Finding inactive users by their last logon date in Azure Active Directory has never been easier. The LastSignInDateTime property was introduced in Microsoft Graph to make it easier for admins to retrieve this information so that cleanup can be done periodically.
There are numerous ways to retrieve this property. I have simplified the whole process into a few lines of code so that it is not complicated for beginners to retrieve it from Azure AD. Please note that this requires the tenant to have an Azure AD P1 or P2 license.
If you don’t have the required license to retrieve this property, you will get the error below.
"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license"
Firstly, we need an Azure AD App Registration with a few permissions: AuditLog.Read.All and Directory.Read.All.
Let’s create an App Registration.
I have named it UserSigninLogs.
The app is created.
The client secret is created.
Add the required permissions, AuditLog.Read.All and Directory.Read.All, and grant admin consent.
Now we have the Application ID, Directory ID and Client Secret for our script to retrieve data via Microsoft Graph.
After replacing the above values in the script, you can export the results to a CSV file. You can change the number of days and the CSV file name as per your requirements, or run the script without parameters and it will take the default values.
.\AzureAD_Inactive_Users.ps1 -LastLogonDays 90 -CSVFileName 90daysinactive.csv
.\AzureAD_Inactive_Users.ps1 -LastLogonDays 60
.\AzureAD_Inactive_Users.ps1
CSV Format
Download from GitHub –
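A compact version of the flow described above, as an added example rather than the author's AzureAD_Inactive_Users.ps1. It assumes the app registration values are supplied in the environment variables AAD_TENANT_ID, AAD_CLIENT_ID and AAD_CLIENT_SECRET (hypothetical names) and that the Graph v1.0 users endpoint is used; accounts with no recorded sign-in are reported separately from inactive ones.

```powershell
# Added example; parameter defaults and the AAD_* environment variable names are assumptions.
param(
    [int]$LastLogonDays = 90,
    [string]$CSVFileName = 'InactiveUsers.csv'
)
# App registration values, read from the environment so the secret is not stored in the script.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $env:AAD_CLIENT_ID        # Application ID
    client_secret = $env:AAD_CLIENT_SECRET
    scope         = 'https://graph.microsoft.com/.default'
}
$tokenUrl = "https://login.microsoftonline.com/$($env:AAD_TENANT_ID)/oauth2/v2.0/token"
$token = (Invoke-RestMethod -Method Post -Uri $tokenUrl -Body $tokenBody).access_token

# Double quotes are required: inside single quotes $token is sent literally, not expanded.
$headers = @{ Authorization = "Bearer $token" }

# Normalise Graph timestamps (string in Windows PowerShell, DateTime in PowerShell 7) to UTC.
function ConvertTo-Utc($Value) { if ($Value) { ([datetime]$Value).ToUniversalTime() } }

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$LastLogonDays)
$select = 'displayName,userPrincipalName,accountEnabled,createdDateTime,signInActivity'
$uri    = "https://graph.microsoft.com/v1.0/users?`$select=$select"
$report = [System.Collections.Generic.List[object]]::new()

while ($uri) {
    $page = Invoke-RestMethod -Headers $headers -Uri $uri -Method Get
    foreach ($u in $page.value) {
        # signInActivity is absent when no sign-in is recorded for the account.
        $lastSeen = ConvertTo-Utc $u.signInActivity.lastSignInDateTime
        $created  = ConvertTo-Utc $u.createdDateTime
        $status = if ($lastSeen) {
            if ($lastSeen -lt $cutoff) { 'Inactive' }
        } elseif (-not $created -or $created -lt $cutoff) { 'NeverSignedIn' }
        if ($status) {
            $report.Add([pscustomobject]@{
                DisplayName       = $u.displayName
                UserPrincipalName = $u.userPrincipalName
                AccountEnabled    = $u.accountEnabled
                Created           = $created
                LastSignIn        = $lastSeen
                Status            = $status
            })
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until Graph stops returning a next link
}
# Keep the pipe on the same line as the collection; a line starting with | is a parse error.
$report | Export-Csv -Path $CSVFileName -NoTypeInformation
```

The Status column lets a reviewer treat never-used accounts differently from accounts that have gone quiet before anything is disabled.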
Does this script account for users who have never logged in? Example: a user was created 2 years ago and has never logged in. Will this script mark the account as inactive?
It has a maximum storage of x days. But it cannot can check up to 2 years for sure.
That is not what I mean. Example: a user was created 60 days ago. User has *NEVER LOGGED IN*. Will this script mark the account as inactive?
Thanks! It helped me a lot!
How can I filter by a specific assigned license?
I want to know this too. Currently when I add in assignedLicenses to the script, it outputs System.Object[] over and over
Check out this script. It will resolve your requirements.
https://blog.admindroid.com/get-last-successful-sign-in-date-report-for-microsoft-365-users/
Thank you for helping us out. I do get an error. Do you have any ideas?
At C:\Users\DannyVe\AzureAD_Inactive_Users.ps1:57 char:1
+ | Export-Csv $CSVFileName
+ ~
An empty pipe element is not allowed.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : EmptyPipeElement
Dear Danny,
Just press backspace in front of that | Export-Csv
This line is supposed to join with its previous list to give output. Cheers mate
Hi, I’m new to this, but on the line
$ExpiredUsers = (Invoke-RestMethod -Headers @{Authorization = ‘Bearer $($token)’} -Uri $LoginUrl -Method Get).value
I get a 401 Unauthorized error.
The app registration has the correct details and token. If I query the $token I can see the token.
Any ideas how to fix this please?
Thank you
What’s the solution for this error? Is this error resolved?
Thanks for this really useful – how can I automate the CSV to be sent to an email every week?
From Powershell can I script it to export the CSV into a storage account, and then perhaps an ADF pipeline to send the csv file on a weekly scheduled basis?
Finally – how can I add a column on the csv for user domain? e.g. if user is blue@gmail.com then a DOMAIN COLUMN with gmail.com | hotmail.com etc
Many thanks!
@DM, did you figure out how to send the CSV file on a weekly scheduled basis? I am also looking to automate the same, either using Logic Apps or Azure Automation. Please help me if you have already done it.
I get this message when running this script:
cmdlet Export-Csv at command pipeline position 1
Supply values for the following parameters:
InputObject:
Then pressing enter will display all the inactive accounts but it will not export to CSV.
NVM, I found the fix.
Add | at the end of line 56