Microsoft Tech Community

Deactivate Inactive Guest Users last 3 months


Hi,

I am looking for a quick and easy solution for deactivating all guest users in Azure AD who have not logged in to their account in the last 3 months.


Appreciate all answers!

Br,


12 Replies
Hi and thanks for the reply!
Just a question: I know about the access review functionality, but have not discovered yet how that can be used for this purpose. What configuration in that review can be used to automatically deactivate a guest account based on last sign-in date?
It's not fully automatic, but you can use the "No sign-in within 30 days" setting to "suggest" to reviewers that such guests can be removed. Combine it with the appropriate action, and it's almost automated.
Hi!
30 days of inactivity is too low a value for this particular organization to define the account as inactive. The value needs to be 90 days since last sign-in; then retrieve a list of these guest users and deactivate their accounts.
I found this article on Microsoft Graph API, retrieving a list of the last sign in date of all users: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-use...
"https://graph.microsoft.com/beta/users?$select=displayName,signInActivity"

Can anyone help me write the same call, but only for guest users? Provide a list of all guest users' last sign-in dates, then extract the output to a .csv file? Then I can filter out all accounts not signed in within the last 90 days.
Here you go:

https://graph.microsoft.com/beta/users?$filter=userType eq 'Guest'&$select=displayName,signInActivity
Excellent, thanks! So if I directly want to identify only guest users with a lastsignindatetime before a specified date (approx. 90 days) it will be like this?
https://graph.microsoft.com/beta/users?$filter=userType eq 'Guest'&$select=displayName,signInActivity/lastSignInDateTime le 2021-09-30T00:00:00Z

How can the output from Graph Explorer be extracted to a .csv file? We expect results of several thousands of users.
Appreciate it if anyone knows the answers here, as we plan to execute the deactivation of guest users tomorrow.
Thanks!
No, there's no way to export via the Graph explorer, afaik, unless you want to do manual copy/paste. You can always use PowerShell to query the Graph though, and exporting there is easy. The "Microsoft Graph" package can help you as well, in case you don't want to issue web requests directly: https://docs.microsoft.com/en-us/graph/powershell/installation
Alright, thanks again for all your replies! Then we have to go with PowerShell, with the Graph PowerShell SDK; as I understand it, we can use the same query as in Graph Explorer.
So if I directly want to identify only guest users with a lastsignindatetime before a specified date (approx. 90 days) it will be like this?
https://graph.microsoft.com/beta/users?$filter=userType eq 'Guest'&$select=displayName,signInActivity/lastSignInDateTime le 2021-09-30T00:00:00Z
Not exactly, you cannot put filter statements as part of $select. Moreover, it looks like when filtering on lastSignInDateTime, you cannot use other clauses, so the Guest filter will need to be client-side. In other words, get the result of

https://graph.microsoft.com/beta/users?$filter=signInActivity/lastSignInDateTime le 2021-06-01T00:00:00Z&$select=id,displayName,userType

then filter based on userType in PowerShell, or in the exported CSV file.
Hi again @Vasil Michev,
Maybe I found an even better solution to this problem. This command identifies and deactivates all inactive users directly from PowerShell (got it from a John Savill YouTube video). The only question now is how to ensure it only disables guest users, not all users. Anyone know?

$DisableUserHash = @{ accountEnabled = $false }   # a boolean, not the string 'false'
# -All pages through every result; accountEnabled belongs in the PATCH body (-BodyParameter), not in -Settings (which maps to userSettings)
Get-MgUser -All -Filter "signInActivity/lastSignInDateTime le 2021-09-30T00:00:00Z" |
    ForEach-Object { Update-MgUser -UserId $_.Id -BodyParameter $DisableUserHash -WhatIf }
This cmdlet is basically a "wrapper" for the Graph queries we discussed above. It's pretty much the same thing. Anyway, to filter out Guest users only, simply check the corresponding property in your results.

# -Property is required here: UserType is not among the properties Get-MgUser returns by default, so without it the Where-Object matches nothing
$users = Get-MgUser -All -Filter "signInActivity/lastSignInDateTime le 2021-09-30T00:00:00Z" -Property Id, UserType
$users | Where-Object { $_.UserType -eq "Guest" } | ForEach-Object { Update-MgUser -UserId $_.Id -BodyParameter $DisableUserHash -WhatIf }
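The full workflow the thread arrives at (cutoff computed from today's date, server-side date filter, client-side Guest filter, CSV export for review, then disable), as an added example that is not code from any of the posters. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the User.ReadWrite.All and AuditLog.Read.All permissions, and that the output path is a hypothetical default.

```powershell
# Added example: report and (optionally) disable guest accounts with no sign-in in the last N days.
# Run with -WhatIf first; SupportsShouldProcess propagates it to Update-MgUser.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [string]$OutputCsv = '.\inactive-guests.csv',   # hypothetical default path
    [switch]$Disable                                 # omit to only produce the report
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

# Cutoff in the ISO-8601 UTC form the $filter clause expects (e.g. 2021-09-30T00:00:00Z).
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays).ToString('yyyy-MM-dd\THH:mm:ss\Z')

# lastSignInDateTime cannot be combined with other $filter clauses, so the date filter runs
# server-side and the Guest filter runs client-side. -All pages through the whole tenant;
# -Property is required because userType and signInActivity are not returned by default.
$inactive = @(
    Get-MgUser -All `
        -Filter "signInActivity/lastSignInDateTime le $cutoff" `
        -Property Id, DisplayName, UserPrincipalName, UserType, AccountEnabled, SignInActivity |
        Where-Object { $_.UserType -eq 'Guest' -and $_.AccountEnabled }
)

# Caveat: guests who have never signed in carry no signInActivity and so never match the
# date filter; pending invitations must be handled separately from this list.

$inactive |
    Select-Object DisplayName, UserPrincipalName,
        @{ Name = 'LastSignIn'; Expression = { $_.SignInActivity.LastSignInDateTime } } |
    Export-Csv -Path $OutputCsv -NoTypeInformation

Write-Host ("{0} inactive guest accounts written to {1}" -f $inactive.Count, $OutputCsv)

if ($Disable) {
    foreach ($user in $inactive) {
        # Disable rather than delete: the object stays available for audit and rollback.
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable inactive guest account')) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
        }
    }
}
```

Review the CSV before re-running with -Disable, since the filter is purely date-based and does not know which guests are still expected.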