Overview
Stale devices accumulate silently in cloud directories: laptops that have not signed in for six months, phones that stopped syncing a year ago, retired hardware whose records were never cleaned up. They inflate license counts, distort compliance reports, and clutter every directory query an analyst runs.
Obsolete Device Management (ODM) is built for periodic cleanup campaigns: scan a directory with the inactivity threshold that matches your retention policy, review the results, then either export a report or delete in bulk.
Entra ID or Intune
Toggle between Microsoft Entra ID device records and Microsoft Intune managed devices. Each source has its own obsolescence criterion and its own column layout, adapted automatically.
Six filter axes
Inactivity window (7 days to 10 years), operating system, compliance state, device ownership, account enabled (Entra only), and free-text search — all combinable in a single query.
Bulk selection and delete
Select rows individually or all-at-once, review the deletion list (preview of 20 names + count), then confirm. Per-device HTTP status logged.
CSV export and owner lookup
Export the current view to CSV with configurable separator. For Entra ID rows, resolve registered owners via Graph in one click.
When to use ODM vs Delete Device Everywhere
Both tools are in the Enterprise tier, and the choice depends on whether you are starting from a list of device names or from a directory you want to scan. The two tools are complementary, not redundant.
| Aspect | Delete Device Everywhere | Obsolete Device Management |
|---|---|---|
| Starting point | A device name you already know | A directory you want to scan with filters |
| Systems covered | AD + SCCM + Intune + Entra ID — atomic, in one shot | Entra ID or Intune (toggle, not simultaneous) |
| Filtering | No filtering — one named device at a time (or a CSV list) | Inactivity window + OS + compliance + ownership + account state + text search |
| Bulk import | CSV/TXT of device names known in advance | Bulk selection from a search result grid |
| Preview before delete | Yes — Dry-Run scan reports FOUND / NOT FOUND per system | Implicit — the search result IS the preview; review then click Delete |
| Rollback snapshot | Yes (Preview feature in v1.0.0) | No — Graph deletions are not reversible |
| Use case fit | Endpoint decommissioning: a known device leaves the company | Periodic hygiene: clean six months of accumulated stale records |
Prerequisites
| Requirement | Minimum |
|---|---|
| Operating system | Windows 10 22H2 or Windows 11 (administrator workstation only — not the target devices) |
| .NET Framework | 4.7.2 or later |
| Microsoft Graph | An App Registration in your tenant with the required permissions (see below) |
| Network | Outbound HTTPS to graph.microsoft.com (TLS 1.2+) |
| License tier | Enterprise subscription or active 14-day trial |
Microsoft Graph permissions
These are the exact application permissions ODM requires on your App Registration. Grant admin consent after assigning them.
| Permission | Required for | Type |
|---|---|---|
| Device.Read.All | Search Entra ID devices | Application |
| Device.ReadWrite.All | Delete Entra ID devices | Application |
| User.Read.All | Get Owners (resolve registered owners on Entra ID devices) | Application |
| DeviceManagementManagedDevices.Read.All | Search Intune managed devices | Application |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Delete Intune managed devices | Application |
Initial configuration
On first launch, ODM verifies the license, then asks for Microsoft Graph credentials via the standard TontonTools credentials dialog. Credentials are shared across the suite — if you have already configured them for another tool on the same workstation and user profile, ODM picks them up automatically.
Graph authentication modes
ODM supports the three standard TontonTools Graph authentication modes. Choose the one that matches your security policy.
- Client Secret (App-only): Classic application authentication via the client_credentials grant. Suitable for lab environments and small deployments. The secret is stored DPAPI-encrypted locally.
- Certificate (App-only, JWT client assertion), recommended for production: Stronger than client secrets, with no client-secret rotation. ODM signs a JWT client assertion with the certificate private key (RS256, RFC 7523) and exchanges it for an access token. The certificate must live in Cert:\CurrentUser\My on the workstation; only the thumbprint is stored.
- Interactive (Delegated, with PKCE): The administrator signs in with their own Microsoft 365 account through a browser. All Graph operations execute under the user's own permissions and appear in Entra ID sign-in logs. No secret is stored. Requires Authentication → Allow public client flows = Yes and a public-client redirect URI (http://localhost) in the App Registration.
For full details on the three modes (App Registration setup, required prerequisites for Interactive, certificate management), see the Delete Device Everywhere documentation — the credentials flow is identical across both tools.
Main features
Source selection: Entra ID or Intune
The Source drop-down at the top of the filter bar switches the entire view between two data sources. The two sources expose different fields, so the data grid columns adapt automatically: Entra ID shows Display Name, Trust Type, Account Enabled, Object ID, On-Prem sync data; Intune shows Device Name, User Name (UPN), Manufacturer, Model, Compliance, Last Sync, and Intune Device ID.
Switching the source clears the current results and resets the column visibility. ODM does not query both sources simultaneously — you scan one directory at a time.
Obsolescence criterion: not the same field for both sources
The "Stale Days" drop-down defines what counts as obsolete. The threshold is the same — N days of inactivity — but the underlying field is different per source:
| Source | Field used | Graph filter |
|---|---|---|
| Entra ID | approximateLastSignInDateTime | le {now − N days} |
| Intune | lastSyncDateTime | lt {now − N days} |
Available thresholds range from 7 days (one week) to 3650 days (ten years), with sensible steps in between. The default selection is 180 days (six months) — a balanced starting point for a first cleanup campaign. You can also select "(all - no date filter)" to retrieve every device in the source, then use the other filters to narrow down.
Additional filters (applied client-side)
The Graph filter handles the date cutoff and the OS pre-filter where supported, but Compliance, Ownership, Account Enabled, and free-text matching are applied on the workstation after the page returns. This means the filters compose cleanly without exhausting Graph filter expression limits, at the cost of slightly more data over the wire.
- Operating System: Windows, macOS, iPhone, iPad, Android, AndroidEnterprise, AndroidForWork, Unknown. Useful to scope a campaign to a single platform.
- Compliance state: compliant, noncompliant, unknown, notApplicable, inGracePeriod, configManager. Especially useful in Intune for surfacing devices that have been non-compliant for months.
- Device ownership: company, personal, unknown. Lets you focus on corporate hardware first.
- Account Enabled (Entra ID only): Enabled or Disabled. The filter is hidden when the source is Intune (the concept does not apply there).
- Free-text filter: Matches device name, OS, version, user name, model, manufacturer, Trust Type, IDs. Case-insensitive substring match.
Search and result paging
The Search button launches the Graph query with $top=999 per page and follows @odata.nextLink until all matching records are retrieved. Progress is shown in the status bar and a busy indicator appears in the action row. The result count and the selected count are displayed at the bottom; the Activity Log on disk records the query parameters and final count.
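The query pipeline described above (the per-source date cutoff sent to Graph, @odata.nextLink paging, then the client-side filters) as an added example on constructed data; this is not ODM's own code, and the two-page response, device names and the `stale_noncompliant_corporate` helper are assumptions made for the illustration:

```python
from datetime import datetime, timedelta, timezone

# Obsolescence field and comparison operator per source, as in the table above.
STALE_FIELD = {"EntraID": ("approximateLastSignInDateTime", "le"),
               "Intune": ("lastSyncDateTime", "lt")}
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)  # fixed clock for reproducibility

def build_filter(source, stale_days, now=NOW):
    """OData $filter for the date cutoff; None means '(all - no date filter)'."""
    if stale_days is None:
        return None
    field, op = STALE_FIELD[source]
    cutoff = (now - timedelta(days=stale_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{field} {op} {cutoff}"

def fetch_all(get_page, url):
    """Follow @odata.nextLink until exhausted; get_page(url) returns a JSON dict."""
    rows = []
    while url:
        page = get_page(url)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return rows

def apply_client_filters(rows, compliance=None, ownership=None,
                         account_enabled=None, text=None):
    """Narrow rows on the workstation after paging, as ODM does."""
    wanted = {"complianceState": compliance, "managedDeviceOwnerType": ownership,
              "accountEnabled": account_enabled}
    text = (text or "").lower()
    return [r for r in rows
            if all(v is None or r.get(k) == v for k, v in wanted.items())
            and (not text or any(text in str(x).lower() for x in r.values()))]

PAGES = {  # constructed two-page Intune response (Graph managedDevice field names)
    "page1": {"@odata.nextLink": "page2", "value": [
        {"deviceName": "LAP-001", "complianceState": "noncompliant", "managedDeviceOwnerType": "company"},
        {"deviceName": "PHONE-07", "complianceState": "compliant", "managedDeviceOwnerType": "personal"}]},
    "page2": {"value": [
        {"deviceName": "LAP-002", "complianceState": "noncompliant", "managedDeviceOwnerType": "company"}]},
}

def stale_noncompliant_corporate(text="lap"):
    """Full pipeline on the constructed pages; returns the matching device names."""
    rows = fetch_all(PAGES.__getitem__, "page1")
    return [r["deviceName"] for r in apply_client_filters(
        rows, compliance="noncompliant", ownership="company", text=text)]
```

Against a real tenant, `get_page` would be an authenticated GET with `$top=999` appended to the first URL; the nextLink already carries the skip token.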
Bulk selection and deletion
Each row has a checkbox in the first column. A header checkbox toggles all visible rows. A confirmation dialog appears before any deletion, showing a preview of up to 20 device names with the total count beyond that, and an explicit IRREVERSIBLE warning. Deletions are sequential, with full per-device CMTrace logging including the HTTP status code and response body on failure. Aggregated success/failure counts are summarised at the end.
Get Owners (Entra ID only)
For Entra ID devices, the Get Owners button resolves registered owners by calling /v1.0/devices/{id}/registeredOwners for each selected row. The result populates the Owner column with the concatenated display names. This is a per-device Graph call and is the most network-intensive operation in ODM — selecting hundreds of rows before clicking Get Owners will issue hundreds of requests. The User.Read.All permission is required.
CSV export
The Export CSV button writes the current grid view to a CSV file with a configurable separator (semicolon by default, also comma or pipe), UTF-8 with BOM for Excel compatibility, and a meaningful default file name like StaleDevices_EntraID_180days_20260615.csv. The export covers all devices currently displayed in the grid — including those you have not selected — so it captures the full result set of a search. Selecting rows is only relevant for Delete and Get Owners.
Device details dialog (double-click a row)
Double-clicking any row opens a detail window with four tabs: Identity (display name, IDs, OS, manufacturer, user), Status (compliance, management state, ownership, trust type, account state), Dates (last sign-in, last sync, enrollment date, registration date, on-prem sync), and All Properties (a plain-text dump suitable for copy-pasting into a ticket). The Days Since field is colour-coded: green under 90 days, yellow at 90+, orange at 180+, red at 365+.
CMTrace logging
ODM writes a CMTrace-compatible log to C:\TEMP\ObsoleteDeviceMgmt_yyyyMMdd.log — one file per day for easier triage across multiple sessions. Every entry includes the operator (DOMAIN\User), the auth mode, the tenant, and timestamp with millisecond precision. Major operations are marked with section separators: APPLICATION STARTUP, GRAPH CONNECTION, SEARCH, DELETION, DELETION SUMMARY, APPLICATION SHUTDOWN. Open the log with CMTrace.exe (shipped with SCCM) for colored, real-time viewing.
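An added example (not ODM's own code) of the CMTrace entry format the log uses, with a small miner for failed deletions: the writer emits the standard `<![LOG[...]LOG]!>` layout with millisecond time and an operator context, and the parser reads it back. The message wording (`DELETE device=... http=...`), operator, tenant and HTTP bodies are constructed for the illustration and are not ODM's real log text:

```python
import re
from datetime import datetime

# CMTrace entry layout; time carries milliseconds plus the UTC offset in minutes.
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]+)" date="(?P<date>[^"]+)" '
    r'component="(?P<component>[^"]*)" context="(?P<context>[^"]*)" '
    r'type="(?P<type>\d)" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">')

def cmtrace_line(message, when, context, component="ODM", level=1, thread=1):
    """Format one CMTrace entry; level 1=Info, 2=Warning, 3=Error."""
    return ('<![LOG[{m}]LOG]!><time="{t}+000" date="{d}" component="{c}" '
            'context="{x}" type="{l}" thread="{th}" file="">').format(
        m=message, t=when.strftime("%H:%M:%S.%f")[:-3], d=when.strftime("%m-%d-%Y"),
        c=component, x=context, l=level, th=thread)

def parse_cmtrace(text):
    """Return one dict per entry found in a log file's text."""
    return [m.groupdict() for m in CMTRACE_RE.finditer(text)]

# Constructed entries in a hypothetical message layout (operator in the context,
# auth mode and tenant in the section header); not ODM's real wording.
OPERATOR = "CONTOSO\\jdoe"
SAMPLE_LOG = "\n".join([
    cmtrace_line("=== DELETION === auth=Certificate tenant=contoso.onmicrosoft.com",
                 datetime(2026, 6, 15, 9, 30, 0, 125000), OPERATOR),
    cmtrace_line("DELETE device=LAP-001 http=204",
                 datetime(2026, 6, 15, 9, 30, 1, 400000), OPERATOR),
    cmtrace_line('DELETE device=LAP-002 http=403 body={"error":{"code":"Authorization_RequestDenied"}}',
                 datetime(2026, 6, 15, 9, 30, 2, 10000), OPERATOR, level=3),
])

def failed_deletes(log_text):
    """Mine error-level DELETE entries from a daily log: [(device, http_status), ...]."""
    out = []
    for e in parse_cmtrace(log_text):
        m = re.match(r"DELETE device=(\S+) http=(\d{3})", e["msg"])
        if e["type"] == "3" and m:
            out.append((m.group(1), int(m.group(2))))
    return out
```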
License & read-only mode
ODM follows the TontonTools licensing model. It validates against the Lemon Squeezy License API on activation, then caches the result locally for 7 days. After that, a successful validation extends the cache; an unreachable license server triggers a 7-day grace period during which ODM continues to operate normally. After 14 days without a successful validation, the product moves to read-only mode.
What read-only mode does in ODM
- Disables Search — no Graph scan can be launched. The query buttons are greyed out.
- Disables Delete Selected — destructive operations are blocked.
- Disables Get Owners — this is also a Graph-intensive call.
- Keeps Export CSV active — if there are devices already in the grid (from a previous session or rolled-over state), they can still be exported for audit.
- Keeps the Credentials dialog accessible — you can still update tenant or App Registration settings.
- Displays a persistent banner offering to enter a license key or contact support.
For the full licensing model — Trial mechanics, machine and tenant binding, moving a license between workstations, subscription cancellation behavior — see the Licensing reference.
Typical workflow — a monthly cleanup campaign
1. Configure credentials once
   Click ⚙ Credentials, fill in Tenant ID, Client ID, and your chosen auth mode (Client Secret / Certificate / Interactive). If the credentials are already configured for another TontonTools product, ODM picks them up automatically.
2. Pick a source
   Use the Source drop-down to choose Entra ID or Intune. Most teams run two passes: Intune first (stale syncs) then Entra ID (stale sign-ins).
3. Set the inactivity window
   The default is 180 days. For a first campaign, start higher — 365 days — to focus on devices that nobody will contest as obsolete. Tighten the window on subsequent passes.
4. Add filters as needed
   For example: Windows only, ownership = company, account = Disabled. The Activity Log records every filter you applied.
5. Click Search
   The grid populates with all matching devices. The bottom-left shows the total count. Sort by clicking any column header.
6. Export to CSV before any destructive action
   Even if you intend to delete immediately, save a CSV first. It is your only record once the delete completes. Use the configured separator for your locale.
7. Review, then delete
   Select the rows you want to remove (header checkbox toggles all). Click Delete Selected. Review the confirmation preview carefully — it shows up to 20 names and the total count. Confirm only when you are sure.
8. Keep the CMTrace log
   The daily log file under C:\TEMP contains the per-device result for the campaign. Attach it to your audit record if your governance process requires it.
Limitations and design choices
- One source at a time: ODM scans Entra ID or Intune, not both in the same query. The two sources have different obsolescence semantics (sign-in vs sync) and different fields, so combining them in one grid would mislead more than help.
- No rollback snapshot: Unlike Delete Device Everywhere, ODM does not capture a JSON snapshot before deletion. Use CSV export as your pre-deletion audit trail.
- No Active Directory or SCCM coverage: ODM is a cloud-directory cleanup tool. For on-premises AD or SCCM cleanup, use the appropriate tool: Orphan Device Cleaner (coming) for SCCM, Delete Device Everywhere for individual cross-system decommissioning.
- Graph filter limits: ODM sends the date filter to Graph and applies other filters client-side. This is by design — it keeps queries simple and avoids Graph filter expression complexity caps — but it means very wide queries (e.g. "all devices" with text search) may return thousands of records before the client-side filter narrows them.
- Get Owners is per-device: Microsoft Graph does not provide a bulk endpoint for registered owners. Selecting 200 devices and clicking Get Owners issues 200 sequential Graph calls. Plan accordingly for large tenants.
Technical notes
A few implementation details that may matter for security review or change-management documentation.
- Graph API versions: Search operations use /v1.0 endpoints. Device deletions use /beta endpoints — this is the Microsoft-recommended channel for device deletion today, as the v1.0 channel does not currently expose device deletion.
- Page size: ODM requests $top=999 per page and follows @odata.nextLink until exhaustion. There is no client-imposed cap on the total number of devices returned.
- Credential storage: DPAPI-encrypted under the current Windows user profile at %AppData%\TontonTools\credentials.dat — shared across all TontonTools products on the same user account on the same workstation.
- No telemetry, no agent: ODM runs entirely from the administrator workstation. The only outbound connections are to graph.microsoft.com (for the scans and deletes) and to api.lemonsqueezy.com (for license validation, at most weekly).