For Windows 7/8.1 Hybrid-Registered devices, device state is not synchronized to Azure AD when the device is removed or disabled on-premises. This works for Windows 10 through AD Connect (when synchronizing the correct OUs), but it is not supported for down-level devices.

This PowerShell module uses the RSAT AD PS module and the AzureAD PowerShell module, and we recommend running it on a scheduled basis. For testing, it may be easiest to run it on the AD Connect server. You can also test as a domain user and Azure AD user without needing an elevated account (until you want to do the remove).

This script is written to query all AD computer objects (that aren't of Server OS or Windows 10), get all Azure AD Hybrid-Registered devices (that aren't Server or Windows 10), compare the object Names and remove the objects that are no longer on-prem or that have been disabled (but were registered at one point).

Future revisions will have further PS checks and error handling, and we plan on adapting this for Azure Automation at some point.

If you plan on leveraging this, we HIGHLY recommend running it without the Remove-AzureADDevice cmdlets first!
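A report-only version of the comparison described above, as an added example that is not the module's own code. The function name `Get-StaleHybridDevice`, the `-MaxStaleRatio` threshold, the OS/trust-type filters in the comments, and the sample objects are assumptions constructed for illustration.

```powershell
# Added example: compares names and reports candidates. Nothing is removed.
function Get-StaleHybridDevice {
    param(
        [object[]] $OnPremComputer,      # objects with Name and Enabled
        [object[]] $AzureDevice,         # objects with DisplayName and ObjectId
        [double]   $MaxStaleRatio = 0.2  # hypothetical safety threshold
    )
    # An empty on-prem result (failed query, wrong SearchBase) would make every
    # Azure AD device look stale, so refuse to continue.
    if (-not $OnPremComputer -or $OnPremComputer.Count -eq 0) {
        throw 'On-prem query returned no computers; aborting comparison.'
    }
    # Case-insensitive set of names that still exist on-prem AND are enabled.
    $enabled = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($c in $OnPremComputer) {
        if ($c.Enabled) { [void]$enabled.Add($c.Name) }
    }
    # Stale = registered in Azure AD but missing or disabled on-prem.
    $stale = @($AzureDevice | Where-Object { -not $enabled.Contains($_.DisplayName) })
    if ($AzureDevice.Count -gt 0 -and ($stale.Count / $AzureDevice.Count) -gt $MaxStaleRatio) {
        Write-Warning ("{0} of {1} devices flagged; review before any removal." -f
            $stale.Count, $AzureDevice.Count)
    }
    $stale | Select-Object DisplayName, ObjectId
}

# Live inputs (assumed filters; verify the property values in your own tenant):
# $onPrem = Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object {
#     $_.OperatingSystem -notlike '*Server*' -and $_.OperatingSystem -notlike 'Windows 10*' }
# $azure  = Get-AzureADDevice -All $true | Where-Object {
#     $_.DeviceTrustType -eq 'ServerAd' -and $_.DeviceOSVersion -notlike '10.*' }

# Constructed sample data so the comparison runs offline.
$onPrem = @(
    [pscustomobject]@{ Name = 'PC-001'; Enabled = $true  }
    [pscustomobject]@{ Name = 'PC-002'; Enabled = $false }   # disabled on-prem
)
$azure = @(
    [pscustomobject]@{ DisplayName = 'pc-001'; ObjectId = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ DisplayName = 'PC-002'; ObjectId = '00000000-0000-0000-0000-000000000002' }
    [pscustomobject]@{ DisplayName = 'PC-003'; ObjectId = '00000000-0000-0000-0000-000000000003' }  # deleted on-prem
)
Get-StaleHybridDevice -OnPremComputer $onPrem -AzureDevice $azure |
    Export-Csv -Path .\stale-candidates.csv -NoTypeInformation
```

Because matching is by name only, review the exported list for duplicate or reused computer names before passing any `ObjectId` to `Remove-AzureADDevice`.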

Enjoy!