Regularly clean up MEID guest user with automation
Requirements: Create an App Registration with Directory.ReadWrite.AuditLog.Read.All and Device.User.ReadWrite.All. For logging you need to have an Azure Function to create an API to centralize logs in an Azure Log Analytics Worksspace.Workspace.
This automation get all Microsoft Entra ID Devices via the Microsoft Graph API and check everyone for their latest sign in. If the login was more than 6 months ago, the device will be deleted from the Microsoft Entra ID. Afterwards, the key figures for the deleted devices and the errors are passed to the Azure Function API, where they are then stored in the corresponding Log Analytics Workspace.
Use case
This automation concept is perfectly suited for large enterprises which don't have an overview of their old Microsoft Entra ID Devices. Authentication in the direction of Microsoft Entra ID is user-independent with an app registration. This makes it perfect for automated and regular execution of this code. In combination with an Azure Runbook that runs weekly, the Microsoft Entra ID environment can be simplified significantly.
PowerShell script
This PowerShell script needs the AzureAD Module, an app registration with the appropriate permissions and an Azure Function to collect the logs and write them to an Azure Log Analytics Workspace.
First install the AzureAD Module.
Install-Module AzureAD
After you have installed the modules and organized the prerequisites (App Registration with Directory.ReadWrite.AuditLog.Read.All and Device.User.ReadWrite.All permission and an Azure Function API for centralizing the logs) you can fill the four variables to the PowerShell code and run the script.
Import-Module AzureAD
$tenantId= "<yourtenantid>"
$ClientId= "<yourclientidofappregistration>"
$ClientSecret = "<yourclientsecretofappregistration>"
$url="<yoururlofcentralizedlogcollectionfunction>"
Function Send-Logs(){
param (
[String]$LogType,
[Hashtable]$LogBodyList
)
$LogBodyJSON = @"
{
"logtype": "$LogType",
"logbody": {}
}
"@
$LogBodyObject = ConvertFrom-JSON $LogBodyJSON
Foreach($Log in $LogBodyList.GetEnumerator()){
$LogBodyObject.logbody | Add-Member -MemberType NoteProperty -Name $log.key -Value $log.value
}
$Body = ConvertTo-JSON $LogBodyObject
$Response = Invoke-Restmethod -uri $url -Body $Body -Method POST -ContentType "application/json"
return $Response
}
$Body = @{
"tenant" = $TenantId
"client_id" = $ClientId
"scope" = "https://graph.microsoft.com/.default"
"client_secret" = $ClientSecret
"grant_type" = "client_credentials"
}
$Params = @{
"Uri" = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
"Method" = "Post"
"Body" = $Body
"ContentType" = "application/x-www-form-urlencoded"
}
$AuthResponse = Invoke-RestMethod @Params
$Header = @{
"Authorization" = "Bearer $($AuthResponse.access_token)"
}
$azurePassword = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($ClientId , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $TenantId -ServicePrincipal
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
$Result = Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/devices" -Header $Header
$Devices = $Result.value
while ($Result.'@odata.nextLink') {
$Result = Invoke-RestMethod -Uri $Result.'@odata.nextLink' -Headers $Header
$Devices += $Result.value
}
$oldDevices = @()
$failedDateDevices = @()
foreach($inactiveDevice in $Devices){
try{
$Date = Get-Date($inactiveDevice.approximateLastSignInDateTime)
if($Date -lt ((Get-Date).AddMonths(-6))){
$oldDevices += $inactiveDevice
}
} catch {
$failedDateDevices += $inactiveDevice
}
}
Write-Warning "Date Errors: $($failedDateDevices.count)"
$failedDeleteDevices = @()
$deletedDevices = @()
foreach($Device in $oldDevices){
try{
Remove-AzureADDevice -ObjectId $Device.id
Write-Output "Deleted: $($Device.displayName)"
$deletedDevices += $Device
}catch{
$failedDeleteDevices += $Device
}
}
Write-Warning "Delete Errors: $($failedDeleteDevices.count)"
$Logs = @{
"deletesuccess" = "$($deletedDevices.count)"
"dateerrors"="$($failedDateDevices.count)"
"deleteerrors"="$($failedDeleteDevices.count)"
}
Send-Logs -LogType "CleanUpMEIDDevicesExecutions" -LogBodyList $Logs