Hypothetically speaking, what if we had more entries in Entra than there are actual physical devices? (*many* thousands more!) How does this impact the users?
Posted by caylyn953@reddit | sysadmin | 61 comments
Am asking for a friend of course.
sambodia85@reddit
IIRC, when you register a device for autopilot it creates an object in Entra for it as well. But if the device is Domain Joined, and synced up to Intune as well, you get another.
I think it is by design, it’s just a shitty design.
caylyn953@reddit (OP)
Even so, surely it's bad practice to not be cleaning up after yourself?
sambodia85@reddit
Well in that specific case you’ll break shit deleting it.
caylyn953@reddit (OP)
How will it break?? Why?
sambodia85@reddit
Who knows, it doesn’t matter, it’s by design, nobody gets hurt, nobody pays, they are just there and you don’t delete them.
https://learn.microsoft.com/en-us/autopilot/known-issues#duplicate-device-objects-with-microsoft-entra-hybrid-deployments
StatementNext682@reddit
Could be those entra entities are service accts or guests?
caylyn953@reddit (OP)
Sorry, should have been clearer!
I *cough* "my friend" is only talking about the Entra device entries they're seeing. Way more exist than physical devices that we own.
(of course you could have tonnes and tonnes of users, that's something else entirely)
Due_Peak_6428@reddit
Yeah but what does it say. Entra registered devices? Or Entra joined devices
caylyn953@reddit (OP)
Both hybrid and entra
Due_Peak_6428@reddit
It's very easy for someone to Entra register one of their home devices. All they have to do is on their personal PC log into office.com
caylyn953@reddit (OP)
Yeah, but I'm not talking about personal devices owned by employees.
Am referring to company devices (laptops & such), what if you find yourself in a situation (hypothetically speaking...) where all of our corporate-owned devices have got multiple Entra device entries
Due_Peak_6428@reddit
Maybe computer sharing?
caylyn953@reddit (OP)
Multiple people logging onto the same computer wouldn't create multiple Entra Device IDs would it?
Due_Peak_6428@reddit
It's almost as if you don't know about the existence of AI
caylyn953@reddit (OP)
What does AI have to do with this?
Due_Peak_6428@reddit
It will give you a bunch of scenarios it can happen. E.g. things like computers having Windows reinstalled - Entra can't tell the difference. Multiple different enrollment methods being used by user/IT. Multiple user profiles on the same devices.
caylyn953@reddit (OP)
AI isn't doing any of that anywhere in our company.
mo0n3h@reddit
I think they meant you could leverage AI to assist with your problem
caylyn953@reddit (OP)
Nah, I tend to believe Redditors are much smarter than AI! ;-) 🤣
Absolute_Bob@reddit
Computer sharing doesn't create duplicate device objects.
Absolute_Bob@reddit
It probably means you aren't pruning devices appropriately and you have objects that belong to machines that have been reimaged or retired hanging out forever. Sort by their last active date, if you have 4 of the same name but only one has an active date in the last few months, delete the others.
caylyn953@reddit (OP)
Are there risks though to deleting the older ones and only leaving the latest Entra device ID?
Absolute_Bob@reddit
No, the only risk is if you accidentally delete the object tied to the active OS install. If that does happen, the worst case depends on your specific environment, but it usually just means someone with admin rights will have to take on the onerous task of typing dsregcmd /join into a cmd prompt.
caylyn953@reddit (OP)
I doubt that is more painful than the current situation 😂
Pupusas_Man@reddit
What? I'm almost afraid to ask you about Autopilot... You've gotten very good responses. But you're over your head.
caylyn953@reddit (OP)
I'm just the innocent observer here... being somewhat shocked by what my friend is telling me.
Pupusas_Man@reddit
Willing to help your friend! Let me know
caylyn953@reddit (OP)
They can't be helped. As those running the team don't wish to do anything about it.
All we can do is just stand by and watch horrified.
Pupusas_Man@reddit
Let's hold hands and watch the world burn.
caylyn953@reddit (OP)
But I feel so sorry for the burn victims! :-( And I want to help them <3
Pupusas_Man@reddit
It would've happened regardless. You can't save everyone, save me ❤️
PanicAdmin@reddit
exactly this.
Remember that a single license is usable on 5 devices.
AppIdentityGuy@reddit
You can configure Entra to remove stale devices. They will be in 1 of 3 states, i.e. Entra registered, Entra joined and hybrid joined.
caylyn953@reddit (OP)
Management doesn't want to do this :-(
Am wondering as the years roll by, what the long term consequences for users would be....
(hypothetically speaking.... maybe this has already happened! And now we're living in that future)
AppIdentityGuy@reddit
Why on earth not?
caylyn953@reddit (OP)
Have a blasé attitude where they don't think it's a big deal at all.
AppIdentityGuy@reddit
Especially the joined devices should be cleaned up. Any stale/unused security principal in a directory is a potential attack vector. Whilst I am not aware of these objects being a specific threat currently in my mind it makes sense to get rid of them. They just clutter things up. It's just good identity hygiene.
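The cleanup procedure described in this thread (sort duplicate device names by last activity, keep the active one, prune the rest; disable stale objects; keep the Autopilot registration object the linked known-issue says is created by design) as an added PowerShell example. This is not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgDevice) for the live query, a 90-day threshold for "not active in the last few months", and that Autopilot registration objects can be recognised by a "[ZTDId]:" entry in their PhysicalIds; the sample device records are constructed so the script runs offline.

```powershell
# Added example (not from the thread or from Microsoft): list Entra device
# objects that share a display name, keep the most recently active object per
# name, and report the rest as cleanup candidates. Run with -Live to query the
# tenant (needs the Microsoft.Graph.Identity.DirectoryManagement module);
# without it the constructed sample data below is used, so it runs offline.
param(
    [int]$StaleDays = 90,   # assumption: "no activity in the last few months"
    [switch]$Live
)

function Find-StaleDuplicateDevice {
    param(
        [Parameter(Mandatory)] [object[]]$Devices,
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    foreach ($group in ($Devices | Group-Object -Property DisplayName)) {
        if ($group.Count -lt 2) { continue }   # no duplicate for this name

        # Newest sign-in first; objects that never signed in sort last.
        $ordered = @($group.Group | Sort-Object -Descending -Property @{
            Expression = {
                if ($_.ApproximateLastSignInDateTime) { $_.ApproximateLastSignInDateTime }
                else { [datetime]::MinValue }
            }
        })
        $keep = $ordered[0]

        foreach ($dev in $ordered[1..($ordered.Count - 1)]) {
            # Assumption: Autopilot registration objects carry a "[ZTDId]:..."
            # physical ID. They are reported but never proposed for deletion.
            $isAutopilot = [bool](@($dev.PhysicalIds) -match '^\[ZTDId\]:')
            $lastSeen = $dev.ApproximateLastSignInDateTime
            $isStale = (-not $lastSeen) -or ($lastSeen -lt $cutoff)
            $action = if ($isAutopilot) { 'keep (Autopilot object)' }
                      elseif ($isStale) { 'candidate: disable now, delete after grace period' }
                      else { 'review (recent activity)' }

            [pscustomobject]@{
                DisplayName  = $dev.DisplayName
                ObjectId     = $dev.Id
                TrustType    = $dev.TrustType   # AzureAd, ServerAd (hybrid) or Workplace
                LastSignIn   = $lastSeen
                KeepObjectId = $keep.Id
                Action       = $action
            }
        }
    }
}

# Constructed sample data (not real tenant output): one laptop with four
# objects, as the thread describes, plus one machine with a single object.
$now = (Get-Date).ToUniversalTime()
$sampleDevices = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-0042';  Id = 'obj-1'; TrustType = 'ServerAd'; ApproximateLastSignInDateTime = $now.AddDays(-2);   PhysicalIds = @('[USER-HWID]:constructed') }
    [pscustomobject]@{ DisplayName = 'LAPTOP-0042';  Id = 'obj-2'; TrustType = 'ServerAd'; ApproximateLastSignInDateTime = $now.AddDays(-400); PhysicalIds = @('[USER-HWID]:constructed') }
    [pscustomobject]@{ DisplayName = 'LAPTOP-0042';  Id = 'obj-3'; TrustType = 'AzureAd';  ApproximateLastSignInDateTime = $null;              PhysicalIds = @('[ZTDId]:constructed', '[OrderId]:constructed') }
    [pscustomobject]@{ DisplayName = 'LAPTOP-0042';  Id = 'obj-4'; TrustType = 'ServerAd'; ApproximateLastSignInDateTime = $now.AddDays(-20);  PhysicalIds = @('[USER-HWID]:constructed') }
    [pscustomobject]@{ DisplayName = 'DESKTOP-0007'; Id = 'obj-5'; TrustType = 'ServerAd'; ApproximateLastSignInDateTime = $now.AddDays(-1);   PhysicalIds = @() }
)

$devices = if ($Live) {
    Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome
    Get-MgDevice -All -Property Id, DisplayName, TrustType, ApproximateLastSignInDateTime, PhysicalIds
} else {
    $sampleDevices
}

Find-StaleDuplicateDevice -Devices $devices -StaleDays $StaleDays |
    Sort-Object DisplayName, LastSignIn |
    Format-Table DisplayName, TrustType, LastSignIn, Action, ObjectId -AutoSize
```

With the sample data, obj-1 is kept, obj-2 is a stale candidate, obj-4 is flagged for review because it was active 20 days ago, and obj-3 is kept because of the ZTDId marker. To act on a candidate, disable it first (Update-MgDevice -DeviceId <ObjectId> -AccountEnabled:$false), wait a grace period so a wrongly flagged machine surfaces as a support call rather than a data loss, then delete it (Remove-MgDevice -DeviceId <ObjectId>). Two caveats: BitLocker recovery keys stored on an Entra device object are removed with it, so export them before deleting, and the ZTDId check is this script's own guard, so confirm the marker on a known Autopilot object in your tenant before trusting it.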
caylyn953@reddit (OP)
oh man, I hadn't even thought about how these might be a cybersecurity vulnerability! Is that a real possibility that could be done??
AppIdentityGuy@reddit
Not that I'm aware of but it's good practice to get rid of stale objects
caylyn953@reddit (OP)
Now I think about it, then it does seem like a cybersecurity vulnerability, for instance if a person leaves (either by choice, or fired) then if they've kept the credentials for themselves, then even if their device is wiped before it's redeployed and handed over to the next employee, those credentials still exist in Entra. And this is an attack vector they could use to gain access to the corporate systems again?
AppIdentityGuy@reddit
Not that I'm aware of but why take the chance. It's one setting in Entra
Absolute_Bob@reddit
Then management is stupid or you've failed to adequately explain things.
caylyn953@reddit (OP)
Which never ever happens! ;-)
I agree there is no upside to what they're doing, but what are the downsides if they keep up this blasé attitude for years to come?
Absolute_Bob@reddit
It just clutters things up and makes it more difficult to find things like BitLocker keys and LAPS passwords if they're being synced. It means dynamic groups get overly inflated and policy application numbers will look like shit regardless of reality, if you're using Endpoint Manager users could hit their device registration limit and won't be able to add another until some are pruned.
It's like asking why we don't just keep all of our trash perpetually just because we have a really large trash can. Eventually it smells like shit and makes it hard to find stuff because the bin is overflowing when all we have to do is sit it on the curb once a week.
caylyn953@reddit (OP)
I do wonder how it's possible to do any sort of effective reporting metrics of your device management when you've got so many thousands of ancient ghost entries floating about?!
drinkwineandscrew@reddit
There's not a huge user impact, the main impact you may see is on user support, having to figure out which device is the right one if they need to help the user. As long as your policies are in place for device compliance etc. and you're not in a gigantic org where you have hundreds of thousands of devices, it's not something that would have a meaningful user impact.
KoxziShot@reddit
Zero impact to the users. Should it be cleaned and maintained? Yes. Does any major enterprise organisation with 50-100k+ users do this? Not really.
caylyn953@reddit (OP)
Surely it's making it so much harder to do proper device management and reporting on the stats?
And it's a cybersecurity vulnerability, for instance if a person leaves (either by choice, or fired) then if they've kept the credentials for themselves, then even if their device is wiped before it's redeployed and handed over to the next employee, those credentials still exist in Entra. And this is an attack vector they could use to gain access to the corporate systems again?
CobaltFrame@reddit
I think you need /r/shittysysadmin
caylyn953@reddit (OP)
🤣😂🤣😂🤣
Please don't anybody cross-post this to there...
DiscipleOfYeshua@reddit
What, for example, is one "worse case scenario" you envision?
caylyn953@reddit (OP)
Worst case scenario (*cough* our current situation *cough*) is we have thousands and thousands more devices on Entra than exist in reality.
DiscipleOfYeshua@reddit
And that is a concern, bc?...
(I like a clean desk, and a clean system. But cleanup is what we do when priority 1 and 2 items are all done...)
caylyn953@reddit (OP)
Eventually it must surely have an impact on the users?
Imagine if we did this attitude towards everything else.
Oh we're going to upgrade our networking equipment, but we're going to leave all our old networking equipment plugged in and powered on....
No big deal the first couple of times we do it? But what happens when we have more old networking equipment still part of the network topology than we have actual new networking equipment that is what the networking itself is meant to be???
DiscipleOfYeshua@reddit
Ok, so i take it your high priority items are done. Cool, time for cleanup!
Have you checked the users and serials of the devices? Output the whole thing to excel to look for duplicates? Most recent logins / activity?
Knyghtlorde@reddit
Are they duplicates of real devices or random entries ?
Details are important
caylyn953@reddit (OP)
Every Entra ID name is associated with real world ID label on a physical computer that's deployed to the users.
Just the thing is when you look up a computer ID in Entra, you'll almost always see multiple results for it.
Pupusas_Man@reddit
What is the actual issue? You talk in circles and fire entra this and that. What is the actual problem? I'm still not convinced you know anything at all and you're over your head.
pm_me_domme_pics@reddit
Depends on the size of your tenant. I have hundreds but that's because someone thought it was worthwhile logging in and renaming devices by hand so they all got doubled. Nearing a thousand extra entries and no impact so far
caylyn953@reddit (OP)
But how would you know if it's having no impact or not? How do you know if those user logging in issues are: 1) due to the app itself 2) network issues 3) an ID10T error 4) Entra issues 5) or something else entirely different?
PanicAdmin@reddit
90% ID10T errors.
5% network issues
4.5% app/client issues
0.5% Entra issues