A modern PowerShell-based GUI tool for managing and offboarding devices from Microsoft Intune, Autopilot, and Entra ID (formerly Azure AD). This tool provides a streamlined interface for device lifecycle management across Microsoft services.
- ⚙️ Device Offboarding Manager
Important: All commands must be run in a PowerShell 7 session. The script will not work in PowerShell 5.1 or earlier versions.
```powershell
# Install Microsoft Graph Authentication Module
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
# Install from PowerShell Gallery
Install-PSResource DeviceOffboardingManager
# Open a new PowerShell 7 session to run the script with
DeviceOffboardingManager
```
If you encounter any issues during installation, try reinstalling:
```powershell
Install-PSResource DeviceOffboardingManager -Reinstall
```
```powershell
# Install Microsoft Graph Authentication Module
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
# Download and run the script
.\DeviceOffboardingManager.ps1
```
```powershell
# Restart the PowerShell session after installing the new version
Update-PSResource DeviceOffboardingManager
```
- Multi-Service Integration: Manage devices across Intune, Autopilot, and Entra ID
- Bulk Operations: Support for bulk device imports and operations
- Real-time Dashboard: View device statistics and distribution
- Secure Authentication: Multiple authentication methods including interactive, certificate, and client secret
- Search devices by name or serial number
- View device details including:
  - Last contact times
  - Operating system
  - Primary user
  - Management status across services
- Bulk device offboarding with confirmation
- Automatic retrieval of BitLocker/FileVault keys
- Total device counts per service
- Stale device tracking (30/90/180 days)
- Personal vs Corporate device distribution
- Platform distribution visualization
- Real-time statistics updates
- Automated device management tasks
- Pre-built reports and analyses
- Custom playbook support for specific scenarios
- PowerShell 7.0 or higher
- Microsoft.Graph.Authentication module
- Required Microsoft Graph API permissions:
  - Device.Read.All
  - DeviceManagementApps.Read.All
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementManagedDevices.ReadWrite.All
  - DeviceManagementServiceConfig.ReadWrite.All
  - Group.Read.All
  - User.Read.All
The tool supports three authentication methods:
- Interactive Login: Best for admin users with appropriate permissions
- Certificate-based: For automated or service principal authentication
- Client Secret: Alternative service principal authentication method
To connect:
- Click "Connect to MS Graph" in the sidebar
- Choose your authentication method
- Provide required credentials
- Verify connection status in the tenant information section
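A pre-flight check for the connection step, as an added example that is not part of the tool's own code: it compares the scopes on the current Microsoft Graph session (read with `Get-MgContext`) against the permissions this README lists, and reports missing and surplus ones before any offboarding is attempted. `Test-GraphScopeSet` is a hypothetical helper name, and the fallback scope set is a constructed sample used when no session is connected.

```powershell
# Added example, not part of DeviceOffboardingManager.
# Permissions copied from the requirements list in this README.
$RequiredScopes = @(
    'Device.Read.All'
    'DeviceManagementApps.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementServiceConfig.ReadWrite.All'
    'Group.Read.All'
    'User.Read.All'
)

# Hypothetical helper: diff a session's scopes against the required set.
function Test-GraphScopeSet {
    param(
        [string[]]$Granted = @(),
        [string[]]$Required = $RequiredScopes
    )
    # Sign-in scopes that a delegated login carries besides API permissions.
    $signIn  = 'openid', 'profile', 'email', 'offline_access'
    $Granted = @($Granted | Where-Object { $_ })   # drop null/empty entries
    $missing = @($Required | Where-Object { $_ -notin $Granted })
    $extra   = @($Granted  | Where-Object { $_ -notin $Required -and $_ -notin $signIn })
    [pscustomobject]@{
        Ready   = $missing.Count -eq 0
        Missing = $missing
        Extra   = $extra
    }
}

# Use the live session if Microsoft.Graph.Authentication is available and connected.
$context = if (Get-Command Get-MgContext -ErrorAction SilentlyContinue) { Get-MgContext }
if ($context) {
    $granted = $context.Scopes
    "Auth type: $($context.AuthType)  Tenant: $($context.TenantId)"
} else {
    # Constructed sample: User.Read.All absent, one broad surplus permission.
    $granted = $RequiredScopes[0..5] + 'Directory.ReadWrite.All'
}

$result = Test-GraphScopeSet -Granted $granted
$result | Format-List
if (-not $result.Ready) {
    Write-Warning "Missing: $($result.Missing -join ', ')"
}
if ($result.Extra.Count -gt 0) {
    Write-Warning "Not required by the tool: $($result.Extra -join ', ')"
}
```

Surplus entries matter most for the certificate and client secret methods, where the app registration's permissions apply to every run rather than to one signed-in admin.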
- Search for Devices:
  - Select search type (Device name/Serial number)
  - Enter search terms (supports multiple values with comma separation)
  - Click Search to retrieve device information
- Bulk Import:
  - Click "Bulk Import"
  - Select a CSV/TXT file containing device names or serial numbers
  - Verify imported devices in the search field
- Device Offboarding:
  - Select devices in the results grid
  - Click "Offboard device(s)"
  - Review the confirmation dialog
  - Note any encryption recovery keys
  - Confirm the operation
The dashboard provides real-time insights into your device management environment:
- Device counts across services
- Stale device tracking
- Ownership distribution
- Platform distribution
- Quick access to common tasks
Automated tasks for common scenarios:
- Find Autopilot devices not in Intune
- List Intune devices not in Autopilot
- Generate corporate device inventory
- View personal device inventory
- Analyze stale devices
- OS-specific device reports
- Encryption key reports
- Fork the repository
- Create a feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.