Monday, March 27, 2023

Find Azure AD Inactive Users using Powershell and Graph

Finding inactive users by last logon date in Azure Active Directory has never been easier. The lastSignInDateTime property (part of a user's signInActivity) was introduced in Microsoft Graph so that admins can retrieve it and carry out cleanup periodically.

There are numerous ways to retrieve this property; this post simplifies the whole process into a few lines of code so that beginners can pull it from Azure AD without complication. Please note that this requires the tenant to have an Azure AD P1 or P2 license; without the required license the request for this property fails with the error below.

"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license"

First we need an Azure AD App Registration with a few permissions, namely AuditLog.Read.All and Directory.Read.All.
Let's create an App Registration.

I have named it UserSigninLogs

App is Created

Client Secret is Created.

Add the required permissions, AuditLog.Read.All and Directory.Read.All and Grant Admin Consent.

Now we have the Application ID, Directory ID and Client Secret that the script needs to retrieve data via Microsoft Graph.

After replacing the above values in the script you can export the inactive users to a CSV file. You can change the number of days and the CSV file name as required, or run it without parameters to use the default values.

.\AzureAD_Inactive_Users.ps1 -LastLogonDays 90 -CSVFileName 90daysinactive.csv

.\AzureAD_Inactive_Users.ps1 -LastLogonDays 60
.\AzureAD_Inactive_Users.ps1 
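The whole procedure above (client-credentials token from the app registration, Graph query for signInActivity, date filter, CSV export), as an added PowerShell example written for this page; it is not the script from the GitHub link. It goes a little beyond the article by paging through all users and by treating accounts that have never signed in as inactive once they are older than the threshold. The tenant ID, client ID and secret are placeholders, and the parameter names are assumed for this example.

```powershell
param(
    [int]$LastLogonDays = 90,
    [string]$CSVFileName = "inactive_users.csv",
    [string]$TenantId = "<directory-id>",        # placeholder: Directory (tenant) ID of the app registration
    [string]$ClientId = "<application-id>",      # placeholder: Application (client) ID
    [string]$ClientSecret = "<client-secret>"    # placeholder: read this from a secure store in real use
)
# Client-credentials token; the app's consented permissions (AuditLog.Read.All, Directory.Read.All) come via .default
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    client_id = $ClientId; client_secret = $ClientSecret
    scope = "https://graph.microsoft.com/.default"; grant_type = "client_credentials"
}
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }   # double quotes so the token actually expands
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$LastLogonDays)
$uri = 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,accountEnabled,createdDateTime,signInActivity&$top=999'   # single quotes keep $select/$top literal
$inactive = @()
try {
    while ($uri) {   # follow @odata.nextLink until every page of users has been read
        $page = Invoke-RestMethod -Headers $headers -Uri $uri -Method Get
        foreach ($u in $page.value) {
            $created = ([datetime]$u.createdDateTime).ToUniversalTime()
            $last    = $u.signInActivity.lastSignInDateTime   # null when the user has never signed in
            if ($last) {
                $lastUtc = ([datetime]$last).ToUniversalTime()
                $stale   = $lastUtc -lt $cutoff
                $reason  = "No sign-in since $($lastUtc.ToString('u'))"
            } else {
                $lastUtc = $null
                $stale   = $created -lt $cutoff   # never signed in: judge by account age so new accounts are not flagged
                $reason  = "Never signed in (created $($created.ToString('u')))"
            }
            if ($stale) {
                $inactive += [pscustomobject]@{
                    DisplayName = $u.displayName; UserPrincipalName = $u.userPrincipalName
                    AccountEnabled = $u.accountEnabled; LastSignIn = $lastUtc; Reason = $reason
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    }
} catch {
    # the error quoted in the article: the tenant lacks the P1/P2 license that signInActivity requires
    if ("$($_.ErrorDetails.Message)" -match 'Authentication_RequestFromNonPremiumTenantOrB2CTenant') {
        throw "signInActivity requires an Azure AD P1 or P2 license on the tenant."
    }
    throw
}
$inactive | Sort-Object LastSignIn | Export-Csv -Path $CSVFileName -NoTypeInformation
```

The Reason and AccountEnabled columns let a reviewer separate never-used accounts from lapsed ones and skip accounts that are already disabled before acting on the list.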

CSV Format

Download from GitHub –

AzureAD_Inactive_Users/AzureAD_Inactive_Users.ps1 at main · azure365pro/AzureAD_Inactive_Users (github.com)

Satheshwaran Manoharan (https://www.azure365pro.com)
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing, from shipping lines to rolling stock. In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and the Microsoft 365 stack, and has conducted numerous successful projects worldwide. Also acting as a Technical Advisor for various start-ups.

11 COMMENTS

  1. Does this script account for users who have never logged in? Example: a user was created 2 years ago and has never logged in. Will this script mark the account as inactive?

  2. Thank you for helping us out. I do get an error. Do you have any ideas?

    At C:\Users\DannyVe\AzureAD_Inactive_Users.ps1:57 char:1
    + | Export-Csv $CSVFileName
    + ~
    An empty pipe element is not allowed.
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : EmptyPipeElement

    • Dear Danny,

      just press backspace in front of that | Export-Csv
      This line is supposed to join with its previous line to give output. Cheers mate

  3. Hi, I'm new to this, but on the line
    $ExpiredUsers = (Invoke-RestMethod -Headers @{Authorization = 'Bearer $($token)'} -Uri $LoginUrl -Method Get).value
    I get a 401 unauthorized error.
    The app registration has the correct details and token. If I query $token I can see the token.
    Any ideas how to fix this please?
    Thank you

  4. Thanks for this, really useful. How can I automate the CSV to be sent to an email every week?
    From PowerShell, can I script it to export the CSV into a storage account, and then perhaps use an ADF pipeline to send the CSV file on a weekly schedule?

    Finally, how can I add a column to the CSV for the user domain? e.g. if the user is blue@gmail.com then a DOMAIN column with gmail.com | hotmail.com etc.

    Many thanks!
