How to show inactive user detail


I need to be able to report on users who have not been active for more than 180 days. I also need to drill down to be able to list the individual users and their last activity date.


How can this be achieved?

13 Replies

Hi Julian,


There are various PowerShell scripts about. I'm currently browsing for one which looks trustworthy. It amazes me that there isn't a standard report in 365 to show this though!



Hi Pete, yes and not a single response from anyone in Microsoft - which is my experience of over 3 years of trying to raise this issue with them both directly and via forums like this.


Clearly there is no way to actually produce this information and that creates a real risk to using O365. It should be this report that people use to ensure that inactive accounts are shut down, not leaving them open for abuse.



I've just used this one. I was hoping to get a csv export but this at least listed the mailboxes I was after:





Unfortunately, that has the common issue that it ONLY looks at mailbox logins and is based on Exchange data. 


Microsoft seem unable to realise that not everyone is using Exchange Online and that logins may occur for different reasons.


The most reliable method I've found so far requires you to run a complex script against the combined audit log. Last time I ran it, it took over 10 hours against 7k accounts.


If Exchange Online logins are a reliable measure of user activity in your case then you will be fine and there are plenty of examples of scripts to do what you want.

@Julian Knight 

I'd suggest using the script below for getting Office 365 Inactive users with last logon time, Inactive days, Mailbox type, Assigned license and Admin roles.

Export Office 365 Inactive Users 


Script Highlights:

  • Result can be filtered based on inactive days.
  • Result can be filtered based on user / mailbox type.
  • Result can be filtered to list never-logged-in mailboxes alone.
  • Export results to CSV file.
  • Shows result with user’s administrative roles in O365 environment.
  • The assigned licenses column will show you the user-friendly-name like 'Office 365 Enterprise E3' rather than 'ENTERPRISEPACK'.



Hi Kathy, thanks for your response but this does NOT answer the question I'm afraid. This script, like the others mentioned only reports when users last logged into their Exchange Online mailboxes.


That is far from being the only service on Office 365 and if the user is not using their mailbox but is using other aspects of Office 365, this will result in an incorrect report.


I have yet to find any reliable way to understand inactive users without having to grab the detailed combined log and aggregating it over the number of days you need to check (unless the number of days is less than the available log data).


This remains a major security failing of Office 365 since there is no simple way to find truly inactive users and suspend them as best practice would suggest.

@Julian Knight 

Yes, Get-MailboxStatistics shows the time a user last accessed their mailbox.

As you said, exact login time can be retrieved from Search-UnifiedAuditLog, which requires analysis of extensive data. I'd suggest using a tool that is specifically designed for the job. You can try AdminDroid Office 365 Reporter to get actual last login time for each service.

Last Active Time of Users by Office 365 Services:

This report will show the user's last active time in O365 services like Exchange, OneDrive, SharePoint, Skype, Yammer and Teams.

User's Last Logon Time:

This report shows last logon time in Azure AD.

@Kathy_Cooper Not true I'm afraid. Get-MailboxStats shows the last time a Mailbox was "fettled" by either a user, or critically, Exchange (Database Services or Discovery Services). Therefore the last logon date of a mailbox will be inaccurate. 


As for AdminDroid, it's slow, clunky, and costs money if you want any of the decent premium features.


I appreciate that MS want to cream money from tenants by hoping to keep users active, and therefore, paying for a licence, but there should be an easy to find report that shows users who have not authenticated against Azure or O365 for x number of days, either through the GUI or PS.


You are right. I have seen similar comments in my blog post, so I decided to dig into the Get-MailboxStatistics cmdlet more.
From that, I found a reliable way to get 'real' users' last activity on Exchange mailbox. Instead of LastLogonTime, I have used LastUserActionTime (which gets updated only for 'real' user actions).
I have posted an updated version of the script here: Export Office 365 Inactive Users Report
Note: This script focuses on users' activity in Exchange Online.

Can we trust this app because this app required a global admin account?


Yes. You can trust the app. For more info, you can check their website:

The script still does not answer the question though - it only looks at users with active mailboxes. What if the user does not use Exchange Online? There are lots of services in O365, not just EXO.

The closest thing to an answer is actually to regularly process the audit log and subtract users with activity from your full AAD enabled user list. Potentially you could also get the active users from the usage & adoption Graph data that is available but be warned that it only covers the previous full month so you need to take care when you run your query.

It is crazy that Microsoft have not addressed this basic need.
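
Added example, not part of the thread or any poster's script: the subtraction described above, in PowerShell, with a running last-seen table so that periodic exports can cover more days than the audit log retains. The function names, users and records are constructed; the records are assumed to carry the UserIds and CreationDate properties that Search-UnifiedAuditLog returns, with CreationDate in UTC.

```powershell
# Fold one audit-log batch into a running table: UPN -> most recent activity.
function Update-LastSeen {
    param([hashtable] $LastSeen, [object[]] $AuditRecord)
    foreach ($r in $AuditRecord) {
        $upn  = ([string]$r.UserIds).ToLowerInvariant()
        $when = [datetimeoffset]$r.CreationDate
        if (-not $LastSeen.ContainsKey($upn) -or $when -gt $LastSeen[$upn]) {
            $LastSeen[$upn] = $when
        }
    }
}

# Enabled users minus everyone seen on or after the cutoff.
function Get-UserWithoutActivity {
    param([string[]] $EnabledUpn, [hashtable] $LastSeen, [datetimeoffset] $Cutoff)
    foreach ($upn in $EnabledUpn) {
        $seen = $LastSeen[$upn.ToLowerInvariant()]
        if ($null -eq $seen -or $seen -lt $Cutoff) {
            [pscustomobject]@{ UserPrincipalName = $upn; LastActivity = $seen }
        }
    }
}

# Constructed sample data (made-up users and dates). Two batches stand in for two
# scheduled exports taken months apart, each holding only what the log still kept.
$batchJanuary = @(
    [pscustomobject]@{ UserIds = 'Alice@contoso.example'; CreationDate = '2024-01-10T09:00:00Z'; Operations = 'FileAccessed' }
    [pscustomobject]@{ UserIds = 'bob@contoso.example';   CreationDate = '2023-11-02T14:30:00Z'; Operations = 'UserLoggedIn' }
)
$batchMay = @(
    [pscustomobject]@{ UserIds = 'alice@contoso.example'; CreationDate = '2024-05-20T16:45:00Z'; Operations = 'MailItemsAccessed' }
)
$enabled = 'alice@contoso.example', 'bob@contoso.example', 'carol@contoso.example'

$lastSeen = @{}   # in a scheduled job this table is saved and reloaded between runs
Update-LastSeen -LastSeen $lastSeen -AuditRecord $batchJanuary
Update-LastSeen -LastSeen $lastSeen -AuditRecord $batchMay

# 180 days back from a fixed "as of" date so the sample result is repeatable.
$asOf = [datetimeoffset]'2024-06-01T00:00:00Z'
Get-UserWithoutActivity -EnabledUpn $enabled -LastSeen $lastSeen -Cutoff ($asOf.AddDays(-180))
```

A user with no entry in the table comes back with an empty LastActivity, which means "not seen in any batch processed so far", not necessarily "never active".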

This is an old discussion but seems to have some recent interest, so I thought I would chime in and mention one tool already mentioned above, and 2 others that no-one has mentioned here.

1. Search-UnifiedAuditLog -- This is a powerful free tool if used right, but can take time to learn how to use it properly so it is efficient.
2. Even better than that, and possibly still free or at the minimum super cheap, is Log Analytics Workspace. You have to set it up, but you can set it up the way you want it by configuring which App logins you retain and which types of logins as well (Interactive vs non-interactive). Again, it has a little overhead to learn it if you have never used it, but it is not complicated.
3. Lastly, and by far the most efficient would be using Graph API. A quick search can lead you to gold :), but here are a couple I found on the first site I went to for GRAPH. And let me say that I support GRAPH because of the efficiency; PowerShell is running on GRAPH APIs in most instances because it is SO fast at data mining.
   1. Get users and their sign-in activity: $filter=startswith(displayName,'markvi')&$select=displayName,...
   2. Get all users with a specific last logon date or older: le 2019-06-01T00:00:00Z
   3. Last logon date of all users: $select=displayName,signInActivity

Below is a link to the page I got these from, and it is a Microsoft Site, so it isn't a well kept secret :).
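
Added example, not part of the thread and not code from Microsoft or any poster: once a Graph query like the ones above has returned users with signInActivity, this PowerShell function turns the result into the 180-day report the original question asks for, including accounts that never signed in. The sample users, the contoso.example names and the function name Get-InactiveUser are constructed for illustration; userPrincipalName and accountEnabled are assumed to be in the $select list.

```powershell
# Constructed sample, shaped like the "value" array of a Graph users response.
# All names and dates are made up; real input would come from the Graph query.
$sampleUsers = @(
    [pscustomobject]@{ displayName = 'Alice Example'; userPrincipalName = 'alice@contoso.example'
        accountEnabled = $true
        signInActivity = [pscustomobject]@{
            lastSignInDateTime               = '2023-09-01T08:15:00Z'
            lastNonInteractiveSignInDateTime = '2024-05-28T23:01:00Z' } }
    [pscustomobject]@{ displayName = 'Bob Example'; userPrincipalName = 'bob@contoso.example'
        accountEnabled = $true
        signInActivity = [pscustomobject]@{ lastSignInDateTime = '2023-10-02T10:00:00Z' } }
    [pscustomobject]@{ displayName = 'Carol Example'; userPrincipalName = 'carol@contoso.example'
        accountEnabled = $true; signInActivity = $null }      # never signed in
    [pscustomobject]@{ displayName = 'Dave Example'; userPrincipalName = 'dave@contoso.example'
        accountEnabled = $false
        signInActivity = [pscustomobject]@{ lastSignInDateTime = '2022-01-01T00:00:00Z' } }
)

function Get-InactiveUser {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [int] $InactiveDays = 180,
        [datetimeoffset] $AsOf = [datetimeoffset]::UtcNow
    )
    $cutoff = $AsOf.AddDays(-$InactiveDays)
    foreach ($u in $User) {
        if (-not $u.accountEnabled) { continue }   # already disabled, nothing left to shut down
        # Use the later of interactive and non-interactive sign-in; either may be missing.
        $stamps = @($u.signInActivity.lastSignInDateTime,
                    $u.signInActivity.lastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | ForEach-Object { [datetimeoffset]$_ }
        $last = $stamps | Sort-Object -Descending | Select-Object -First 1
        if ($null -ne $last -and $last -gt $cutoff) { continue }   # active inside the window
        [pscustomobject]@{
            UserPrincipalName = $u.userPrincipalName
            DisplayName       = $u.displayName
            LastSignIn        = $last
            DaysInactive      = if ($null -ne $last) { [int][math]::Floor(($AsOf - $last).TotalDays) } else { $null }
            NeverSignedIn     = ($null -eq $last)
        }
    }
}

# Fixed "as of" date so the sample result is repeatable; omit -AsOf to use the current time.
Get-InactiveUser -User $sampleUsers -AsOf '2024-06-01T00:00:00Z' |
    Sort-Object LastSignIn | Format-Table -AutoSize
```

Piping the same objects to Export-Csv instead of Format-Table gives the drill-down list of users and last activity dates as a file.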