
Duplicates in Microsoft Entra ID and/or Microsoft Defender

If you are discovering devices from Microsoft Entra ID and Microsoft Defender, you may notice that some devices appear with duplicate names, device IDs, and domains. In most cases, these are not actual duplicate assets, but rather the result of incorrect device onboarding—especially on older Windows versions, such as Windows Server 2012.

No, it is not a duplicate. Azure reports the assets as two different machines.

Identifying “Duplicates” from Entra ID and Microsoft 365 Defender

When device onboarding is corrupt or incomplete, devices may appear as “duplicates” in vScope, sharing the same domain, name, and device ID. However, you can quickly verify whether Defender reports these as distinct machines. The most common cause is that one of the machines is reported as not registered in Entra ID. You can view this information in vScope in the Azure AD Registered column.

Devices registered/not registered in Azure AD in vScope

Verify AD Register State in Defender

To confirm whether the devices are properly registered in Entra ID:

  1. Open Microsoft 365 Defender Admin Portal (security.microsoft.com).
  2. Navigate to Hunting > Advanced hunting.
  3. Run the following query:
DeviceInfo
| project DeviceName, AadDeviceId, IsAzureADJoined
  4. Locate the devices in question and check the IsAzureADJoined value:
    • If IsAzureADJoined = 0, the device is not registered in Entra ID.
    • Since vScope relies on Entra ID for device identification, it cannot consider the same device from Defender as a match.
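
To find the affected names without scanning the full result by eye, the following advanced hunting query lists every device name that Defender reports as more than one machine, together with the join states of those machines. It is an added example, not a query supplied by vScope or Microsoft; the 7-day lookback and the output column names are assumptions, and AadDeviceId is the DeviceInfo column that holds the Entra ID device ID.

```kusto
// Added example: device names that Defender reports as more than one machine.
// The 7-day lookback is an assumption; adjust it to fit your environment.
DeviceInfo
| where Timestamp > ago(7d)
// Keep only the most recent record for each Defender machine (DeviceId).
| summarize arg_max(Timestamp, DeviceName, AadDeviceId, IsAzureADJoined) by DeviceId
// Group the machines by name and collect what differs between them.
| summarize
    Machines = count(),
    DefenderDeviceIds = make_set(DeviceId),
    EntraDeviceIds = make_set(AadDeviceId),
    JoinStates = make_set(IsAzureADJoined),
    LastSeen = max(Timestamp)
    by DeviceName
// A name backed by a single machine is not a "duplicate" candidate.
| where Machines > 1
| order by DeviceName asc
```

A row whose JoinStates contains both a joined and a not-joined value matches the case described above: one of the machines behind that name is not registered in Entra ID.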

Resolving Stale Objects in Microsoft Entra ID

If vScope displays multiple computer objects with the same name from Microsoft Entra ID, you are likely dealing with stale objects—devices that are no longer active but remain listed in Entra ID.

To resolve this issue, follow Microsoft’s best practices for managing stale devices:

🔗 How to manage stale devices in Microsoft Entra ID - Microsoft Learn