How to set the Entra ID User or Guest account expiry date to prevent login / disabled?

EnterpriseArchitect 5,646 Reputation points
2025-01-30T06:21:57.39+00:00

Using PowerShell Graph SDK or any other means, how can I set the Expiration date of my Entra ID User, or Guest 7 days from now or today?

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/update-mguser?view=graph-powershell-1.0#-employeeleavedatetime

Any help would be greatly appreciated.

Thanks,


Accepted answer
  1. Kavya 490 Reputation points
    2025-01-30T08:26:55.1533333+00:00

    You can set EmployeeLeaveDateTime during guest creation by adding 7 days to the creation date. For example,
    $EmployeeLeaveDateTime=((Get-Date).AddDays(7)).Date

    Schedule the script below to run daily in Task Scheduler (you can use certificate-based authentication to run the script unattended).

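    # Request the properties explicitly; Get-MgUser does not return them by default
    Get-MgUser -All -Property Id,AccountEnabled,EmployeeLeaveDateTime | foreach {
     $UserId=$_.Id
     $AccountStatus=$_.AccountEnabled
     $EmployeeLeaveDateTime=$_.EmployeeLeaveDateTime
     # Skip users with no leave date: a $null value would otherwise compare as earlier than now
     If(($null -ne $EmployeeLeaveDateTime) -and ($EmployeeLeaveDateTime -lt (Get-Date)) -and ($AccountStatus -eq $True))
     {
      Update-MgUser -UserId $UserId -AccountEnabled:$false
     }
    }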
    

    This will disable users who are in an enabled state and whose EmployeeLeaveDateTime exceeds the current date.

    1 person found this answer helpful.
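
A hardened form of the daily sweep described in the answer above, as an added example that is not part of the original post: it skips accounts with no leave date, compares in UTC, supports -WhatIf, and revokes sign-in sessions after disabling. The names Test-AccountExpired, Disable-ExpiredAccount and -GuestsOnly are hypothetical, and an existing Connect-MgGraph session with rights to read employeeLeaveDateTime and update users is assumed.

```powershell
# Added example. Assumes an existing Connect-MgGraph session whose identity may
# read employeeLeaveDateTime, update users and revoke sign-in sessions.

function Test-AccountExpired {
    # Pure decision logic, separated so it can be exercised without a tenant.
    param(
        [Nullable[datetime]] $LeaveDate,
        [Nullable[bool]]     $Enabled,
        [datetime]           $NowUtc = [datetime]::UtcNow
    )
    if ($null -eq $LeaveDate) { return $false }  # no expiry recorded: never disable
    if ($Enabled -ne $true)   { return $false }  # already disabled, or state unknown
    return ($LeaveDate.ToUniversalTime() -le $NowUtc)
}

function Disable-ExpiredAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $GuestsOnly)

    # These properties are not in Get-MgUser's default set, so select them.
    $select = 'id','userPrincipalName','userType','accountEnabled','employeeLeaveDateTime'
    foreach ($u in Get-MgUser -All -Property $select) {
        if ($GuestsOnly -and $u.UserType -ne 'Guest') { continue }
        $expired = Test-AccountExpired -LeaveDate $u.EmployeeLeaveDateTime -Enabled $u.AccountEnabled
        if (-not $expired) { continue }
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Disable and revoke sessions')) {
            Update-MgUser -UserId $u.Id -AccountEnabled:$false
            # Disabling stops new sign-ins; revoking invalidates refresh tokens
            # so sessions that are already open cannot be silently renewed.
            $null = Revoke-MgUserSignInSession -UserId $u.Id
            [pscustomobject]@{ User = $u.UserPrincipalName; LeaveDate = $u.EmployeeLeaveDateTime }
        }
    }
}

# Offline check of the decision logic with constructed values (no tenant needed).
$now = [datetime]::new(2025, 2, 6, 0, 0, 0, [DateTimeKind]::Utc)
Test-AccountExpired -LeaveDate ($now.AddDays(-1)) -Enabled $true  -NowUtc $now  # expired, enabled
Test-AccountExpired -LeaveDate ($now.AddDays(7))  -Enabled $true  -NowUtc $now  # not yet due
Test-AccountExpired -LeaveDate $null              -Enabled $true  -NowUtc $now  # no date set
Test-AccountExpired -LeaveDate ($now.AddDays(-1)) -Enabled $false -NowUtc $now  # already disabled

# Against a tenant, preview first:  Disable-ExpiredAccount -GuestsOnly -WhatIf
```

The objects the function emits give the scheduled task an audit record of which accounts were disabled on each run.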

1 additional answer

  1. Zafer KAYA 90 Reputation points MVP
    2025-01-30T06:35:56.93+00:00

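    Install the Microsoft Graph PowerShell module:

    Install-Module Microsoft.Graph -Scope CurrentUser

    Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

    $UserId = "user@example.com" # Replace with the User or Guest ID

    # 7 days from now, converted to UTC so the trailing Z is accurate
    $ExpirationDate = (Get-Date).AddDays(7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

    # Record the expiry date on the account
    Update-MgUser -UserId $UserId -EmployeeLeaveDateTime $ExpirationDate

    # Disable sign-in for the account (takes effect immediately)
    Update-MgUser -UserId $UserId -AccountEnabled:$false

    # Request the properties explicitly; Get-MgUser does not return them by default
    Get-MgUser -UserId $UserId -Property DisplayName,EmployeeLeaveDateTime,AccountEnabled | Select-Object DisplayName, EmployeeLeaveDateTime, AccountEnabled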

