Orphaned site users

Question

I am attempting to scan all sites to identify orphaned users using the CSOM API by loading the AadObjectId property for each site user. However, the response time is extremely slow, and it often times out even when processing around 10,000 users. Additionally, I have observed many users with unknown titles, such as SLinkClaim, and with empty UPNs and object IDs.

I am looking for the most efficient method to retrieve all orphaned users across all site collections.

Answer 1

Hi Dinesh,

Thank you for posting your question in the Microsoft Q&A forum. 

Regarding the behavior you described: “the response time is extremely slow, and it often times out even when processing around 10,000 users when loading the AadObjectId property”. I have explained the underlying reasons in this thread: https://learn.microsoft.com/en-us/answers/questions/5639237/retrieving-aadobjectid-for-site-users-via-csom-cau?page=1&orderby=Helpful&translated=false#answers. Please review that discussion and consider some of the suggested approaches there to efficiently retrieve orphaned users across all site collections.

Additionally, I’d like to share insights on what you observed: “many users with unknown titles, such as SLinkClaim, and with empty UPNs and object IDs.” Although there is no single official article that explains this in detail, based on available references and practical experience, this behavior is likely related to SharePoint Online’s claims-based identity model. Certain entries like Login Name in the User Information List represent claim principals (for example, linked to Microsoft 365 Groups or directory claims) rather than standard user accounts. These entries often appear with titles like SLinkClaim, and they do not have UPNs or AadObjectIds because they are not mapped to individual Azure AD users.

References:

• Claims-based identity and concepts in SharePoint
• Understanding SPO claims
• Claims-based identity in SharePoint

Hope the insights above are helpful. If you have any further questions, please feel free to share.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

To efficiently identify orphaned users across all site collections in SharePoint, consider the following strategies:

1. Batch Processing: Instead of processing all users at once, break down the user list into smaller batches. This can help manage the load and reduce the chances of timeouts.
2. Optimize Queries: Ensure that your queries are optimized for performance. Review the properties you are loading and only request those necessary for your orphaned user detection logic. Avoid loading unnecessary data that could slow down the response time.
3. Use Asynchronous Calls: If possible, use asynchronous methods to retrieve user data. This allows your application to continue processing while waiting for responses, which can improve overall performance.
4. Logging and Monitoring: Implement logging to capture errors and performance metrics. This will help you identify specific bottlenecks in your process.
5. Review User Properties: For users with unknown titles (like SLinkClaim) and empty UPNs, ensure that you are correctly handling these cases in your logic. You may need to filter out such users or handle them differently based on your requirements.
6. Utilize SharePoint APIs: Leverage SharePoint's built-in APIs and tools designed for user management and orphaned user detection, which may provide more efficient methods than custom implementations.

By applying these strategies, you should be able to improve the efficiency of your orphaned user detection process across site collections.

---

References:

• Troubleshoot orphaned users (SQL Server)
• Bulk update custom user profile properties for SharePoint Online