

User leaves but mobile devices won't wipe

Question

Thursday, December 13, 2018 3:19 PM

I've been testing several scenarios within our setup of Intune. One of these that appears to fail is when I delete/disable an AD account that has devices configured within Intune (i.e. a member of staff leaves the company). The Azure sync occurs and the account is deleted (moves into the Deleted Users section), however the devices are not wiped - the company data remains. I'm guessing as the account associated with Company Portal is no longer valid, the device can't sync.

Am I doing something wrong here or is this, in effect, by design? It seems the only way around this is to manually delete the associated devices before we process the account - but then how can we guarantee that all devices have received the signal before proceeding, as deleting the item from Intune means we lose management.

Thanks

All replies (7)

Friday, December 14, 2018 2:07 AM ✅ Answered

Hello,

Before you delete or disable the Azure AD account, you must Wipe or Retire the devices associated with that user firstly. Otherwise, Intune can no longer wipe or retire those devices. Please refer here for more details.

Best regards,

Andy Liu

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Thursday, December 13, 2018 5:10 PM

To be clear here, what type of devices are you referring to? iOS, Android, or Windows (or all)?

Also, are you manually initiating a wipe or just expecting it to happen when you delete the user?

Jason | https://home.configmgrftw.com | @jasonsandys


Friday, December 14, 2018 9:17 AM

Jason, it was a general question for mobile devices but mainly Android and iOS. I was wondering if, when the user account is deleted the mobile devices are too.

Andy, thanks for the link, at least I know I'm not missing anything. We have an automated script to close accounts down. So I may have to add a section that connects to Azure and triggers the devices to wipe first.

Just out of interest, if a device is switched off at the time will the wipe still be queued up when the device is switched on or would it still require the user account to exist (and be active).


Friday, December 14, 2018 4:10 PM

Yes, it will queue up and the user is irrelevant for this.

Jason | https://home.configmgrftw.com | @jasonsandys


Saturday, December 15, 2018 1:05 AM

Another option and something to enable on the side is to use Intune Device Cleanup rules.  Devices that are inactive and stale will be removed based on the rule setup. 

https://blogs.technet.microsoft.com/system_center_in_action/2018/11/20/using-intune-device-cleanup-rules/

Best Regards,

Shuchi 


Monday, December 17, 2018 10:12 AM

Another option and something to enable on the side is to use Intune Device Cleanup rules.  Devices that are inactive and stale will be removed based on the rule setup. 

https://blogs.technet.microsoft.com/system_center_in_action/2018/11/20/using-intune-device-cleanup-rules/

Best Regards,

Shuchi 

We already have this configured, but as the article mentions, it won't perform a device wipe.

We just need to make sure devices are sent a wipe request before the user's account is deleted/disabled.


Monday, December 17, 2018 3:25 PM

As noted, that's a manual process although you may be able to script this using the GraphAPI and then incorporate in your decommissioning process.

Jason | https://home.configmgrftw.com | @jasonsandys
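Jason's suggestion above, as an added PowerShell example that is not part of this thread: it looks up a leaver's Intune-managed devices through Microsoft Graph, queues a retire (removes company data only; use wipe for a full reset) and then polls each device's deviceActionResults so the offboarding script knows whether every device has acknowledged before the account is disabled. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds the listed scopes; the lowercase action names in deviceActionResults and the polling window are assumptions.

```powershell
# Added example, not the thread's or Microsoft's own script. Run before the
# AD/Azure AD account is disabled, because Intune cannot target the device
# once the enrolling user no longer exists.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [ValidateSet('retire', 'wipe')] [string] $Action = 'retire',
    [int] $WaitMinutes = 60          # how long the job holds the account deletion
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All'

$base = 'https://graph.microsoft.com/v1.0'
$upn  = [uri]::EscapeDataString($UserPrincipalName)

# Enumerate the devices enrolled under this user while the account still exists.
$devices = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$upn/managedDevices?`$select=id,deviceName,operatingSystem").value
if (-not $devices) { Write-Host "No managed devices for $UserPrincipalName"; return }

foreach ($d in $devices) {
    Write-Host "Queueing $Action for $($d.deviceName) ($($d.operatingSystem)) id=$($d.id)"
    # Intune queues the action; a switched-off device picks it up at its next check-in.
    Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/managedDevices/$($d.id)/$Action" | Out-Null
}

# Poll until every device reports the action as done, or the deadline passes.
$deadline = (Get-Date).AddMinutes($WaitMinutes)
do {
    $pending = @()
    foreach ($d in $devices) {
        try {
            $dev = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/managedDevices/$($d.id)"
        } catch { continue }   # record gone (404): the device already retired/wiped, treat as done
        # Assumption: actionName matches the endpoint name ('retire' / 'wipe').
        $result = $dev.deviceActionResults | Where-Object { $_.actionName -eq $Action } | Select-Object -Last 1
        if (-not $result -or $result.actionState -ne 'done') { $pending += $d.deviceName }
    }
    if ($pending.Count -eq 0) { break }
    Write-Host "Still pending: $($pending -join ', ')"
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    Write-Warning "Not yet acknowledged: $($pending -join ', '). Hold the account deletion or accept the queued action."
    exit 1
}
Write-Host "All devices acknowledged the $Action; safe to disable/delete $UserPrincipalName."
```

The non-zero exit code lets the decommissioning job gate the account disable step on the result; devices that never check in stay on the queued action and can be cleaned up later by the device cleanup rules mentioned above.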