How do you keep an audit trail when auto-cleaning up stale Entra devices/users?
Posted by losfla@reddit | sysadmin | 6 comments
Working on automating stale device/user cleanup in Entra ID — disable first, delete after a retention period. The PowerShell side is straightforward, but two things give me pause:
Audit trail: If someone asks three months later "why was this object removed and who triggered it?" — how do you document that properly? Roll your own DB/CSV logging, or is there something better?
BitLocker/LAPS: Deleting a device object also drops its BitLocker recovery keys. Do you back those up (and LAPS passwords) somewhere first, or does that risk stop you from automating at all?
Curious how people handle this today — plain script + homemade logging, an existing tool, or deliberately manual? Any war stories welcome.
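One way to build the disable-then-delete cycle the post describes around an audit log and a key export, as an added example that is not from the post or any commenter: every action is written to an append-only JSON-lines log (each record carrying the hash of the previous one, so a deleted or edited line is detectable), the retention clock starts from the script's own recorded disable rather than the sign-in date, and BitLocker recovery keys are exported before the object is removed. It assumes the Microsoft.Graph PowerShell module's Get-MgDevice, Update-MgDevice, Remove-MgDevice and Get-MgInformationProtectionBitlockerRecoveryKey cmdlets, an existing Connect-MgGraph session, and placeholder paths and thresholds.

```powershell
# Added example, not code from the thread. Assumes the Microsoft.Graph module (Get-MgDevice, Update-MgDevice,
# Remove-MgDevice, Get-MgInformationProtectionBitlockerRecoveryKey) and an existing Connect-MgGraph session.
# Paths and thresholds are placeholders; lock down the ACLs on the audit directory, recovery keys land in it.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$StaleDays = 90,        # no sign-in for this long      -> disable
    [int]$RetentionDays = 30,    # disabled by this script this long -> delete
    [string]$AuditLog = 'C:\CleanupAudit\device-cleanup.jsonl',
    [string]$KeyBackupDir = 'C:\CleanupAudit\bitlocker'
)
function Write-AuditRecord([string]$Action, [string]$ObjectId, [string]$Name, [string]$Reason) {
    # Each record stores the hash of the previous one, so a removed or edited line breaks the chain.
    $prev = if (Test-Path $AuditLog) { (Get-Content $AuditLog -Tail 1 | ConvertFrom-Json).hash } else { 'GENESIS' }
    $rec = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        actor     = "$env:USERDOMAIN\$env:USERNAME"    # service principal / pipeline id when fully automated
        action    = $Action; objectId = $ObjectId; displayName = $Name; reason = $Reason
        prevHash  = $prev
    }
    $bytes = [Text.Encoding]::UTF8.GetBytes(($rec | ConvertTo-Json -Compress))
    $rec['hash'] = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes))) -replace '-', ''
    Add-Content -Path $AuditLog -Value ($rec | ConvertTo-Json -Compress)
}
# Retention runs from OUR recorded disable, so a device someone disabled by hand for another reason is never
# deleted here. objectId -> UTC time of the script's own 'disable' record.
$disabledAt = @{}
if (Test-Path $AuditLog) { Get-Content $AuditLog | ConvertFrom-Json | Where-Object action -eq 'disable' |
    ForEach-Object { $disabledAt[$_.objectId] = ([datetime]$_.timestamp).ToUniversalTime() } }
$now = (Get-Date).ToUniversalTime()
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null
foreach ($d in Get-MgDevice -All -Property Id,DeviceId,DisplayName,AccountEnabled,ApproximateLastSignInDateTime) {
    if (-not $d.ApproximateLastSignInDateTime) { continue }   # never signed in: review by hand, do not guess
    $idle = [int]($now - $d.ApproximateLastSignInDateTime.ToUniversalTime()).TotalDays
    if ($d.AccountEnabled -and $idle -ge $StaleDays -and
        $PSCmdlet.ShouldProcess($d.DisplayName, "Disable (no sign-in for $idle days)")) {
        Write-AuditRecord 'disable' $d.Id $d.DisplayName "no sign-in for $idle days (threshold $StaleDays)"
        Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
    }
    elseif (-not $d.AccountEnabled -and $disabledAt.ContainsKey($d.Id) -and
            ($now - $disabledAt[$d.Id]).TotalDays -ge $RetentionDays -and
            $PSCmdlet.ShouldProcess($d.DisplayName, "Delete (disabled $RetentionDays+ days ago)")) {
        # Export recovery keys first: deleting the device object drops them with it.
        foreach ($k in Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($d.DeviceId)'") {
            $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $k.Id -Property key
            "$($k.Id),$($k.VolumeType),$($full.Key)" | Add-Content -Path (Join-Path $KeyBackupDir "$($d.DeviceId).csv")
        }
        Write-AuditRecord 'delete' $d.Id $d.DisplayName "disabled on $($disabledAt[$d.Id].ToString('u')); retention $RetentionDays days"
        Remove-MgDevice -DeviceId $d.Id
    }
}
```

Run it with -WhatIf first to see what would be disabled or deleted without touching anything. To verify the log later, rehash each line with its hash field removed and compare the result to the next line's prevHash.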
HankMardukasNY@reddit
AI Slop
IT2DJ@reddit
Em dashes give it away.
So does the "curious how people..."
Gtfo.
HankMardukasNY@reddit
“War stories”
retiredaccount@reddit
I used to export the separate entra, intune, and on-prem AD objects daily, then import into a database and use custom SQL queries for all tasks, including stale devices, lost devices, e-waste devices, ghost devices, and later lookup tracking. That way when a tech came upon a long missing device, I could easily say that device last connected two years ago and was removed on this or that date.
aguynamedbrand@reddit
It baffles me that sysadmins are either so lazy or can't be bothered to compose their own posts.
AtarukA@reddit
Open a ticket that will self close automatically.
"Automated ticket:
Action done: Deleted user/machine
Reason: Stale entry"