Devices showing activity even after being deleted

MarcVanderhaegen 241 Reputation points
2022-11-30T11:52:03.807+00:00

Hello,

We are facing a strange problem. We have a lot of machines that have been deleted from our AD, the storage device was sanitized, for months, but still, in AAD, we can see activity!

For example, this device was sanitized on 22/02/2021 but still, it shows activity on 28/11/2022:

![265668-image.png][1]

The activity found for this machine is:

![265670-image.png][2]

How is it possible?

Thanks for your help.

Marc

[1]: /api/attachments/265668-image.png?platform=QnA
[2]: /api/attachments/265670-image.png?platform=QnA


1 answer

  1. Alistair Ross 7,106 Reputation points Microsoft Employee
    2022-11-30T15:30:09.967+00:00

    Hello anonymous user

    The device shown is a Hybrid Azure AD Joined device, meaning it was joined to on-premises AD and Azure AD. The activity timestamp is triggered by an authentication attempt of a device when:

    • A Conditional Access policy requiring managed devices or approved client apps has been triggered.
    • Windows 10 or newer devices that are either Azure AD joined or hybrid Azure AD joined are active on the network.
    • Intune managed devices have checked in to the service.

    Just because it is deleted from Active Directory doesn't mean you have removed the device. Follow the instructions on this page to correctly clean up devices: https://learn.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices

    I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

    Kind regards

    Alistair
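
An added example, not part of the question or the answer above: one way to find every device in the situation described in this thread is to cross-check a decommission inventory against device objects exported from Microsoft Graph and flag those whose `approximateLastSignInDateTime` is later than the sanitization date. The Graph property names are real; the device names, the export contents and the inventory format are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph /devices export (names are made up).
GRAPH_DEVICES = json.loads("""[
 {"displayName": "PC-0001", "trustType": "ServerAd", "accountEnabled": true,
  "approximateLastSignInDateTime": "2022-11-28T09:15:00Z"},
 {"displayName": "PC-0002", "trustType": "ServerAd", "accountEnabled": true,
  "approximateLastSignInDateTime": "2022-05-20T07:00:00Z"},
 {"displayName": "PC-0003", "trustType": "AzureAd", "accountEnabled": true,
  "approximateLastSignInDateTime": "2022-11-29T12:00:00Z"},
 {"displayName": "pc-0004", "trustType": "ServerAd", "accountEnabled": false,
  "approximateLastSignInDateTime": null}
]""")

# Constructed decommission inventory: device name -> date the disk was sanitized.
DECOMMISSIONED = {"PC-0001": "2021-02-22", "PC-0002": "2022-06-01", "PC-0004": "2021-03-10"}

def _utc(text):
    """Parse a Graph timestamp or a plain date into an aware UTC datetime."""
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def active_after_decommission(devices, decommissioned):
    """Return device objects whose last sign-in is later than their sanitization date."""
    findings = []
    for dev in devices:
        wiped = decommissioned.get(dev["displayName"].upper())
        last = dev.get("approximateLastSignInDateTime")
        if wiped is None or last is None:
            continue  # not decommissioned, or no sign-in activity recorded
        gap = _utc(last) - _utc(wiped)
        if gap.total_seconds() > 0:
            findings.append({
                "device": dev["displayName"],
                "hybrid_joined": dev.get("trustType") == "ServerAd",
                "still_enabled": bool(dev.get("accountEnabled")),
                "days_after_wipe": gap.days,
            })
    # Longest-lived leftovers first: those are the cleanup priorities.
    return sorted(findings, key=lambda f: f["days_after_wipe"], reverse=True)

if __name__ == "__main__":
    for finding in active_after_decommission(GRAPH_DEVICES, DECOMMISSIONED):
        print(finding)
```

Devices this flags are candidates for the cleanup procedure linked in the answer; a flagged object that is still enabled deserves attention first.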