How is user inactivity calculated in Azure Identity Governance Access Reviews?

Rick Angel 91 Reputation points
2023-04-17T16:29:11.6233333+00:00

I want to use Identity Governance Access Reviews to report inactive guest users who haven't signed in within the last 60 days. Block sign-in then delete the account after 30 more days.
A couple of things were a bit confusing: I can set Days Inactive to 60 via "New access review > Review type", but from the Settings sub-option "Enable Reviewer Decision Helpers" heading, there is no option for any timeframe other than within 30 days. So when the reviewer receives the access report it includes guests who last signed in 40 days ago, for example, which is not what we intended. Is there a way to set the report so that inactive guests between 30 and 60 days are not included?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,890 questions
{count} votes

1 answer

Sort by: Most helpful
  1. James Hamil 22,431 Reputation points Microsoft Employee
    2023-04-27T23:08:51.8+00:00

    Hi @Rick Angel , There are two attributes available on user objects - lastSignInDateTime and lastNonInteractiveSignInDateTime. When you configure an Access Review you can scope that review to only guests who have a sign-in (based on either one of the above attributes) longer than the specified timeframe.

    MicrosoftTeams-image (23)

    If either attribute is within the number of configured days (ie they have an interactive or noninteractive sign-in within X days) they will be excluded from the review.

    So for example, you can use this to clean up guest accounts that haven't signed in in the last 180 days. Clean up stale guest accounts - Microsoft Entra | Microsoft Learn

    I hope this helps! Please let me know if you have any questions.

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,

    James