How is user inactivity calculated in Azure Identity Governance Access Reviews?

Rick Angel 91

I want to use Identity Governance Access Reviews to report inactive guest users who haven't signed in within the last 60 days. Block sign-in then delete the account after 30 more days.
A couple of things were a bit confusing: I can set Days Inactive to 60 via "New access review > Review type", but from the Settings sub-option "Enable Reviewer Decision Helpers" heading, there is no option for any timeframe other than within 30 days. So when the reviewer receives the access report it includes guests who last signed in 40 days ago, for example, which is not what we intended. Is there a way to set the report so that inactive guests between 30 and 60 days are not included?

James Hamil 23,216 Reputation points Microsoft Employee

2023-04-17T23:39:20.6233333+00:00

Hi @Rick Angel , You can create an access review for the dynamic group of guest users you want to review. To report inactive guest users who haven't signed in within the last 60 days, you can select the Inactive users (on tenant level) only option and enter 60 in the Days inactive field. However, as you mentioned, the Enable Reviewer Decision Helpers section only allows you to select No sign-in within 30 days.Therefore, you cannot set the report so that inactive guests between 30 and 60 days are not included. Please let me know if you have any questions and I can help you further. If this answer helped you please mark it as "Verified" so other users can reference it. Thank you, James
Rick Angel 91 Reputation points

2023-04-18T14:38:37.4133333+00:00

James, thanks for your reply. You confirmed what I stated, but I'm still a bit confused. If the only option for the Reviewer Decision Helper is "No sign-in within 30 days" and the report includes guests who have not signed in between 30 and 60 days and beyond, then why is there an option in the Review Type to input any value other than 30 days inactive? The report lists the same set of guest users when I key in 30, 60, or 180 day inactive. It seems like the option to change the number of inactive days has no meaning. Am I thinking about this the wrong way?
James Hamil 23,216 Reputation points Microsoft Employee

2023-04-27T00:43:16.9566667+00:00

Hi @Rick Angel , sorry for the delay in response. I'm doing some research on this and will let you know when I have an answer.

Best,

James
Rick Angel 91 Reputation points

2023-04-27T12:42:05.29+00:00

Thanks. Much appreciated.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 answer

James Hamil 23,216 Reputation points Microsoft Employee

2023-04-27T23:08:51.8+00:00

Hi @Rick Angel , There are two attributes available on user objects - lastSignInDateTime and lastNonInteractiveSignInDateTime. When you configure an Access Review you can scope that review to only guests who have a sign-in (based on either one of the above attributes) longer than the specified timeframe.

If either attribute is within the number of configured days (ie they have an interactive or noninteractive sign-in within X days) they will be excluded from the review.

So for example, you can use this to clean up guest accounts that haven't signed in in the last 180 days. Clean up stale guest accounts - Microsoft Entra | Microsoft Learn

I hope this helps! Please let me know if you have any questions.

If this answer helped you please mark it as "Verified" so other users can reference it.

Thank you,

James
Please sign in to rate this answer.
Rick Angel 91 Reputation points

2023-04-28T21:27:21.5866667+00:00

Jim, I follow what you are saying. I'm just saying that in reality it does not behave that way. I configured several access reviews at different time intervals for inactive accounts like 60, 90, 180 days. When you check the Decision Helper box "No sign-in within 30 days" that seems to override whatever you selected for the inactivity period because everyone from 30 days inactive shows up in the review, and they are disabled at the end of the review. So a large number of guest users are getting disabled before they should. And you can't not select the Decision Helper.

James Hamil 23,216 Reputation points Microsoft Employee

2023-04-29T02:36:41.23+00:00

Hi @Rick Angel , thanks for the follow up. I'll keep looking for a resolution to this. We might need to file a bug report. I'll keep you posted and reply by Monday.

Best,

James

James Hamil 23,216 Reputation points Microsoft Employee

2023-05-01T23:31:44.2266667+00:00

Hi @Rick Angel , We've been running some tests and are in the process of reproducing this issue to see what the cause is, and if it's a bug. Thanks for bringing this to our attention, as this is not the intended behavior. I'll let you know when I have an update.

Best,

James

Rick Angel 91 Reputation points

2023-05-02T00:07:38.7033333+00:00

Thanks for the update. FYI. My tenant is GCC High in case that makes any difference.

James Hamil 23,216 Reputation points Microsoft Employee

2023-05-02T18:16:48.3833333+00:00

@Rick Angel would you mind sending me an email at "azcommunity@microsoft.com" with subject "ATTN: James Hamil" and link this thread? I would like to get on a call with you if possible.

Thanks,

James
Sign in to comment

Share via

How is user inactivity calculated in Azure Identity Governance Access Reviews?

1 answer