Measures reported by AzureADDevicesTest
A device identity is an object in Azure Active Directory (Azure AD). This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions.
There are three ways to get a device identity:
Azure AD registration: The goal of Azure AD registered - also known as Workplace joined - devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization's resources using a personal device. Azure AD registered devices are signed in to using a local account like a Microsoft account on a Windows 10 or newer device. These devices have an Azure AD account for access to organizational resources. Access to resources in the organization can be limited based on that Azure AD account and Conditional Access policies applied to the device identity.
Azure AD join: Any organization can deploy Azure AD joined devices no matter the size or industry. Azure AD join works even in hybrid environments, enabling access to both cloud and on-premises apps and resources. Azure AD joined devices are signed in to using an organizational Azure AD account. Access to resources can be controlled based on Azure AD account and Conditional Access policies applied to the device.
Hybrid Azure AD join: Hybrid Azure AD join is seen as an interim step on the road to Azure AD join. Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Azure Active Directory (Azure AD) by implementing hybrid Azure AD joined devices. These devices are joined to your on-premises Active Directory and registered with Azure Active Directory.
Each year, more and more cloud consumers are opting to access their cloud resources on-the-go, using any mobile device they prefer. Owing to this demand, enterprises are compelled to allow their employees to access their cloud-based organizational artefacts using their personal devices. As a result, enterprises are now having to manage a plethora of devices with varying configurations and complexities. One of the key challenges in device management in such environments is 'stale devices'. Stale devices are devices that have not been actively used beyond a configured duration. Besides adding to an administrator's management overheads, stale devices also interfere with the general lifecycle policies for devices in a cloud organization. It would therefore be good practice to identify such devices and remove/deregister them.
Where a large number of device identities are managed, the cumbersome responsibility of tracking the usage of devices over time and identifying the stale ones falls on the administrator. The AzureADDevicesTest seeks to ease the burden of administrators in this regard!
This test periodically monitors the status of devices that are managed by an Azure organization, and promptly alerts administrators to stale devices. Detailed diagnostics reveal which devices are stale, thereby saving administrators the time and trouble involved in identifying the stale devices. Additionally, you can use this test to track the removal/deletion of devices.
Outputs of the test: One set of results for the Azure AD tenant being monitored
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
| --- | --- | --- | --- |
| Total_devices | Indicates the total number of devices that are registered with Azure AD. | Number | |
| Enabled_devices | Indicates the number of devices that are currently enabled. | Number | |
| stale_devices | Indicates the number of devices that are currently stale. | Number | A stale device is a device that has been registered with Azure AD but hasn't been used to access any cloud apps for or beyond the duration configured against the Stale Days Limit parameter of this test. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because: (1) duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active; (2) an increased number of devices creates unnecessary device writebacks, increasing the time for Azure AD Connect syncs; (3) as general hygiene and to meet compliance, you may want to have a clean state of devices; (4) stale devices in Azure AD can interfere with the general lifecycle policies for devices in your organization. Ideally, therefore, the value of this measure should be 0. A non-zero value implies that one or more devices are stale. You can use the detailed diagnosis of this measure to know which are the stale devices. To reduce management pains and to avert compliance issues, you may want to consider cleaning up stale devices. To efficiently clean up stale devices in your environment, you should define a related policy. This policy helps you to ensure that you capture all considerations that are related to stale devices. |
| rcntly_rgstrd_dvcs | Indicates the number of devices that were registered recently, i.e., in the past period configured against the Recent Days Limit parameter. | Number | |
| rcntly_rmvd_dvcs | Indicates the number of devices that were removed recently, i.e., in the past period configured against the Recent Days Limit parameter. | Number | |
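The following Python script is an added example, not eG Innovations' code, showing how the five measures above can be derived from device records and how the Stale Days Limit and Recent Days Limit parameters drive the stale and "recent" counts. The record shape loosely follows the Microsoft Graph device resource (`accountEnabled`, `registrationDateTime`, `approximateLastSignInDateTime`); treating a separate deleted-items feed with a `deletedDateTime` field as the source of removed devices, the sample records themselves, and the `NOW` timestamp are all assumptions made for this example. It also handles the edge case the table implies but does not spell out: a device that has never signed in since registration is judged by its registration date rather than being silently counted as fresh.

```python
"""Added example (not part of the eG Enterprise product): compute the
AzureADDevicesTest measures from constructed device records."""
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is deterministic (constructed value).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample records. Field names follow the Microsoft Graph device
# resource; the values are invented for this example.
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-A", "accountEnabled": True,
     "registrationDateTime": "2023-01-10T09:00:00Z",
     "approximateLastSignInDateTime": "2024-02-27T08:15:00Z"},
    {"displayName": "LAPTOP-B", "accountEnabled": True,
     "registrationDateTime": "2023-06-01T09:00:00Z",
     "approximateLastSignInDateTime": "2023-10-05T12:00:00Z"},  # stale
    {"displayName": "PHONE-C", "accountEnabled": False,
     "registrationDateTime": "2022-11-20T09:00:00Z",
     "approximateLastSignInDateTime": None},                    # never signed in, disabled
    {"displayName": "LAPTOP-D", "accountEnabled": True,
     "registrationDateTime": "2024-02-25T10:30:00Z",
     "approximateLastSignInDateTime": "2024-02-28T07:00:00Z"},  # recently registered
]

# Assumed deleted-items feed (constructed): devices removed from the tenant.
SAMPLE_DELETED = [
    {"displayName": "OLD-TABLET", "deletedDateTime": "2024-02-26T00:00:00Z"},
    {"displayName": "ANCIENT-PC", "deletedDateTime": "2023-12-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_stale(device, now, stale_days_limit):
    """Stale = last sign-in is at or beyond the Stale Days Limit.
    A device with no recorded sign-in falls back to its registration date,
    so a never-used device cannot hide as 'fresh'."""
    last = parse_ts(device.get("approximateLastSignInDateTime"))
    if last is None:
        last = parse_ts(device["registrationDateTime"])
    return now - last >= timedelta(days=stale_days_limit)


def device_measures(devices, deleted, now, stale_days_limit=90, recent_days_limit=7):
    """Return the measures as a dict keyed by the measure names on this page,
    plus the list of stale device names (the 'detailed diagnosis')."""
    recent_cutoff = now - timedelta(days=recent_days_limit)
    stale_names = [d["displayName"] for d in devices
                   if is_stale(d, now, stale_days_limit)]
    return {
        "Total_devices": len(devices),
        "Enabled_devices": sum(1 for d in devices if d["accountEnabled"]),
        "stale_devices": len(stale_names),
        "stale_device_names": stale_names,
        "rcntly_rgstrd_dvcs": sum(
            1 for d in devices
            if parse_ts(d["registrationDateTime"]) >= recent_cutoff),
        "rcntly_rmvd_dvcs": sum(
            1 for d in deleted
            if parse_ts(d["deletedDateTime"]) >= recent_cutoff),
    }


if __name__ == "__main__":
    for name, value in device_measures(SAMPLE_DEVICES, SAMPLE_DELETED, NOW).items():
        print(f"{name}: {value}")
```

Raising `stale_days_limit` shrinks the stale count (LAPTOP-B drops out at 200 days while the never-used PHONE-C stays), which is the same effect the Stale Days Limit parameter has on the measure; the disabled PHONE-C also shows why `Enabled_devices` and `stale_devices` are reported separately, since a device can be disabled yet still count against your lifecycle policy.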