environment well-organized.

Find Microsoft 365 Never-Logged-In Devices Using Microsoft Entra Admin Center

Microsoft Permission
Least privilege: Security Reader
Most privilege: Global Admin
  • Sign in to the Microsoft Entra admin center, and navigate to All Devices under Entra ID»Devices.
  • Here, you can identify never-logged-in devices by checking if the 'Activity' column value is set to 'N/A'.

Get Never-Logged-In Microsoft 365 Devices Using PowerShell

Microsoft Graph Permission Required
Least privilege: Device.Read.All
Most privilege: Directory.ReadWrite.All

  • While the Entra portal is helpful for checking never-logged-in devices, it requires reviewing each device individually, which can be time-consuming.
  • To save time, you can use PowerShell to retrieve only the never-logged-in devices in Microsoft Entra ID.
  • First, connect to Microsoft Graph PowerShell using the cmdlet below.

     Connect-MgGraph -Scopes "Device.Read.All"

  • Then, run the following cmdlet to get all never-logged-in devices in Microsoft 365 using PowerShell.

     Get-MgDevice -All | Where-Object { $_.ApproximateLastSignInDateTime -eq $null } |
         Select-Object DisplayName, Id, AccountEnabled, RegistrationDateTime, OperatingSystem, TrustType |
         Format-Table -AutoSize

Discover Never-Logged-In Devices to Keep Your Entra Device Inventory Clean!

AdminDroid's Microsoft Entra ID reporting tool helps identify unused devices within your tenant. With easily exportable reports, it enables you to make informed decisions while supporting streamlined device onboarding and maintaining a well-organized Microsoft 365 environment.

Inspect Device Credential Operations to Minimize Access Interruptions

Audit device credential changes in Entra ID to gain insights into operations that may cause authentication issues and leave devices unused or in a never-logged-in state.

Keep your Device List Organized by Evaluating Hybrid Joined Devices

Review hybrid Entra joined devices to find pre-created computer accounts synced from Active Directory via Entra Connect, and remove them to keep the directory clean.

Identify Devices Blocked by Compliance Policies in Microsoft 365

Identify non-compliant devices and enforce compliance to prevent them from staying never-logged-in under Conditional Access.

Review Disabled Devices in Entra ID to Identify Sign-In Blocks

Utilize the disabled devices report to spot sign-in blocked devices and re-enable them to prevent unintended log-in issues in Microsoft 365.

Manage Never-Logged-In Devices to Eliminate Unused Personal Devices

Identify unused personal devices in Entra ID to eliminate potential threats by removing them from the device inventory and keeping device counts accurate during audits.

Analyze Recently Registered Devices to Control Unauthorized Endpoints

Monitor recently registered devices to identify and remove duplicate devices before they become unused and pose security risks.

Overall, AdminDroid's Entra ID management tool provides comprehensive visibility into devices that have never accessed Microsoft 365 services. Additionally, it improves device management by detecting unmanaged, stale, and non-compliant devices while optimizing overall resource utilization.


Important tips

Require MFA for device registration to ensure only authorized users enroll devices, reduce unused devices, and maintain accountability.

Block unmanaged devices that have never signed in to Microsoft 365 to ensure that only active and authorized devices can access organizational resources. 

Set up enrollment notifications in Intune to monitor newly registered devices and quickly detect unauthorized or unnecessary enrollments before they pile up.

Common Errors and Resolution Steps

Below are some common errors and troubleshooting tips while identifying never-logged-in devices in Microsoft 365.

Error: Get-MgDevice_List : Authentication needed. Please call Connect-MgGraph.

This error occurs in PowerShell when you try to run 'Get-MgDevice' before connecting to the Microsoft Graph module.

Fix: To overcome this error, connect to the Microsoft Graph PowerShell module before running the 'Get-MgDevice' cmdlet.

Error: Connect-MgGraph: The term 'Connect-MgGraph' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when the Microsoft Graph PowerShell SDK is not installed or the module hasn't been imported in the session.

Fix: To resolve this error, install and import the module using the following PowerShell cmdlets, and then connect to Microsoft Graph PowerShell.
#Run the below cmdlet to install the Microsoft Graph module.
Install-Module Microsoft.Graph -Scope CurrentUser
#Run the below cmdlet to import the Microsoft Graph module.
Import-Module Microsoft.Graph

Error: Get-MgDevice: Insufficient privileges to complete the operation.

This error occurs when you run the 'Get-MgDevice' cmdlet without connecting to Microsoft Graph using the required scope permissions to read device details.

Fix: To resolve this error, use the required scopes when connecting to the Microsoft Graph PowerShell module, such as "Device.Read.All", as shown below.
Connect-MgGraph -Scopes "Device.Read.All"

Error: Unable to delete devices from Entra ID, or devices remain in a 'Pending' state.

This issue occurs in a hybrid-joined device synced with Microsoft Entra Connect. If the device is deleted only from Entra ID, it will be re-synced from the on-premises Active Directory and appear in a 'Pending' state.

Fix: To resolve this error, ensure the device is also deleted from the on-premises Active Directory. Then, run the following command on the client device to clean up the existing registration.
dsregcmd.exe /debug /leave

Frequently Asked Questions

Optimize Entra ID Device Inventory with Never-Used Device Management

1. What is the difference between inactive devices and never-logged-in devices in Microsoft 365?

Never-logged-in devices and inactive devices are often mistaken for one another, but they are different. Devices that have never been used are generally safe to remove, as they typically don’t store any organizational data. On the other hand, inactive devices were used in the past and may still contain sensitive information, so they must be handled with caution.

Understanding the difference between these two helps you make the right decisions when cleaning up your device inventory.


2. What are the best practices for managing never-signed-in devices in Microsoft 365?

Managing never-signed-in devices in Microsoft Entra ID is important for keeping your identity environment secure and efficient. Without proper governance, these devices can become security liabilities, clutter your directory, and create compliance gaps. Here are some best practices to implement structured policies and controls for effectively managing never-used devices in Entra ID.

  • Manage on-premises devices: Always remove unused hybrid-joined devices in your on-premises Active Directory first, then let Entra Connect synchronize the changes to Entra ID to prevent synchronization conflicts.
  • Disable before deleting: Unused devices should first be disabled, followed by a defined grace period. This allows you to account for legitimate reasons for inactivity and gives users an opportunity to report any issues before permanent removal.
  • Set device enrollment policies: Control who can join or register devices in Entra ID by restricting this ability to specific users or groups in the device identity settings. This helps prevent unauthorized device enrollment and reduces the chances of never-used devices.
  • Manage devices with Microsoft Intune: Oversee devices via Microsoft Intune to enforce regular check-ins and compliance reporting, so you can easily identify and manage devices that fail to check in.
  • Limit devices per user: Set a limit on the maximum number of Microsoft Entra-joined or registered devices per user (default is 50, but expandable up to 100) to prevent the accumulation of never-logged-in or orphaned devices.
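
The "disable before deleting" and on-premises-first practices above can be combined in one script. The following is an added example, not part of the original article or AdminDroid's tooling; the 30-day grace period ($GraceDays) and the log file path ($LogPath) are assumed values chosen for illustration.

```powershell
# Added example. Assumes an existing session created with:
#   Connect-MgGraph -Scopes "Device.ReadWrite.All"
# $GraceDays and $LogPath are illustrative values, not settings from the article.
$GraceDays = 30
$LogPath   = ".\disabled-never-used-devices.csv"
$Cutoff    = (Get-Date).ToUniversalTime().AddDays(-$GraceDays)

$Candidates = Get-MgDevice -All | Where-Object {
    # No sign-in has ever been recorded for the device.
    $neverSignedIn = -not $_.ApproximateLastSignInDateTime
    # Registered before the cutoff. Newer devices may simply be awaiting first use
    # (for example, freshly provisioned machines); devices with no registration
    # date are skipped rather than guessed at.
    $pastGrace = $_.RegistrationDateTime -and $_.RegistrationDateTime -lt $Cutoff
    # Hybrid-joined devices (TrustType 'ServerAd') are cleaned up in on-premises AD first.
    $cloudOnly = $_.TrustType -ne 'ServerAd'
    $neverSignedIn -and $_.AccountEnabled -and $pastGrace -and $cloudOnly
}

# Record what is about to change so the action can be reviewed or reversed later.
$Candidates |
    Select-Object DisplayName, Id, DeviceId, TrustType, OperatingSystem, RegistrationDateTime |
    Export-Csv -Path $LogPath -NoTypeInformation

foreach ($Device in $Candidates) {
    # -WhatIf makes this a dry run; remove it to actually disable the devices.
    Update-MgDevice -DeviceId $Device.Id -AccountEnabled:$false -WhatIf
}

Write-Host "$(@($Candidates).Count) device(s) matched; details written to $LogPath"
```

The CSV doubles as the review list for the grace period: a device that turns out to be legitimate can be re-enabled with Update-MgDevice -AccountEnabled, and only the remaining Ids go on to deletion.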

3. How to find unmanaged devices that were never used in Entra ID?

Unmanaged devices are endpoints that are registered in Entra ID but not managed by Microsoft Intune or any other MDM solution. As a result, they are not validated against compliance policies and are considered noncompliant. So, it’s important to identify devices that were never used so you can enroll them in Intune/MDM and make sure they comply with organizational policies.

Identify never-used unmanaged devices using Microsoft Entra

  • In Microsoft Entra, navigate to Devices»Overview under Entra ID, and click on Unmanaged devices.
  • Then, check for devices with no activity logs by identifying those with N/A in the Activity column.

Export never-used unmanaged devices using PowerShell

To export never-used unmanaged devices from Entra ID, run the following cmdlet after connecting to Microsoft Graph PowerShell and replacing <OutputPath> with your output file location.

Get-MgDevice -All |
    Where-Object {
        -not $_.ApproximateLastSignInDateTime -and
        -not $_.IsManaged
    } |
    Select-Object DisplayName, Id, RegistrationDateTime, OperatingSystem |
    Export-Csv "<OutputPath>.csv" -NoTypeInformation

4. How to remove never-used devices from Microsoft Entra?

Avoid letting never-used devices put your Microsoft 365 organization’s security at risk, as these devices can silently serve as attack vectors and may allow unauthorized access. To prevent this, identify and delete such devices regularly to maintain a proper device lifecycle and a well-governed identity environment.

Remove never-used devices via Entra admin center

  • In Microsoft Entra admin center, navigate to All Devices under Entra ID»Devices.
  • Then, select the never-used devices and click Delete from the toolbar.
  • Then, click OK in the confirmation prompt to delete the selected devices.

Note: This only removes the device from Microsoft Entra ID. If the device is managed via Intune, you'll also need to delete it from Intune.

Delete never-used devices from Microsoft 365 using PowerShell

To delete all never-used devices in Microsoft 365, connect to Microsoft Graph PowerShell with the Device.ReadWrite.All scope and run the following cmdlet.

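# Collect every device that has no recorded sign-in.
$NeverUsedDevices = Get-MgDevice -All | Where-Object { -not $_.ApproximateLastSignInDateTime }
# Out-Host ensures the list is displayed before the confirmation prompt appears.
$NeverUsedDevices | Select-Object DisplayName, Id | Out-Host
# if/else is used instead of the ternary operator so the script also runs in Windows PowerShell 5.1.
if ((Read-Host "Delete these devices? (Y/N)") -match '^[Yy]$') {
    $NeverUsedDevices | ForEach-Object {
        Remove-MgDevice -DeviceId $_.Id
        Write-Host "Deleted: $($_.DisplayName)"
    }
} else {
    Write-Host "Deletion cancelled."
}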
