A modern PowerShell-based GUI tool for managing and offboarding devices from Microsoft Intune, Autopilot, and Entra ID (formerly Azure AD). This tool provides a streamlined interface for device lifecycle management across Microsoft services.
Note: Version 0.3 is the final release of the PowerShell script. Development has moved to a native Windows app (WinUI 3) that will replace the script as version 0.4 — same features, no PowerShell setup required. Follow the progress in Issue #60. The script remains available on the PowerShell Gallery and critical bugs in 0.3 will still be fixed.
- ⚙️ Device Offboarding Manager
Important: All commands must be run in a PowerShell 7 session. The script will not work in PowerShell 5.1 or earlier versions.
# Install Microsoft Graph Authentication Modul
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser# Install from PowerShell Gallery
Install-Script DeviceOffboardingManager# Open a new PowerShell 7 session to run the script with
DeviceOffboardingManager# Install Microsoft Graph Authentication Modul
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
# Download and run the script
.\DeviceOffboardingManager.ps1# Restart the PowerShell Session after installing the new version
Install-Script DeviceOffboardingManager -Force- Multi-Service Integration: Manage devices across Intune, Autopilot, and Entra ID
- Bulk Operations: Support for bulk device imports and operations
- Real-time Dashboard: View device statistics and distribution
- Secure Authentication: Multiple authentication methods including interactive, certificate, and client secret
- Search devices by name or serial number
- View device details including:
- Last contact times
- Operating system
- Primary user
- Management status across services
- Bulk device offboarding with confirmation
- Automatic retrieval of BitLocker/FileVault keys
- Total device counts per service
- Stale device tracking (30/90/180 days)
- Personal vs Corporate device distribution
- Platform distribution visualization
- Real-time statistics updates
- Automated device management tasks
- Pre-built reports and analyses
- Custom playbook support for specific scenarios
- PowerShell 7.0 or higher
- Microsoft.Graph.Authentication module
- Required Microsoft Graph API permissions:
- Device.ReadWrite.All
- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
- Group.Read.All
- User.Read.All
- BitlockerKey.Read.All
- DeviceLocalCredential.Read.All (for LAPS passwords)
- Optional: MSAL.PS module (only if you enable the Defender for Endpoint integration)
The built-in Prerequisites dialog (sidebar) checks all of this for you and can install missing modules.
The Graph permissions above are not sufficient on their own when you sign in interactively — your admin account also needs directory/Intune roles, otherwise offboarding fails with 403 Forbidden:
| Operation | Required role |
|---|---|
| Delete device from Entra ID | Cloud Device Administrator (or Intune Administrator) |
| Delete device from Intune | Intune Administrator, or an Intune RBAC role with Managed devices – Delete |
| Delete device from Autopilot / set group tags | Intune Administrator |
| Read BitLocker recovery keys | A role permitted to read BitLocker keys (e.g. Cloud Device Administrator, Intune Administrator, Helpdesk Administrator) |
| Read LAPS passwords | Cloud Device Administrator or Intune Administrator |
Since 0.3 the tool detects 403 responses and tells you which role is likely missing instead of showing raw JSON. If your tenant uses Multi-Admin Approval (MAA) for protected operations, deletions are reported as "Requires Multi-Admin Approval" — approve the request in Intune and re-run.
For app-only authentication (certificate or client secret), the application permissions listed under Prerequisites are sufficient; directory roles do not apply.
The tool supports four authentication methods:
- Interactive Login: Best for admin users with appropriate permissions
- Device Code Login: Interactive login without a browser redirect — use this if the normal interactive login fails with localhost-redirect or WAM errors (common on locked-down machines and in remote sessions)
- Certificate-based: For automated or service principal authentication
- Client Secret: Alternative service principal authentication method
To connect:
- Click "Connect to MS Graph" in the sidebar
- Choose your authentication method
- Provide required credentials
- Verify connection status in the tenant information section
Certificate and client secret configurations can be saved and are auto-loaded on the next start (stored in %LocalAppData%/DeviceOffboardingManager; the client secret itself is never persisted).
Offboarding devices from Microsoft Defender for Endpoint is available as an opt-in integration, disabled by default:
- Open the Prerequisites dialog from the sidebar
- Enable the Defender for Endpoint integration toggle (persisted in
settings.json) - Install the optional MSAL.PS module when prompted
Once enabled, Defender appears as an additional offboarding target. It requires WindowsDefenderATP permissions (Machine.ReadWrite.All, Machine.Offboard) on your app registration. Both app-only (certificate / client secret) and delegated authentication are supported.
-
Search for Devices:
- Select search type (Device name / Serial number / Device ID / Contains partial match)
- Enter search terms (supports multiple values with comma separation)
- Click Search to retrieve device information
- Filter the results grid live via the filter boxes above each column; shift-click checkboxes to select ranges
-
Bulk Import:
- Click "Bulk Import"
- Select a CSV/TXT file containing device names or serial numbers
- Verify imported devices in the search field
-
Device Offboarding:
- Select devices in the results grid
- Click "Offboard device(s)"
- Review the confirmation dialog (shows the exact Entra/Intune/Autopilot IDs that will be affected, plus co-management warnings)
- Note any encryption recovery keys and LAPS passwords
- Confirm the operation
-
Set Autopilot Group Tags:
- Select devices in the results grid
- Click "Set Group Tag" to assign or clear the Autopilot group tag for all selected devices
The dashboard provides real-time insights into your device management environment:
- Device counts across services
- Stale device tracking
- Ownership distribution
- Platform distribution
- Quick access to common tasks
Automated tasks for common scenarios:
- Find Autopilot devices not in Intune
- List Intune devices not in Autopilot
- Generate corporate device inventory
- View personal device inventory
- Analyze stale devices
- OS-specific, outdated-OS, and end-of-life-OS device reports
- BitLocker and FileVault key reports
- Corporate identifier stale report
Playbooks are bundled inside the script, so they also work when installed via Install-Script from the PowerShell Gallery.
- Fork the repository
- Create a feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.


