011: Offboarding Strategy
Overview
When offboarding users from Microsoft Intune, consider the following best practices based on your specific scenario:
Deleting a User:
If you are completely removing the user from Azure AD, work through the steps in this order:
- Retire or remote wipe devices: Retire (remove company data and management) or wipe (factory reset) every device enrolled by the user before the account is deleted. Remote actions only complete when the device next checks in, so confirm the devices have dropped out of Intune before you go on; deleting the account first leaves orphaned device records that are harder to clean up.
- Remove from Intune Administrator groups: Take the user out of any Azure AD security groups that are assigned the Intune Administrator role, and remove any direct assignment of that role.
- Delete the user from Azure AD: Once the account is deleted, Microsoft Endpoint Manager removes the user from Intune reports, device enrollment manager (DEM) accounts, and other configurations. Deleted accounts remain restorable for 30 days, so the steps above must be done first rather than relying on the deletion to do them.
Keeping a User:
If you want to preserve the user's account in Azure AD but prevent them from enrolling devices:
- Retire or remote wipe devices: Clean up Intune reports by retiring or wiping the devices enrolled by the user, exactly as in the deletion case.
- Remove from Intune Administrator groups: As in the deletion process, remove the user from any security group assigned the Intune Administrator role and from any direct role assignment.
- Restrict device enrollment: Add the user to an Azure AD security group targeted by a device type enrollment restriction that blocks all platforms. The restriction applies to the user's future enrollments only, which is why the existing devices are retired first.
- Revoke Android Enterprise tokens: If applicable, revoke any Android Enterprise enrollment tokens issued to the user in the Intune admin center so they cannot be reused to enroll new devices.
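The two procedures above share their first two steps and differ only at the end, so they fit in one script. The following is an added example written for this page, not code from Microsoft or from the original lesson. It uses the Microsoft Graph PowerShell SDK cmdlets (Get-MgUserManagedDevice, Invoke-MgRetireDeviceManagementManagedDevice, Remove-MgDirectoryRoleMemberByRef, Remove-MgGroupMemberByRef, New-MgGroupMember, Remove-MgUser). The user principal name and the name of the enrollment-blocking group are placeholders, the Intune Administrator role is looked up by its display name, and the Android Enterprise token revocation is left as a manual admin-center step because the page gives no API for it.

```powershell
<#
  Added example (not from the original page): offboard a user from Intune.
  Assumes the Microsoft.Graph modules are installed and the caller holds
  Intune Administrator, User Administrator and Groups Administrator rights.
  Without -DeleteUser the account is kept and future enrollment is blocked.
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. jdoe@contoso.com
    [switch] $DeleteUser,   # omit to keep the account but block new enrollments
    [switch] $Wipe,         # factory reset instead of retire (company data only)
    [string] $BlockEnrollmentGroup = 'Intune-Block-All-Enrollment'   # assumed group name
)

Connect-MgGraph -NoWelcome -Scopes @(
    'User.ReadWrite.All', 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName

# Step 1: retire or wipe every device enrolled by this user. The action is queued
# and completes at the device's next check-in, so the device stays listed until then.
$devices = @(Get-MgUserManagedDevice -UserId $user.Id -All)
foreach ($d in $devices) {
    if ($Wipe) {
        Write-Host "Wiping $($d.DeviceName) ($($d.OperatingSystem))"
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    } else {
        Write-Host "Retiring $($d.DeviceName) ($($d.OperatingSystem))"
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    }
}

# Step 2: strip Intune Administrator, whether assigned directly or through a group.
# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Intune Administrator'"
if ($role) {
    $userGroupIds = @(Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object Id)
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($m.Id -eq $user.Id) {
            Write-Host 'Removing direct Intune Administrator assignment'
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
        } elseif ($type -eq '#microsoft.graph.group' -and $userGroupIds -contains $m.Id) {
            Write-Host "Removing user from role-assigned group $($m.Id)"
            Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id
        }
    }
}

# Step 3: either delete the account, or keep it and block further enrollment.
if ($DeleteUser) {
    if ($devices.Count -gt 0) {
        # Enforce the page's ordering: devices must be gone before the account is.
        Write-Warning "$($devices.Count) device(s) still pending retire/wipe; re-run with -DeleteUser once they have checked in."
        return
    }
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null   # invalidate refresh tokens now
    Remove-MgUser -UserId $user.Id                            # soft-deleted, restorable for 30 days
    Write-Host "Deleted $($user.UserPrincipalName)"
} else {
    $block = Get-MgGroup -Filter "displayName eq '$BlockEnrollmentGroup'"
    if (-not $block) { throw "Enrollment-blocking group '$BlockEnrollmentGroup' not found" }
    # This group is assumed to be targeted by a device type restriction blocking all platforms.
    New-MgGroupMember -GroupId $block.Id -DirectoryObjectId $user.Id
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Host "Kept $($user.UserPrincipalName); added to '$BlockEnrollmentGroup'."
    Write-Host 'Reminder: revoke any Android Enterprise enrollment tokens for this user in the Intune admin center.'
}
```

Run it once without -DeleteUser to queue the retire or wipe actions and strip the admin role, then again with -DeleteUser after the devices have checked in; the script refuses to delete while any device is still listed, which is the ordering the two procedures above insist on. The sign-in session revocation is an addition beyond the page's list: it closes the window in which an already-issued token could still be used before the account change takes effect.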