How can we improve Azure Active Directory?

Delegate permissions to remove devices

The user role User administrator is not able to remove users' registered device objects in Azure AD. I think that role should be granted that permission.
Or create an additional role that has the permission to remove device objects in Azure AD.

62 votes


Daniel Persson shared this idea

17 comments

  • Todd Meyers commented

    Along with most everyone here, we deal with thousands of users who log in to multiple devices every day (laptops, desktops, virtual desktops, etc.). The build-up grows rapidly and seems to only affect users who have enrolled with Intune to gain access to their corporate email. After a certain period of time their email will stop working on their phone because the Company Portal app has requested the user to log in again. This gets added to the list of devices again and then blocks the user. The ability to remove these devices with a lower administrative account, or the ability for the Global Admin to delegate this permission to any role, would be great.

  • Andy Simmons commented

    +1

    We use conditional access and non-persistent pooled virtual desktops. This results in thousands of users workplace joining a "new" device 1-2 times daily.

    Those users quickly hit the limit on number of registered devices. It's really unsettling that we need GA permissions to automate the device cleanup.
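The cleanup the comment above wants to automate is a selection problem before it is a permission problem: decide which registered device objects are safe to remove without pushing a user past the limit or deleting the device they are sitting at. The following is an added example, not code from the thread or from Microsoft. It runs a stale-device policy over constructed records shaped like the Microsoft Graph `device` resource (`id`, `displayName`, `approximateLastSignInDateTime`, `trustType`); the per-user limit, the stale-age threshold and the "always keep the newest N" rule are assumed policy values, not Azure AD defaults, and the owner mapping is constructed inline. The point is that whatever account eventually holds the delete permission only ever receives a reviewed list of ids, and users who stay over the limit after stale removal are flagged for a human rather than trimmed further.

```python
"""Select stale Azure AD device objects for a least-privilege cleanup run.

Added example. SAMPLE_DEVICES is constructed test data in the shape of the
Microsoft Graph `device` resource, keyed by the registered owner's UPN; it is
not real tenant data. Policy thresholds are assumed values for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: three owners, mixing fresh, stale and never-signed-in devices.
SAMPLE_DEVICES = {
    "alice@example.com": [
        {"id": "d-1", "displayName": "VDI-POOL-0001", "approximateLastSignInDateTime": "2020-01-02T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-2", "displayName": "VDI-POOL-0002", "approximateLastSignInDateTime": "2020-02-28T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-3", "displayName": "VDI-POOL-0003", "approximateLastSignInDateTime": "2019-12-15T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-4", "displayName": "LAPTOP-ALICE", "approximateLastSignInDateTime": "2020-02-29T08:00:00Z", "trustType": "AzureAd"},
        {"id": "d-5", "displayName": "PHONE-ALICE", "approximateLastSignInDateTime": None, "trustType": "Workplace"},
    ],
    "bob@example.com": [
        {"id": "d-6", "displayName": "VDI-POOL-0101", "approximateLastSignInDateTime": "2020-02-20T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-7", "displayName": "VDI-POOL-0102", "approximateLastSignInDateTime": "2020-02-21T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-8", "displayName": "VDI-POOL-0103", "approximateLastSignInDateTime": "2020-02-22T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-9", "displayName": "LAPTOP-BOB", "approximateLastSignInDateTime": "2020-02-23T08:00:00Z", "trustType": "AzureAd"},
    ],
    "carol@example.com": [
        {"id": "d-10", "displayName": "VDI-POOL-0201", "approximateLastSignInDateTime": "2019-11-01T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-11", "displayName": "VDI-POOL-0202", "approximateLastSignInDateTime": "2019-10-01T08:00:00Z", "trustType": "Workplace"},
        {"id": "d-12", "displayName": "VDI-POOL-0203", "approximateLastSignInDateTime": "2019-09-01T08:00:00Z", "trustType": "Workplace"},
    ],
}

EPOCH = datetime.min.replace(tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a Graph ISO-8601 timestamp; None when the device has never signed in."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_stale_devices(devices_by_owner, now, stale_after_days=30, keep_latest=2, max_per_user=3):
    """Return (device ids to delete, owners needing manual review).

    Assumed policy:
      * a device is stale when its last sign-in is older than `stale_after_days`,
        or when it has never signed in at all;
      * the `keep_latest` most recently seen devices of every owner are never
        deleted, so the device a user is working from right now survives even if
        everything they own looks stale;
      * an owner still above `max_per_user` after stale removal is reported for
        review instead of having fresh devices trimmed automatically.
    """
    cutoff = now - timedelta(days=stale_after_days)
    to_delete, needs_review = [], []
    for owner, devices in devices_by_owner.items():
        # Newest first; never-signed-in devices sort last.
        ordered = sorted(
            devices,
            key=lambda d: parse_ts(d.get("approximateLastSignInDateTime")) or EPOCH,
            reverse=True,
        )
        protected = {d["id"] for d in ordered[:keep_latest]}
        owner_deletes = []
        for device in ordered:
            if device["id"] in protected:
                continue
            seen = parse_ts(device.get("approximateLastSignInDateTime"))
            if seen is None or seen < cutoff:
                owner_deletes.append(device["id"])
        to_delete.extend(owner_deletes)
        if len(devices) - len(owner_deletes) > max_per_user:
            needs_review.append(owner)
    return sorted(to_delete), sorted(needs_review)


if __name__ == "__main__":
    run_at = datetime(2020, 3, 1, tzinfo=timezone.utc)  # constructed "now"
    delete_ids, review_owners = select_stale_devices(SAMPLE_DEVICES, run_at)
    print("delete:", delete_ids)
    print("review:", review_owners)
```

The separation matters for the delegation question the thread raises: the selection step needs only read access to device objects, so it can run under a low-privilege identity and produce an auditable list, and only the final removal of the listed ids has to be performed by whichever role is allowed to delete devices.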

  • Peter Holdridge commented

    A custom operation for deleting Azure AD Devices is needed to create a custom RBAC role for this. Our helpdesk cannot help our users if they need to delete these types of objects and have to contact a GA for this. This is desperately needed.

  • dmnq commented

    The role "Device administrator" should be granted. Our client guys are responsible for managing the devices in Intune. They can delete the device in Intune, but not in Azure AD.
    Or provide RBAC for Azure AD to build custom roles like in AD.

  • James commented

    I totally agree with the rest of the users here. This is functionality that needs to be in place. I can't allow the dozens of techs who can enroll devices to be a Global Tenant Admin just so they can also delete a device.

  • Chad ODell commented

    I work at a large company that’s dealing with device limits in Azure AD. Only GA can remove devices after a user hits their limit. We can’t go unlimited due to security concerns.
    We would like to see either a way to have a small number of users exceed the number of allowed devices or a way to have a non-GA role be provisioned the ability to remove devices when users hit the limit. The fact that device removal can’t be handled outside of GA is very limiting to our support model and security model.
    As we (and other companies) prepare to begin implementing wearables and IoT tech across the org, the GA only model for managing device removal is not going to be sustainable.

  • Sagar commented

    The user role User administrator is not able to remove users' registered device objects in Azure AD. I think that role should be granted that permission.
    Or create an additional role that has the permission to remove device objects in Azure AD.

  • Kent commented

    The RBAC roles of Intune (even the Intune Administrator role) cannot remove a device from Azure! One needs to be a Global Administrator in Azure to remove dormant devices when they cannot be removed! Unless I'm missing something, there needs to be a canned RBAC role or permission for Azure and Intune corrected by MS for this. What a nightmare to support!

    For example: An iOS device which was once enrolled with Intune and has now been wiped by its last user is now to be reused by someone else. However, by Intune's design, it CAN'T ENROL now and delivers some meaningless, cryptic error about "Profile Installation Failed" "A connection to the server could not be established"... And so the unsaid solution is to remove the device from Intune... But guess what!?! You can't! Not unless you know who the old user was! And since the device was wiped by the old user, the search by email, UPN, or 'Device Name' is totally pointless! All that can be discerned on the device is essentially the serial and IMEI! And behold, you can't search by those details to remove the device so it can now enrol with a new user!

    Never mind the permissions, how unthought-out does this design seem?

    Subsequently, how pointless also is the new Troubleshoot Blade when you can only search for name or email there as well!

    There need to be way more intuitive search options, as well as a better design for the reuse of devices!

    I’ve also seen something similar occur on Win 10 Join. Removing from Intune and completely resetting the device was the only way to resolve this similar error… Azure AD Join Error 80180026

    Personally I would think that a reused device should pave over the last active user in Azure/Intune… obviously not!

  • John K commented

    +1 for this. GA access is heavily restricted, and it's preventing us from enrolling phones when we hit the limit.

  • Guido Otto commented

    Urgently needed.
    Helpdesk / support people cannot solve issues with incompletely enrolled devices because they are not allowed to remove "in limbo" devices from Intune to start a new enrollment from scratch.

  • Nick Fields commented

    Second this, it would be great to delegate this to helpdesk staff instead of requiring Global Admins to do it...

  • Daniel Persson commented

    Nice to see that it is more than us who face the same issues.

    In my case some users have issues enrolling devices in Intune. And Intune Support told us to remove the device objects to solve it. Too bad you can't delegate that permission. I don't want my service desk personnel of 30+ technicians to be GA.

  • Bård Magnus Bergersen commented

    End users should also be able to remove their own device(s). There is a remove button on the page where the end user can view their own devices, but this only works if the end user has un-enrolled and disjoined gracefully. There are so many scenarios where this is not a viable option, i.e. reinstall, factory reset, lost or stolen, re-enrolled, device discarded/disposed of, ungraceful disconnect, etc.

    Please add a force button if necessary.

  • Bård Magnus Bergersen commented

    We are using conditional access and are Azure joining computers and mobile devices and workplace joining BYODs, so this is a big problem for us as well; we might reach 30 000 devices and we will never give support personnel global admin. We are having users reaching the device limit and not able to enroll a device. We don't want to increase the device enrollment limit for several reasons, one of them being slow update of dynamic device groups.

    Even Intune Administrator can't delete a device! This needs to be fixed asap.
