
Day 57: Remove Intune Devices with PowerShell

Script to remove all devices within Intune based on UPN.

As part of an Intune project I’m working on, one of the things our support team wanted was a way to ensure devices were removed from Intune as part of our leavers process. This allows us to remove a device from Intune automatically without waiting for the Intune cleanup rule to remove retired/non-compliant devices, which is capped at a minimum of 30 days and goes up to around 280 or so. Initial investigations showed many people asking for this functionality via a script but unable to find the exact solution: the scripts were either aimed at devices rather than users, or went beyond the requirement when a simpler solution was needed. I love playing with PowerShell whenever I get the chance, and this was a fun little thing to troubleshoot and provide a solution for.

Firstly, the following script uses MSGraph, so it requires the module to be installed on the machine running the script, and that machine also needs to be connected to a tenant to run the script against.

Install MSGraph locally

Inside an administrative PowerShell window, run:

Install-Module -Name Microsoft.Graph.Intune

Connect to your tenant

In the same window, run:

Connect-MSGraph -AdminConsent

You’ll be asked to sign in with an account that has the right permissions; for simplicity’s sake, use an account that is an Intune Admin.

In production you’ll want to use a service account that is restricted to running this task, i.e. Graph access and the ability to modify/remove devices from Intune, and nothing more.

Set the $RemoveUser variable

Inside the script, there’s only one thing you need to modify and that’s the $RemoveUser variable. In our environment we use a ticketing system, so as part of our workflow we can export the value assigned to this variable from said system. In turn, the value is then used in the script.

It’s important to note that this is the UPN value being used. There are a few other properties that can be used (chassisType, activation date, model, manufacturer, serial number, userDisplayName and so on), but I found the UPN best, as all I want to do is cycle through the devices assigned to the UPN I specify and loop through those.

See the following command which details the UPN filtering process with the Intune module.

It’s up to you how to populate this variable: you could make it a prompt so the person running the script is asked for the UPN, or you can hardcode it if it’s a one-time thing.

$RemoveUser = "INSERT_UPN_HERE"
$RemoveDevices = Get-IntuneManagedDevice -Filter "userPrincipalName eq '$RemoveUser'" -ErrorAction Stop

Script process explanation

The next phase of the script runs through a loop, using the module to delete each device returned by the filter; the device ID for the current iteration is in $RemoveDevice.Id.

foreach ($RemoveDevice in $RemoveDevices)
{
    Remove-IntuneManagedDevice -managedDeviceId $RemoveDevice.Id -Verbose -ErrorAction Stop
}

Remove_Intune_Devices.ps1

The full script is below. Note that I have commented out the actual removal command; uncomment it once you’re comfortable with what the script does.

Hopefully this script helps you, please reach out if any issues or questions!

# Remove_Intune_Devices.ps1
# Written by Chris Fison - fisontech.net
# Install the MS Intune Graph Module
Install-Module -Name Microsoft.Graph.Intune
# Connect to MSGraph and give consent
Connect-MSGraph -AdminConsent
# Enter a UPN of the target user
$RemoveUser = "INSERT_UPN_HERE"
# Find every device that has a UPN assigned which matches your target user
$RemoveDevices = Get-IntuneManagedDevice -Filter "userPrincipalName eq '$RemoveUser'" -ErrorAction Stop
If ($RemoveDevices.Count -ge 1)
{
    foreach ($RemoveDevice in $RemoveDevices)
    {
        Write-Host "   Deleting: $($RemoveDevice.deviceName)" -NoNewline
        # Removal is commented out on purpose; uncomment once you are happy with the device list
        # Remove-IntuneManagedDevice -managedDeviceId $RemoveDevice.Id -Verbose -ErrorAction Stop
        Write-Host " - Success" -ForegroundColor Green
    }
}
Else
{
    Write-Host "No User Exists!" -ForegroundColor Red
}
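The function below is an added example, not Chris’s script, that wraps the same Get-IntuneManagedDevice filter and Remove-IntuneManagedDevice loop with the guards a leavers workflow usually needs: the UPN is shape-checked and quote-escaped before it goes into the OData filter, the matched devices are listed before anything is deleted, a sanity cap refuses to run if an unexpectedly large set matches, -WhatIf and per-device confirmation come from SupportsShouldProcess, and every outcome is appended to an audit log. The function name, the log path and the MaxDevices default are assumptions; it expects Microsoft.Graph.Intune to be installed and Connect-MSGraph to have already been run.

```powershell
# Added example (not part of the original post): a guarded version of the removal loop.
# Assumes Microsoft.Graph.Intune is installed and Connect-MSGraph has already succeeded.
function Remove-IntuneDevicesForUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]   # basic UPN shape check
        [string]$UserPrincipalName,

        # Audit log location; assumed path, change to suit your environment
        [string]$LogPath = "$env:TEMP\Remove_Intune_Devices.log",

        # Refuse to run if more devices match than a single leaver should have;
        # guards against a bad filter value (assumed default)
        [int]$MaxDevices = 5
    )

    # Double any single quote so the value cannot break out of the OData string literal
    $safeUpn = $UserPrincipalName.Replace("'", "''")
    $devices = Get-IntuneManagedDevice -Filter "userPrincipalName eq '$safeUpn'" -ErrorAction Stop

    if (-not $devices) {
        Write-Warning "No Intune devices are assigned to $UserPrincipalName"
        return
    }
    $devices = @($devices)   # force an array so .Count is reliable for a single result

    if ($devices.Count -gt $MaxDevices) {
        throw "Found $($devices.Count) devices for $UserPrincipalName, above the MaxDevices limit of $MaxDevices. Review the list before continuing."
    }

    # Show exactly what is about to be removed before anything happens
    $devices | Select-Object deviceName, id, serialNumber, lastSyncDateTime |
        Format-Table -AutoSize | Out-String | Write-Host

    foreach ($device in $devices) {
        $target = "$($device.deviceName) ($($device.id))"
        # -WhatIf prints the action without doing it; otherwise ConfirmImpact=High prompts per device
        if ($PSCmdlet.ShouldProcess($target, "Remove from Intune")) {
            try {
                Remove-IntuneManagedDevice -managedDeviceId $device.id -ErrorAction Stop
                $line = "{0} SUCCESS {1} {2}" -f (Get-Date -Format o), $UserPrincipalName, $target
                Write-Host "   Removed: $target" -ForegroundColor Green
            }
            catch {
                # Keep going with the remaining devices; the failure is recorded in the log
                $line = "{0} FAILED  {1} {2} : {3}" -f (Get-Date -Format o), $UserPrincipalName, $target, $_.Exception.Message
                Write-Host "   Failed:  $target - $($_.Exception.Message)" -ForegroundColor Red
            }
            Add-Content -Path $LogPath -Value $line
        }
    }
}

# Dry run first: lists the matched devices and the actions that would be taken, removes nothing
Remove-IntuneDevicesForUser -UserPrincipalName 'INSERT_UPN_HERE' -WhatIf

# Real run: prompts for each device because ConfirmImpact is High; add -Confirm:$false for an unattended ticket-driven run
# Remove-IntuneDevicesForUser -UserPrincipalName 'INSERT_UPN_HERE'
```

Running with -WhatIf first gives the same "look before you delete" step as the commented-out removal line in the script above, but without editing the code between the test and the live run; the audit log gives the support team a record of which device IDs were removed for which UPN and when.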

Noteworthy references:

https://smsagent.blog/2020/03/17/delete-device-records-in-ad-aad-intune-autopilot-configmgr-with-powershell/

https://docs.microsoft.com/en-us/answers/questions/357330/need-to-get-intune-device39s-enrolledby-user39s-id.html

https://techwizard.cloud/2019/07/03/microsoft-intune-powershell-module/

https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#automatically-delete-devices-with-cleanup-rules