Find Azure users who have not signed in within 90 day's / Inactive users.

Question

Find Azure users who have not signed in within 90 day's / Inactive users.

Synthetic-Sentience 26

Looking to list all inactive users using powershell.

Ive tried many methods such as Get-Aduser etc. but I always find recent users within the list.

Looking to query Azure AD so I can also get cloud accounts

Ive arrived at below.

$users = Get-AzureADUser -All:$true | Where-Object { $_.AccountEnabled -eq $true }

 

$inactiveUsers = $users | Where-Object {

    $_.SignInActivity.DateTime -lt (Get-Date).AddDays(-90)

} | Select-Object DisplayName, UserPrincipalName, UserType, CreationType

$inactiveUsers

However i find far too many results in the list and when I query some of these users I seen they have signed in within the last week showing that the script is not working as intended.

I'm wondering if what I'm looking to do is possible.

Find all users who have not signed in within the last 90 days?

Thanks

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2023-05-08T19:49:02.4066667+00:00

Hi @Synthetic-Sentience , did you need any more help with this question? If not could you please mark the appropriate answer as "Verified" so other users can reference it?

Thank you,

James
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2023-06-02T21:07:10.12+00:00

Hi @Synthetic-Sentience , did you need any more help with this question? If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?

Thank you,

James
Maju Sesay 0 Reputation points

2024-02-18T18:14:11.1733333+00:00

Hi, Can some please post the graphical representation of this script into the filter array. I get lost in this section. Thanks!
Maju Sesay 0 Reputation points

2024-02-18T18:14:23.5533333+00:00

Hi, Can some please post the graphical representation of this script into the filter array. I get lost in this section. Thanks!

1 answer

Your answer

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2023-05-08T19:49:02.4066667+00:00

Hi @Synthetic-Sentience , did you need any more help with this question? If not could you please mark the appropriate answer as "Verified" so other users can reference it?

Thank you,

James
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2023-06-02T21:07:10.12+00:00

Hi @Synthetic-Sentience , did you need any more help with this question? If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?

Thank you,

James
Maju Sesay 0 Reputation points

2024-02-18T18:14:11.1733333+00:00

Hi, Can some please post the graphical representation of this script into the filter array. I get lost in this section. Thanks!
Maju Sesay 0 Reputation points

2024-02-18T18:14:23.5533333+00:00

Hi, Can some please post the graphical representation of this script into the filter array. I get lost in this section. Thanks!

Answer 1

James Hamil 27,221 Microsoft Employee Moderator

Hi @Synthetic-Sentience , to find Azure users who have not signed in within the last 90 days, you can use the Microsoft Graph API to query the lastSignInDateTime property. The PowerShell script you provided uses the AzureAD module, which doesn't expose the lastSignInDateTime property. Instead, you should use the Microsoft Graph API to get the desired information.

Here's a PowerShell script that uses the Microsoft Graph API to find inactive users:


Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph

$inactiveDate = (Get-Date).AddDays(-90)

$users = Get-MgUser -All:$true -Property Id, DisplayName, UserPrincipalName, UserType, SignInActivity | Where-Object { $_.AccountEnabled -eq $true }

$inactiveUsers = $users | Where-Object {
    $_.SignInActivity.LastSignInDateTime -lt $inactiveDate
} | Select-Object DisplayName, UserPrincipalName, UserType

$inactiveUsers

This script installs the Microsoft.Graph module, connects to the Microsoft Graph API, and retrieves all users with their SignInActivity. It then filters the users based on their lastSignInDateTime property and the specified inactive date (90 days ago).

Please note that you need to have the necessary permissions to access the lastSignInDateTime property. You need to grant the following rights: AuditLog.Read.All and Directory.Read.All.

Keep in mind that the lastSignInDateTime property might be blank if the last successful sign-in of a user took place before April 2020 or the affected user account was never used for a successful sign-in. More information here.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark it as "Verified" so other users can reference it.

Thank you,

James

Admin Richard 0 Reputation points

2023-06-13T08:32:15.6866667+00:00

Hi James,

I have the permissions set and have granted consent in the PowerShell Graph API enterprise application but still do not get any results for lastsignindatetime.

Oddly the "| Where-Object { $_.AccountEnabled -eq $true }" also fails and shows 0 results.

have tried using
Connect-MgGraph -Scopes AuditLog.Read.All, Organization.Read.All, user.read.all, Directory.Read.All Still fails any ideas?

Eric Pritchett 0

The line

$users = Get-MgUser -All:$true -Property Id, DisplayName, UserPrincipalName, UserType, SignInActivity | Where-Object { $_.AccountEnabled -eq $true }

should include AccountEnabled in the Property parameter to fix the issue you're having of it returning no results. In other words, it should read like this:

$users = Get-MgUser -All:$true -Property Id, DisplayName, UserPrincipalName, UserType, AccountEnabled, SignInActivity | Where-Object { $_.AccountEnabled -eq $true }

Akbar Nayebkhil 0 Reputation points

2024-01-24T17:43:00.6566667+00:00

Hi, anyone can assist so the script gets only the users with specific start-name like "all users where the name start with CSP"
Sander Matthijsse 25 Reputation points

2024-05-22T07:51:10.3+00:00

How do i do this? Is this enough?
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","AuditLog.Read.All","Directory.Read.All"

Sander Matthijsse 25

I running this code but even then, I get Total Users Retrieved 0.

# Ensure the required module is installed and connect to Microsoft Graph
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Connect-MgGraph

# Define the date for inactivity (130 days ago from today)
$inactiveDate = (Get-Date).AddDays(-130)

# Retrieve all users with specified properties
$users = Get-MgUser -All:$true -Property Id, DisplayName, UserPrincipalName, UserType, SignInActivity | Where-Object { $_.AccountEnabled -eq $true }

# Debug: Output the count of retrieved users
Write-Output "Total users retrieved: $($users.Count)"

# Filter users who have been inactive since the specified date
$inactiveUsers = $users | Where-Object {
    $_.SignInActivity.LastSignInDateTime -and $_.SignInActivity.LastSignInDateTime -lt $inactiveDate
} | Select-Object DisplayName, UserPrincipalName, UserType

# Debug: Output the count of inactive users
Write-Output "Inactive users count: $($inactiveUsers.Count)"

# Define the path for the CSV file
$csvPath = "C:\temp\InactiveUsers.csv"

# Export the results to the CSV file
$inactiveUsers | Export-Csv -Path $csvPath -NoTypeInformation

# Optional: Output the path to the CSV file for confirmation
Write-Output "Inactive users have been exported to $csvPath"

Share via

Find Azure users who have not signed in within 90 day's / Inactive users.

1 answer

Your answer