Forum Discussion
pema012
Oct 04, 2021 · Copper Contributor
Azure AD account expiration date
We are in need of having expiration date for Azure AD User accounts. How do we accomplish that?
- Oct 06, 2021
In the end I solved my issue by creating a list in SharePoint Online containing user accounts' object ID and the last day of employment as a date.
Then in Microsoft Power Automate I created a flow running every night checking if any records in the list are the same or earlier than today and if so setting the Azure AD account to be disabled in Azure AD. While at it I also remove the account from the Azure AD security group providing Microsoft 365 licenses.
So not having an account expiration date in Azure AD in the end gave me the opportunity to do more. Thanks Microsoft. 😄
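Added example, not part of the original thread: a PowerShell equivalent of the nightly check described in the reply above, using the AzureAD module's `Set-AzureADUser -AccountEnabled` and `Remove-AzureADGroupMember`. The CSV data, the `Get-DueAccount` and `Disable-DueAccount` function names and the license group ID are assumptions made for illustration, and the refresh-token revocation is an extra step the reply does not mention.

```powershell
# Added example, not from the thread. A live run needs the AzureAD module and
# Connect-AzureAD first; with -WhatIf it runs offline and only reports.

# Constructed sample data standing in for the SharePoint list (ObjectId + last day).
$sampleList = @'
ObjectId,LastDay
11111111-1111-1111-1111-111111111111,2021-10-01
22222222-2222-2222-2222-222222222222,2099-12-31
'@ | ConvertFrom-Csv

function Get-DueAccount {
    # Returns the records whose last day is today or earlier (date-only comparison).
    param([object[]]$Records, [datetime]$Today = (Get-Date).Date)
    foreach ($r in $Records) {
        $lastDay = [datetime]::ParseExact($r.LastDay, 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture)
        if ($lastDay -le $Today) { $r }
    }
}

function Disable-DueAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [object[]]$Records,
        [string]$LicenseGroupId,   # hypothetical: object ID of the licensing group
        [datetime]$Today = (Get-Date).Date
    )
    foreach ($r in Get-DueAccount -Records $Records -Today $Today) {
        if ($PSCmdlet.ShouldProcess($r.ObjectId, 'Disable account, remove from license group')) {
            Set-AzureADUser -ObjectId $r.ObjectId -AccountEnabled $false
            # Invalidate refresh tokens so existing sessions end as well.
            Revoke-AzureADUserAllRefreshToken -ObjectId $r.ObjectId
            try {
                Remove-AzureADGroupMember -ObjectId $LicenseGroupId -MemberId $r.ObjectId -ErrorAction Stop
            } catch {
                # Already removed on an earlier run, or never a member.
                Write-Warning "Group removal skipped for $($r.ObjectId): $($_.Exception.Message)"
            }
        }
    }
}

# Dry run against the constructed data; the group ID is a placeholder.
Disable-DueAccount -Records $sampleList -LicenseGroupId '00000000-0000-0000-0000-000000000000' -WhatIf
```

Because list entries stay in place after processing, the job is written to be safe to repeat: disabling an already disabled account is harmless, and a failed group removal is logged rather than aborting the run.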
infocloud
Feb 16, 2023 · Copper Contributor
In Azure AD, you can set an account expiration date for user accounts to restrict access to resources for a specific period. To set an expiration date for a user account in Azure AD, follow these steps:
Connect to Azure AD using PowerShell or Graph API: You can use either Azure AD PowerShell or Azure AD Graph API to manage Azure AD user accounts. To connect to Azure AD using PowerShell, you will need to install the Azure AD PowerShell module and authenticate with your Azure AD tenant. To connect to Azure AD using Graph API, you will need to create an Azure AD app and authenticate with the app's client ID and secret.
Retrieve the user object: Once you have connected to Azure AD, you can retrieve the user object that you want to set the expiration date for. You can use the user's User Principal Name (UPN) or Object ID to retrieve the user object. For example, to retrieve a user object using PowerShell, you can use the following command:
Get-AzureADUser -ObjectId <user_object_id>
Set the account expiration date: After you have retrieved the user object, you can set the account expiration date using the "AccountExpirationDate" attribute of the user object. The "AccountExpirationDate" attribute is a DateTime attribute that can be set to a specific date and time or to a relative time. For example, to set the account expiration date for a user account to July 1, 2023, you can use the following command in PowerShell:
Set-AzureADUser -ObjectId <user_object_id> -AccountExpirationDate "2023-07-01T00:00:00Z"
This will set the account expiration date to July 1, 2023, at midnight UTC time.
Verify the account expiration date: To verify that the account expiration date has been set correctly, you can use the "Get-AzureADUser" cmdlet or the Azure AD Graph API to retrieve the user object again. The "AccountExpirationDate" attribute of the user object should now be set to the date and time that you specified.
It's important to note that setting an account expiration date will prevent the user from signing in after the expiration date, but it will not remove the user account or any associated data. If you want to delete the user account and associated data after the expiration date has passed, you will need to do so manually or through an automated process.
- nUber · Apr 06, 2023 · Copper Contributor
infocloud posting AI generated and unverified content that you didn't test and that doesn't even work (the parameter doesn't even exist)... Why are you doing this? You are not gaining anything from it. In fact you are wasting your own, but more importantly, everyone else's time. Maybe you didn't know but AI can often make up stuff so always best to verify.
- sathishkumarga · Jul 28, 2023 · Copper Contributor
infocloud
I do not see the '-AccountExpirationDate' switch with the Set-AzureADUser cmdlet.
I also do not see the AccountExpirationDate attribute when getting user details using Get-AzureADuser.