some1somewhere asked, MarileeTurscak-MSFT edited

Unjoin a past user after deletion

A new Microsoft 365 Standard (desktop apps + Exchange) user was added to a PC before deleting the old user. The old user was simply deleted and not "disconnected" from the AAD first. The PC has also since been renamed.

Now some items are saying that the new user does not have access. In the AAD admin console, the PC still appears with the old PC name and the user says None. I've renamed it again, and I've had it resave the BitLocker key in hopes it would cause it to update to the new user. I tried, under the new user, [Disconnect] under "work or school" ... connected to XXXXX's Azure AD; it doesn't work. It asks for credentials of a local admin account, which can be an MS account or a local account; I've tried both this new user and the ticket desk Azure AD user, which also exists. The credentials are valid. It says "account info doesn't work".

dsregcmd /status shows

DEVICE state:
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
USER state:
WorkplaceJoined: NO

I noted that there is an "Azure AD removal tool". The download contains five folders for v1709 to 2004; it does not include a folder for 20H2. Is this the correct solution to resolve this issue? Will the 2004 version work for 20H2? Will I lose the profile of the current user and need to redo everything?

After deleting the old user, have you tried deleting the user permanently to make sure it is not still in the recycling bin?

Oh, I didn't know about that!

Will permanently deleting in AAD remove whatever is left behind of his join on the device? The device was listed under his name but is now listed only under "all devices" with user = None.

OR am I better to restore him in AAD and re-add him to the device (would he get the same SID?) and then do whatever process I evidently missed to disconnect him/unjoin the device properly?

1 Answer

MarileeTurscak-MSFT answered, MarileeTurscak-MSFT edited

You should remove the Azure AD join, remove the device, and turn off automatic registration.

You can remove the Azure AD join by running dsregcmd /status.

Then, if you know the object ID of the device you can try removing the device with this command:

 Remove-AzureADDevice -ObjectId "deviceIDhere"

See also: How do I remove an Azure AD registered state for a device locally?

As mentioned in the documentation, deleting an Azure AD device does not remove the registration on the client. It will only prevent access to resources that use the device as an identity (e.g. Conditional Access). When a user is deleted or disabled in Azure AD, it is not immediately known to the Windows device, so users who signed in previously can access the desktop with the cached username and password, typically for ~4 hours after deletion.

I would unjoin the device, remove the device, remove the user from the organization, and permanently delete the user.
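The following PowerShell script is an added example, not part of the question or the answer above, that walks the answer's sequence in one place: it parses `dsregcmd /status` into a lookup so the join state can be checked before and after, locates the stale device object in Azure AD by its old display name (instead of needing the object ID up front), removes it with `Remove-AzureADDevice`, and then performs the local unjoin. For the local step it uses `dsregcmd /leave`, which is a separate verb from the `/status` query the answer mentions and must run in the SYSTEM context for an Azure AD joined device; that choice, the AzureAD module, the `OLD-PC-NAME` placeholder and the `Get-DsregState` helper are all assumptions of this example.

```powershell
# Added example (not from the question or answer): check local join state, remove the
# stale device object from Azure AD, then unjoin locally and re-check.
# Assumes the AzureAD PowerShell module is installed and the session is elevated.
param(
    # Placeholder: the old display name the device still shows in the AAD portal.
    [string]$OldDeviceName = "OLD-PC-NAME",
    # Set when running in the SYSTEM context (e.g. a scheduled task or psexec -s);
    # an Azure AD join cannot be left from a normal user or admin token.
    [switch]$DoLocalLeave
)

# 1. Parse "dsregcmd /status" into a hashtable of Name -> Value (helper assumed here).
function Get-DsregState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}

$before = Get-DsregState
Write-Host ("Local state before: AzureAdJoined={0} WorkplaceJoined={1}" -f `
    $before['AzureAdJoined'], $before['WorkplaceJoined'])

# 2. Connect to Azure AD (interactive sign-in as a tenant admin).
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    throw "AzureAD module not found; install it with: Install-Module AzureAD"
}
Connect-AzureAD | Out-Null

# 3. Find every device object that still carries the old name and remove it.
#    Deleting the object only blocks device-based access (Conditional Access etc.);
#    the client still believes it is joined until step 4 runs.
$devices = @(Get-AzureADDevice -SearchString $OldDeviceName)
if ($devices.Count -eq 0) {
    Write-Warning "No device named '$OldDeviceName' found in Azure AD; nothing to remove."
}
foreach ($d in $devices) {
    Write-Host ("Removing device {0} (ObjectId {1}, last logon {2})" -f `
        $d.DisplayName, $d.ObjectId, $d.ApproximateLastLogonTimeStamp)
    Remove-AzureADDevice -ObjectId $d.ObjectId
}

# 4. Local unjoin. "dsregcmd /leave" must run as SYSTEM for an Azure AD joined device;
#    when not running as SYSTEM the script only reports what would be needed.
if ($before['AzureAdJoined'] -eq 'YES') {
    if ($DoLocalLeave) {
        dsregcmd /leave
        $after = Get-DsregState
        Write-Host ("Local state after: AzureAdJoined={0}" -f $after['AzureAdJoined'])
        if ($after['AzureAdJoined'] -ne 'NO') {
            Write-Warning "Device still reports AzureAdJoined=YES; a reboot or a SYSTEM-context run is needed."
        }
    } else {
        Write-Host "Device is Azure AD joined; rerun with -DoLocalLeave from a SYSTEM context to unjoin it."
    }
}
```

Run it twice: once as the admin to clean up the directory side, then as SYSTEM with `-DoLocalLeave` on the PC itself. The permanent deletion of the old user from the recycle bin is not scripted here; in the AzureAD module this is done by looking up the soft-deleted object and removing it (the older MSOnline module exposes the same operation as `Remove-MsolUser -RemoveFromRecycleBin`), and it should happen after the device has been unjoined so no cached state is left pointing at an object that no longer exists.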
