@Parfait Bini Welcome to the Microsoft Q&A Community Forum. You can retrieve the list of inactive accounts by evaluating the lastSignInDateTime property exposed by the signInActivity resource type of the Microsoft Graph API. For more information, refer to this document.
To access this lastSignInDateTime property, you need to meet the following criteria.
- You should have an Azure Active Directory Premium edition.
- To read this property, you need to grant the AuditLog.Read.All and Directory.Read.All rights to the managed identity.
Here is a sample example on how to get the list of inactive users using Microsoft Graph API.
```powershell
try {
    Write-Output "Logging in to Azure..."
    # Authenticate as the Automation account's managed identity
    Connect-AzAccount -Identity
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

# Acquire a token for Microsoft Graph; the token itself is a secret and is not written to the job output
$accessToken = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"

# Users whose last successful sign-in is on or before the cutoff date.
# Single quotes keep PowerShell from expanding $filter and $select as variables.
$uri = 'https://graph.microsoft.com/beta/users?$filter=signInActivity/lastSignInDateTime le 2021-12-01T00:00:00Z&$select=displayName,userPrincipalName,signInActivity'
$users = @()
while ($uri) {
    $response = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($accessToken.Token)" } -Uri $uri -Method Get
    $users += $response.value
    $uri = $response.'@odata.nextLink'   # Graph pages results; follow nextLink until it is absent
}
$users | Select-Object displayName, userPrincipalName, @{ n = 'lastSignInDateTime'; e = { $_.signInActivity.lastSignInDateTime } }
```
Also note, to generate a lastSignInDateTime timestamp, you need a successful sign-in. Because the lastSignInDateTime property is a new feature, the value of the lastSignInDateTime property can be blank if:
- The last successful sign-in of a user took place before April 2020.
- The affected user account was never used for a successful sign-in.
On how to send email using Azure Automation Runbook, do check this document.
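Added example (not part of the answer above): a filter of the form `lastSignInDateTime le <date>` never matches an account whose lastSignInDateTime is blank, so the two cases the answer lists (last sign-in before April 2020, or no successful sign-in at all) are silently left out of the result. The runbook below instead selects signInActivity for every user, follows Graph paging, and classifies each account client-side as Active, Inactive or NeverSignedIn. It assumes the same setup as the answer: an Azure Automation runbook running as a managed identity that holds AuditLog.Read.All and Directory.Read.All in an Azure AD Premium tenant. The $InactiveDays threshold and the column names in the report are the example's own choices.

```powershell
# Added example: report inactive and never-signed-in accounts from signInActivity.
# Assumes an Automation runbook with a managed identity granted AuditLog.Read.All
# and Directory.Read.All on an Azure AD Premium tenant (same assumptions as the answer).
param(
    [int]$InactiveDays = 90   # assumed threshold; align with your own access-review policy
)

Connect-AzAccount -Identity | Out-Null

# Newer Az.Accounts versions return the token as a SecureString; handle both shapes.
$tokenObj = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"
$token = if ($tokenObj.Token -is [securestring]) {
    ConvertFrom-SecureString -SecureString $tokenObj.Token -AsPlainText
} else { $tokenObj.Token }
$headers = @{ Authorization = "Bearer $token" }   # the token is a credential: never Write-Output it

# Select signInActivity for every user instead of filtering on lastSignInDateTime,
# because a blank lastSignInDateTime cannot be matched by an 'le' filter.
$uri = 'https://graph.microsoft.com/beta/users?$select=id,displayName,userPrincipalName,accountEnabled,signInActivity&$top=999'

# Compare as DateTimeOffset so UTC timestamps from Graph are not shifted by the runbook's local time zone.
$cutoff = [datetimeoffset]::UtcNow.AddDays(-$InactiveDays)
$report = [System.Collections.Generic.List[object]]::new()

while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    foreach ($u in $page.value) {
        $last = $u.signInActivity.lastSignInDateTime
        $status = if (-not $last) { 'NeverSignedIn' } elseif ([datetimeoffset]$last -lt $cutoff) { 'Inactive' } else { 'Active' }
        $report.Add([pscustomobject]@{
            UserPrincipalName = $u.userPrincipalName
            DisplayName       = $u.displayName
            AccountEnabled    = $u.accountEnabled
            LastSignIn        = $last
            Status            = $status
        })
    }
    $uri = $page.'@odata.nextLink'   # absent on the last page, which ends the loop
}

# Surface only the accounts that need review; $report still holds the full list.
$report | Where-Object Status -ne 'Active' | Sort-Object Status, UserPrincipalName |
    Format-Table UserPrincipalName, AccountEnabled, LastSignIn, Status -AutoSize
```

Keeping AccountEnabled in the output matters for the follow-up: a NeverSignedIn account that is still enabled is a standing credential nobody uses, which is the kind of account an access review should disable first, whereas an already-disabled one is just noise in the report.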