using namespace System.Management.Automation.Host
 
Connect-MgGraph -ContextScope Process -Scopes "BitLockerKey.Read.All"
 
# First, disable the devices.
$DisableDays = 180
$DisableDate = (Get-Date).AddDays(-$DisableDays)
$Params = @{
	accountEnabled = $false
}
 
$DevicesToSetDisabled = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DisableDate) -and ($_.AccountEnabled -eq $true)}
$Count = $DevicesToSetDisabled.Count
 
$Title = "Disable inactive devices?"
$Question= "Would you like to disable $Count enabled devices that have been inactive for approximately $DisableDays days?"
$Choices = @(
    [System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be disabled.")
    [System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be disabled.")
)
$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
 
If($Answer -eq 0) {
Write-Host "Disabling devices..."
    foreach ($Device in $DevicesToSetDisabled) {
    Write-Host "Disabling device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
       Update-MgDevice -DeviceId $Device.Id -BodyParameter $params
    }
}
 
# Then, delete devices that are disabled and have remained inactive for another month.
 
$DeleteDays = $DisableDays + 30
$DeleteDate = (Get-Date).AddDays(-$DeleteDays)
 
$DevicesToDelete = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DeleteDate) -and ($_.AccountEnabled -eq $false)}
$Count = $DevicesToDelete.Count
 
$Title = "Delete inactive devices?"
$Question= "Would you like to delete $Count disabled devices that have been inactive for approximately $DeleteDays days?"
$Choices = @(
    [System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be deleted.")
    [System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be deleted.")
)
$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
 
If($Answer -eq 0) {
 
$ExportKeys = @()
$KeyList = Get-MgInformationProtectionBitlockerRecoveryKey -All
 
Write-Host "Deleting devices..."
    foreach ($Device in $DevicesToDelete) {
        # First save the bitlocker key.
        Write-Host "Exporting Bitlocker keys for $($Device.DisplayName)."
        $DeviceKeys = $KeyList | Where-Object {$_.DeviceID -eq $Device.DeviceId}
        ForEach($Key in $DeviceKeys) {
            $ExportKeys += Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $Key.Id -Property key
        }
        # Then delete the device.
        Write-Host "Deleting device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
        Remove-MgDevice -DeviceId $Device.Id
    }
    Write-Host "Exporting Bitlocker keys to CSV file."
    $ExportDate = Get-Date -Format "yyyy-MM-dd-HH-mm"
    $ExportKeys | Export-Csv -Path "ExportedBitlockerKeys-$ExportDate.csv"
}
 
Disconnect-MgGraph