Hi,I am looking for a quick and easy solution for deactivating all guest users in Azure AD that has not logged in to their account the last 3 months. Appreciate all answers!Br,

Take a look at this article by Tony: https://petri.com/guest-account-obsolete-activityIf you are looking for UI-based approach, try Access reviews: https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews

It's not fully automatic, but you can use the "No sign-in within 30 days" setting to "suggest" to reviewers that such guests can be removed. Combine it with the appropriate action, and it's almost automated.

Here you go:https://graph.microsoft.com/beta/users?$filter=userType eq 'Guest'&$select=displayName,signInActivity

No, there's no way to export via the Graph explorer, afaik, unless you want to do manual copy/paste. You can always use PowerShell to query the Graph though, and exporting there is easy. The "Microsoft Graph" package can help you as well, in case you don't want to issue web requests directly: https://docs.microsoft.com/en-us/graph/powershell/installation

Not exactly, you cannot put filter statements as part of $select. Moreover, it looks like when filtering on lastSignInDateTime, you cannot use other clauses, so the Guest filter will need to be client-side. In other words, get the result ofhttps://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2021-06-01T00:00:00Z&$select=id,displayName,userTypethen filter based on userType in PowerShell, or in the exported CSV file.

Deactivate Inactive Guest Users last 3 months

13 Replies

Nathan_OBryan
MVP
Dec 05, 2024
This was all too complex for me, here's a simpler solution...

Get a csv with the UPNs of the accounts you want to disable

$Guests = Import-Csv .\Guests.csv

ForEach ($Guest in $Guests) { $params = @{accountEnabled = $false} ; Update-MgUser -UserId $guest.upn -BodyParameter $params }
VasilMichev
MVP
Dec 21, 2021
Take a look at this article by Tony: https://petri.com/guest-account-obsolete-activity

If you are looking for UI-based approach, try Access reviews: https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews
- Anonymous
  Dec 21, 2021
  Hi and thanks for the reply!
  Just a question, I know abot the access review functionality, but have not discovered yet how that can be used for this purpose. What configuration in that review can be used to automatically deactivate a guest account based on last sign in date?
  - VasilMichev
    MVP
    Dec 22, 2021
    It's not fully automatic, but you can use the "No sign-in within 30 days" setting to "suggest" to reviewers that such guests can be removed. Combine it with the appropriate action, and it's almost automated.

Forum Discussion

Deactivate Inactive Guest Users last 3 months

13 Replies

Resources