Remove inactive devices in Intune automatically using Microsoft Graph API and Powershell (and a scheduled task)

Introduction

*Updated July 23 2018: Minor changes to the script doing the deletion*

Just like we do in Configuration Manager, Active Directory, Exchange and anywhere else (where possible), it’s a good idea to keep things clean (at least I think so). Clean in terms of removing inactive computers, objects, mailboxes and so forth. This brings me to Microsoft Intune and how we can leverage the Microsoft Graph API through Powershell to automatically remove inactive devices, and do so on a schedule through a scheduled task. Curious? Read on 🙂

Example of devices that haven’t checked in for 30 days

Requirements

  • First off: the following script is put together from the official Microsoft Intune script samples on GitHub.
  • Running anything automated (or manually, for that matter) requires an account with proper permissions: a service account with delegated permissions. I’m using a dedicated Global Admin (shared for running all sorts of automated jobs against Intune/O365/Azure).
  • The script itself requires the Azure AD Powershell module. Run Install-Module AzureAD from an elevated Powershell prompt on the computer running the script.
  • If you really want this to run unattended, you also need some method of authentication; there is no fun in manually entering credentials each time the script runs. For the script below, the following Powershell snippet was used to create a credentials.txt file used in combination with my service account:
    • IMPORTANT: The Powershell creating the credentials file *HAS* to be run as the account intended to run the script automatically. In this case that is the ON-PREMISE account we will create later in this guide (I will remind you again).

How to

Again, this is all done with inspiration from the official Microsoft Intune script samples on GitHub. However, I have made several changes to be able to run it fully automated. The original samples required confirmation prior to any action and offered the option to export data to a .csv. I also added a log function which, combined with the audit logs in Intune, will reveal exactly when the script was run locally and what actions were made in Intune.

So there’s that – run this with caution. It will potentially just delete any inactive device you have in your tenant.

The Script

Copy/paste below into your favorite ISE and save it as Remove-InactiveIntuneDevices.ps1. Search and find all comments starting with EDIT. There are 4 places where you should put your own details:

  1. Service account details
  2. Log file location
  3. How many days of inactivity
  4. Remove the commenting-out of the actual deletion. Keep it commented out while testing
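The script itself is not reproduced on this page. As an added example (not the author’s script, and not the Microsoft sample code), the following shows how the core selection-and-deletion step can be written so that it does the same job: page through the Graph managedDevices list, keep the devices whose lastSyncDateTime is older than the chosen number of days, log each one, and delete only when run without -WhatIf. It assumes $AuthToken is the authorization header hashtable produced by the Get-AuthToken function from the Intune samples repository; the log path and the function names are my own choices.

```powershell
# Added example, not the blog's Remove-InactiveIntuneDevices.ps1.
# Assumes $AuthToken is the header hashtable from the samples' Get-AuthToken.

function Get-InactiveManagedDevice {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,   # objects with id, deviceName, lastSyncDateTime
        [int] $Days = 30                               # EDIT: days of inactivity
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    # Devices that never synced have no lastSyncDateTime; they are skipped here on purpose.
    $Devices | Where-Object {
        $_.lastSyncDateTime -and ([datetime]$_.lastSyncDateTime).ToUniversalTime() -lt $cutoff
    }
}

function Remove-InactiveManagedDevice {
    [CmdletBinding(SupportsShouldProcess)]   # gives us -WhatIf for a dry run
    param(
        [Parameter(Mandatory)] [hashtable] $AuthToken,
        [int] $Days = 30,
        [string] $LogFile = 'C:\Scripts\Remove-InactiveIntuneDevices.log'   # EDIT: log location
    )
    # Page through all managed devices; Graph returns @odata.nextLink until the list is exhausted.
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,lastSyncDateTime,userPrincipalName'
    $all = @()
    do {
        $page = Invoke-RestMethod -Uri $uri -Headers $AuthToken -Method Get
        $all += $page.value
        $uri  = $page.'@odata.nextLink'
    } while ($uri)

    foreach ($d in (Get-InactiveManagedDevice -Devices $all -Days $Days)) {
        $msg = "$($d.deviceName) ($($d.userPrincipalName)) last sync $($d.lastSyncDateTime)"
        if ($PSCmdlet.ShouldProcess($msg, 'Delete Intune device')) {
            Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)" `
                              -Headers $AuthToken -Method Delete
            Add-Content -Path $LogFile -Value "$(Get-Date -Format s) DELETED $msg"
        } else {
            # -WhatIf lands here: nothing is deleted, but the candidate is still logged.
            Add-Content -Path $LogFile -Value "$(Get-Date -Format s) WOULD DELETE $msg"
        }
    }
}

# Dry run first; drop -WhatIf once the log shows only the devices you expect.
# Remove-InactiveManagedDevice -AuthToken $AuthToken -Days 30 -WhatIf
```

Running with -WhatIf is the equivalent of keeping the deletion commented out during testing: the log lists what would go, and nothing is removed from the tenant.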

Create the Scheduled Task

  • Before creating the actual scheduled task, you need another service account (for the sake of doing this properly) dedicated to running the task. This will be an on-premise account without any special permissions. However, the account does need the "Log on as a batch job" user right assignment locally on the server running the task. Launch secpol.msc on the server, browse to the policy shown below and add the newly created account.
    • IMPORTANT: This is the account that the Powershell creating the credentials.txt file has to be run as. If this is not the case, the authentication will fail, as the credentials.txt is unique to the user creating it.

  • Create the scheduled task. Below illustrates how I have set it up. Remember to select that the task runs whether a user is logged on or not, and remember to select your newly created service account.

  • Mine runs on a weekly schedule. This is whatever you prefer and suits your environment.

  • Add an action that runs powershell.exe with an argument of: C:\Scripts\Remove-InactiveIntuneDevices.ps1 -executionpolicy bypass (again, change this to where you have the script stored)

  • With above in place, leave the rest as default. The task has been created and will be listed on the overview of all the tasks:

Finally

  • Test the script and task: Right click on the task and select Run. All actions will be logged locally to the log file in the path you have chosen. See below:

Please leave a comment if this was useful – thank you 🙂

References:

https://github.com/microsoftgraph/powershell-intune-samples
https://gallery.technet.microsoft.com/scriptcenter/Write-Log-PowerShell-999c32d0
