The details from the event message body are stored in the event XML. You can convert the event to XML and then extract each of the XML fields. The thing to keep in mind is that you should only query multiple event IDs when they share a common schema, otherwise the event properties may not be consistent in the output. There is a good write-up explaining the process and event schema issue here.
There is a cmdlet on GitHub called Get-WinEventData that does all the heavy lifting for you. The output contains properties for all the main event fields like machine name, provider name, and message. It also contains properties for all of the XML event data. To use this, simply pipe your Get-WinEvent command into Get-WinEventData, select the properties you want, then export to CSV. Of course you will need to import the Get-WinEventData function beforehand.
Example usage:
Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624,4672;StartTime=(Get-Date).AddDays(-1)} | Get-WinEventData | Select-Object TimeCreated,Id,EventDataSubjectUserSid,EventDataSubjectUserName,EventDataSubjectDomainName,EventDataSubjectLogonId | Export-CSV "Output.csv" -NoTypeInformation
Best Answer
You can remove a user from a device using the Azure User Details Devices Page or using the command line tool Remove-AzureADDeviceRegisteredUser.
Additional information: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Devices/userId/(User GUID)
https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureaddeviceregistereduser?view=azureadps-2.0