Here's a quick summary of the current setup I am using. I've been using AD groups to deploy applications from SCCM with query-based collection membership for devices. In short, this means that in AD a computer is added to a group, and whenever SCCM runs AD Group discovery and sees a change, the collection that queries that group updates its membership and the application is deployed to the target computer. This was done in order to preserve the historical AD structure and method of deploying applications (previously done with GPOs). This works flawlessly and is relatively quick.
Since we do not have a way to remove applications as of now, I am trying to trigger an uninstall deployment whenever a computer is removed from an AD group. I cannot push an uninstall deployment method on a collection that would include all systems except those that are members of the deployment group since this would break systems with the target application installed before SCCM implementation.
There is, however, something that I have tested with a single application, which consists of deploying a configuration baseline to all systems that detects if that particular application is installed. I then create a collection that excludes the "Install target software" collection and queries for compliant computers. I then deploy an uninstall application to the resulting collection, thereby uninstalling the application from the member systems. It seems to work properly for now. I am using configuration baselines because of their ability to run PowerShell scripts as part of the compliance process.
My question is: is it against best practice to have a lot of configuration baselines? I have around 40+ applications that are deployed through SCCM, and it would require the same number of configuration baselines to ensure applications are uninstalled in sync with AD group membership.
Thanks.
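As an added illustration of the detection half of the baseline described above (example code, not the poster's own script), here is a discovery script of the kind a configuration item can run. It checks both the 64-bit and 32-bit Uninstall registry hives for a display name matching `$AppName` (a placeholder pattern) and returns a string that the configuration item's compliance rule is assumed to compare against "Installed".

```powershell
# Added example: ConfigMgr configuration-item discovery script (not the poster's code).
# Assumption: the compliance rule for this CI is "value returned equals 'Installed'",
# so devices where the product is present evaluate as compliant and land in the
# "compliant, not in install collection" collection that receives the uninstall deployment.
$AppName = 'Contoso Widget*'   # placeholder DisplayName pattern; replace per application

function Test-AppInstalled {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)

    # Both hives must be checked: 32-bit installers on 64-bit Windows register under WOW6432Node.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $match = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object -First 1

    return [bool]$match
}

# The CI reads the script's output; emit exactly one value for the compliance rule to evaluate.
if (Test-AppInstalled -DisplayNamePattern $AppName) {
    Write-Output 'Installed'
} else {
    Write-Output 'NotInstalled'
}
```

Because the script runs under the SCCM client's local SYSTEM context, per-user (HKCU) installs will not be seen by it; such applications need a different detection method.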