How to detect and investigate inactive user accounts
In large environments, user accounts aren't always deleted when employees leave an organization. As an IT administrator, you want to detect and resolve these obsolete user accounts: they are still valid sign-in targets that nobody is watching, so they represent a security risk.
This article explains a method to handle obsolete user accounts in Microsoft Entra ID.
Note
This article applies only to finding inactive user accounts in Microsoft Entra ID. It does not apply to finding inactive accounts in Azure AD B2C.
Prerequisites
To access the lastSignInDateTime property using Microsoft Graph:
You need a Microsoft Entra ID P1 or P2 license.
You need to grant the app the following Microsoft Graph permissions:
AuditLog.Read.All
User.Read.All
Reports Reader is the least privileged role required to access the activity logs.
Inactive accounts are user accounts that members of your organization no longer need in order to access your resources. One key indicator of an inactive account is that it hasn't been used to sign in to your environment for a while. Because inactivity is tied to sign-in activity, you can use the timestamp of the last time an account attempted to sign in to detect inactive accounts.
The challenge of this method is to define what "for a while" means for your environment. For example, users might not sign in for a while because they are on vacation or extended leave. You need to consider all legitimate reasons for not signing in to your environment. In many organizations, a reasonable window for inactive user accounts is between 90 and 180 days.
The last sign-in date provides potential insights into a user's continued need for access to resources. It can help with determining if group membership or app access is still needed or could be removed. For external user management, you can determine if an external user is still active within the tenant or should be removed.
How to find inactive user accounts
You can use the Microsoft Entra admin center or the Microsoft Graph API to find inactive user accounts. While there isn't a built-in report for inactive user accounts, you can use the last sign-in date and time to determine if a user account is inactive.
To find the last sign-in time for a user, you can look at your user list in the Microsoft Entra admin center. While all users can see the list of users, some columns and details are only available to users with the appropriate permissions.
From the list, select + Add column, select Last interactive sign-in time from the list, then select Save.
With the column now visible in the all users list, select Add filter and set a time frame for your search using the filter options.
Select <= as the operator, then select a date. The filter returns users whose last interactive sign-in happened on or before the selected date.
You can detect inactive accounts by evaluating the lastSignInDateTime property, which is exposed by the signInActivity resource type of the Microsoft Graph API. The lastSignInDateTime property shows the last time a user attempted an interactive sign-in to Microsoft Entra ID, whether or not the attempt succeeded. Using this property, you can implement a solution for the following scenarios:
Last sign-in date and time for all users
Generate a report of the last sign-in date of all users. The response provides a list of all users and the lastSignInDateTime for each respective user.
This query is similar to adding the last sign-in date to the users list and filtering by a specific date in the Microsoft Entra admin center. You can request a list of users with a lastSuccessfulSignInDateTime or lastSignInDateTime before a specified date. The response for this query provides the user's details, but doesn't include the user's sign-in activity. To see those details, try the query in the Users by name scenario.
`https://graph.microsoft.com/v1.0/users?$filter=signInActivity/lastSuccessfulSignInDateTime le 2024-06-01T00:00:00Z`
`https://graph.microsoft.com/v1.0/users?$filter=signInActivity/lastSignInDateTime le 2024-06-01T00:00:00Z`
Users by name
In this scenario, you search for a specific user by name. The response for this query includes the date, time, and request ID for their last sign-ins.
Request:
GET `https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'Isabella Simonsen')&$select=displayName,signInActivity`
lastSignInDateTime: The date and time of the last interactive sign-in attempt, including sign-in failures. In the case where the last sign-in attempt was successful, the date and time of this property will be the same as the lastSuccessfulSignInDateTime.
lastNonInteractiveSignInDateTime: The date and time of the last non-interactive sign-in attempt.
lastSuccessfulSignInDateTime: The date and time of the last successful interactive sign-in.
Note
The signInActivity property supports $filter (eq, ne, not, ge, le) but not with any other filterable properties. You must specify $select=signInActivity or $filter=signInActivity while listing users, as the signInActivity property is not returned by default.
Considerations for the lastSignInDateTime property
The following details relate to the lastSignInDateTime property.
The property is not available through the Get-MgAuditLogDirectoryAudit cmdlet.
Each interactive sign-in attempt results in an update of the underlying data store. Typically, sign-ins show up in the related sign-in report within 6 hours.
To generate a lastSignInDateTime timestamp, a sign-in must be attempted. Any failed or successful sign-in attempt that is recorded in the Microsoft Entra sign-in logs generates a lastSignInDateTime timestamp. The value of the lastSignInDateTime property might be blank if:
The last attempted sign-in of a user took place before April 2020.
The affected user account was never used for a sign-in attempt.
The last sign-in date is associated with the user object. The value is retained until the next sign-in of the user. It might take up to 24 hours to update.
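The following is an added example, not code from this article or from Microsoft: it combines the Graph $filter query from the "Last sign-in date and time for all users" scenario with the blank-value considerations above. It builds the request URL for a chosen inactivity window and then classifies users offline from a constructed response shaped like the payload of `/v1.0/users?$select=displayName,userPrincipalName,signInActivity`. A `le` comparison in $filter cannot match a blank timestamp, so accounts that were never used (or whose last attempt predates April 2020) are bucketed client-side here; accounts with only non-interactive activity inside the window get their own bucket, because lastSignInDateTime alone would make them look inactive. The sample users, the fixed "now" and the bucket names are assumptions made for the example.

```python
"""Find inactive Microsoft Entra users from signInActivity.

Added example, not code from the Microsoft Learn article. It builds the
Graph $filter query for an inactivity window and then classifies users
offline from a constructed response shaped like the payload returned by
/v1.0/users?$select=displayName,userPrincipalName,signInActivity.
The sample users and the fixed "now" are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
SIGN_IN_PROPS = (
    "lastSignInDateTime",                # last interactive attempt, success or failure
    "lastSuccessfulSignInDateTime",      # last successful interactive sign-in
    "lastNonInteractiveSignInDateTime",  # last non-interactive (token refresh, app) sign-in
)


def cutoff_for(window_days, now=None):
    """Start of the inactivity window: anything at or before this is stale."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(days=window_days)).replace(microsecond=0)


def iso_z(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def inactive_users_url(window_days, now=None, prop="lastSignInDateTime"):
    """Graph request for users whose `prop` is at or before the cutoff.

    $select is required because signInActivity is not returned by default.
    Users whose signInActivity is blank (never signed in, or last attempt
    before April 2020) cannot satisfy a `le` comparison, so pull them with
    a plain $select and classify client-side with `classify` below.
    """
    filt = f"signInActivity/{prop} le {iso_z(cutoff_for(window_days, now))}"
    return (f"{GRAPH_USERS}?$filter={quote(filt, safe='/:')}"
            "&$select=displayName,userPrincipalName,signInActivity")


def parse_ts(value):
    """Graph timestamps are UTC ISO 8601 with a trailing Z; blank -> None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(user, cutoff):
    """Bucket one user object from the Graph response."""
    activity = user.get("signInActivity") or {}
    stamps = {p: parse_ts(activity.get(p)) for p in SIGN_IN_PROPS}
    latest = max((t for t in stamps.values() if t), default=None)
    if latest is None:
        # Blank timestamps: never signed in, or last attempt predates April 2020.
        return "never-signed-in"
    if latest <= cutoff:
        return "inactive"
    interactive = stamps["lastSignInDateTime"]
    if interactive is None or interactive <= cutoff:
        # Only non-interactive sign-ins inside the window: check whether a
        # workload still depends on this account before disabling it.
        return "non-interactive-only"
    return "active"


def report(users, cutoff):
    """Map each bucket to the UPNs in it, sorted for stable output."""
    buckets = {}
    for u in users:
        buckets.setdefault(classify(u, cutoff), []).append(u["userPrincipalName"])
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample: a fixed "now" and a page of users as Graph would return them.
SAMPLE_NOW = datetime(2024, 8, 30, tzinfo=timezone.utc)   # 90 days back = 2024-06-01
SAMPLE_USERS = [
    {"displayName": "Alice", "userPrincipalName": "alice@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2024-08-20T09:12:00Z",
                        "lastSuccessfulSignInDateTime": "2024-08-20T09:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-08-29T23:01:00Z"}},
    {"displayName": "Bob", "userPrincipalName": "bob@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2024-03-10T07:00:00Z",
                        "lastSuccessfulSignInDateTime": "2024-03-10T07:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-03-11T07:00:00Z"}},
    {"displayName": "Carol", "userPrincipalName": "carol@contoso.example"},  # no signInActivity
    {"displayName": "Dave", "userPrincipalName": "dave@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2024-02-01T12:00:00Z",
                        "lastSuccessfulSignInDateTime": "2024-02-01T12:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-08-28T04:30:00Z"}},
    {"displayName": "Erin", "userPrincipalName": "erin@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2024-06-01T00:00:00Z",  # exactly on the cutoff
                        "lastSuccessfulSignInDateTime": "2024-06-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
]

if __name__ == "__main__":
    print(inactive_users_url(90, now=SAMPLE_NOW))
    for bucket, upns in report(SAMPLE_USERS, cutoff_for(90, SAMPLE_NOW)).items():
        print(f"{bucket}: {', '.join(upns)}")
```

Run it as-is to see the four buckets for the sample; against a real tenant, page through the users list with the $select URL (following @odata.nextLink) and feed each page to `report`. The "non-interactive-only" bucket is the one worth reviewing before any cleanup, since those accounts are still being used by something, just not by a person typing a password.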
How to investigate a single user in the Microsoft Entra admin center
If you need to view the latest sign-in activity for a user, you can view the user's sign-in details in Microsoft Entra ID. You can also use the Microsoft Graph users by name scenario described in the previous section.
In the My Feed area of the user's Overview, locate the Sign-ins tile.
The last sign-in date and time shown on this tile might take up to 24 hours to update, which means the date and time might not be current. If you need to see the activity in near real time, select the See all sign-ins link on the Sign-ins tile to view all sign-in activity for that user.