We need to add an 'unenroll' option (perhaps to aad-tool?), otherwise Himmelblau just fails to authenticate when the device object is deleted from the directory.
Right now the only work around is to delete everything in /var/cache/himmelblaud/ (and maybe /var/lib/himmelblaud/hsm-pin also?).