Remove Devices from Intune and Entra ID Using PowerShell

How to Remove Devices from Intune and Entra ID with PowerShell

When you retire or decommission devices, it’s important to clean up their records from both Microsoft Intune and Microsoft Entra ID (formerly Azure AD). If you don’t, stale device objects can clutter your environment, cause reporting issues, and even lead to compliance problems.

In this guide, I’ll show you how to remove devices safely using Microsoft Graph PowerShell SDK.


Why Use PowerShell and Graph?

While you can retire and delete devices through the Intune and Entra admin portals, PowerShell gives you automation and repeatability. With Graph API commands, you can script bulk removals, schedule clean-ups, or integrate with your offboarding workflows.


Prerequisites

  1. Install the Microsoft Graph PowerShell SDK:

Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

  2. Connect with the right permissions:

Connect-MgGraph -Scopes `
    "Device.ReadWrite.All", `
    "Directory.ReadWrite.All", `
    "DeviceManagementManagedDevices.ReadWrite.All", `
    "DeviceManagementManagedDevices.PrivilegedOperations.All"

# Only needed on SDK 1.x: Select-MgProfile was removed in SDK 2.x, which targets v1.0 by default
Select-MgProfile -Name "v1.0"

These scopes let you retire, wipe, and delete devices from Intune and Entra.


Step 1: Find the Device

Devices can be searched by name, serial number, or Entra device ID. Here’s a simple helper function:

function Get-ManagedDevice {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('name','serial','azureId')]$By,
        [Parameter(Mandatory=$true)][string]$Value
    )

    # OData filter for each supported lookup key
    $filters = @{
        'name'    = "deviceName eq '$Value'"
        'serial'  = "serialNumber eq '$Value'"
        'azureId' = "azureADDeviceId eq '$Value'"
    }

    # The backtick must precede the $ so that "$filter" is sent literally;
    # writing `$`filter` would emit a form-feed character instead of "$filter"
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=" + $filters[$By]
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri

    # Returns every match; a device name is not guaranteed to be unique, so
    # check the count before acting on $resp.value[0]
    return $resp.value
}

Step 2: Choose Your Action

You have two main options depending on your scenario:

Option A: Retire → Delete

Use this when offboarding a user or handling a BYOD device. Retire removes company apps, profiles, and data, but keeps the user’s personal files intact.

$md = Get-ManagedDevice -By serial -Value "ABC123XYZ"
$managedId = $md.id
$entraId   = $md.azureADDeviceId

# Retire
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$managedId/retire"

# Delete Intune record
Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$managedId"

# Delete Entra record. Remove-MgDevice -DeviceId expects the directory object id,
# not the azureADDeviceId, so resolve the object through its deviceId attribute first
$entraObj = Get-MgDevice -Filter "deviceId eq '$entraId'"
Remove-MgDevice -DeviceId $entraObj.Id -Confirm:$false

Option B: Wipe (Factory Reset) → Delete

Use this for corporate-owned hardware. Wipe resets the device to factory settings.

$md = Get-ManagedDevice -By name -Value "LAPTOP-42"
$managedId = $md.id
$entraId   = $md.azureADDeviceId

# Wipe (factory reset): drop enrollment and user data, release any eSIM plan
$body = @{
  keepEnrollmentData  = $false
  keepUserData        = $false
  persistEsimDataPlan = $false
}
Invoke-MgGraphRequest -Method POST `
  -Uri  "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$managedId/wipe" `
  -Body ($body | ConvertTo-Json) -ContentType "application/json"

# Delete Intune record
Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$managedId"

# Delete Entra record (look up the directory object id via the deviceId attribute;
# Remove-MgDevice -DeviceId does not accept the azureADDeviceId directly)
$entraObj = Get-MgDevice -Filter "deviceId eq '$entraId'"
Remove-MgDevice -DeviceId $entraObj.Id -Confirm:$false

Step 3: (Optional) Remove Autopilot Entry

If the device was part of Windows Autopilot, also remove its Autopilot identity:

# Escape the $ (not the f) so that "$filter" reaches Graph literally
$ap = Invoke-MgGraphRequest -Method GET -Uri `
 "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities?`$filter=serialNumber eq 'ABC123XYZ'"

if($ap.value){
  $apId = $ap.value[0].id
  Invoke-MgGraphRequest -Method DELETE -Uri `
    "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/$apId"
}

Notes and Best Practices

  • Async operations: Retire and Wipe are asynchronous. Deleting the record immediately usually works, but if you hit errors, wait a few minutes and retry.
  • Permissions: Retire/Wipe require the DeviceManagementManagedDevices.PrivilegedOperations.All scope.
  • Hybrid devices: Don’t forget to disable or delete the on-prem AD computer account if you’re running hybrid join.
  • Bulk cleanup: You can query by “last seen” date and bulk-remove old devices using the same flow.
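The bulk clean-up and retry points above, combined into one script as an added example (this is not code from the original post). It assumes an existing Connect-MgGraph session with the scopes listed under Prerequisites; the function name Remove-StaleManagedDevice and its parameters (-DaysStale, -Execute, -DeleteRetries, -RetryDelaySeconds) are names chosen here. It reports candidates first and changes nothing unless -Execute is given, follows @odata.nextLink so large tenants are fully enumerated, retries the Intune delete because retire is asynchronous, and resolves the Entra object id from the azureADDeviceId before calling Remove-MgDevice.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph has already
# been run with the scopes from the Prerequisites section.
function Remove-StaleManagedDevice {
    [CmdletBinding()]
    param(
        [int]$DaysStale = 90,          # devices not synced for this many days are candidates
        [switch]$Execute,              # without -Execute the function only reports
        [int]$DeleteRetries = 5,       # retire is async; retry the delete a few times
        [int]$RetryDelaySeconds = 60
    )

    # Build the "last seen" cut-off in the UTC format Graph expects
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$DaysStale).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           "?`$filter=lastSyncDateTime le $cutoff" +
           "&`$select=id,deviceName,serialNumber,azureADDeviceId,lastSyncDateTime,managedDeviceOwnerType"

    # Page through the result set; a single request only returns the first page
    $stale = @()
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
        $stale += $page.value
        $uri   = $page.'@odata.nextLink'
    }

    Write-Host ("Found {0} device(s) not synced since {1}" -f $stale.Count, $cutoff)
    foreach ($d in $stale) {
        Write-Host (" - {0} (serial {1}, owner {2}, last sync {3})" -f `
            $d.deviceName, $d.serialNumber, $d.managedDeviceOwnerType, $d.lastSyncDateTime)
    }
    if (-not $Execute) {
        Write-Host "Dry run only. Re-run with -Execute to retire and delete these records."
        return $stale
    }

    foreach ($d in $stale) {
        $base = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)"

        # Retire keeps personal data (Option A); swap in /wipe for corporate-owned hardware (Option B)
        Invoke-MgGraphRequest -Method POST -Uri "$base/retire"

        # Delete the Intune record, retrying because retire is asynchronous
        $deleted = $false
        for ($i = 1; $i -le $DeleteRetries -and -not $deleted; $i++) {
            try {
                Invoke-MgGraphRequest -Method DELETE -Uri $base
                $deleted = $true
            } catch {
                Write-Warning ("Delete of {0} failed (attempt {1}/{2}): {3}" -f `
                    $d.deviceName, $i, $DeleteRetries, $_.Exception.Message)
                Start-Sleep -Seconds $RetryDelaySeconds
            }
        }

        # Entra: Remove-MgDevice needs the directory object id, so resolve it
        # through the deviceId attribute rather than passing azureADDeviceId directly
        if ($deleted -and $d.azureADDeviceId) {
            $entraObj = Get-MgDevice -Filter "deviceId eq '$($d.azureADDeviceId)'"
            if ($entraObj) { Remove-MgDevice -DeviceId $entraObj.Id -Confirm:$false }
        }
    }
    return $stale
}

# Usage: review the report first, then run for real
# Remove-StaleManagedDevice -DaysStale 120
# Remove-StaleManagedDevice -DaysStale 120 -Execute
```

Keep the dry run as the default: the report lists the owner type of each candidate so BYOD devices can be excluded or retired rather than wiped, and the hybrid-joined devices in the list still need their on-prem AD computer accounts handled separately, as noted above.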

Final Thoughts

With PowerShell and Microsoft Graph, you can fully automate the lifecycle of Intune and Entra devices—whether you’re handling a single offboarding case or running periodic cleanups. Retire for BYOD, Wipe for corporate devices, and always remember to delete the Intune and Entra records to keep your environment clean.

