lapse

Entra ID device hygiene

One timestamp can lie. lapse is a defensive review tool that compares stale device signals with human sign-in context before a cleanup decision is made.

risk: approximate device timestamps can reflect background activity
second signal: interactive person sign-in context
safe path: dry run, report, review, disable, delete only after approval

Scope: Entra ID device hygiene
Method: Compare device age with human sign-in context
Output: Dry-run report before disable or delete
Limit: Review support, not ownership authority

Local decision model

The Stale Device Test

Change the signals and watch the review path shift. Nothing is sent anywhere, saved, or scored.

Rule: No access removal from device age alone.

  • Device activity
  • Person sign-in
  • MFA context
  • Endpoint signal
  • SIEM signal

Problem

A stale device field is not a cleanup decision.

Device hygiene work can look simple until one field starts carrying too much authority. A device may appear stale while a person attached to it has recent activity that changes the review path.

Principle

Compare signals before action.

lapse treats cleanup as a review workflow. It narrows scope, checks a second signal, and produces a report before any disable or delete step is considered.

What changes after context

The important part is not the device age by itself. The important part is what happens when the person signal is checked beside it.

lapse stale device comparison examples

Device       Device signal  Person signal  Result           Review note
NYC-WIN-014  recent         recent         healthy          keep visible
BK-MAC-022   old            recent         review           do not remove from one timestamp
LAB-WIN-007  old            none found     stale candidate  document and approve before change

Guardrails

The tool is built to slow down risky cleanup.

  • dry-run first
  • company-owned scope only
  • skip VDI-style registrations
  • report before disable
  • delete only after approval
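
The comparison table and guardrails above as a dry-run classifier, an added example that is not lapse's own code. It assumes an export keyed by Microsoft Graph property names (displayName, deviceOwnership, approximateLastSignInDateTime); the owner and is_vdi keys, the 90-day window, the VDI-POOL-003 row and all timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)                 # assumed window; the page states none
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible

# Constructed sample export. "owner" and "is_vdi" are hypothetical keys that an
# export step would have to supply; they are not Graph device properties.
def dev(name, owner, last_seen, ownership="Company", is_vdi=False):
    return {"displayName": name, "owner": owner, "deviceOwnership": ownership,
            "approximateLastSignInDateTime": last_seen, "is_vdi": is_vdi}

DEVICES = [
    dev("NYC-WIN-014", "user-a", "2025-05-20T09:00:00+00:00"),
    dev("BK-MAC-022", "user-b", "2024-11-02T09:00:00+00:00"),
    dev("LAB-WIN-007", "user-c", "2024-10-15T09:00:00+00:00"),
    dev("VDI-POOL-003", "user-a", "2024-09-01T09:00:00+00:00", is_vdi=True),
]
# Last interactive sign-in per person; user-c is absent ("none found").
SIGNINS = {"user-a": "2025-05-28T14:00:00+00:00", "user-b": "2025-05-30T08:30:00+00:00"}

def is_recent(ts, now=NOW):
    """True when an ISO 8601 timestamp exists and falls inside the window."""
    if not ts:
        return False
    return now - datetime.fromisoformat(ts) <= STALE_AFTER

def review(device, person_last_signin, now=NOW):
    """Return (result, note) for one device. Never disables or deletes."""
    if str(device.get("deviceOwnership", "")).lower() != "company":
        return "out of scope", "not company-owned, skipped"
    if device.get("is_vdi"):
        return "out of scope", "VDI-style registration, skipped"
    if is_recent(device.get("approximateLastSignInDateTime"), now):
        return "healthy", "keep visible"
    if is_recent(person_last_signin, now):  # second signal overrides device age
        return "review", "do not remove from one timestamp"
    return "stale candidate", "document and approve before change"

def dry_run_report(devices, signins, now=NOW):
    """Build report rows only; any disable or delete stays a human decision."""
    return [(d["displayName"], *review(d, signins.get(d.get("owner")), now))
            for d in devices]

if __name__ == "__main__":
    for row in dry_run_report(DEVICES, SIGNINS):
        print("{:<13} {:<16} {}".format(*row))
```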

Limit

lapse supports review. It does not replace ownership context.

The tool should not decide business need, device ownership, exception status, or final removal by itself. It helps produce a cleaner review path so a human can make a safer decision.

Public note

The public case stays sanitized.

This page uses mock device names and review states. It does not publish tenant identifiers, user records, real device inventory, Graph tokens, export files, or cleanup reports.