Nov 18 2020 - last edited on Jan 14 2022
To be able to detect all inactive Guest users (e.g. in the last 90 or 180 days), as suggested in the "Manage inactive user accounts in Azure AD" article, I built a script calling the Graph API checking the lastSignInDateTime property.
To my surprise, I noticed that very few guest accounts have the property actually filled in or with a date much older than their recent activities.
To further troubleshoot this weird behavior, I performed some "guest" activities (e.g. switching to the "guest" tenant in the Teams desktop client and chatting, reading files and starting a meeting as a guest user). Then I checked the AAD sign-in logs, but all of my guest user sign-ins (coming from switching to the "guest" tenant) were recorded as "non-interactive" sign-ins, nothing in interactive sign-ins!
And, as the lastSignInDateTime property is only updated with interactive sign-ins, that explains the strange behavior I reported above.
This clearly makes this property pretty useless to detect inactive Guest accounts!
So, why is that lastSignInDateTime property only updated with interactive sign-ins and not also with non-interactive sign-ins? That would really help to detect the actual last sign-in activity for guest users.
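The kind of inactivity check described in this post, as an added example (not the poster's script): it reads guests and their signInActivity from a Graph /users page, buckets them by a 90-day threshold, and treats a missing lastSignInDateTime as "no sign-in recorded" rather than as inactive. It assumes the v1.0 /users endpoint with $select=signInActivity and a caller-supplied bearer token; the sample response below is constructed, not real tenant data. It also reads lastNonInteractiveSignInDateTime, a sibling property that Graph exposes in signInActivity but which the thread does not mention, so the interactive-only result can be compared with one that includes non-interactive sign-ins.

```python
"""Flag inactive Azure AD guest accounts from Microsoft Graph signInActivity.

Added example, not the poster's script. Assumes the v1.0 /users endpoint with
$select=signInActivity and a bearer token supplied by the caller (placeholder).
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_USERS_URL = (
    "https://graph.microsoft.com/v1.0/users"
    "?$filter=userType eq 'Guest'"
    "&$select=id,userPrincipalName,userType,signInActivity"
)


def parse_graph_time(value):
    """Parse an ISO-8601 timestamp as returned by Graph; None/empty stays None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user, interactive_only=False):
    """Return the most recent sign-in timestamp for a user, or None.

    With interactive_only=True only lastSignInDateTime (the property the thread
    is about, updated by interactive sign-ins only) is considered. Otherwise the
    later of that and lastNonInteractiveSignInDateTime is returned. Either value
    may be absent or null for a guest with no sign-in recorded in this tenant.
    """
    activity = user.get("signInActivity") or {}
    stamps = [parse_graph_time(activity.get("lastSignInDateTime"))]
    if not interactive_only:
        stamps.append(parse_graph_time(activity.get("lastNonInteractiveSignInDateTime")))
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def classify_guests(users, now, inactive_days=90, interactive_only=False):
    """Split guests into active / inactive / no_sign_in_recorded buckets.

    A missing timestamp is reported separately rather than treated as inactive,
    because a null value can also mean the tenant has simply never recorded a
    qualifying sign-in for the account (the observation in the post above).
    """
    cutoff = now - timedelta(days=inactive_days)
    result = {"active": [], "inactive": [], "no_sign_in_recorded": []}
    for user in users:
        if user.get("userType") != "Guest":
            continue  # members are out of scope for this check
        upn = user.get("userPrincipalName", user.get("id"))
        ts = last_activity(user, interactive_only)
        if ts is None:
            result["no_sign_in_recorded"].append(upn)
        elif ts < cutoff:
            result["inactive"].append(upn)
        else:
            result["active"].append(upn)
    return result


def fetch_all_guests(token):
    """Page through Graph following @odata.nextLink. Not called at import time."""
    users, url = [], GRAPH_USERS_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


# Constructed sample page shaped like a Graph /users response (not real data).
SAMPLE_RESPONSE = {
    "value": [
        {"id": "1", "userPrincipalName": "alice_contoso.com#EXT#@example.onmicrosoft.com",
         "userType": "Guest",
         "signInActivity": {"lastSignInDateTime": "2020-05-01T08:00:00Z",
                            "lastNonInteractiveSignInDateTime": "2020-11-10T09:30:00Z"}},
        {"id": "2", "userPrincipalName": "bob_fabrikam.com#EXT#@example.onmicrosoft.com",
         "userType": "Guest",
         "signInActivity": {"lastSignInDateTime": "2020-03-02T12:00:00Z",
                            "lastNonInteractiveSignInDateTime": None}},
        {"id": "3", "userPrincipalName": "carol_tailspin.com#EXT#@example.onmicrosoft.com",
         "userType": "Guest"},
        {"id": "4", "userPrincipalName": "dave@example.onmicrosoft.com",
         "userType": "Member",
         "signInActivity": {"lastSignInDateTime": "2019-01-01T00:00:00Z"}},
    ]
}

NOW = datetime(2020, 11, 18, tzinfo=timezone.utc)  # the thread's posting date

if __name__ == "__main__":
    # For a live run, replace SAMPLE_RESPONSE["value"] with fetch_all_guests(<token>).
    for mode in (True, False):
        print("interactive_only =", mode)
        print(json.dumps(classify_guests(SAMPLE_RESPONSE["value"], NOW, 90, mode), indent=2))
```

Running it shows the discrepancy the post describes: with interactive_only=True the first guest (whose last interactive sign-in is over 90 days old but whose non-interactive activity is a week old) is reported as inactive, while the combined view reports her as active; the guest with no signInActivity at all lands in no_sign_in_recorded either way.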
Feb 24 2021 05:49 AM
Having the same problem, where I am not sure that I can trust the lastSignInDateTime. What is the maximum allowed duration between interactive sign-ins for the guest user?
Does anyone have some ideas about this?
Hoping that this will be changed so that non-interactive sign-ins will also trigger an update of the lastSignInDateTime.
Aug 31 2021 11:41 AM
@Franck Silvestre Sorry to hijack your post, but I have a question for you. Just wondering how much you've monitored the lastSignInDateTime property and how consistently accurate you find it to be? I'm in a use case where it's OK that it only is updated by interactive sign-ins, but I remember looking at it in the past and finding it to not be accurate.
In hindsight, I think I may have been fooled by not realizing that it only deals with interactive sign-ins, so I may have been assuming that the non-interactive sign-ins were supposed to be updating lastSignInDateTime (mistakenly assuming, that is).
Thanks in advance.