Enable Azure AD Joined Device Management Functional Limitations


Article ID: CTX588034


Description

After configuring "Enable Azure AD Joined Device Management", stale machine objects are not automatically removed from AAD.

- Made a custom AAD role with the following permissions: microsoft.directory/devices/standard/read and microsoft.directory/devices/delete

- Assigned this role to the SPN we use for the connections

- Through PowerShell, changed this property from false to true in CustomProperties: xsi:type="StringProperty" Name="AzureAdDeviceManagement" Value="true"

 

However, stale machine objects did not automatically get removed from AAD.
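The PowerShell step above can be done without clobbering any other settings already stored in the hosting connection's CustomProperties. The script below is an added example, not code from the article or from Citrix; it assumes the Citrix Remote PowerShell SDK is loaded and authenticated, that the connection is exposed under XDHyp:\Connections with a CustomProperties string in the schema shown, and the connection name is a placeholder.

```powershell
# Added example (not from the article): set AzureAdDeviceManagement on a DaaS
# hosting connection while preserving every other existing custom property.
# Assumption: Citrix Remote PowerShell SDK loaded; XDHyp:\Connections path and
# CustomProperties schema as used in Citrix documentation.
$ConnectionName = '<your-hosting-connection-name>'   # placeholder

function Set-AzureAdDeviceManagementProperty {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$CustomPropertiesXml,
        [bool]$Enabled = $true
    )
    $ns  = 'http://schemas.citrix.com/2014/xd/machinecreation'
    $xsi = 'http://www.w3.org/2001/XMLSchema-instance'

    # Start from the existing XML so other properties survive the edit.
    [xml]$doc = if ([string]::IsNullOrWhiteSpace($CustomPropertiesXml)) {
        "<CustomProperties xmlns=`"$ns`" xmlns:xsi=`"$xsi`" />"
    } else {
        $CustomPropertiesXml
    }

    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('c', $ns)
    $prop = $doc.SelectSingleNode(
        "/c:CustomProperties/c:Property[@Name='AzureAdDeviceManagement']", $nsm)

    if (-not $prop) {
        # Property absent: create <Property xsi:type="StringProperty" Name="..."/>
        $prop = $doc.CreateElement('Property', $ns)
        $typeAttr = $doc.CreateAttribute('xsi', 'type', $xsi)
        $typeAttr.Value = 'StringProperty'
        [void]$prop.Attributes.Append($typeAttr)
        $prop.SetAttribute('Name', 'AzureAdDeviceManagement')
        [void]$doc.DocumentElement.AppendChild($prop)
    }
    # Only the Value attribute of this one property changes.
    $prop.SetAttribute('Value', $Enabled.ToString().ToLower())
    return $doc.OuterXml
}

# Read current value, rewrite just the one property, write back, then verify.
$path = "XDHyp:\Connections\$ConnectionName"
$conn = Get-Item -LiteralPath $path
$newXml = Set-AzureAdDeviceManagementProperty -CustomPropertiesXml $conn.CustomProperties -Enabled $true
Set-Item -LiteralPath $path -CustomProperties $newXml
(Get-Item -LiteralPath $path).CustomProperties
```

Re-reading CustomProperties after the write is the check that the value actually persisted; the change affects new deployments and power cycles of non-persistent machines, not existing persistent device records.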

Resolution

Currently, the functionality is not available for the customer's environment (static/persistent machines).
- The currently available (limited) functionality applies only to non-persistent machines.

- DaaS does not delete Azure AD device records when deleting VMs.
   ** It only deletes Azure AD device records when power cycling VMs, to prevent duplicate Azure AD device records of a non-persistent VM from blocking its subsequent Azure AD join.

- DaaS does not delete Intune device records when deleting or power cycling VMs.
    ** [Feature Enhancement: PMCS-38968] - Engineering efforts are being tracked to support deleting Azure AD device records and Intune device records when deleting VMs.

- "DeviceManagementManagedDevices.ReadWrite.All" is for managing Intune devices; DaaS does not currently require it when performing Azure AD device management.
    ** However, this may be revisited and become required (depending on the progress of Feature Enhancement: PMCS-38968).
 

Problem Cause

Product Design / Functionality Limitation by design.