Deleting and Removing computer object synched hybrid from Entra ID /Azure AD ?

EnterpriseArchitect 5,406 Reputation points
2024-06-13T07:00:43.1366667+00:00

I use Hybrid Azure AD / Entra ID and Intune to deploy and manage the AD computer objects that are joined to OnPremise AD DS.

May I know the potential side effects of deleting the device using the below code?

Remove-MgDevice -DeviceId 

Is there any way to undo it or redo it?

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
434 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,374 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,205 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,133 questions
0 comments No comments
{count} votes

Accepted answer
  1. Raja Pothuraju 8,075 Reputation points Microsoft Vendor
    2024-06-17T12:51:19.8333333+00:00

    Hello @EnterpriseArchitect,

    If there is no CA policy in place to block unmanaged devices, users can log in to Entra resources from any device, whether it is Entra registered, Entra joined, or unmanaged.

    To effectively control user logins, a CA policy should be implemented to restrict access from unmanaged devices such as iOS or Android.

    Does it mean it won't have any effect?

    Yes, even after you delete a device from Entra using the Remove-MgDevice -DeviceId command, users will still be able to access resources from that particular device.

    It is recommended to implement a CA policy to block access from unmanaged devices according to your organizational requirements. Please let me know if you need any assistance in creating such a policy with specific requirements. I am happy to help you out here.

    Or else you can refer the below documentation for more insights on creating a block CA policy.
    https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-access

    Hope this includes all the information that you were looking for.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Raja Pothuraju 8,075 Reputation points Microsoft Vendor
    2024-06-13T15:41:08.6566667+00:00

    Hello @EnterpriseArchitect,

    Thank you for posting your query on Microsoft Q&A.

    If you use Microsoft Entra hybrid joined and Intune to manage your AD computer objects that are joined to OnPremise AD DS, deleting a device using the Remove-MgDevice command will remove the device from Microsoft Entra ID and Intune. This means that the device will no longer be able to access any Microsoft Entra resources.

    If the device is Microsoft Entra hybrid joined using windows Autopilot it can't be deleted before the device gets deleted from Intune.

    • Deleting a device:
      • Prevents it from accessing your Microsoft Entra resources.
      • Removes all details attached to the device. For example, BitLocker keys for Windows devices.
      • Is a nonrecoverable activity. We don't recommend it unless it's required.

    Note: When you delete a Microsoft Entra hybrid joined device only in Microsoft Entra ID will re-synchronize the device from your on-premises using Microsoft Entra Connect but as a new object in "Pending" state. A re-registration is required on the device.

    Is there any way to undo it or redo it?

    As for undoing or redoing the removal:

    Undo: There's no direct "undo" command for Remove-MgDevice. Once the device is removed, the action is irreversible.

    Redo: You can re-enroll the device into management. If the device is still available and accessible, you can enroll it again into Hybrid Azure AD / Entra ID and Intune management. However, any configurations and policies that were previously applied will need to be reapplied. To mitigate the potential risks, it's recommended to carefully review and confirm the device you're removing before executing the Remove-MgDevice command.

    Please refer the below documents for more information.

    https://learn.microsoft.com/en-gb/entra/identity/devices/manage-device-identities#delete-a-microsoft-entra-device

    https://learn.microsoft.com/en-gb/entra/identity/devices/faq

    https://learn.microsoft.com/en-us/entra/identity/devices/manage-stale-devices

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Thanks,

    Raja Pothuraju.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.