Under normal circumstances, when powering off Azure Active Directory (AAD) joined non-persistent VM, MCS agent inside VM will perform Azure AD leave and remove device record from Azure Active Directory. Occasionally, the action may fail, it will leave stale device in Azure AD. Recently, Azure AD started blocking Azure AD join when a device with same hostname is already registered.  There is a known issue recorded, refer to Known issues | Citrix DaaS

Before Citrix officially resolve this issue in product, customer admin can use the Microsoft Graph API to filter out the eligible device records of the Azure AD devices based on the NamingScheme of the non-persistent Azure AD joined Machine Catalog, and then delete device records of those VMs that no longer exist in Azure AD.  Then new VM with same host name can join Azure AD. We recommend the operation to be run as a scheduled task to ensure the stale device records can be removed in time.

You can use the script CleanDeviceByAzureFunction.ps1 in the Azure Function (run as a regular task to clean the stale device, set to run every N minute to make sure the stale device can be removed timely):

1. Create an Azure function, and “Runtime stack” is “Powershell Core”.
   Should uncomment the line below  “# 'Az' = '9.*'” in “requirements.psd1” file under “App files” of Azure function, to use the Az module in your function app.
   

2. Enable “System assigned” managed identity or “User assigned” managed identity.
   

3. Assign at least “Reader” role assignment to the managed identity, and scope should be subscription/resource groups of those deleted VMs whose Azure AD devices are requested to be cleaned up.

4. Assign the managed identity with Azure AD role of “Cloud Device Administrator” and API permission of "DeviceManagementManagedDevices.ReadWrite.All".

5. Download the CleanDeviceByAzureFunction.ps1 and copy code into Azure function.
   Note: depending on the template used to create a function, some changes are required:

   1. If use User assigned managed identity, modify file “profile.ps1” under “App files” of Azure function.
      Connect-AzAccount -Identity -AccountId "The Client ID of managed identity"
      

   2. Set “$CleanIntuneDevice” to be $True if want to clean Azure AD device's record in Intune.

   3. Set "$NamingScheme", and the naming scheme should be between 2 and 15 characters