Disable any account that has not logged on for over 6 months

CourtneyEdwards-321 46 Reputation points
2021-02-28T13:42:12.437+00:00

Hi All,

We have over 200 Azure AD accounts. We need to be able to disable any account that has not logged on for over 6 months. Is there any way we can do this, maybe by using a policy, a PowerShell script, or Intune?

Thanks
CE


1 answer

  1. Michal Barták 231 Reputation points
    2021-02-28T17:34:52.193+00:00

    Hi,

    Is this Azure AD only, or do you have Azure AD Connect?

    In the case of Azure AD only, the "disabled" state is not the same as in Active Directory. You can remove the user account and then it will be basically disabled with the configured retention policy before being fully deleted. Another way is to disable sign-in. That way the user will be available but cannot log in.

    To get the last login information, you cannot use the AzureAD PowerShell module. It is accessible only using the Graph API, as stated in the docs:

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

    From there on I do not have any script or anything. But I think it might be done either with Power Automate or Azure Functions.

    And in the case of Azure AD Connect, you can disable the accounts on-premises and prevent sync of disabled accounts, which will remove them in Azure AD. There are many guides on how to check AD for lastLogon timestamps and disable the accounts.

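A worked example of the Azure AD only path described in the answer (read sign-in activity through Graph, then block sign-in on stale accounts), added here as illustration and not taken from the answer or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and a caller holding the listed permissions; the 180-day threshold and the excluded UPN are placeholders, and the script should first be run with -WhatIf to review what it would disable.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# is installed. Run with -WhatIf first: it reports what would be disabled without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 180,
    # Accounts automation must never disable (break-glass, service accounts); placeholder UPN
    [string[]]$ExcludeUpn = @('breakglass@example.com')
)

# signInActivity requires AuditLog.Read.All in addition to the user permission
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# Pull the properties needed and filter client-side; signInActivity has server-side
# filter restrictions, so keep the Graph query simple.
$users = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,userType,createdDateTime,onPremisesSyncEnabled,signInActivity'

foreach ($u in $users) {
    if ($u.AccountEnabled -ne $true -or $u.UserType -ne 'Member') { continue }
    if ($u.OnPremisesSyncEnabled -eq $true) { continue }   # synced users: disable in on-premises AD instead
    if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }

    # LastSignInDateTime is null for accounts that have never signed in (or not since the
    # sign-in activity feed began); fall back to the creation date so new accounts are not hit.
    $last = $u.SignInActivity.LastSignInDateTime
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if (-not $reference -or $reference -ge $cutoff) { continue }

    $why = if ($last) { "last sign-in $last" } else { "never signed in, created $($u.CreatedDateTime)" }
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Disable sign-in ($why)")) {
        # Blocks sign-in but keeps the object, licences and group memberships for later review
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
        Write-Output "Disabled $($u.UserPrincipalName): $why"
    }
}
```

Disabled accounts remain in the directory, so a separate review step (and the retention or deletion policy mentioned in the answer) still applies after this runs.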