Find and clean devices owned by deleted, disabled or non-existent users.

Recover M365 licenses, eliminate ghost devices, and reduce your Entra ID attack surface. Four orphan categories detected automatically. One-click reassignment or deletion.

Included in the Pro tier · 14-day trial, no card

Orphan Device Cleaner

The problem

Every time someone leaves your company, their workstation might stay registered in Entra ID — long after their account is disabled or deleted.

  • License consumption: orphan devices keep consuming the M365 licenses you are still paying for.
  • Compliance noise: they appear in reports as "unknown" or "orphaned" and pollute your green percentage.
  • Security surface: stale identities provide a foothold for lateral movement during incidents.
  • Hidden volume: most enterprises carry 3-8% of total devices as orphans — and have no visibility into the number.

The TontonTools way

Orphan Device Cleaner scans Intune and Entra ID for owner validity and classifies every device into one of four categories.

  • NO_USER: no owner attribute set on the device record.
  • DELETED_USER: owner UPN no longer exists in AD / Entra ID.
  • DISABLED_USER: owner account is disabled — device may be stuck on a leaver.
  • SHARED: multiple owners on the same device — kiosks and conference rooms by design, flagged but never recommended for deletion.

Key features

Built for high-stakes operations where forgetting a system is not an option.

  • Four orphan categories

    NO_USER, DELETED_USER, DISABLED_USER, SHARED — color-coded badges. Each category gets the action it deserves.

  • Bulk owner resolution

    Queries thousands of devices against AD and Entra ID in minutes. Side-by-side display of the claimed owner versus the verified reality.

  • Per-category bulk actions

    Delete from Intune, delete from Entra, both, or reassign to a new owner. Choose the right action per category in one panel.

  • License recovery report

    "X devices × €Y per month = €Z annual saving" — turns orphan cleanup into a concrete budget conversation with finance.

  • Stale identity reduction

    Every deleted orphan is one less stale device identity in your tenant. Direct improvement to your attack surface metrics.

  • CMTrace audit log

    Every action timestamped in C:\TEMP\OrphanDeviceCleaner.log. JSON snapshot before every deletion for traceability.

See it in action

Real screens. No marketing renders.

  • Detect orphans and sort them into four buckets — no user, disabled, deleted, or shared — with live counts.
  • Add an inactivity threshold, from 30 days to never-active, to surface devices that are truly safe to clean.
  • Filter by OS, and shared or kiosk devices stay flagged in yellow so a live endpoint is never deleted.
  • One cross-platform grid — Windows, macOS, iOS, Android — with Owner UPN resolution and one-click export.

Technical details

What runs where. What it writes to disk. What permissions it needs.

Authentication

Microsoft Graph — Client Secret or Certificate (JWT Client Assertion)

Systems

Microsoft Intune

Microsoft Entra ID

Active Directory (on-prem) — for hybrid owner verification

Audit log

CMTrace-compatible — C:\TEMP\OrphanDeviceCleaner.log

Snapshots

C:\TEMP\ODC_Snapshots\<timestamp>\ — JSON record before every deletion

Who it's for

IT Ops managers and Modern Workplace leads who need to justify their license spend, improve their compliance reporting accuracy, or harden their security posture against stale identities. CFOs ask "how many M365 licenses are we wasting?" — this tool gives the answer.

Recover M365 licenses you're paying for in vain.

Try Orphan Device Cleaner — included in Pro and Enterprise tiers.