How to find and remove inactive users after a while automatically in Azure Portal

Aldair de Brito Vicente 21 Reputation points
2022-09-21T20:46:39.773+00:00

Hi folks!
I would like to ask for help. In my company we use Azure Cloud Services (DevOps, Portal, etc.). For internal reasons, we need to remove users (sending them to the trash is enough) after 45 days of inactivity, in other words, users that have not logged in to Azure DevOps in the past 45 days. I searched a lot online and tried some things through the Portal (using Logic Apps, for example) but was unsuccessful. So, this is the logic that we have:

Once a week, an automatic routine scans the user list in the Azure Portal and, if their last login to Azure DevOps was 45 days ago, sends them to the trash.

That's it. But we couldn't find any way to do this.
Best regards,
Aldair

Tags: Microsoft Security, Microsoft Entra, Microsoft Entra ID

Accepted answer
  1. Luke Murray 11,436 Reputation points MVP Volunteer Moderator
    2022-09-22T20:45:40.853+00:00

    You could use an Azure Automation account or Azure function (or Azure Logic App) to do what you want.

    Look at those solutions to run on a schedule, for example an Azure Automation PowerShell runbook with a weekly schedule that checks Azure AD and then the Azure DevOps API, then emails a report - or deletes it.

    https://learn.microsoft.com/en-us/azure/automation/overview
    https://learn.microsoft.com/en-us/rest/api/azure/devops/account/?view=azure-devops-rest-7.1
    https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0

    If your users are accessing Azure DevOps through Azure AD group membership - take a look at Access Review, before you look at creating a custom solution: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review

    1 person found this answer helpful.
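The runbook the accepted answer outlines, as an added example that is not code from the thread or from Microsoft: it lists every user entitlement in an Azure DevOps organization through the User Entitlements REST API (vsaex.dev.azure.com), flags those whose last access is older than the 45-day threshold from the question, prints a report, and removes the entitlements only when `-Remove` is passed. The organization name, the PAT (assumed to carry the "Member Entitlement Management" read/write scope) and the parameter names are assumptions; in an Automation account they would come from Automation variables or Key Vault rather than being typed in.

```powershell
# Added example, not from the original thread. Report (and optionally remove) Azure DevOps
# users whose last access is older than a threshold, using the User Entitlements API.
param(
    [Parameter(Mandatory)] [string] $Organization,  # placeholder: your dev.azure.com org name
    [Parameter(Mandatory)] [string] $Pat,           # PAT with Member Entitlement Management scope
    [int] $InactiveDays = 45,                       # threshold from the question
    [switch] $Remove                                # default is report-only; pass -Remove to delete
)

$apiVersion = "7.1-preview.3"
$headers = @{
    Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
}
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

function ConvertTo-UtcDate($value) {
    # Invoke-RestMethod may already have turned the ISO-8601 string into [datetime]
    if ($value -is [datetime]) { return $value.ToUniversalTime() }
    return [datetime]::Parse($value, [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
}

# Page through all entitlements; the API hands back a continuationToken until the list is exhausted
$members = @()
$token = $null
do {
    $uri = "https://vsaex.dev.azure.com/$Organization/_apis/userentitlements?api-version=$apiVersion"
    if ($token) { $uri += "&continuationToken=$([Uri]::EscapeDataString($token))" }
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $members += $page.members
    $token = $page.continuationToken
} while ($token)

$inactive = foreach ($m in $members) {
    $last = ConvertTo-UtcDate $m.lastAccessedDate
    # A user who has never signed in reports a zero date (0001-01-01); measure from the
    # entitlement's creation date instead so a fresh invite is not removed on day one.
    if ($last -lt [datetime]'1900-01-01') { $last = ConvertTo-UtcDate $m.dateCreated }
    if ($last -lt $cutoff) {
        [pscustomobject]@{
            Id           = $m.id
            User         = $m.user.principalName
            AccessLevel  = $m.accessLevel.licenseDisplayName
            LastAccessed = $last
        }
    }
}

# Report first; this is what a weekly schedule would e-mail out
Write-Output ("{0} of {1} users inactive for more than {2} days (cutoff {3:u})" -f `
    @($inactive).Count, $members.Count, $InactiveDays, $cutoff)
$inactive | Sort-Object LastAccessed | Format-Table -AutoSize

if ($Remove) {
    foreach ($u in $inactive) {
        $del = "https://vsaex.dev.azure.com/$Organization/_apis/userentitlements/$($u.Id)?api-version=$apiVersion"
        Invoke-RestMethod -Uri $del -Headers $headers -Method Delete | Out-Null
        Write-Output "Removed Azure DevOps entitlement for $($u.User) (last access $($u.LastAccessed.ToString('u')))"
    }
}
```

Deleting an entitlement removes the user's Azure DevOps access and license only; the Azure AD account itself (what the question calls "send to trash", i.e. the Entra soft-delete) is a separate step, which is why the script stays report-only unless `-Remove` is given and logs every removal so the weekly run leaves an audit trail.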

1 additional answer

  1. Takahito Iwasa 4,851 Reputation points MVP Volunteer Moderator
    2022-09-21T21:38:00.2+00:00

    Hi, @AldairdeBritoVicente-2217

    > but was unsuccessful

    How did the logic you created fail?
    It's better to have specific discussions that focus on your logic problems.

    Or you can look for another approach.

    For example, if your retirement date is federated in Azure AD P2, you can use lifecycle workflows to automate the offboarding process.

    https://learn.microsoft.com/en-us/azure/active-directory/governance/create-lifecycle-workflow
