Guest User Last Sign-in date time in Azure Active Directory and automatic cleanup

Azure AD’s sign-in logs only go back 30 days, so it is highly recommended to stream them to a Log Analytics workspace (Azure Monitor). A single P1 license in your tenant is enough to enable this.

However, even if you don’t stream your sign-in logs, Microsoft does keep track of when an account last signed in.

My script gets the last sign-in data of all guest accounts in your tenant, without any dependencies other than the Az PS module.

If a guest user has never signed in, the creation date is used to determine inactivity. Otherwise either the last interactive or the last non-interactive sign-in is used (whichever is most recent).

Additionally, the script can also be configured to automatically clean up any guest accounts that have been inactive for a given number of days by using the -removeInactiveGuests switch.
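As an added illustration (not the script from the Gitlab link below), this PowerShell snippet applies the inactivity rule just described to Graph user objects. The sample users are constructed; the property names signInActivity.lastSignInDateTime, lastNonInteractiveSignInDateTime and createdDateTime are the Graph fields this relies on, and reading signInActivity requires AuditLog.Read.All.

```powershell
# Added example, not the blog's script: compute last activity per guest the way the post describes.
function Get-GuestLastActivity {
    param(
        [Parameter(Mandatory)] $User,              # one user object as returned by Graph /users with signInActivity
        [int] $InactiveDays = 90,
        [datetime] $Now = (Get-Date)
    )
    $interactive    = $User.signInActivity.lastSignInDateTime                 # $null when never populated
    $nonInteractive = $User.signInActivity.lastNonInteractiveSignInDateTime
    $candidates = @(@($interactive, $nonInteractive) | Where-Object { $_ } | ForEach-Object { [datetime]$_ })
    if ($candidates.Count -eq 0) {
        # Never signed in (or only before April 2020): fall back to the creation date
        $lastActivity = [datetime]$User.createdDateTime
        $source = 'createdDateTime'
    } else {
        # Most recent of interactive and non-interactive sign-in
        $lastActivity = ($candidates | Sort-Object -Descending)[0]
        $source = 'signInActivity'
    }
    $days = [int]($Now.ToUniversalTime() - $lastActivity.ToUniversalTime()).TotalDays
    [pscustomobject]@{
        UserPrincipalName = $User.userPrincipalName
        LastActivity      = $lastActivity
        Source            = $source
        InactiveDays      = $days
        Inactive          = $days -gt $InactiveDays
    }
}

# Constructed sample data standing in for the Graph response (only Guest objects are evaluated)
$sampleUsers = @'
[{"userPrincipalName":"ann_contoso.com#EXT#@tenant.onmicrosoft.com","userType":"Guest",
  "createdDateTime":"2021-01-10T09:00:00Z",
  "signInActivity":{"lastSignInDateTime":"2021-02-01T08:00:00Z","lastNonInteractiveSignInDateTime":"2023-05-20T08:00:00Z"}},
 {"userPrincipalName":"bob_fabrikam.com#EXT#@tenant.onmicrosoft.com","userType":"Guest",
  "createdDateTime":"2022-11-01T09:00:00Z","signInActivity":null}]
'@ | ConvertFrom-Json

$report = $sampleUsers | Where-Object { $_.userType -eq 'Guest' } |
    ForEach-Object { Get-GuestLastActivity -User $_ -InactiveDays 90 -Now ([datetime]'2023-06-01T00:00:00Z') }
$report | Format-Table -AutoSize     # ann: 12 days, not inactive; bob: created only, inactive

# Cleanup step: report first, and only delete when a removal switch is explicitly supplied
$report | Where-Object { $_.Inactive } | ForEach-Object {
    Write-Host "Would remove $($_.UserPrincipalName) (inactive $($_.InactiveDays) days, based on $($_.Source))"
    # Remove-AzADUser -UPNOrObjectId $_.UserPrincipalName -WhatIf   # Az.Resources cmdlet; uncomment to enforce
}
```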

Even in large environments, processing only takes a few minutes at most.

Download

Download the script from my Gitlab here:

https://gitlab.com/Lieben/assortedFunctions/-/blob/master/get-AzureAdInactiveGuestUsers.ps1

Limitations

Microsoft started populating these properties in April 2020, so accounts whose only activity predates that will appear as though they have never been active.

Scheduling

This script supports running non-interactively as a runbook in Azure Automation if you supply the -nonInteractive switch. Before this will work, you’ll have to enable Managed Identity on your Automation account and run a small script to assign Graph permissions to the Managed Identity: AuditLog.Read.All and Organization.Read.All.

Disclaimer

As always this script is provided as-is and should be reviewed and then used at your own risk.


17 Comments
Kelly
13 days ago

Hi, thanks for this script. It’s exactly what we need. When I run the script, I get no progress at all. Is there something I’m missing? It looks like it hangs. Any help would be hugely appreciated.

Amir
2 months ago

Hi Jos, Thank you for posting this. So far it’s the only script that worked for me! Can this be used for All AAD users and not just guests? I modified your script and removed the guest filter, it pulled all users, but their Last Sign-in was set to Never for all!

Regarding the permissions, I’m running it as GA. Do I still need to modify anything?

Please advise.

Thank you,
Amir-

Martin
3 months ago

I’m sure this great script worked. But now I get a message:

Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
At C:\Temp\Guest.ps1:50 char:13
+ $userData = Invoke-RestMethod -Uri “https://graph.microsoft.com/beta/ ..


Ludwig
6 months ago

With the Graph it is possible to get the signInActivity.lastSignInDateTime property. Is there a benefit for this purpose of the blog to use the workspace solution over this property?

maxcoder88
6 months ago

Hi,

First of all, thanks for your script. I have two simple questions.

1 - We already have Azure AD Premium P1.

I will choose only “Sign-in Logs”, correct?

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

2 - If I use this Log Analytics solution, are there any extra costs?

thanks,