From a4acdf4ac97bb5b699479971e5f79f20d8dd46f8 Mon Sep 17 00:00:00 2001
From: Thomas De Reyck
Date: Thu, 26 Sep 2024 16:43:24 +0200
Subject: [PATCH] Added first snippet.
---
 microsoft/entra_id/purge_stale_devices.ps1 | 69 ++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 microsoft/entra_id/purge_stale_devices.ps1
diff --git a/microsoft/entra_id/purge_stale_devices.ps1 b/microsoft/entra_id/purge_stale_devices.ps1
new file mode 100644
index 0000000..ea383c5
--- /dev/null
+++ b/microsoft/entra_id/purge_stale_devices.ps1
@@ -0,0 +1,69 @@
+using namespace System.Management.Automation.Host
+
+Connect-MgGraph -ContextScope Process -Scopes "BitLockerKey.Read.All"
+
+# First, disable the devices.
+$DisableDays = 180
+$DisableDate = (Get-Date).AddDays(-$DisableDays)
+$Params = @{
+ accountEnabled = $false
+}
+
+$DevicesToSetDisabled = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DisableDate) -and ($_.AccountEnabled -eq $true)}
+$Count = $DevicesToSetDisabled.Count
+
+$Title = "Disable inactive devices?"
+$Question= "Would you like to disable $Count enabled devices that have been inactive for approximately $DisableDays days?"
+$Choices = @(
+ [System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be disabled.")
+ [System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be disabled.")
+)
+$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
+
+If($Answer -eq 0) {
+Write-Host "Disabling devices..."
+ foreach ($Device in $DevicesToSetDisabled) {
+ Write-Host "Disabling device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
+ Update-MgDevice -DeviceId $Device.Id -BodyParameter $params
+ }
+}
+
+# Then, delete devices that are disabled and have remained inactive for another month.
+
+$DeleteDays = $DisableDays + 30
+$DeleteDate = (Get-Date).AddDays(-$DeleteDays)
+
+$DevicesToDelete = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DeleteDate) -and ($_.AccountEnabled -eq $false)}
+$Count = $DevicesToDelete.Count
+
+$Title = "Delete inactive devices?"
+$Question= "Would you like to delete $Count disabled devices that have been inactive for approximately $DeleteDays days?"
+$Choices = @(
+ [System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be deleted.")
+ [System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be deleted.")
+)
+$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
+
+If($Answer -eq 0) {
+
+$ExportKeys = @()
+$KeyList = Get-MgInformationProtectionBitlockerRecoveryKey -All
+
+Write-Host "Deleting devices..."
+ foreach ($Device in $DevicesToDelete) {
+ # First save the bitlocker key.
+ Write-Host "Exporting Bitlocker keys for $($Device.DisplayName)."
+ $DeviceKeys = $KeyList | Where-Object {$_.DeviceID -eq $Device.DeviceId}
+ ForEach($Key in $DeviceKeys) {
+ $ExportKeys += Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $Key.Id -Property key
+ }
+ # Then delete the device.
+ Write-Host "Deleting device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
+ Remove-MgDevice -DeviceId $Device.Id
+ }
+ Write-Host "Exporting Bitlocker keys to CSV file."
+ $ExportDate = Get-Date -Format "yyyy-MM-dd-HH-mm"
+ $ExportKeys | Export-Csv -Path "ExportedBitlockerKeys-$ExportDate.csv"
+}
+
+Disconnect-MgGraph
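Review bot: In the delete branch the recovery keys are only written to disk after every `Remove-MgDevice` has run, so an error on any single device (or on the final `Export-Csv`) leaves already-deleted devices with no escrowed key; the keys should be exported and confirmed on disk before the first deletion, as in the rewrite below. The CSV also holds plaintext recovery keys in the current working directory, so `-Path` should point at an access-restricted location, and `-Property key` alone may leave `Id`/`DeviceId` empty in the export, so select `id,deviceId,key` to keep the mapping back to the device. `Connect-MgGraph` requests only `BitLockerKey.Read.All`, while `Get-MgDevice`, `Update-MgDevice` and `Remove-MgDevice` need device read/write scopes, so the script silently relies on whatever was consented earlier; list the required scopes explicitly. Both `Where` filters compare `ApproximateLastSignInDateTime` with `-le`; I believe a `$null` value (a device with no recorded sign-in) compares as less than any date in PowerShell, so such devices would be disabled and a month later deleted — add `$null -ne $_.ApproximateLastSignInDateTime` to both filters (the disable filter is earlier in this hunk) or decide that case explicitly.
```powershell
If($Answer -eq 0) {
    # Persist the recovery keys BEFORE any device is removed, so a failure
    # mid-loop cannot leave a deleted device without an escrowed key.
    $KeyList = Get-MgInformationProtectionBitlockerRecoveryKey -All
    $DeviceIds = $DevicesToDelete.DeviceId
    $ExportKeys = foreach ($Key in ($KeyList | Where-Object { $_.DeviceId -in $DeviceIds })) {
        Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $Key.Id -Property id,deviceId,key
    }
    $ExportDate = Get-Date -Format "yyyy-MM-dd-HH-mm"
    # NOTE: plaintext recovery keys; point this at an access-restricted folder rather than the working directory.
    $ExportPath = "ExportedBitlockerKeys-$ExportDate.csv"
    $ExportKeys | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Host "Exported $($ExportKeys.Count) Bitlocker keys to $ExportPath."

    Write-Host "Deleting devices..."
    foreach ($Device in $DevicesToDelete) {
        # … unchanged: Write-Host / Remove-MgDevice …
    }
}
```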