WHAT    

Finds stale Azure Active Directory (AD) devices based on the ApproximateLastLogonTimeStamp attribute.

Targets either Azure AD joined, Azure AD hybrid joined or Azure AD workplace joined devices.

Also finds on-prem computer accounts for Hybrid join.

 

DETAIL

Get-MsolDevice -All is used by the function to get the list of candidate devices, as it has built-in logic to skip Autopilot devices and other system-managed devices. It uses the ApproximateLastLogonTimeStamp attribute together with a DeviceTrustType attribute value of 'Azure AD Joined', 'Domain Joined' or 'Workplace Joined' to find stale Azure AD devices. Device trust types are targeted with the -AaDJoined, -HybridJoined and -WorkPlaceJoined switches.

   
For a cloud device, 'Stale' is defined as the device object in Azure AD having an ApproximateLastLogonTimeStamp value that is older than the supplied threshold of today minus 60, 90, 120, 150, 180 or 360 days.
   
The distinction between Azure AD joined, Azure AD hybrid joined and Azure AD workplace joined devices is important: the -HybridJoined switch also checks whether the matching computer object in Windows Server Active Directory is 'Stale', 'NotStale' or 'Orphaned'.
Furthermore, with the -HybridJoined switch, for a Windows 10 device the function will attempt to match the DeviceId of the cloud device to the objectGUID of the on-premises computer account to prove an association. For a down-level device, e.g. Windows 7 or Windows 8, the function will attempt to match the DisplayName of the cloud device to the name of the on-premises computer account to establish an association. This latter method relies on a name only, so it can produce an inaccurate match (for example where a computer name has been reused).
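The following is an added example and is not the function's own code. It reproduces the classification rules described above on constructed, in-memory objects so that it runs without the MSOnline module, an AD connection or a tenant. The object shapes only mirror Get-MsolDevice and Get-ADComputer output (ApproximateLastLogonTimestamp, DeviceTrustType, DeviceId, DisplayName, DeviceOsType; ObjectGUID, Name, LastLogonDate). The function names Test-CloudDeviceStale and Resolve-HybridComputer, the rule that a device with no logon timestamp counts as 'Stale', the rule that 'Orphaned' means no on-premises match was found, and the extra 'Ambiguous' state for duplicate display-name matches are all assumptions made for this example, not behaviour taken from the function.

```powershell
# Added example, not the function's own code. Classifies constructed cloud device
# objects and resolves hybrid-joined ones against constructed on-prem computer objects.

function Test-CloudDeviceStale {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [psobject]$Device,
        [Parameter(Mandatory)] [ValidateSet(60, 90, 120, 150, 180, 360)] [int]$ThresholdDays,
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$ThresholdDays)
    # Assumption: a device that has never reported a logon is treated as stale.
    if (-not $Device.ApproximateLastLogonTimestamp) { return 'Stale' }
    if ([datetime]$Device.ApproximateLastLogonTimestamp -lt $cutoff) { 'Stale' } else { 'NotStale' }
}

function Resolve-HybridComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [psobject]$CloudDevice,
        [Parameter(Mandatory)] [object[]]$Computers,
        [Parameter(Mandatory)] [int]$ThresholdDays,
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$ThresholdDays)
    if ($CloudDevice.DeviceOsType -like 'Windows 10*') {
        # Strong match: the cloud DeviceId is the objectGUID of the on-prem computer account.
        $match = $Computers | Where-Object { [guid]$_.ObjectGUID -eq [guid]$CloudDevice.DeviceId }
        $method = 'DeviceId=objectGUID'
    } else {
        # Weak match for down-level OS: name only. Names can be reused, so flag it.
        $match = $Computers | Where-Object { $_.Name -eq $CloudDevice.DisplayName }
        $method = 'DisplayName'
    }
    $match = @($match)
    # Assumption: no on-prem match => 'Orphaned'; more than one => 'Ambiguous' (added state).
    $state = if ($match.Count -eq 0) { 'Orphaned' }
             elseif ($match.Count -gt 1) { 'Ambiguous' }
             elseif (-not $match[0].LastLogonDate -or $match[0].LastLogonDate -lt $cutoff) { 'Stale' }
             else { 'NotStale' }
    [pscustomobject]@{
        DisplayName   = $CloudDevice.DisplayName
        CloudState    = Test-CloudDeviceStale -Device $CloudDevice -ThresholdDays $ThresholdDays -Now $Now
        OnPremState   = $state
        MatchMethod   = $method
        LowConfidence = ($method -eq 'DisplayName')
    }
}

# Constructed sample data; not real tenant or directory output.
$now = [datetime]'2023-06-01'
$cloud = @(
    [pscustomobject]@{ DisplayName='PC-01'; DeviceTrustType='Domain Joined'; DeviceOsType='Windows 10 Enterprise'
                       DeviceId=[guid]'11111111-1111-1111-1111-111111111111'; ApproximateLastLogonTimestamp=$now.AddDays(-5) }
    [pscustomobject]@{ DisplayName='PC-02'; DeviceTrustType='Domain Joined'; DeviceOsType='Windows 10 Enterprise'
                       DeviceId=[guid]'22222222-2222-2222-2222-222222222222'; ApproximateLastLogonTimestamp=$now.AddDays(-200) }
    [pscustomobject]@{ DisplayName='PC-03'; DeviceTrustType='Domain Joined'; DeviceOsType='Windows 7 Professional'
                       DeviceId=[guid]'33333333-3333-3333-3333-333333333333'; ApproximateLastLogonTimestamp=$now.AddDays(-100) }
    [pscustomobject]@{ DisplayName='LAPTOP-AADJ'; DeviceTrustType='Azure AD Joined'; DeviceOsType='Windows 10 Enterprise'
                       DeviceId=[guid]'44444444-4444-4444-4444-444444444444'; ApproximateLastLogonTimestamp=$now.AddDays(-400) }
)
$onprem = @(
    # PC-01: objectGUID equals the cloud DeviceId, recent logon -> NotStale.
    [pscustomobject]@{ Name='PC-01'; ObjectGUID=[guid]'11111111-1111-1111-1111-111111111111'; LastLogonDate=$now.AddDays(-3) }
    # PC-03: down-level, matched by name only; objectGUID intentionally differs.
    [pscustomobject]@{ Name='PC-03'; ObjectGUID=[guid]'99999999-9999-9999-9999-999999999999'; LastLogonDate=$now.AddDays(-95) }
    # PC-02 has no on-prem account at all -> Orphaned.
)

# Scope to hybrid-joined devices the way the -HybridJoined switch would, then resolve each.
$cloud | Where-Object DeviceTrustType -eq 'Domain Joined' |
    ForEach-Object { Resolve-HybridComputer -CloudDevice $_ -Computers $onprem -ThresholdDays 90 -Now $now } |
    Format-Table -AutoSize
```

With a 90-day threshold this yields PC-01 as NotStale/NotStale, PC-02 as Stale/Orphaned, and PC-03 as Stale/Stale with LowConfidence set because only the name matched. The LowConfidence flag is the practical caveat: never disable or delete a down-level computer account on the strength of a DisplayName match alone without confirming the association another way.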
 
There are some additional switches only usable with the -HybridJoined switch:

IMPORTANT
 
HOW
 
This is an advanced function: it will need dot sourcing.
 
Use the comment-based help!
 
See this document for more information on Azure AD and stale devices:
 
https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices