Control 3.6: Orphaned Agent Detection and Remediation - Troubleshooting
This playbook provides troubleshooting guidance for Control 3.6.
Common Issues and Resolutions
Issue: False Positives in Detection
Symptoms: Active agents flagged as orphaned
Resolution:
- Verify user lookup against correct Entra ID tenant
- Check for guest vs. member user types
- Adjust inactivity threshold if too aggressive
- Add exclusions for service accounts
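The checks above, applied as classification logic over constructed sample data (an added example, not part of the original playbook or its scripts). The threshold, exclusion list, record shapes and status labels are assumptions; in practice the owner records would come from a user lookup against the tenant that hosts the agents.

```powershell
# Added example; all records below are constructed sample data.
$ThresholdDays = 90                               # assumed inactivity threshold
$Exclusions    = @('svc-agents@company.com')      # assumed service-account exclusions
$AsOf          = [datetime]'2026-01-15'           # fixed date so results are repeatable

# Owner lookup results keyed by sign-in name (hypothetical shape; UserType and
# AccountEnabled are the Entra ID user properties the checks rely on).
$Owners = @{
    'alice@company.com'      = @{ AccountEnabled = $true;  UserType = 'Member' }
    'bob@company.com'        = @{ AccountEnabled = $false; UserType = 'Member' }
    'pat@partner.example'    = @{ AccountEnabled = $true;  UserType = 'Guest'  }
    'svc-agents@company.com' = @{ AccountEnabled = $true;  UserType = 'Member' }
}

$Agents = @(
    [pscustomobject]@{ Name = 'HR Helper';   Owner = 'alice@company.com';      LastUsed = [datetime]'2026-01-10' }
    [pscustomobject]@{ Name = 'Old FAQ Bot'; Owner = 'alice@company.com';      LastUsed = [datetime]'2025-06-01' }
    [pscustomobject]@{ Name = 'Sales Agent'; Owner = 'bob@company.com';        LastUsed = [datetime]'2026-01-12' }
    [pscustomobject]@{ Name = 'Vendor Bot';  Owner = 'pat@partner.example';    LastUsed = [datetime]'2026-01-11' }
    [pscustomobject]@{ Name = 'Nightly Job'; Owner = 'svc-agents@company.com'; LastUsed = [datetime]'2025-03-01' }
    [pscustomobject]@{ Name = 'Legacy Bot';  Owner = 'carol@company.com';      LastUsed = [datetime]'2026-01-05' }
)

function Get-OrphanStatus {
    param($Agent, [hashtable]$Owners, [string[]]$Exclusions, [int]$ThresholdDays, [datetime]$AsOf)

    # Exclusions first, so service accounts are never flagged.
    if ($Exclusions -contains $Agent.Owner) { return 'Excluded: service account' }
    # A failed lookup may mean the wrong tenant was queried, so queue it for review.
    if (-not $Owners.ContainsKey($Agent.Owner)) { return 'Review: owner not found in queried tenant' }

    $record = $Owners[$Agent.Owner]
    if (-not $record.AccountEnabled) { return 'Orphaned: owner account disabled' }
    # Guest owners are reported separately instead of being mixed with members.
    if ($record.UserType -eq 'Guest') { return 'Review: guest owner' }

    $idleDays = ($AsOf - $Agent.LastUsed).Days
    if ($idleDays -gt $ThresholdDays) { return "Review: inactive for $idleDays days" }
    return 'Active'
}

$Agents | ForEach-Object {
    [pscustomobject]@{
        Agent  = $_.Name
        Owner  = $_.Owner
        Status = Get-OrphanStatus -Agent $_ -Owners $Owners -Exclusions $Exclusions -ThresholdDays $ThresholdDays -AsOf $AsOf
    }
} | Format-Table -AutoSize
```

Only a confirmed disabled owner account is labelled orphaned here; every other anomaly lands in a review bucket so that a lookup or threshold problem does not trigger remediation.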
Issue: Reassignment Fails
Symptoms: Unable to transfer ownership
Resolution:
- Verify new owner has appropriate license
- Check environment access permissions
- Ensure new owner exists in tenant
- Try using Admin PowerShell module
Issue: Archived Agent Still Accessible
Symptoms: Disabled agent still responding
Resolution:
- Verify disable command completed
- Check for cached sessions
- Clear CDN cache if applicable
- Force refresh agent status
Issue: Detection Script Timeout
Symptoms: Script fails on large tenant
Resolution:
- Run detection by environment batches
- Increase PowerShell timeout
- Use pagination for large user lists
- Consider parallel processing
Diagnostic Commands
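```powershell
# Verify agent status
Get-AdminPowerApp -AppName "agent-id" -EnvironmentName "environment" | Select-Object DisplayName, AppType, IsDeleted

# Check user status
# AccountEnabled is not in Get-MgUser's default property set, so request it
# explicitly; otherwise it comes back empty and the owner can be misclassified.
Get-MgUser -UserId "owner@company.com" -Property DisplayName, AccountEnabled | Select-Object DisplayName, AccountEnabled

# List disabled agents
Get-AdminPowerApp -EnvironmentName "environment" | Where-Object { $_.Internal.properties.isDisabled -eq $true }
```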
Escalation Path
| Issue Severity | Escalate To | Response Time |
|---|---|---|
| Detection failure | Platform Admin | 4 hours |
| Ownership dispute | AI Governance Lead | 24 hours |
| Data loss risk | Compliance + Legal | Immediate |
| Bulk orphan discovery | Director | 4 hours |
Next Steps
- Portal Walkthrough - Manual configuration
- PowerShell Setup - Automation scripts
- Verification & Testing - Test procedures
Updated: January 2026 | Version: v1.2