Duplicate Items Devices Azure AD Best Practice

jpcapone 1,021 Reputation points
2022-09-04T02:51:13.4+00:00

I am getting a lot of conflicting information when it comes to dealing with duplicate devices in Azure AD. I can understand how easily a device can be duplicated depending upon the join type. My question is: should this be remediated, or do we leave it be? Take note of the screenshot below. I would assume that the Azure AD registered device can be removed, but it is being managed by Intune while the other device is not. This device is also Active Directory domain joined, which again would lead me to believe that the Hybrid Azure AD joined device should remain, but as you can see it isn't managed by Intune. Please advise.
237515-image.png

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
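The situation in the screenshot (one Hybrid Azure AD joined object and one Azure AD registered object with the same name, with Intune management on only one of them) can be inventoried across the tenant before deciding anything. The following PowerShell is an added example, not code from the thread or from Microsoft: it groups device objects by display name and reports pairs where one entry has TrustType `ServerAd` (Hybrid Azure AD joined) and another has TrustType `Workplace` (Azure AD registered), together with each object's `IsManaged` flag and last sign-in. It only reports; it deletes nothing. The sample device objects at the bottom are constructed, with placeholder device IDs, so the script runs offline.

```powershell
# Added example (not from the thread): report Azure AD device objects that exist twice
# under the same name, once Hybrid Azure AD joined and once Azure AD registered.
function Find-DualStateDevices {
    param(
        # Objects exposing DisplayName, TrustType, IsManaged, DeviceId and
        # ApproximateLastSignInDateTime (the shape Get-MgDevice returns).
        [Parameter(Mandatory)] [object[]] $Devices
    )
    $Devices |
        Group-Object -Property DisplayName |
        Where-Object {
            $types = $_.Group.TrustType
            ($types -contains 'ServerAd') -and ($types -contains 'Workplace')
        } |
        ForEach-Object {
            $hybrid     = $_.Group | Where-Object TrustType -eq 'ServerAd'
            $registered = $_.Group | Where-Object TrustType -eq 'Workplace'
            [pscustomobject]@{
                DisplayName          = $_.Name
                HybridDeviceId       = $hybrid.DeviceId
                HybridManaged        = $hybrid.IsManaged
                HybridLastSignIn     = $hybrid.ApproximateLastSignInDateTime
                RegisteredDeviceId   = $registered.DeviceId
                RegisteredManaged    = $registered.IsManaged
                RegisteredLastSignIn = $registered.ApproximateLastSignInDateTime
            }
        }
}

# Constructed sample data (placeholder IDs), mirroring the screenshot: the registered
# object is Intune-managed, the hybrid object is not. WS-0002 has no duplicate.
$sampleDevices = @(
    [pscustomobject]@{ DisplayName = 'WS-0001'; TrustType = 'ServerAd';  IsManaged = $false
                       DeviceId = 'hybrid-guid-placeholder';     ApproximateLastSignInDateTime = [datetime]'2022-09-01' }
    [pscustomobject]@{ DisplayName = 'WS-0001'; TrustType = 'Workplace'; IsManaged = $true
                       DeviceId = 'registered-guid-placeholder'; ApproximateLastSignInDateTime = [datetime]'2022-09-03' }
    [pscustomobject]@{ DisplayName = 'WS-0002'; TrustType = 'ServerAd';  IsManaged = $true
                       DeviceId = 'single-guid-placeholder';     ApproximateLastSignInDateTime = [datetime]'2022-09-02' }
)

# Offline run on the constructed sample: only WS-0001 is reported.
Find-DualStateDevices -Devices $sampleDevices | Format-List
```

Against a real tenant, replace `$sampleDevices` with the output of `Get-MgDevice -All -Property DisplayName,TrustType,IsManaged,DeviceId,ApproximateLastSignInDateTime` from the Microsoft Graph PowerShell SDK after `Connect-MgGraph -Scopes 'Device.Read.All'`. The report is meant to feed the decision the thread is asking about, not to make it.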

5 answers

Sort by: Most helpful
  1. Akshay-MSFT 3,881 Reputation points Microsoft Employee
    2022-11-07T06:02:05.677+00:00

    Hello @Johnwilliam-4177,

    This is the dual state of the device. Ref: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

    1. If your Windows 10 or newer domain joined devices are Azure AD registered to your tenant, it could lead to a dual state of hybrid Azure AD joined and Azure AD registered device. Any existing Azure AD registered state for a user would be automatically removed after the device is hybrid Azure AD joined and the same user logs in.
    2. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. After removing the Azure AD registered state, Windows 10 will unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.
    3. Even though Windows 10 and Windows 11 automatically remove the Azure AD registered state locally, the device object in Azure AD is not immediately deleted if it is managed by Intune. You can validate the removal of Azure AD registered state by running dsregcmd /status and consider the device not to be Azure AD registered based on that.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well

    1 person found this answer helpful.

  2. Cristian SPIRIDON 4,301 Reputation points
    2022-09-04T05:26:37.79+00:00

    Hi,

    According to the documentation, the AD Join device should be automatically removed by Azure AD.
    If that is not happening, you can add a reg key to prevent it in the future:

    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

    See the BlockAADWorkplaceJoin reg key.

    Hope this helps!
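Both of the answers above point at a client-side check: Akshay's answer says to validate the removal of the Azure AD registered state with `dsregcmd /status`, and Cristian's answer points at the BlockAADWorkplaceJoin registry key that prevents the registration from recurring. The PowerShell below is an added example, not code from the thread or from Microsoft, that ties the two together: it parses `dsregcmd /status` output into key/value pairs, flags the dual state (AzureAdJoined, DomainJoined and WorkplaceJoined all YES), and reads whether the policy value is set. The registry path `HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin` and the DWORD value `BlockAADWorkplaceJoin = 1` are the documented location for that setting; the `dsregcmd` output embedded at the bottom is a constructed sample so the parser can be exercised offline.

```powershell
# Added example (not from the thread): detect the Hybrid Azure AD joined + Azure AD registered
# dual state from dsregcmd /status, and report the BlockAADWorkplaceJoin policy.
# WorkplaceJoined is a per-user state, so run the live check as the signed-in user.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "    Key : Value" rows inside boxed sections; keep only those rows
        # (box borders start with '+' or '|' and are skipped by the leading-letter requirement).
        if ($line -match '^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-DualJoinState {
    param([Parameter(Mandatory)] [hashtable] $State)
    $azureAdJoined   = $State['AzureAdJoined']   -eq 'YES'   # Device State section
    $domainJoined    = $State['DomainJoined']    -eq 'YES'   # Device State section
    $workplaceJoined = $State['WorkplaceJoined'] -eq 'YES'   # User State section (= Azure AD registered)
    [pscustomobject]@{
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        DualState       = $azureAdJoined -and $domainJoined -and $workplaceJoined
    }
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

function Get-BlockAADWorkplaceJoinPolicy {
    # Returns the configured value, or 'not set' when the policy is absent.
    $item = Get-ItemProperty -Path $policyKey -Name BlockAADWorkplaceJoin -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    return $item.BlockAADWorkplaceJoin
}

function Set-BlockAADWorkplaceJoinPolicy {
    # Needs an elevated session; sets the documented DWORD that blocks Azure AD registration
    # on domain-joined devices going forward. Not called by default.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name BlockAADWorkplaceJoin -PropertyType DWord -Value 1 -Force | Out-Null
}

# Constructed sample of the relevant dsregcmd /status rows (domain name is a placeholder).
$constructedStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

# Offline run on the constructed sample: DualState is True.
$parsed = ConvertFrom-DsregcmdStatus -Lines $constructedStatus
Test-DualJoinState -State $parsed

# On a real machine, parse live output instead:
# $parsed = ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status)
"BlockAADWorkplaceJoin policy: $(Get-BlockAADWorkplaceJoinPolicy)"
```

After the cleanup Akshay's answer describes has happened for a user, `WorkplaceJoined` reads NO for that user and `DualState` turns false even though, as that answer notes, the Azure AD object may linger while Intune still manages it.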

  3. jpcapone 1,021 Reputation points
    2022-09-04T21:50:31.127+00:00

    Thanks for the reply. I understand what you are saying, but I am more concerned about dealing with the issue as it is. The cat is out of the bag and I have quite a few devices in this state. I would assume that deleting the Azure AD registered device would be the correct course of action; however, it is being managed by Intune. I would appreciate someone giving me a little input on this.

  4. Luis Alberto Montecinos 1 Reputation point
    2022-09-26T18:46:11.697+00:00

    Same problem here. I already deleted the "Azure AD Registered" record and nothing happens.
    The device below used to be duplicated as "Hybrid Azure AD Joined" and "Azure AD Registered". As I said before, I deleted the entry for Azure AD Registered and it is not working.
    In my case I already deleted this record before (moving it from the synchronized OU to an offline OU, deleting it, and then restoring the computer to the synchronized OU). After deleting the record, the registered field appears as "Pendiente" (Pending).
    Any advice?

    244905-image.png

  5. jpcapone 1,021 Reputation points
    2022-09-27T12:35:59.63+00:00

    So can a Microsoft engineer weigh in on this and tell us if this is expected behavior? This appears to happen because a device can be synced from on-prem to Azure AND Azure AD registered when a user authenticates to use an Office 365 app.