Never Used Device

LOW
Note: This indicator is in Early Access.

Description

A never used device is a device account created in Entra ID that has never authenticated in a certain number of days (90 days by default, customizable) since its creation.

Unlike Active Directory, where administrators can sometimes pre-create computer accounts, Microsoft Entra ID has no feature for pre-creating device accounts. However, pre-created device accounts can still exist in Entra ID via Microsoft Entra Connect. When Microsoft Entra hybrid join is enabled, Entra Connect pre-creates the computer accounts in Entra ID corresponding to the Active Directory ones.

Never used device accounts range from being merely unhygienic to being outright suspicious, potentially indicating the use of offensive tools like AADInternals by attackers.

Also, consider the related IoE "Dormant Device", which identifies all previously active devices that have since become inactive.

Note:

  1. This IoE relies on the approximateLastSignInDateTime property, which does not update in real time. The stored value is updated only if it differs from the current value by more than 14 days (+/-5 days).
  2. For this reason, Microsoft acknowledges that "some active devices may have a blank time stamp". In such instances, investigate further using the sign-in audit logs, which can show more frequent updates for the device.

Solution

Tenable recommends that you regularly review and disable or delete never used devices. After identifying them, take the following actions:

  1. Disable them.
  2. Wait a few months.
  3. After this delay, if there are no reported issues, and if the organization's information security policy allows, proceed to delete them.

Microsoft published a guide on How To: Manage stale devices in Microsoft Entra ID, which provides insights into managing stale devices based on their join type (e.g., Microsoft Entra registered, Microsoft Entra joined, etc.). We recommend reviewing it before deleting any devices.
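
The check from the Description and the first Solution step, as an added example that is not Tenable's implementation. It assumes device records exported as JSON from Microsoft Graph; the sample records are constructed, and the `createdDateTime`, `trustType` and `accountEnabled` field names and the `ServerAd` value for hybrid-joined devices are assumptions about that export (only `approximateLastSignInDateTime` is named on this page).

```python
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 90  # default stated on this page; customizable

# Constructed sample records (not real tenant data).
SAMPLE_DEVICES = [
    {"displayName": "HYBRID-PC-01", "createdDateTime": "2024-01-10T00:00:00Z",
     "approximateLastSignInDateTime": None, "trustType": "ServerAd", "accountEnabled": True},
    {"displayName": "UNKNOWN-DEV-02", "createdDateTime": "2023-11-05T00:00:00Z",
     "approximateLastSignInDateTime": None, "trustType": "AzureAd", "accountEnabled": False},
    {"displayName": "NEW-TABLET-03", "createdDateTime": "2024-05-01T00:00:00Z",
     "approximateLastSignInDateTime": None, "trustType": "Workplace", "accountEnabled": True},
    {"displayName": "ACTIVE-PC-04", "createdDateTime": "2023-06-01T00:00:00Z",
     "approximateLastSignInDateTime": "2024-05-20T00:00:00Z", "trustType": "AzureAd",
     "accountEnabled": True},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; a blank or missing value stays None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def never_used_devices(devices, now, threshold_days=THRESHOLD_DAYS):
    """Return devices with no sign-in timestamp that are older than the threshold."""
    cutoff = now - timedelta(days=threshold_days)
    findings = []
    for dev in devices:
        created = parse_ts(dev.get("createdDateTime"))
        last_seen = parse_ts(dev.get("approximateLastSignInDateTime"))
        # Skip devices that have signed in, are too recent, or cannot be dated.
        if created is None or last_seen is not None or created > cutoff:
            continue
        findings.append({
            "name": dev["displayName"],
            "age_days": (now - created).days,
            # Hybrid-joined accounts may have been pre-created by Entra Connect.
            "origin": "hybrid-sync" if dev.get("trustType") == "ServerAd" else "other",
            # Solution steps: disable first, delete only after the waiting period.
            "next_step": "disable" if dev.get("accountEnabled") else "wait-then-delete",
        })
    return findings

if __name__ == "__main__":
    for finding in never_used_devices(SAMPLE_DEVICES, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(finding)
```

Because an active device can still have a blank timestamp, treat each result as a candidate to confirm against the sign-in logs before disabling it.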

Indicator Details

Name: Never Used Device

Codename: NEVER-USED-DEVICE

Severity: Low

MITRE ATT&CK Information: