When it comes to auditing orphaned devices, scripts can be an incredibly effective tool for automation. They can help you save time, especially when dealing with multiple tenants. However, there will be times when scripting isn’t feasible.
This is often true for inherited environments, audit-restricted tenants, and teams that want low-risk, UI-based methods.
In these situations, you’ll have to stick with manual auditing. The good news is that Microsoft has built-in filters and cross-tenant dashboards to help you manually identify stale or unmanaged devices.
Today, we’ll show you how to manually audit and clean up orphaned devices without relying on scripts or automation.
Auditing orphaned devices: A practical guide to using Microsoft portal views and filters
If you’re trying to manually clean up stale or orphaned devices across tenant environments, you can use native tools like Microsoft Entra, Intune, and Defender XDR to do an audit. Here’s how:
Step 1: Define what qualifies as an orphaned device
To start, you need to define what an orphaned device looks like in a tenant environment. The definition could vary depending on your policies, but some of the most common identifiers of an unmanaged device include:
- No recent sign-in or check-in for over 30 days.
- No assigned primary user in Entra ID or Intune.
- No management status (not onboarded to Defender XDR or Intune).
- Inactive Defender sensor or no recent security alerts.
Listing your criteria for orphaned devices up front will make filtering them out easier.
Step 2: Filter devices using the right admin tools
Now that you know what an orphaned device looks like, it’s time to surface them using the appropriate admin tools. You can choose from the two options below, depending on whether you manage a single or multiple tenants.
A. Surfacing devices using Entra or Intune Portals
📌 Use Case: This method is best for single-tenant environments.
- Navigate to Devices > All devices.
- Add columns relevant to your platform:
  - Entra
    - Join type
    - MDM
    - Compliant status
    - Activity Timestamp (ApproximateLastSignInDateTime)
  - Intune
    - Enrollment state
    - Compliance status
    - Last check-in or last sync
- Manually apply filters, such as:
  - “Last sign-in: more than 30 days ago”
  - “No owner assigned”
  - “Not enrolled” or “Not compliant”
These filters will give you a snapshot of which devices in a tenant environment need your attention.
B. Surfacing devices using Microsoft 365 Lighthouse or Defender XDR
📌 Use Case: This method is ideal for MSPs handling multiple tenants.
- Navigate to Tenant Overview > Devices.
- Sort devices by:
  - Last activity date
  - Sensor health or Onboarding status
  - Missing endpoint detection and response (EDR)
- Filter and export the devices with missing signals, users, or stale timestamps.
Step 3: Apply tags or manual status labels
Once you’ve filtered out all unmanaged devices, it’s time to organize them. There are a few ways to do this:
- Tag orphaned endpoints using Entra or Intune’s device category feature or custom naming standards (e.g., “StaleReview”).
- Export your orphaned device list to Excel or a CSV file.
- Track key details like device name, tenant, last seen date, and appropriate action.
Organizing your list of orphaned devices will make following up easier.
Step 4: Clean up your orphaned devices
Now for the cleanup. You have a few options to choose from, including:
- Retire the device using the built-in Entra or Intune action menus.
- Reassign ownership, if applicable.
- Disable or delete stale records after a final validation check.
- Keep a changelog of all removed or archived devices for auditing and traceability.
You can perform all of these actions through the portals mentioned in this guide; there is no need to use scripts.
Step 5: Set up a manual hygiene review cycle
Finally, you should set up a manual hygiene review cycle to ensure no orphaned device slips through the cracks. This step is not required, but it’s highly recommended.
- Open tenant dashboards.
- Apply saved views or filters.
- Export or tag devices to track remediation status.
- Create a calendar reminder so the review process becomes part of your device management routine.
Establishing a recurring review process will help keep all your tenant environments clean and optimized.
⚠️ Things to look out for
Keep these pitfalls in mind when using the two filtering options we’ve discussed:
| Risks | Potential consequences | Mitigation |
|---|---|---|
| Over/Under-filtering in Entra and Intune portals | May flag active devices as stale and miss actual orphaned endpoints | Cross-check audit results with last known activity, user assignment, and Defender signals before taking action. |
| Misinterpreting data in Lighthouse/Defender XDR | Inaccurate reports across tenants; high risk of false positives or negatives | Use multiple indicators to validate device status. |
| Exporting incomplete data | Missing context for remediation | Make sure to include key fields such as device name, tenant, last seen date, and management status in your exports. |
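As an added example (not part of the original guide), the Python below applies the Step 1 orphan criteria to a constructed CSV export of the kind produced in Step 3, and only queues a device for retirement review when more than one indicator agrees, which is the cross-check the table above calls for. The column names, sample rows and tenant names are assumptions; rename the columns to match your own export.

```python
import csv
import io
from datetime import datetime, timedelta

STALE_DAYS = 30  # Step 1 threshold: no sign-in or check-in for over 30 days
AS_OF = datetime(2025, 1, 10)  # audit date, fixed so the sample is reproducible

# Constructed sample export, not real tenant data. Column names are assumed;
# rename them to match the columns you added to the Entra or Intune view.
SAMPLE_EXPORT = """deviceName,tenant,primaryUser,managementStatus,lastSignIn,defenderSensor
LAPTOP-01,contoso,alice@contoso.com,Managed,2025-01-02,Active
LAPTOP-02,contoso,,Managed,2024-10-15,Inactive
DESKTOP-07,fabrikam,bob@fabrikam.com,Managed,2024-11-01,Active
KIOSK-03,fabrikam,,Unmanaged,,Inactive
"""

def parse_date(value):
    """Parse YYYY-MM-DD; an empty cell means the device never reported in."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d") if value else None

def evaluate(row, now):
    """Return the Step 1 orphan criteria that one exported row matches."""
    reasons = []
    last_seen = parse_date(row["lastSignIn"])
    if last_seen is None or now - last_seen > timedelta(days=STALE_DAYS):
        reasons.append("stale")
    if not row["primaryUser"].strip():
        reasons.append("no-owner")
    if row["managementStatus"].strip().lower() != "managed":
        reasons.append("unmanaged")
    if row["defenderSensor"].strip().lower() != "active":
        reasons.append("sensor-inactive")
    return reasons

def classify(csv_text, now=AS_OF, min_signals=2):
    """Map deviceName -> tenant, matched criteria and suggested next step.
    Retirement review needs at least min_signals agreeing indicators; a single
    hit only gets 'validate', the cross-check the pitfalls table calls for."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = evaluate(row, now)
        if len(reasons) >= min_signals:
            action = "review-for-retirement"
        else:
            action = "validate" if reasons else "active"
        results[row["deviceName"]] = {"tenant": row["tenant"],
                                      "reasons": reasons, "action": action}
    return results
```

Calling `classify(SAMPLE_EXPORT)` yields one entry per device; the `reasons` list doubles as the "appropriate action" context to record in your tracking sheet.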
Why tracking down and cleaning up orphaned devices is important
Stale devices don’t just clutter up your tenants’ environments; they also:
Create security gaps
If abandoned endpoints are left unmanaged for a long time, they become easy targets for attackers, who can use these assets to steal sensitive data or, worse, as entry points into your tenant’s infrastructure.
Cleaning these devices up can significantly reduce an organization’s attack surface.
Increase license waste
Orphaned devices will continue to consume licenses unless they’re decommissioned properly. This means you’re potentially spending hundreds of dollars on endpoints that no longer serve a purpose.
Lead to inaccurate reports
Stale endpoints linger in your RMM and PSA tools, leading to inaccurate reports. They can also inflate device counts, skew performance metrics, and distort compliance status, which could cause poor decision-making.
How NinjaOne can make manual device auditing easier
Although you can’t use scripting, you can leverage NinjaOne to simplify the process of auditing and managing orphaned devices.
| NinjaOne Service | What it is | How it helps |
|---|---|---|
| Device Policy Filters | Creates sophisticated device filters to quickly surface orphaned devices (e.g., last check-in >30 days and no associated user) | Simplifies the process of spotting inactive or unassigned devices |
| Device Dashboard | Exports filtered device lists to Excel or CSV | Makes extracting and sharing device data easier |
| Device Tagging | Creates custom tags, such as “To Review” and “Stale” | Helps you visually organize and track devices that need remediation |
| Ticketing Integration | Creates tickets directly from the device dashboard to track clean-up actions | Helps you maintain clear documentation of remediation steps |
Practical approach to auditing and tracking orphaned devices
Maintaining a script-free auditing process for orphaned devices gives you a practical fallback when automation isn’t possible. By leveraging native tools like Microsoft Entra and combining them with regular review cycles, you can keep your tenant inventories clean and accurate even in the most complex environments.