Get disabled or inactive user accounts
Summary
In order to keep your tenant clean (Governance), you might want to ensure that disabled or inactive user accounts will be replaced where oppropriate (Think Owners of sites/groups, assignedto user on tasks/planner and so on). This script will help you find those accounts.
function Get-UserFromGraph
{
$disabledusersfromgraph = @()
$result = Invoke-PnPGraphMethod -Url "users?`$select=displayName,mail, AccountEnabled" -Connection $conn
$result.value.Count
foreach($account in $result.value)
{
if($account.accountEnabled -eq $false)
{
$disabledusersfromgraph += $account.mail
}
}
$disabledusersfromgraph
}
function Get-UserFromSharePointSearch
{
$usersfromsearch = @()
#How you tag an account as disabled varies from org to org, so you might need to change the below
#in one tenant the account name was prefixed with ZZ_[Year of leaving]
#in another tenant they had a custom property called EmployeeStatus, and sometimes a DateLeft property
#SourceId "b09a7990-05ea-4af9-81ef-edfab16c4e31" is the People source in SharePoint
$results = Invoke-PnPSearchQuery -Query "*" -SourceId "b09a7990-05ea-4af9-81ef-edfab16c4e31" -All -Connection $conn
foreach($result in $results.ResultRows)
{
#you can replace this with whatever you use to tag an account as disabled
if($result["SPS-HideFromAddressLists"] -eq $true)
{
$usersfromsearch += $result["WorkEmail"]
}
}
$usersfromsearch
}
function Get-UserFromGraphThatHasntLoggedInResently($duration = 90)
{
$inactiveusersfromgraph = @()
$authToken = Get-PnPGraphAccessToken -Connection $conn
$uri = "https://graph.microsoft.com/v1.0/users"
$Headers = @{
"Authorization" = "Bearer $($authToken)"
"Content-type" = "application/json"
}
$response = Invoke-RestMethod -Headers $Headers -Uri $uri -Method GET
foreach($user in $response.value)
{
# requires the AuditLog.Read.All permission
$signinsUri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1&$filter=userPrincipalName eq '$($user.userPrincipalName)')"
$response = Invoke-RestMethod -Headers $Headers -Uri $signinsUri -Method GET
if($response.value.Count -eq 0)
{
#no signin found
$inactiveusersfromgraph += $user.userPrincipalName
}
else {
if($response.value[0].createdDateTime -lt (Get-Date).AddDays(-$duration))
{
#user has not signed in for 90 days
$inactiveusersfromgraph += $user.userPrincipalName
}
}
}
$inactiveusersfromgraph
}
$ClientId = "clientid"
$TenantName = "[domain].onmicrosoft.com"
$SharePointAdminSiteURL = "https://[domain]-admin.sharepoint.com/"
#connect to SharePoint using a certificate or similar
$conn = Connect-PnPOnline -Url $SharePointAdminSiteURL -ClientId $ClientId -Tenant $TenantName -CertificatePath "C:\Users\[you]\[CertName].pfx" -CertificatePassword (ConvertTo-SecureString -AsPlainText -Force "ThePassWord") -ReturnConnection
#get user data from graph and log those which are disabled
$userd1 = Get-UserFromGraph
$userd2 = Get-UserFromSharePointSearch
$users3 = Get-UserFromGraphThatHasntLoggedInResently
#output to csv file or use the data in some other way, like checking if the disabled users is a Owner of some site or group
$userd1 | Export-Csv -Path "C:\temp\disabledusers.csv" -NoTypeInformation
Check out the PnP PowerShell to learn more at: https://aka.ms/pnp/powershell
The way you login into PnP PowerShell has changed please read PnP Management Shell EntraID app is deleted : what should I do ?
Contributors
| Author(s) |
|---|
| Kasper Larsen |
Disclaimer
THESE SAMPLES ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.