
How to Find Stale Devices in Microsoft Entra ID

Are you confident that every device registered in your Microsoft 365 environment is still actively used? Many organizations unknowingly accumulate stale devices that lead to unnecessary security exposure and management overhead. These devices can become potential entry points if they lack security updates or are compromised by attackers. Therefore, this guide shows you how to identify inactive devices in Entra ID and clean them up to improve your organization’s security.

Identify Stale Devices in Microsoft Entra Admin Center

Microsoft 365 permission required
  • Least privilege: Security Reader
  • Most privilege: Global Administrator
  • Sign in to the Microsoft Entra admin center.
  • Navigate to Devices»Overview under Entra ID and click the Stale devices card to open the list of devices with no recent sign-in activity.
  • By default, devices that have been inactive for over 180 days are displayed. However, you can customize the activity filter to align with your specific requirements.

Note: Devices that never logged in will not show a last activity date, as no sign-in activity has been recorded.

Get Entra ID Stale Devices Lists Using Microsoft Graph PowerShell

Microsoft Graph permission required
  • Least privilege: Device.Read.All (BitLockerKey.Read.All is only needed if you also want to read recovery keys)
  • Most privilege: Directory.ReadWrite.All, BitLockerKey.Read.All
  • Connect to Microsoft Graph PowerShell with the scope needed to read device objects:
     Connect-MgGraph -Scopes "Device.Read.All"
  • Run the cmdlet below. It lists every device with its display name, object Id and approximate last sign-in timestamp; sort or filter on that column to pick out the inactive ones. An empty ApproximateLastSignInDateTime means the device has never signed in, and the value is approximate by design (it reflects device-level authentication, not every user logon), so treat it as a staleness indicator rather than an exact last-use time.
     Get-MgDevice -All | Select-Object DisplayName, Id, ApproximateLastSignInDateTime

Export Entra ID Inactive Devices Using PowerShell Script

Microsoft Graph permission required
  • Least privilege: Device.Read.All, BitLockerKey.Read.All
  • Most privilege: Directory.ReadWrite.All, BitLockerKey.Read.All
  • The cmdlet above shows each device's last sign-in, but turning that into a stale-device list still needs filtering by date, handling of devices that have never signed in, and export to a file.
  • To cover that, we've published a PowerShell script that exports inactive Entra ID devices together with their number of inactive days and other key details.
  • To generate the report, run the script with the InactiveDays parameter set to the threshold you want:
     ./GetAzureADDevicesReport.ps1 -InactiveDays <NumberOfDays>
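If you would rather not depend on a downloaded script, the same report can be built in a few dozen lines of Microsoft Graph PowerShell. The block below is an added example, not the GetAzureADDevicesReport.ps1 script and not code from the original post; the function name Get-EntraStaleDeviceReport and its parameters are invented here. It assumes the Microsoft.Graph module is installed and that a session has already been opened with Connect-MgGraph -Scopes "Device.Read.All". It goes a little beyond the cmdlet above: it ages never-signed-in devices from their registration date instead of silently dropping or flagging them, and it labels hybrid-joined devices, which must be cleaned up on-premises rather than in the cloud.

```powershell
# Added example: build the stale-device report directly in Microsoft Graph PowerShell.
# This is not the GetAzureADDevicesReport.ps1 script and not code from the original post;
# the function and parameter names are invented here. Assumes the Microsoft.Graph module is
# installed and a session has been opened with: Connect-MgGraph -Scopes "Device.Read.All"

function Get-EntraStaleDeviceReport {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 90,          # threshold for "stale"
        [string]$CsvPath,                 # optional export target
        [switch]$IncludeNeverSignedIn     # also report devices with no sign-in, aged from their registration date
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$InactiveDays)
    # Ask Graph only for the properties the report needs.
    $props  = 'id','displayName','accountEnabled','approximateLastSignInDateTime','registrationDateTime',
              'trustType','operatingSystem','operatingSystemVersion','isManaged','isCompliant'

    $rows = foreach ($d in Get-MgDevice -All -Property $props) {
        $last = $d.ApproximateLastSignInDateTime
        if ($null -eq $last) {
            # Never signed in: skipped by default, because a device registered an hour ago looks
            # identical to one abandoned years ago. With the switch, age it from registration instead.
            if (-not $IncludeNeverSignedIn) { continue }
            $last = $d.RegistrationDateTime
            if ($null -eq $last) { continue }
        }
        if ($last -gt $cutoff) { continue }

        $joinType = switch ($d.TrustType) {
            'AzureAd'   { 'Entra joined' }
            'ServerAd'  { 'Hybrid joined' }      # delete these in on-premises AD, not in the cloud
            'Workplace' { 'Entra registered' }
            default     { $d.TrustType }
        }
        [pscustomobject]@{
            DisplayName  = $d.DisplayName
            Id           = $d.Id
            Enabled      = $d.AccountEnabled
            JoinType     = $joinType
            OS           = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
            Managed      = $d.IsManaged
            Compliant    = $d.IsCompliant
            LastSignIn   = $d.ApproximateLastSignInDateTime
            Registered   = $d.RegistrationDateTime
            InactiveDays = [int]($now - $last).TotalDays
        }
    }

    $rows = @($rows | Sort-Object InactiveDays -Descending)
    if ($CsvPath) { $rows | Export-Csv -Path $CsvPath -NoTypeInformation }
    return $rows
}

# Usage: devices with no sign-in for 90+ days, exported to CSV and shown on screen.
Get-EntraStaleDeviceReport -InactiveDays 90 -CsvPath .\EntraStaleDevices.csv |
    Format-Table DisplayName, JoinType, Enabled, LastSignIn, InactiveDays -AutoSize
```

The JoinType column is the one to check before any cleanup: a "Hybrid joined" row will come straight back if it is deleted from Entra ID alone, because Entra Connect re-creates it from the on-premises computer object.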

Unlock Complete Visibility into Microsoft Entra ID Device Management!

AdminDroid’s Microsoft Entra ID reporting tool helps you effortlessly view all stale devices along with how long they’ve been inactive. To support your proactive management, it also offers key device reports designed to optimize your device inventory and ensure that only active devices can access Microsoft 365 resources.

Review Enabled Devices in Microsoft 365

Check enabled devices in Entra ID to identify stale devices that still retain access to organizational resources, and disable those unused devices.

Identify Deleted Devices in Microsoft Entra ID

Monitor deleted devices to confirm that inactive devices were properly removed and ensure that no active devices were deleted accidentally.

Uncover Security Risks from Unmanaged Devices in Microsoft Entra

Inspect unmanaged devices that haven't been active for a while to block their access to corporate resources before they become attack vectors.

Validate Devices With Multiple Owners in Entra ID

Leverage the devices with multiple owners report to assess whether ownership is still relevant and determine if the device is actively used within your Microsoft 365 environment.

Find Devices Marked as Non-Compliant Due to Inactivity

Detect non-compliant devices in Microsoft 365 that failed to report their compliance status due to inactivity, even after the compliance status validity period.

Spot Inactive Company-Owned Devices in Entra ID

Track company-owned devices in Microsoft Entra ID that have remained unused for a long time and reclaim licenses to reduce unnecessary costs.

Overall, AdminDroid’s Entra ID management tool goes well beyond native solutions by offering a detailed view of your organization’s device identities. Apart from devices, it provides comprehensive insights into users, groups, apps, and more to keep your identity environment clean, secure, and well-structured.


Important tips

Prohibit unmanaged devices from accessing SharePoint and OneDrive data to ensure that only active and managed devices can access organizational resources.

Use the device identity settings in Entra ID to limit the number of devices per user and reduce the chances of inactive devices cluttering the tenant.

Mandate device enrollment through Microsoft Intune to enable remote data management and prevent data exfiltration from stale devices.

Common Errors and Resolution Steps

Here are some common errors and troubleshooting tips while managing stale devices in Microsoft 365.

Error ./GetAzureADDevicesReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run the GetAzureADDevicesReport.ps1 script in PowerShell but the execution policy blocks it. A downloaded script also carries a Mark of the Web, which the RemoteSigned policy treats as untrusted until the file is unblocked.

Fix Avoid switching the policy to Unrestricted machine-wide, which allows any script on the box to run. Unblock the downloaded script and relax the policy only for the current session:
Unblock-File -Path .\GetAzureADDevicesReport.ps1
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process

Error Connect-MgGraph: The term ‘connect-MgGraph’ is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when the Microsoft Graph PowerShell SDK is not installed, or the module has not been imported into the session.

Fix Install the module, import it and then connect to Microsoft Graph. Get-MgDevice ships in the Microsoft.Graph.Identity.DirectoryManagement sub-module, so importing just that one is much quicker than loading the whole SDK.
#Install the Microsoft Graph module for the current user.
Install-Module Microsoft.Graph -Scope CurrentUser
#Import the sub-module that contains Get-MgDevice (or Import-Module Microsoft.Graph to load everything).
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Error Get-MgDevice: Insufficient privileges to complete the operation.

This error occurs when you run the ‘Get-MgDevice’ cmdlet without connecting to Microsoft Graph using the required scope permissions to read device details.

Fix Define the necessary scopes when connecting to the Microsoft Graph PowerShell module as shown below.
Connect-MgGraph -Scopes "Device.Read.All"

Error Unable to delete devices from Entra ID, or the device reappears in a 'Pending' state.

This happens with hybrid-joined devices that are synchronized by Microsoft Entra Connect. If the device object is deleted only from Entra ID, the next sync cycle recreates it from on-premises Active Directory, and it shows up again in a 'Pending' state.

Fix Delete the computer object from on-premises Active Directory as well, so that Entra Connect removes it from the cloud. Then, on the client itself, clear the stale registration with the command below. Run it from an elevated prompt; on hybrid-joined machines it should run in the SYSTEM context (for example through PsExec -s), otherwise it exits without leaving.
dsregcmd /debug /leave

1. How to manage stale devices in Microsoft Entra ID?

Inactive devices can pose a security risk if left unchecked, especially if they still have access to organizational resources. So, it's essential to regularly clean up inactive devices from Entra ID to maintain a secure and well-managed environment.

This can be approached in two ways: disabling inactive devices in case reactivation is needed, and permanently deleting devices that are no longer in use.

Disable stale devices from Entra admin center

  • In the Microsoft Entra admin center, navigate to Devices»Overview under Entra ID, and click the Stale devices card.
  • Select the devices you want to disable and click Disable in the toolbar.
  • Click OK in the confirmation prompt.

Note: Disabling only blocks the device object in Microsoft Entra ID. The device can no longer use its device identity to authenticate to the tenant, but it keeps its registration and can be re-enabled later. Disabling or deleting in Entra ID does not touch the Intune record, so if the device is managed by Intune you still need to retire or delete it there separately.

Delete stale devices from Entra admin center

  • In the Microsoft Entra admin center, navigate to Devices»Overview under Entra ID, and click the Stale devices card.
  • Select the devices you want to remove and click Delete in the toolbar.
  • Click OK in the confirmation prompt to permanently delete the selected devices.

Note: Deletion is irreversible: there is no recycle bin for device objects. Before deleting, back up the BitLocker recovery keys stored for those devices, because once the device object is gone its keys can no longer be retrieved from Entra ID. For hybrid-joined devices, delete the computer object in on-premises Active Directory first, otherwise Entra Connect recreates the cloud object.

2. How to clean up inactive devices using PowerShell?

Besides the Microsoft Entra admin center, you can disable or delete inactive devices with Microsoft Graph PowerShell, which is the practical option for bulk operations. The scripts below disable or delete every device that matches an inactivity threshold; try them against a test tenant or with -WhatIf appended to the Update-MgDevice/Remove-MgDevice call first, because the delete step is irreversible.

Connect to Microsoft Graph with a scope that allows writing device objects. The signed-in account also needs a directory role that may disable and delete devices, such as Cloud Device Administrator:

Connect-MgGraph -Scopes "Device.ReadWrite.All"

Disable stale devices using PowerShell

To disable every stale device in Entra ID, run the following script after replacing <Days> and <FilePath>. Devices that have never signed in (no ApproximateLastSignInDateTime) are skipped on purpose: they may have been registered minutes ago.

[int]$InactiveDays = <Days>          # e.g. 90
$LogPath = "<FilePath>"              # e.g. C:\Reports\DisabledDevices.log
$Cutoff  = (Get-Date).AddDays(-$InactiveDays)

Get-MgDevice -All | Where-Object {
    ($null -ne $_.ApproximateLastSignInDateTime) -and
    ($_.ApproximateLastSignInDateTime -le $Cutoff) -and
    ($_.AccountEnabled -eq $true)
} | ForEach-Object {
    $Device = $_    # keep a reference: inside catch, $_ is the error record, not the device
    try {
        Update-MgDevice -DeviceId $Device.Id -BodyParameter @{ AccountEnabled = $false } -ErrorAction Stop
        Add-Content -Path $LogPath -Value "Disabled device: $($Device.DisplayName) | ID: $($Device.Id)"
    }
    catch {
        Add-Content -Path $LogPath -Value "ERROR disabling device: $($Device.DisplayName) | ID: $($Device.Id) | Message: $($_.Exception.Message)"
    }
}

Delete stale devices using PowerShell

You can also remove stale devices from Microsoft Entra ID with the script below. It deletes stale devices whether they are enabled or already disabled, skips hybrid-joined devices (deleting those in the cloud alone only gets them re-synced from on-premises AD, see the 'Pending' state error above), and leaves devices that have never signed in alone. Append -WhatIf to Remove-MgDevice for a dry run before the real pass.

[int]$InactiveDays = <Days>          # e.g. 180
$LogPath = "<FilePath>"              # e.g. C:\Reports\DeletedDevices.log
$Cutoff  = (Get-Date).AddDays(-$InactiveDays)

Get-MgDevice -All | Where-Object {
    ($null -ne $_.ApproximateLastSignInDateTime) -and
    ($_.ApproximateLastSignInDateTime -le $Cutoff) -and
    ($_.TrustType -ne 'ServerAd')    # ServerAd = hybrid joined; remove those in on-premises AD instead
} | ForEach-Object {
    $Device = $_    # keep a reference: inside catch, $_ is the error record, not the device
    try {
        Remove-MgDevice -DeviceId $Device.Id -ErrorAction Stop
        Add-Content -Path $LogPath -Value "Deleted device: $($Device.DisplayName) | ID: $($Device.Id)"
    }
    catch {
        Add-Content -Path $LogPath -Value "ERROR deleting device: $($Device.DisplayName) | ID: $($Device.Id) | Message: $($_.Exception.Message)"
    }
}
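The BitLocker note in the previous answer and the delete script above fit together into one safe deletion routine: back up the recovery keys of each device, skip anything hybrid-joined, and only then delete. The block below is an added example and not code from the original post; the function names Backup-EntraDeviceBitLockerKeys and Remove-EntraStaleDeviceSafely and their parameters are invented here. It assumes the Microsoft.Graph module and a session opened with Connect-MgGraph -Scopes "Device.ReadWrite.All","BitLockerKey.Read.All", and that the signed-in account holds a role allowed to read recovery keys and delete devices (Cloud Device Administrator is assumed).

```powershell
# Added example (not part of the original post): back up a device's BitLocker recovery keys
# and only then delete the device object, skipping hybrid-joined devices.
# Assumes the Microsoft.Graph module and a session opened with:
#   Connect-MgGraph -Scopes "Device.ReadWrite.All","BitLockerKey.Read.All"
# Function and parameter names are this example's own. The signed-in account additionally
# needs a role allowed to read recovery keys and delete devices (assumed: Cloud Device Administrator).

function Backup-EntraDeviceBitLockerKeys {
    param(
        [Parameter(Mandatory)][string]$DeviceId,   # the device's DeviceId GUID, not its object Id
        [Parameter(Mandatory)][string]$OutFile     # keep this file on an encrypted, access-controlled location
    )
    $keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'" -All
    foreach ($k in $keys) {
        # The key material is only returned when explicitly selected, and each read is audited.
        $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $k.Id `
                    -Property 'key','deviceId','createdDateTime','volumeType'
        [pscustomobject]@{
            DeviceId    = $DeviceId
            KeyId       = $k.Id
            VolumeType  = $full.VolumeType
            Created     = $full.CreatedDateTime
            RecoveryKey = $full.Key
        } | Export-Csv -Path $OutFile -NoTypeInformation -Append
    }
    return @($keys).Count
}

function Remove-EntraStaleDeviceSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [int]$InactiveDays     = 180,
        [string]$KeyBackupPath = '.\BitLockerKeys.csv',
        [string]$LogPath       = '.\DeletedDevices.log'
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $stale  = Get-MgDevice -All -Property 'id','deviceId','displayName','trustType','approximateLastSignInDateTime' |
        Where-Object { $null -ne $_.ApproximateLastSignInDateTime -and $_.ApproximateLastSignInDateTime -le $cutoff }

    foreach ($d in $stale) {
        $label = "$($d.DisplayName) ($($d.Id))"
        if ($d.TrustType -eq 'ServerAd') {
            # Hybrid joined: a cloud-only delete just gets re-synced; remove the on-premises computer object instead.
            Add-Content -Path $LogPath -Value "SKIPPED hybrid-joined $label"
            continue
        }
        # With -WhatIf nothing below runs, so a dry run never reads key material.
        if (-not $PSCmdlet.ShouldProcess($label, 'Back up BitLocker keys and delete device')) { continue }
        try {
            $n = Backup-EntraDeviceBitLockerKeys -DeviceId $d.DeviceId -OutFile $KeyBackupPath
            Remove-MgDevice -DeviceId $d.Id -ErrorAction Stop
            Add-Content -Path $LogPath -Value "DELETED $label | BitLocker keys backed up: $n"
        }
        catch {
            Add-Content -Path $LogPath -Value "ERROR $label | $($_.Exception.Message)"
        }
    }
}

# Dry run first. The real pass prompts per device because ConfirmImpact is High (add -Confirm:$false to suppress).
Remove-EntraStaleDeviceSafely -InactiveDays 180 -WhatIf
```

Two design choices worth noting: the key backup runs inside the ShouldProcess branch so that a -WhatIf pass produces no audited key reads and no key file, and the backup file is written before Remove-MgDevice is called, so a failed deletion never leaves you without the keys of a device that was about to disappear.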

3. How to recover a deleted device in Microsoft Entra ID?

Device recovery in Microsoft Entra ID is not as straightforward as restoring a user or group. Once a device is deleted, it cannot be recovered through the Microsoft Entra portal. Instead, users must re-register or rejoin the device depending on how it was originally enrolled.

As an admin, here's what you need to know about managing and guiding users through re-enrolling devices based on their join type, such as Entra-joined, registered, or hybrid-joined. 

Re-register Entra-registered Windows 10/11 devices

Users can re-add their devices to Microsoft Entra through the Windows settings shown below.

  • Navigate to Settings»Accounts»Access Work or School, select the account, and click Disconnect.
  • Click on "+ Connect" and register the device again by going through the sign-in process.

Recover Entra-joined Windows 10/11 devices

For devices joined to Microsoft Entra ID, users can trigger the recovery process by following the steps below.

  • Open PowerShell as an administrator and run the following command to recover deleted Entra-joined devices.
    dsregcmd /forcerecovery
  • Then, users will be prompted to sign in using their work or school account. After that, they should sign out and sign back in to complete the process.

Re-join Entra hybrid joined Windows 10/11 devices

In the case of hybrid Entra ID joined devices, the recovery process involves leaving the current join state and allowing the user to re-register the device.

  • Run the following command to leave the current join state.
    dsregcmd /debug /leave
  • Then, sign out and sign in again to initiate the scheduled task that registers the device with Microsoft Entra ID.

Note: These recovery steps apply to Windows 10, Windows 11 and Windows Server 2016 or later; they are not available on macOS or Linux.

4. How to remotely retire, wipe, or delete stale devices using Microsoft Intune?

Inactive devices may still contain sensitive corporate data. Therefore, it's essential to remove all organizational information from these devices before deleting them from Intune. To support this, Intune allows you to remotely manage data on managed inactive devices and set up automatic cleanup rules to keep your environment secure.

Run remote actions on Intune stale devices

  • In the Intune admin center, navigate to Devices»All devices.
  • Then, apply a filter using Last check-in, and select the inactive device as needed.
  • From the top toolbar, choose Retire, Wipe, or Delete based on your specific requirements.

Below is what each remote action does to a stale device in Intune.

  • Retire: removes the company data, apps and configuration that Intune delivered, and leaves the user's personal data in place. This is the usual choice for personally owned devices.
  • Wipe: resets the device to factory defaults, removing all data and configuration, with two optional behaviours:
    • Wipe device, but keep enrollment state and associated user account.
    • Wipe device, and continue to wipe even if the device loses power. Be aware that this option can leave some Windows 10 and later devices unable to start up again.
  • Delete: removes the device record from Intune. Use it after the device has been retired or wiped and is no longer in use.

Note: Whether Retire and Wipe are available, and exactly what they remove, depends on the device's OS and enrollment type (for example Microsoft Entra joined versus Microsoft Entra hybrid joined). Both actions stay pending until the device next checks in with Intune, so a device that never comes back online never executes them; that is one more reason to also block the device in Entra ID.
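The same three actions can be driven from Microsoft Graph PowerShell, which is how you would apply them to a whole batch of devices selected by last check-in. The block below is an added example and not code from the original post; the function name Invoke-IntuneStaleDeviceAction and its parameters are invented here. It assumes the Microsoft.Graph module and a session opened with Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All","DeviceManagementManagedDevices.ReadWrite.All". The wipe request fields mirror the portal options listed above as I read them: keepEnrollmentData/keepUserData for "keep enrollment state and associated user account", and useProtectedWipe for "continue to wipe even if the device loses power".

```powershell
# Added example (not from the original post): run the Intune Retire / Wipe / Delete actions
# against managed devices whose last check-in is older than a threshold, via Microsoft Graph
# PowerShell. Assumes the Microsoft.Graph module and a session opened with:
#   Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
#                           "DeviceManagementManagedDevices.ReadWrite.All"
# Function and parameter names are this example's own; the wipe body fields are assumed to
# map to the portal options (keepEnrollmentData/keepUserData, useProtectedWipe).

function Invoke-IntuneStaleDeviceAction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [int]$InactiveDays = 90,
        [ValidateSet('Retire', 'Wipe', 'Delete')][string]$Action = 'Retire',
        [switch]$KeepEnrollmentAndUser,   # Wipe: "keep enrollment state and associated user account"
        [switch]$ProtectedWipe,           # Wipe: "continue to wipe even if device loses power"
        [string]$LogPath = '.\IntuneStaleDevices.log'
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # lastSyncDateTime is the "Last check-in" column in the portal. Filter client-side and
    # require a timestamp, so a device with no sync record is never selected by accident.
    $stale = Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $null -ne $_.LastSyncDateTime -and $_.LastSyncDateTime -le $cutoff }

    foreach ($dev in $stale) {
        $target = "$($dev.DeviceName) [$($dev.OperatingSystem)] last check-in $($dev.LastSyncDateTime)"
        if (-not $PSCmdlet.ShouldProcess($target, $Action)) { continue }
        try {
            switch ($Action) {
                'Retire' { Invoke-MgRetireManagedDevice -ManagedDeviceId $dev.Id -ErrorAction Stop }
                'Wipe'   {
                    Invoke-MgWipeManagedDevice -ManagedDeviceId $dev.Id -ErrorAction Stop -BodyParameter @{
                        keepEnrollmentData = [bool]$KeepEnrollmentAndUser
                        keepUserData       = [bool]$KeepEnrollmentAndUser
                        useProtectedWipe   = [bool]$ProtectedWipe
                    }
                }
                'Delete' { Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $dev.Id -ErrorAction Stop }
            }
            # Retire and Wipe stay pending until the device checks in; Delete takes effect at once.
            Add-Content -Path $LogPath -Value "$Action issued: $target | $($dev.Id)"
        }
        catch {
            Add-Content -Path $LogPath -Value "ERROR ${Action}: $target | $($dev.Id) | $($_.Exception.Message)"
        }
    }
}

# Dry run, then retire for real by removing -WhatIf (each device prompts unless -Confirm:$false is given).
Invoke-IntuneStaleDeviceAction -InactiveDays 90 -Action Retire -WhatIf
```

Retire first and Delete later, as the list above recommends: the log records what was issued to which device Id, which is the evidence you will want if a device turns out not to have been stale after all.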

Set up auto cleanup in Intune to remove inactive devices

You can set automatic clean-up rules in Intune to remove device records after a set period without check-in. Note that a clean-up rule only deletes the Intune record; it does not retire or wipe the device, and it does not remove the device object from Entra ID, so the Entra clean-up described earlier is still needed.

  • Navigate to Devices»Organize devices»Device clean-up rules in the Intune admin center.
  • Enter a name for the policy, choose the platform the rule should cover, then click Next.
  • Under the Rule settings tab, enter the number of days in the "Remove devices that haven't checked in for this many days" field. Intune accepts values from 30 to 270 days.
  • Verify the affected devices by selecting Preview affected devices from the warning box, and then click Next.
  • Finally, review your configuration and click Create.
