Automated process to disable inactive accounts?

James M. Arthurs 41 Reputation points
2023-06-01T21:12:22.67+00:00

My company has service accounts that are only in Azure. A manager is reporting that the accounts are being disabled after 2 - 3 weeks of the account not logging into Azure. They have their team logging into a list of accounts every week, to keep them "active".

I'm not able to find any default Microsoft feature that supports this feature. I'm wondering if we have some kind of process running in our environment (using PowerAutomate) that is doing this to ourselves.

Does anyone know of a feature built into Microsoft Azure that would do this?

Azure
Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2023-06-02T00:41:54.8033333+00:00

    Hi @James M. Arthurs ,

    I understand that you are looking for a way to avoid having the accounts get disabled and wondering if there might be an automated process in Azure that could be causing this behavior.

    There isn't an automated process in Azure that would cause the accounts to be disabled, but if users are getting disabled unintentionally, it's possible that someone in your org is running a script to disable the users. Alternatively, there might be a conditional access policy that is blocking the users based on some criteria.

    Someone who is using a script to disable the inactive accounts could evaluate the lastSignInDateTime property exposed by the signInActivity resource type of the Microsoft Graph API. Then they could query a list of users whose lastSignInDateTime is before a specified date and disable those users. This might explain why users are being blocked if they haven't signed in within a three-week timeframe.

    https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

    It is also possible that the service accounts are being disabled due to Conditional Access policies. The accounts could get blocked if you have conditional access policies in place that require MFA, block access from certain locations or devices, or determine that the users do not meet certain risk assessments. You can check the sign-in logs and policy settings to determine if users are getting blocked due to Conditional Access settings.

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/how-to-view-applied-conditional-access-policies

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

    1 person found this answer helpful.
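The following is an added example, not code from the thread or from Microsoft. It shows, from the auditing side, which accounts the kind of script described in the answer would pick up: it builds the same `signInActivity/lastSignInDateTime` filter and evaluates a page of user records in the shape Graph returns for `GET /users?$select=userPrincipalName,accountEnabled,signInActivity`. The user records are constructed sample data (the `contoso.example` names are placeholders), and the example assumes a single page of results with no paging. It also covers the two cases a lastSignInDateTime-only script gets wrong: service accounts that only authenticate non-interactively (Graph reports those separately as `lastNonInteractiveSignInDateTime`) and accounts that have never signed in, which the `le` filter never returns at all.

```python
"""Audit which Entra ID accounts an "inactive user" cleanup would disable.

Added example, not from the Q&A thread. Mimics the response shape of
GET https://graph.microsoft.com/beta/users?$select=userPrincipalName,accountEnabled,signInActivity
The signInActivity properties used here (lastSignInDateTime and
lastNonInteractiveSignInDateTime) are real Graph properties; the user
records below are constructed sample data, not real accounts.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample page of users (assumption: one page, no @odata.nextLink).
SAMPLE_USERS = [
    {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-05-01T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-05-30T23:10:00Z"}},
    {"userPrincipalName": "svc-report@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-04-20T12:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-04-21T12:00:00Z"}},
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-05-31T09:30:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    # Never signed in: Graph returns no signInActivity object for this user.
    {"userPrincipalName": "svc-never@contoso.example", "accountEnabled": True},
]


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 with a trailing Z; return an aware datetime or None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_graph_filter(cutoff):
    """Build the $filter value the answer quotes, for a given cutoff datetime (UTC)."""
    return "signInActivity/lastSignInDateTime le " + cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")


def last_activity(user, include_noninteractive):
    """Most recent sign-in for a user; None if Graph has no sign-in data at all."""
    activity = user.get("signInActivity") or {}
    candidates = [parse_graph_time(activity.get("lastSignInDateTime"))]
    if include_noninteractive:
        candidates.append(parse_graph_time(activity.get("lastNonInteractiveSignInDateTime")))
    seen = [t for t in candidates if t is not None]
    return max(seen) if seen else None


def find_inactive(users, now, max_days, include_noninteractive):
    """Enabled accounts whose last activity is older than now - max_days, sorted by UPN.

    With include_noninteractive=False this reproduces what a lastSignInDateTime-only
    script would disable; with True it credits non-interactive (service) sign-ins too.
    """
    cutoff = now - timedelta(days=max_days)
    hits = []
    for user in users:
        if not user.get("accountEnabled", False):
            continue
        last = last_activity(user, include_noninteractive)
        if last is not None and last < cutoff:
            hits.append(user["userPrincipalName"])
    return sorted(hits)


def never_signed_in(users):
    """Accounts with no sign-in data; the Graph 'le' filter silently omits these."""
    return sorted(u["userPrincipalName"] for u in users
                  if last_activity(u, include_noninteractive=True) is None)


if __name__ == "__main__":
    now = datetime(2023, 6, 1, 21, 12, 22, tzinfo=timezone.utc)  # the question's timestamp
    print("Graph filter:", build_graph_filter(now - timedelta(days=21)))
    print("Interactive-only rule would disable:", find_inactive(SAMPLE_USERS, now, 21, False))
    print("Counting non-interactive sign-ins:   ", find_inactive(SAMPLE_USERS, now, 21, True))
    print("Never signed in (missed by filter):  ", never_signed_in(SAMPLE_USERS))
```

Run as a script, it shows the gap between the two rules: `svc-backup` last signed in interactively in early May but authenticated non-interactively on 30 May, so a script keyed only on `lastSignInDateTime` would disable a service account that is in daily use. Comparing the output of the first rule against your audit log's "Disable account" events is a quick way to confirm whether a home-grown cleanup is what is hitting the manager's accounts.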