Connect to your tenant
DupedDevices runs entirely in your browser. It signs you in with Microsoft (PKCE) using a multi-tenant app registration and queries Microsoft Graph as you. Your token and data never leave your browser.
Required delegated permissions:
- Device.Read.All - list all devices in the tenant
- Directory.Read.All - resolve owners and extension attribute schema
- User.Read - sign-in identity
- Directory.AccessAsUser.All (only requested when you actually disable/delete) - PATCH/DELETE on /devices including extensionAttributes
You'll need the Cloud Device Administrator, Intune Administrator or Global Administrator role to actually disable or delete devices.
Duplicate device groups
Devices past their grace period
Lists devices that are currently disabled and have a DupedDevices timestamp in the configured extension attribute that is older than the grace period. These are safe to delete.
Debug log
About DupedDevices
DupedDevices is part of the LCToolkit by Lieben Consultancy. It's a fully client-side browser application. No backend, no telemetry, no data leaves your browser. All API calls go directly from your browser to Microsoft Graph as the signed-in user using MSAL with PKCE.
How duplicates are detected
Each Entra device has a physicalIds array. DupedDevices reads the [HWID] entry (and falls back to the trailing token of [USER-HWID]) and treats it as the canonical hardware fingerprint. Devices that share that hardware id are grouped together. Within a group, the device with the most recent approximateLastSignInDateTime (falling back to createdDateTime) is marked as the current registration; the rest are flagged as stale candidates for cleanup.
By default, only enabled devices are considered when detecting duplicates so a previously-disabled record cannot shadow a fresh re-enrolment. You can flip a checkbox if you also want to see the disabled ones for context.
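The grouping described above, as an added example (not DupedDevices' own code). It assumes physicalIds entries are colon-separated strings such as [HWID]:h:<id> and [USER-HWID]:<user>:<id>; the function names and sample devices are constructed for illustration.

```javascript
// Added example, not DupedDevices source. Assumes physicalIds entries look like
// "[HWID]:h:<id>" and "[USER-HWID]:<user>:<id>" (the id is the trailing token).
function hardwareId(device) {
  const ids = device.physicalIds || [];
  const entry = ids.find((p) => p.startsWith("[HWID]:")) ||
                ids.find((p) => p.startsWith("[USER-HWID]:"));
  if (!entry) return null;
  return entry.split(":").pop().trim().toLowerCase() || null;
}

// Most recent sign-in, falling back to creation time; 0 when neither parses.
function lastSeen(device) {
  const t = Date.parse(device.approximateLastSignInDateTime || device.createdDateTime || "");
  return Number.isNaN(t) ? 0 : t;
}

function findDuplicateGroups(devices, { includeDisabled = false } = {}) {
  const byHwid = new Map();
  for (const d of devices) {
    if (!includeDisabled && d.accountEnabled === false) continue;
    const key = hardwareId(d);
    if (!key) continue; // no fingerprint: leave the device out rather than guess
    if (!byHwid.has(key)) byHwid.set(key, []);
    byHwid.get(key).push(d);
  }
  const groups = [];
  for (const [hwid, members] of byHwid) {
    if (members.length < 2) continue; // a single record is not a duplicate
    members.sort((a, b) => lastSeen(b) - lastSeen(a));
    groups.push({ hwid, current: members[0], stale: members.slice(1) });
  }
  return groups;
}

// Constructed sample records (ids, hardware ids and dates are made up).
const sampleDevices = [
  { id: "a1", accountEnabled: true, physicalIds: ["[HWID]:h:1111"],
    approximateLastSignInDateTime: "2024-05-01T08:00:00Z", createdDateTime: "2024-04-01T08:00:00Z" },
  { id: "b2", accountEnabled: true, physicalIds: ["[HWID]:h:1111"],
    approximateLastSignInDateTime: null, createdDateTime: "2023-01-10T08:00:00Z" },
  { id: "c3", accountEnabled: false, physicalIds: ["[USER-HWID]:u1:1111"],
    approximateLastSignInDateTime: "2024-06-01T08:00:00Z", createdDateTime: "2022-01-01T08:00:00Z" },
  { id: "d4", accountEnabled: true, physicalIds: ["[HWID]:h:2222"],
    approximateLastSignInDateTime: "2024-05-20T08:00:00Z", createdDateTime: "2024-05-01T08:00:00Z" },
  { id: "e5", accountEnabled: true, physicalIds: [],
    approximateLastSignInDateTime: "2024-05-20T08:00:00Z", createdDateTime: "2024-05-01T08:00:00Z" },
];

for (const g of findDuplicateGroups(sampleDevices)) {
  console.log(g.hwid, "keep", g.current.id, "stale", g.stale.map((d) => d.id));
}
```

Calling findDuplicateGroups(sampleDevices, { includeDisabled: true }) makes the disabled record c3 the "current" one, which is the shadowing effect the enabled-only default avoids.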
Cleanup workflow
- Pick a cleanup mode: Disable (recommended) or Delete.
- Optionally pick an extensionAttribute (1-15) where DupedDevices will write a timestamp at the moment of disabling. This lets the tool later find devices that have been disabled long enough to safely delete.
- Scan, review the proposed candidates, deselect anything you want to keep.
- Click Apply to selected. Each PATCH/DELETE goes through Graph one by one (with retry on 429/503) and you'll see per-device success or failure.
- Later: open the Past grace period tab to find disabled devices whose stamp is older than your grace period and delete them in bulk.
Permissions
Read-only operations only need Device.Read.All + Directory.Read.All. The first time you click a write action, DupedDevices does an extra consent for Directory.AccessAsUser.All (Graph requires this scope, not just Device.ReadWrite.All, when you also write to extensionAttributes).
What this tool does NOT do
- It does not touch Intune objects. If a device is also in Intune, retire/wipe it there separately.
- It does not delete devices that aren't part of a duplicate group (unless you use the past-grace-period tab).
- It does not change anything until you explicitly click an action button.