This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I use Hybrid Azure AD / Entra ID and Intune to deploy and manage the AD computer objects that are joined to OnPremise AD DS.
May I know the potential side effects of deleting the device using the below code?
Remove-MgDevice -DeviceId
Is there any way to undo it or redo it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @EnterpriseArchitect,
If there is no CA policy in place to block unmanaged devices, users can log in to Entra resources from any device, whether it is Entra registered, Entra joined, or unmanaged.
To effectively control user logins, a CA policy should be implemented to restrict access from unmanaged devices such as iOS or Android.
Does it mean it won't have any effect?
Yes, even after you delete a device from Entra using the Remove-MgDevice -DeviceId command, users will still be able to access resources from that particular device.
It is recommended to implement a CA policy to block access from unmanaged devices according to your organizational requirements. Please let me know if you need any assistance in creating such a policy with specific requirements. I am happy to help you out here.
Or else you can refer the below documentation for more insights on creating a block CA policy.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-access
Hope this includes all the information that you were looking for.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello @EnterpriseArchitect,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello @EnterpriseArchitect,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Thank you @Raja Pothuraju
Hello @EnterpriseArchitect,
Thank you for posting your query on Microsoft Q&A.
If you use Microsoft Entra hybrid joined and Intune to manage your AD computer objects that are joined to OnPremise AD DS, deleting a device using the Remove-MgDevice command will remove the device from Microsoft Entra ID and Intune. This means that the device will no longer be able to access any Microsoft Entra resources.
If the device is Microsoft Entra hybrid joined using windows Autopilot it can't be deleted before the device gets deleted from Intune.
Note: When you delete a Microsoft Entra hybrid joined device only in Microsoft Entra ID will re-synchronize the device from your on-premises using Microsoft Entra Connect but as a new object in "Pending" state. A re-registration is required on the device.
Is there any way to undo it or redo
it?
As for undoing or redoing the removal:
Undo: There's no direct "undo" command for Remove-MgDevice. Once the device is removed, the action is irreversible.
Redo: You can re-enroll the device into management. If the device is still available and accessible, you can enroll it again into Hybrid Azure AD / Entra ID and Intune management. However, any configurations and policies that were previously applied will need to be reapplied. To mitigate the potential risks, it's recommended to carefully review and confirm the device you're removing before executing the Remove-MgDevice command.
Please refer the below documents for more information.
https://learn.microsoft.com/en-gb/entra/identity/devices/faq
https://learn.microsoft.com/en-us/entra/identity/devices/manage-stale-devices
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thank you @Raja Pothuraju ,
What happens to the mobile device with the Join type = Microsoft Entra registered, what would happen if I delete that device and the user is still using it?
Hello @EnterpriseArchitect,
Thank you for following up on this!
Deleting a device registered with Microsoft Entra ID does not remove its registration on the client. It will only prevent access to resources using the device as an identity, such as Conditional Access.
Based on the screenshot provided, it appears to be an iOS device not managed by any MDM provider, like Intune. This indicates that it is registered with Entra ID without being managed by Intune. If you delete the device from Entra devices, users will not be able to access any resources from Entra.
Allow me to illustrate a scenario: After deleting the device from Entra, if users attempt to log in to any application from that device, access will be blocked by the Conditional Access policy, since you've removed the device object entry from Entra devices. This restriction remains in place unless the user attempts access from a registered device.
Do you have any Conditional Access policies deployed for those users to block access from an unmanaged device?
Please let me know if you have any further concerns regarding this matter.
Thanks and Regards,
Raja Pothuraju
Hello @EnterpriseArchitect,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hi @Raja Pothuraju ,
No, I do not have any CA for the Non Windows device to access the M365 applications like Outlook, OneDrive and Teams.
Does it mean it won't have any effect?