Unjoin a past user after deletion

some1somewhere 1 Reputation point
2021-03-22T14:45:40.79+00:00

A new Microsoft 365 Standard (desktop apps + Exchange) user was added to a PC before deleting the old user. The old user was simply deleted and not "disconnected" from the AAD first. The PC has also since been renamed.

Now some items are saying that the new user does not have access. In the AAD admin console, the PC still appears with the old PC name and the user says None. I've renamed it again, and I've had it resave the BitLocker key in hopes it would cause it to update to the new user. I tried, under the new user, [Disconnect] under "Work or school" ... connected to XXXXX's Azure AD; it doesn't work. It asks for credentials of a local admin account, which can be an MS account or a local account - I've tried both this new user and the ticket desk Azure AD user, which also exists. The credentials are valid. It says "account info doesn't work".

dsregcmd /status shows

DEVICE state:
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
USER state:
WorkplaceJoined: NO

I noted that there is an "Azure AD removal tool" - WPJCleanup.zip. The download contains five folders for v1709 to 2004; it does not include a folder for 20H2. Is this the correct solution to resolve this issue? Will the 2004 version work for 20H2? Will I lose the profile of the current user and need to redo everything?

1 answer

  1. Marilee Turscak-MSFT 37,056 Reputation points Microsoft Employee
    2021-03-24T16:34:20.47+00:00

    You should remove the Azure AD join, remove the device, and turn off automatic registration.

    You can remove the Azure AD join by running dsregcmd /status.

    Then, if you know the object ID of the device you can try removing the device with this command:

    Remove-AzureADDevice -ObjectId "deviceIDhere"

    See also: How do I remove an Azure AD registered state for a device locally?

    As mentioned in the documentation, deleting an Azure AD device does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g Conditional Access). When a user is deleted or disabled in Azure AD, it's not immediately known to the Windows device. So users who signed in previously can access the desktop with the cached username and password, typically for ~4 hours after deletion.

    I would unjoin the device, remove the device, remove the user from the organization, and permanently delete the user.

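The three steps in the answer above (leave the Azure AD join locally, delete the device object in Azure AD, turn off automatic registration), carried out from an elevated PowerShell prompt on the affected PC. This is an added example, not code from the question or from the answer. It assumes the AzureAD PowerShell module is installed, that the account used with Connect-AzureAD is allowed to delete device objects, and that the DeviceId reported by dsregcmd /status is the object to remove; the registry value BlockAADWorkplaceJoin is the documented policy for blocking Azure AD registration, and the hashtable keys come straight from the dsregcmd output.

```powershell
#Requires -RunAsAdministrator
# Added example: the answer's three steps as one script. Not the question's or answer's code.

# Parse "dsregcmd /status" into a hashtable of "Name : Value" fields, so the
# join state and the device ID can be read without eyeballing the output.
# Header lines such as "DEVICE state:" and box-drawing lines are skipped.
function Get-DsregStatus {
    param([string[]]$Lines = (dsregcmd.exe /status))
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

# Constructed check of the parser against the lines pasted in the question.
$sample = @'
DEVICE state:
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
USER state:
WorkplaceJoined: NO
'@ -split "`r?`n"
$parsed = Get-DsregStatus -Lines $sample
if ($parsed['AzureAdJoined'] -ne 'YES' -or $parsed['WorkplaceJoined'] -ne 'NO') {
    throw 'Parser did not read the sample status as expected.'
}

# Live state of this machine. Capture the DeviceId before leaving, because
# dsregcmd no longer reports it once the join state is gone.
$before   = Get-DsregStatus
$deviceId = $before['DeviceId']
Write-Host "AzureAdJoined=$($before['AzureAdJoined']) DeviceId=$deviceId"

# Step 1: remove the local join state. This is what Settings > Accounts >
# Access work or school > Disconnect does. Assumption: an elevated prompt is
# enough here; if dsregcmd reports it needs the SYSTEM context, run the same
# command through "PsExec -s -i" instead.
if ($before['AzureAdJoined'] -eq 'YES') {
    dsregcmd.exe /leave
}

# Step 2: delete the device object in Azure AD. The answer shows
# Remove-AzureADDevice with a known ObjectId; here the ObjectId is looked up
# from the DeviceId that dsregcmd reported, since the two GUIDs differ.
Connect-AzureAD | Out-Null
if ($deviceId) {
    $device = Get-AzureADDevice -All $true | Where-Object { $_.DeviceId -eq $deviceId }
    if ($device) {
        Write-Host "Removing device object $($device.ObjectId) ($($device.DisplayName))"
        Remove-AzureADDevice -ObjectId $device.ObjectId
    } else {
        Write-Host "No Azure AD device object with DeviceId $deviceId was found."
    }
}

# Step 3: stop the PC from re-registering itself automatically. For a device
# that is not domain joined (DomainJoined : NO in the question) the relevant
# policy is BlockAADWorkplaceJoin = 1 under the WorkplaceJoin policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'BlockAADWorkplaceJoin' -Type DWord -Value 1

# Verify: after a successful leave the device should report AzureAdJoined : NO.
$after = Get-DsregStatus
Write-Host "AzureAdJoined is now $($after['AzureAdJoined'])"
```

Run the leave step first and the Azure AD deletion second: as the answer notes, deleting the object in Azure AD does not clear the registration on the client, so doing it the other way round leaves a device that still believes it is joined but can no longer be matched to a tenant object. Remove the BlockAADWorkplaceJoin value again before joining the PC to Azure AD under the new user.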
