Disable any account that has not logged on for over 6 months

CourtneyEdwards-321 46 Reputation points
2021-02-28T13:42:12.437+00:00

Hi All,

We have over 200's Azure AD accounts. We need to be able to disable any account that has not logged on for over 6 months. Is there any way we can do this, maybe by using a policy, PowerShell script, or Intune ?

Thanks
CE

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,188 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Michal Barták 231 Reputation points
    2021-02-28T17:34:52.193+00:00

    Hi,

    is this Azure AD only or do you have Azure AD Connect?

    In case of Azure AD only the "disabled" state is not the same as in Active Directory. You can remove the user account and then it will be basically disabled with configured retention policy before fully deleted. Another way is to disable sign-in. That way user will be available but cannot login.

    To get the information of lastlogin, you cannot use AzureAD powershell. It is accessible only using Graph API as stated in docs:

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

    From there on I do not have any script or anything. But I think it might be done either with PowerAutomate or Azure Functions.

    And in case of Azure AD Connect you can disable the accounts onpremise and prevent sync of disabled accounts which will remove them in Azure AD. There are many guides on how to check AD for lastlogon timestamps and disable them.

    0 comments No comments