Deleted
Dec 21, 2021
Deactivate Inactive Guest Users last 3 months
Hi, I am looking for a quick and easy solution for deactivating all guest users in Azure AD that have not logged in to their account in the last 3 months. Appreciate all answers! Br,
Deleted
Alright, thanks again for all your replies! Then we have to go with PowerShell, with the Graph PowerShell SDK - as I understand we can use the same query as in Graph Explorer.
So if I directly want to identify only guest users with a lastSignInDateTime before a specified date (approx. 90 days) it will be like this?
https://graph.microsoft.com/beta/users?$filter=userType eq 'Guest'&$select=displayName,signInActivity/lastSignInDateTime le 2021-09-30T00:00:00Z
VasilMichev (MVP)
Jan 05, 2022
Not exactly, you cannot put filter statements as part of $select. Moreover, it looks like when filtering on lastSignInDateTime, you cannot use other clauses, so the Guest filter will need to be client-side. In other words, get the result of
https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2021-06-01T00:00:00Z&$select=id,displayName,userType
then filter based on userType in PowerShell, or in the exported CSV file.
VasilMichev (MVP)
Jan 10, 2022
This cmdlet is basically a "wrapper" for the Graph queries we discussed above. It's pretty much the same thing. Anyway, to filter out Guest users only, simply check the corresponding property in your results.
$users = Get-MgUser -Filter "signInActivity/lastSignInDateTime le 2021-09-30T00:00:00Z"
$users | ? {$_.UserType -eq "Guest"} | ForEach-Object {@{ UserId=$_.Id}} | Update-MgUser -Settings $DisableUserHash -WhatIf
Deleted
Jan 09, 2022
Hi again VasilMichev,
Maybe I found an even better solution to this problem. This command identifies and deactivates all inactive users directly from PowerShell (got it from a John Savill YouTube video). The only question now is how to ensure it only disables guest users, not all users. Anyone know?
$DisableUserHash = @{'accountEnabled' = 'false'}
Get-MgUser -Filter "signInActivity/lastSignInDateTime le 2021-09-30T00:00:00Z" |
ForEach-Object {@{ UserId=$_.Id}} | Update-MgUser -Settings $DisableUserHash -WhatIf
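
The approach discussed in this thread (server-side filter on lastSignInDateTime, client-side filter on userType), written out as an added example that is not code from any of the posters. It assumes a Microsoft Graph PowerShell SDK version in which Get-MgUser exposes signInActivity, an account that can consent to the two scopes shown, and a constructed output file name (stale-guests.csv).

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

# Compute the 90-day cutoff instead of hard-coding a date, in the UTC
# ISO 8601 form the Graph filter expects.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90).ToString(
    'yyyy-MM-ddTHH:mm:ssZ', [cultureinfo]::InvariantCulture)

# Server side: only the sign-in date filter, as described in the thread.
# -Property is needed because UserType, AccountEnabled and SignInActivity
# are not part of the default property set Get-MgUser returns.
$stale = Get-MgUser -All `
    -Filter "signInActivity/lastSignInDateTime le $cutoff" `
    -Property Id, DisplayName, UserPrincipalName, UserType, AccountEnabled, SignInActivity

# Client side: keep guests that are still enabled.
$targets = @($stale | Where-Object { $_.UserType -eq 'Guest' -and $_.AccountEnabled })

# Write a review list before changing anything (file name is a placeholder).
$targets |
    Select-Object Id, DisplayName, UserPrincipalName,
        @{ Name = 'LastSignIn'; Expression = { $_.SignInActivity.LastSignInDateTime } } |
    Export-Csv -Path .\stale-guests.csv -NoTypeInformation

Write-Host "$($targets.Count) enabled guest account(s) last signed in on or before $cutoff"

foreach ($u in $targets) {
    # -WhatIf only reports what would be disabled; remove it once the CSV
    # has been reviewed. Accounts are disabled, not deleted, so the change
    # can be reverted with -AccountEnabled:$true.
    Update-MgUser -UserId $u.Id -AccountEnabled:$false -WhatIf
}
```

Guests that have never signed in have no lastSignInDateTime value, so they are not matched by this date filter and need a separate review.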