How to remove devices from Microsoft Entra ID

Device removal actions in Microsoft Entra ID determine how a device loses access to organizational resources and is purged from your directory. For IT admins, managing device deletions can be challenging, especially when dealing with stale, lost, or decommissioned endpoints across hybrid and cloud environments. However, there are straightforward ways to review, disable, and permanently remove devices from Microsoft Entra ID.

  • M365 admin center
  • PowerShell
  • ADManager Plus
 

How to remove devices in Microsoft Entra ID using the Microsoft Entra admin center

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Entra ID > Devices.
  3. Select All devices.
  4. Find the device you want to remove from the list.
  5. If needed, disable it first to stop communication by clicking Disable.
  6. Select the device again and click Delete.
  7. In the pop-up that appears, click Delete once more to confirm removal from Microsoft Entra ID.
Removing devices from Microsoft Entra ID using the Microsoft Entra admin center.

How to remove devices from Microsoft Entra ID using Windows PowerShell

  • Connect to Microsoft Graph PowerShell.
    Connect-MgGraph
  • Get the list of devices.
    Get-MgDevice
  • Remove a device by passing its object ID (the Id value returned by Get-MgDevice) to the -DeviceId parameter.
    Remove-MgDevice -DeviceId "<DeviceObjectId>"

Example query to remove MyLaptop:

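# Look up the device by display name and note its Id (object ID).
Get-MgDevice -Filter "displayName eq 'MyLaptop'"
# Delete the device using that Id.
Remove-MgDevice -DeviceId "a2b3c4d5-6789-40ab-9bcd-ef1234567890"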

How to remove devices from Microsoft Entra ID using Microsoft Graph PowerShell

The syntax is as follows:

Remove-MgDevice
-DeviceId <string>
[-IfMatch <string>]
[-ResponseHeadersVariable <string>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-PassThru]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]

Example query to remove the device TestLaptop:

Get-MgDevice -Filter "displayName eq 'TestLaptop'"
Remove-MgDevice -DeviceId "a2b3c4d5-6789-40ab-9bcd-ef1234567890"

Example output:

Confirm
Are you sure you want to perform this action?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

After confirmation, the device is deleted. You can verify the action by running:

Get-MgDevice -DeviceId "a2b3c4d5-6789-40ab-9bcd-ef1234567890"

This will return nothing, confirming the device was removed.

Accelerate your Microsoft 365 management and reporting

ADManager Plus empowers Microsoft 365 admins with a clear, easy-to-navigate interface, streamlining routine tasks for greater efficiency.

Directory hygiene and security

Locate dormant or inactive accounts using ready-made reports and quickly remove them to keep your directory safe and well-organized.

User life cycle management

Simplify bulk user provisioning and deprovisioning to assure appropriate access at all times and eliminate abandoned accounts.

Access governance

Monitor group memberships and privileges to block unauthorized entry and uphold least-privilege principles.

Audit and reporting

Leverage over 200 built-in reports covering users, groups, licenses, and directory health for complete oversight. Export data to CSV, PDF, or HTML to enhance auditing and compliance processes.

Automation

Automate bulk user operations, license assignments, group management, and other repetitive administrative tasks, saving valuable time.

Risk exposure management

Spot and review users with excessive permissions, evaluate privilege pathways, and gain actionable security insights. ADManager Plus reveals risks and guides you to the right remediation steps, enabling stronger protection and operational resilience.

Important tips

  • Regularly track and review inactive devices

    Check last sign-in timestamps or activity reports to find devices that haven't connected for a chosen period (e.g., 30, 90, or 180 days). Review details such as owner and operating system before removing them to avoid accidentally offboarding devices still in use.

  • Disable devices before deletion

    Follow a two-step process: disable the device first to block access, then allow a grace period before deleting it. This reduces the chance of mistakes and ensures the device is truly unnecessary.

  • Verify BitLocker and MDM dependencies

    Before deleting a device, make sure BitLocker recovery keys and other important dependencies are handled. If the device is managed through MDM solutions like Intune, retire or disenroll it from the management console to prevent leaving behind orphaned records.
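
As an added example (not from the original page or from ADManager Plus), the disable-first, delete-after-a-grace-period process from the tips above can be scripted with Microsoft Graph PowerShell, which matters because Microsoft Entra ID has no native cleanup rule. The function name, thresholds and state-file path are assumptions, and the script expects an existing Connect-MgGraph session permitted to read, update and delete devices.

```powershell
# Added example (not from the original page). Names, thresholds and the state
# file are assumptions; run Connect-MgGraph first with rights to manage devices.
function Invoke-StaleDeviceCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$StaleDays = 90,                          # no sign-in for this long: disable
        [int]$GraceDays = 30,                          # disabled for this long: delete
        [string]$StatePath = '.\disabled-devices.csv'  # when this script disabled each device
    )
    $now   = [datetimeoffset]::UtcNow
    $state = @(if (Test-Path $StatePath) { Import-Csv $StatePath })

    # Stage 2: delete only devices this script disabled at least $GraceDays ago.
    $remaining = @(foreach ($row in $state) {
        $dev = Get-MgDevice -DeviceId $row.Id -ErrorAction SilentlyContinue
        if (-not $dev -or $dev.AccountEnabled) { continue }   # gone, or re-enabled by an admin
        $expired = [datetimeoffset]$row.DisabledOn -le $now.AddDays(-$GraceDays)
        if ($expired -and $PSCmdlet.ShouldProcess($dev.DisplayName, 'Delete device')) {
            Remove-MgDevice -DeviceId $dev.Id
        } else { $row }                                       # still in grace period: keep tracking
    })

    # Stage 1: disable enabled devices with no sign-in since the cutoff.
    $cutoff = $now.UtcDateTime.AddDays(-$StaleDays)
    $props  = 'Id', 'DisplayName', 'AccountEnabled', 'TrustType', 'ApproximateLastSignInDateTime'
    $newlyDisabled = @(foreach ($dev in (Get-MgDevice -All -Property $props)) {
        if (-not $dev.AccountEnabled) { continue }            # disabled elsewhere: not ours to delete
        if ($dev.TrustType -eq 'ServerAd') { continue }       # hybrid-joined: remove in on-premises AD first
        $last = $dev.ApproximateLastSignInDateTime
        if (-not $last -or $last -gt $cutoff) { continue }    # recently active, or no timestamp to judge by
        if ($PSCmdlet.ShouldProcess($dev.DisplayName, 'Disable device')) {
            Update-MgDevice -DeviceId $dev.Id -BodyParameter @{ accountEnabled = $false }
            [pscustomobject]@{ Id = $dev.Id; DisplayName = $dev.DisplayName; DisabledOn = $now.ToString('o') }
        }
    })

    # Persist the tracking list; Export-Csv also honours -WhatIf, so a preview changes nothing.
    $all = @($remaining) + @($newlyDisabled)
    if ($all) { $all | Export-Csv -Path $StatePath -NoTypeInformation }
}

# Preview both stages without changing anything:
#   Invoke-StaleDeviceCleanup -StaleDays 90 -GraceDays 30 -WhatIf
```

Run it with -WhatIf first and review the listed devices; BitLocker recovery keys and Intune retirement still have to be handled before a device reaches the delete stage.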

FAQ

No, removing a device from Intune does not automatically delete it from Microsoft Entra ID. Devices must also be manually removed from Microsoft Entra ID to ensure they are fully deleted. For Autopilot and hybrid-joined devices, additional steps may be needed in their respective management platforms.

Deleting an Entra-registered device immediately revokes its access to organizational resources and removes its identity from the directory. For devices synced from on-premises AD (hybrid-joined), deletion should occur in the local AD first; otherwise, the object may be re-synced back into Microsoft Entra ID.

Microsoft Intune offers device cleanup rules to automatically purge devices that have not checked in for a specified period, but Microsoft Entra ID does not have native automated cleanup—device removal must be manual or scripted. For Hybrid Microsoft Entra joined devices, deletions should begin in on-premises AD and then be synchronized to Microsoft Entra ID. Regularly review device activity and establish clear policies to keep your directory up to date.
