Detecting & Automatically Removing Secondary “Work Or School” Accounts: Part 4

This Article Has Been Retired!

Warning: I have chosen to “retire” this article. As time has marched on, and more information has been revealed, the blogs in this series have slowly become less and less up-to-date, and frankly, more and more of the information I was told as gospel has proved flawed or muddied. As such, I’m creating a new article to bring all of that hindsight together and document the saga this topic has become. To be clear, the tools for automated detection and removal are still up to date, but I am putting out new articles to cover them as well as the history and information surrounding this topic. Once available, I will link it below.

Take a look at my new article on Everything I Know on Subscription Activation.



Large Scale Deployment Results:

I am happy to announce that my large-scale deployment of the Automated Removal of Secondary Entra Accounts tool was a success on all fronts!

The tool successfully detected and removed secondary accounts, allowing machines to then return to an Enterprise activated OS state, all with minimal to no interruption to the employees.

Details:
To give some extra details: despite deployment to thousands of devices with hundreds targeted for true impact, there were zero reports of issues or user interruption, nor did we have any failures. Some devices did require multiple executions, but this is expected given the needs of the script. As described in part three, the cleanup simply resulted in a normal login prompt to the employee to restore the account on a per-app basis, something so simple that no calls or tickets could be tied to this action, as nobody had an issue figuring it out. In other words, we didn’t see any spike in tickets as a result of this. Reporting both via the Secondary Account Detection and monitoring of day-to-day Enterprise versus Pro OS results showed success across the board, although keep in mind that a flip back to Enterprise does require a reboot at the employee’s choosing.

Moving out of Beta:
As such, I’ve gone ahead and moved the project out of beta and to a V1.0 point, which you can download here. To be clear, there is no difference between the V0.4 and V1.0 versions; I simply declared some extra confidence in the solution by moving to V1.0.

My plans are to roll this project out, including detection, disabling of Entra Registering, and ultimately removal of secondary accounts, to additional tenants as time allows. Fingers crossed that I won’t run into anything that makes me need to put out another update.

That said, I want to say that this is still ultimately a community solution and not endorsed by Microsoft as an official solution to this problem. Recognition would be pretty cool, but the stance they seem to have taken on this topic doesn’t give me any warm fuzzy feelings of positive developments coming from their end. See my update from February of 2025 on part two of this series for more details.



Another Thank You to Rudy:
Lastly, I want to give another huge shout-out to Rudy Ooms for helping me realize my mistake (I quite literally didn’t think to stop the service, see part three) and providing the key that made this machine work. Thank you!!!

Disclaimer:

The following is the disclaimer that applies to all scripts, functions, one-liners, setup examples, documentation, etc. This disclaimer supersedes any disclaimer included in any script, function, one-liner, article, post, etc.

You running this script/function or following the setup example(s) means you will not blame the author(s) if this breaks your stuff. This script/function/setup-example is provided AS IS without warranty of any kind. Author(s) disclaim all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall author(s) be held liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the script or documentation. Neither this script/function/example/documentation, nor any part of it other than those parts that are explicitly copied from others, may be republished without author(s) express written permission. Author(s) retain the right to alter this disclaimer at any time. 

It is entirely up to you and/or your business to understand and evaluate the full direct and indirect consequences of using one of these examples or following this documentation.

The latest version of this disclaimer can be found at: https://azuretothemax.net/disclaimer/
