Ideally, to complete the lifecycle, registered devices should be unregistered when they are not needed anymore. However, due to, for example, lost, stolen, broken devices, or OS reinstallations you typically have stale devices in your environment. As an IT admin, you probably want a method to remove stale devices, so that you can focus your resources on managing devices that actually require management.
22
+
Ideally, to complete the lifecycle, registered devices should be unregistered when they aren't needed anymore. However, due to, for example, lost, stolen, broken devices, or OS reinstallations you typically have stale devices in your environment. As an IT admin, you probably want a method to remove stale devices, so that you can focus your resources on managing devices that actually require management.
23
23
24
24
In this article, you learn how to efficiently manage stale devices in your environment.
25
25
26
26
## What is a stale device?
27
27
28
-
A stale device is a device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:
28
+
A stale device is a device that has been registered with Azure AD but hasn't been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:
29
29
30
30
- Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active.
31
31
- An increased number of devices creates unnecessary device writebacks increasing the time for Azure AD connect syncs.
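Review bot: the rewritten sentence still carries the awkward run "due to, for example, lost, stolen, broken devices, or OS reinstallations you typically have stale devices"; since the line is being edited anyway, consider "However, because devices get lost, stolen or broken, or their OS is reinstalled, you typically have stale devices in your environment." In the unchanged context line "Azure AD connect syncs", the product name should be capitalised as "Azure AD Connect".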
@@ -35,7 +35,7 @@ Stale devices in Azure AD can interfere with the general lifecycle policies for
35
35
36
36
## Detect stale devices
37
37
38
-
Because a stale device is defined as registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property. In Azure AD, this property is called **ApproximateLastLogonTimestamp** or **activity timestamp**. If the delta between now and the value of the **activity timestamp** exceeds the timeframe you have defined for active devices, a device is considered to be stale. This **activity timestamp** is now in public preview.
38
+
Because a stale device is defined as registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property. In Azure AD, this property is called **ApproximateLastLogonTimestamp** or **activity timestamp**. If the delta between now and the value of the **activity timestamp** exceeds the timeframe you've defined for active devices, a device is considered to be stale. This **activity timestamp** is now in public preview.
39
39
40
40
## How is the value of the activity timestamp managed?
41
41
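Review bot: both the old and new versions of the first sentence drop an article: "defined as registered device" should read "defined as a registered device". The closing sentence "This activity timestamp is now in public preview" is a status claim that tends to go stale; worth confirming it still holds before this contraction-only pass lands.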
@@ -79,7 +79,7 @@ Define a timeframe that is your indicator for a stale device. When defining your
79
79
80
80
### Disable devices
81
81
82
-
It is not advisable to immediately delete a device that appears to be stale because you can't undo a deletion if there is a false positive. As a best practice, disable a device for a grace period before deleting it. In your policy, define a timeframe to disable a device before deleting it.
82
+
It isn't advisable to immediately delete a device that appears to be stale because you can't undo a deletion if there's a false positive. As a best practice, disable a device for a grace period before deleting it. In your policy, define a timeframe to disable a device before deleting it.
83
83
84
84
### MDM-controlled devices
85
85
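Review bot: the two closing sentences of the "Disable devices" paragraph say the same thing ("disable a device for a grace period before deleting it" and "define a timeframe to disable a device before deleting it"); consider merging them into one, e.g. "As a best practice, define a grace period in your policy and disable a device for that period before deleting it." The contraction changes themselves are fine.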
@@ -122,7 +122,7 @@ Disable or delete Azure AD registered devices in the Azure AD.
122
122
123
123
## Clean up stale devices in the Azure portal
124
124
125
-
While you can clean up stale devices in the Azure portal, it is more efficient, to handle this process using a PowerShell script. Use the latest PowerShell V2 module to use the timestamp filter and to filter out system-managed devices such as Autopilot.
125
+
While you can clean up stale devices in the Azure portal, it's more efficient, to handle this process using a PowerShell script. Use the latest PowerShell V2 module to use the timestamp filter and to filter out system-managed devices such as Autopilot.
126
126
127
127
A typical routine consists of the following steps:
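Review bot: the stray comma in "it's more efficient, to handle this process" is carried over from the old line; drop it while touching the sentence. "Use the latest PowerShell V2 module" is also ambiguous in isolation; since the cmdlets used later on this page are Get-AzureADDevice and Remove-AzureADDevice, name the module explicitly (the Azure AD PowerShell V2 "AzureAD" module). The hunk header's context line "Disable or delete Azure AD registered devices in the Azure AD." has a dangling "in the Azure AD" that probably wants "in the Azure portal" or should be cut.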
> The `Remove-AzureADDevice` cmdlet does not provide a warning. Running this command will delete devices without prompting. **There is no way to recover deleted devices**.
163
+
164
+
Using the same 90 day example we can pipe the output to delete the devices that have a logon time stamp over 90 days old.
165
+
166
+
```powershell
167
+
$dt = (Get-Date).AddDays(-90)
168
+
Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | Remove-AzureADDevice
169
+
```
170
+
159
171
## What you should know
160
172
161
173
### Why is the timestamp not updated more frequently?
162
174
163
-
The timestamp is updated to support device lifecycle scenarios. This attribute is not an audit. Use the sign-in audit logs for more frequent updates on the device.
175
+
The timestamp is updated to support device lifecycle scenarios. This attribute isn't an audit. Use the sign-in audit logs for more frequent updates on the device.
164
176
165
177
### Why should I worry about my BitLocker keys?
166
178
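Review bot: the added deletion example contradicts the guidance given earlier on this same page. The paragraph above says to "filter out system-managed devices such as Autopilot", and the "Disable devices" section says to disable for a grace period rather than delete immediately, yet `Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | Remove-AzureADDevice` deletes every device older than the cutoff, enabled or not, Autopilot or not, and the added blockquote stresses that this cannot be undone (the BitLocker-key section below explains one of the consequences). Suggest restricting the filter to already-disabled devices (for example adding `-and $_.AccountEnabled -eq $false` to the `Where` block) and telling the reader to run the pipeline without the final `Remove-AzureADDevice` stage first to review the list. Also check how devices with an empty `ApproximateLastLogonTimeStamp` (never signed in) fall through the `-le` comparison. Minor wording: "90 day example" should be "90-day example", and "logon time stamp" should match the "timestamp" spelling used throughout the rest of the document.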
@@ -170,8 +182,8 @@ When configured, BitLocker keys for Windows 10 devices are stored on the device
170
182
171
183
When you delete an Azure AD device that was associated with a Windows Autopilot object the following three scenarios can occur if the device will be repurposed in future:
172
184
- With Windows Autopilot user-driven deployments without using pre-provisioning, a new Azure AD device will be created, but it won’t be tagged with the ZTDID.
173
-
- With Windows Autopilot self-deploying mode deployments, they will fail because an associate Azure AD device cannot be found. (This failure is a security mechanism to make sure that no “imposter” devices try to join Azure AD with no credentials.) The failure will indicate a ZTDID mismatch.
174
-
- With Windows Autopilot pre-provisioning deployments, they will fail because an associated Azure AD device cannot be found. (Behind the scenes, pre-provisioning deployments use the same self-deploying mode process, so they enforce the same security mechanisms.)
185
+
- With Windows Autopilot self-deploying mode deployments, they'll fail because an associate Azure AD device can’t be found. (This failure is a security mechanism to make sure that no “imposter” devices try to join Azure AD with no credentials.) The failure will indicate a ZTDID mismatch.
186
+
- With Windows Autopilot pre-provisioning deployments, they'll fail because an associated Azure AD device can’t be found. (Behind the scenes, pre-provisioning deployments use the same self-deploying mode process, so they enforce the same security mechanisms.)
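Review bot: the self-deploying-mode bullet still reads "an associate Azure AD device can't be found" in both the removed and added lines; the pre-provisioning bullet right below it has the correct "an associated Azure AD device", so fix the typo while the line is being changed. In the unchanged context line, "if the device will be repurposed in future" should be "in the future".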