InactiveDevices

Find and clean up dormant devices in Entra


Connect to your tenant

InactiveDevices runs entirely in your browser. It signs you in with Microsoft (PKCE) and queries Microsoft Graph as you. No backend, no telemetry, no data leaves your browser.

Required delegated permissions:

  • Device.Read.All - list Entra devices
  • AuditLog.Read.All - read sign-in activity metadata
  • Directory.Read.All - read directory attributes used for filtering
  • DeviceManagementManagedDevices.Read.All - optional Intune primary user, sync date, and Autopilot enrollment status
  • User.Read - sign-in identity
  • Device.ReadWrite.All + Directory.AccessAsUser.All (only when you actually disable, enable or delete)

To change or delete devices you also need an Entra role that can manage devices, like Cloud Device Administrator or Global Administrator.

Inactive device results

Devices past grace period

Lists currently disabled devices with an InactiveDevices timestamp in your chosen extension attribute older than the configured grace period.


About InactiveDevices

InactiveDevices is part of the LCToolkit by Lieben Consultancy. It helps you identify stale Entra devices and take bulk actions safely.

What it can do

  • List every device in Entra with inactivity details, OS, join type, Autopilot hint and managed status.
  • Optionally enrich with Intune data for primary user and last sync timestamps.
  • Filter by inactivity threshold, creation age, OS, join type, Autopilot, managed status, primary user availability and enabled state.
  • Bulk disable, re-enable or delete selected devices with explicit confirmation.
  • Export your filtered set to XLSX or CSV.

How it works

  • Device list: GET /beta/devices?$select=... with paging.
  • Primary user enrichment: GET /beta/deviceManagement/managedDevices?$select=azureADDeviceId,userPrincipalName,lastSyncDateTime,....
  • Inactivity: uses the newest of approximateLastSignInDateTime and Intune lastSyncDateTime; if both are missing it falls back to creation date.
  • Disable: PATCH /v1.0/devices/{id} with {accountEnabled: false} and optional extension-attribute stamp.
  • Delete: DELETE /v1.0/devices/{id}.

Autopilot note

The Autopilot indicator is inferred from devicePhysicalIds containing entries like [ZTDId]:.... This is a practical heuristic and can be empty on some older objects.

Recommended workflow

  1. Pick cleanup mode before scanning: disable-first (recommended) or immediate delete.
  2. If using disable-first, pick an extension attribute for timestamping and set a grace period.
  3. Scan, filter, and select devices in Results, then apply the preselected action.
  4. Later, use the grace-period tab to delete only devices that stayed disabled long enough.
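
The inactivity rule under "How it works" and the grace-period check from the workflow above, sketched as an added example (not InactiveDevices' own code). The function names are hypothetical, and three things are assumptions: that the creation date is exposed as createdDateTime, that the extension-attribute stamp is an ISO 8601 string, and that devices with no usable timestamp are reported separately.

```javascript
// Added example; sample objects below are constructed, not real tenant data.
const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.parse("2025-06-01T00:00:00Z");
const DEVICES = [
  { id: "d1", deviceId: "AAA1", approximateLastSignInDateTime: "2025-01-01T00:00:00Z" },
  { id: "d2", deviceId: "aaa2", createdDateTime: "2024-06-01T00:00:00Z" },
  { id: "d3", deviceId: "aaa3" },
];
const MANAGED = [{ azureADDeviceId: "aaa1", lastSyncDateTime: "2025-05-20T00:00:00Z" }];

// Parse an ISO 8601 timestamp; missing or unparsable values become null.
function parseTs(value) {
  const t = value ? Date.parse(value) : NaN;
  return Number.isNaN(t) ? null : t;
}

// Newest of the Entra sign-in and Intune sync timestamps, else creation date.
function lastActivity(device, managed) {
  const seen = [
    parseTs(device.approximateLastSignInDateTime),
    parseTs(managed && managed.lastSyncDateTime),
  ].filter((t) => t !== null);
  if (seen.length > 0) return { ts: Math.max(...seen), source: "activity" };
  const created = parseTs(device.createdDateTime); // assumed creation-date field
  return { ts: created, source: created === null ? "unknown" : "created" };
}

// Join Entra devices to Intune records (deviceId <-> azureADDeviceId) and
// return those inactive for at least thresholdDays. Devices with no usable
// timestamp are reported separately instead of being treated as stale.
function findInactive(devices, managedDevices, thresholdDays, now) {
  const byAadId = new Map(managedDevices.filter((m) => m.azureADDeviceId)
    .map((m) => [String(m.azureADDeviceId).toLowerCase(), m]));
  const inactive = [], undetermined = [];
  for (const d of devices) {
    const { ts, source } = lastActivity(d, byAadId.get(String(d.deviceId).toLowerCase()));
    if (ts === null) { undetermined.push(d.id); continue; }
    const days = Math.floor((now - ts) / DAY_MS);
    if (days >= thresholdDays) inactive.push({ id: d.id, days, source });
  }
  return { inactive, undetermined };
}

// Grace-period check for disable-first mode: only devices that are still
// disabled and carry a stamp older than graceDays qualify for deletion.
function pastGracePeriod(device, attr, graceDays, now) {
  if (device.accountEnabled !== false) return false; // re-enabled since: keep
  const stamp = parseTs((device.extensionAttributes || {})[attr]);
  return stamp !== null && now - stamp > graceDays * DAY_MS;
}
```

With the constructed data, d1 counts as active only because its Intune sync is recent; scanning without the Intune enrichment would flag it as 151 days inactive.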