GitHub Icon Image
GitHub

Get disabled or inactive user accounts

Summary

In order to keep your tenant clean (Governance), you might want to ensure that disabled or inactive user accounts will be replaced where oppropriate (Think Owners of sites/groups, assignedto user on tasks/planner and so on). This script will help you find those accounts.

Example Screenshot

  • PnP PowerShell


function Get-UserFromGraph 
{
    $disabledusersfromgraph = @()
    $result = Invoke-PnPGraphMethod -Url "users?`$select=displayName,mail, AccountEnabled" -Connection $conn

    $result.value.Count
    foreach($account in $result.value)
    {
        if($account.accountEnabled -eq $false)
        {
            $disabledusersfromgraph += $account.mail
        }
    }
    $disabledusersfromgraph
}
function Get-UserFromSharePointSearch 
{
    $usersfromsearch = @()
    #How you tag an account as disabled varies from org to org, so you might need to change the below
    #in one tenant the account name was prefixed with ZZ_[Year of leaving]
    #in another tenant they had a custom property called EmployeeStatus, and sometimes a DateLeft property
    #SourceId "b09a7990-05ea-4af9-81ef-edfab16c4e31"  is the People source in SharePoint
    $results = Invoke-PnPSearchQuery -Query "*" -SourceId "b09a7990-05ea-4af9-81ef-edfab16c4e31" -All -Connection $conn    
    
    foreach($result in $results.ResultRows)
    {
        #you can replace this with whatever you use to tag an account as disabled
        if($result["SPS-HideFromAddressLists"] -eq $true)
        {
            $usersfromsearch += $result["WorkEmail"]
        }
    }
    $usersfromsearch
}
function Get-UserFromGraphThatHasntLoggedInResently($duration = 90) 
{
    $inactiveusersfromgraph = @()
    $authToken = Get-PnPGraphAccessToken -Connection $conn
    $uri = "https://graph.microsoft.com/v1.0/users"
    $Headers = @{
        "Authorization" = "Bearer $($authToken)"
        "Content-type"  = "application/json"
    }
    $response = Invoke-RestMethod -Headers $Headers -Uri $uri -Method GET
    foreach($user in $response.value)
    {
        # requires the AuditLog.Read.All permission
        $signinsUri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1&$filter=userPrincipalName eq '$($user.userPrincipalName)')"
        $response = Invoke-RestMethod -Headers $Headers -Uri $signinsUri -Method GET
        
        if($response.value.Count -eq 0)
        {
            #no signin found
            $inactiveusersfromgraph += $user.userPrincipalName
        }
        else {
            if($response.value[0].createdDateTime -lt (Get-Date).AddDays(-$duration))
            {
                #user has not signed in for 90 days
                $inactiveusersfromgraph += $user.userPrincipalName
                
            }
        }
    }
    $inactiveusersfromgraph
}




$ClientId = "clientid"
$TenantName = "[domain].onmicrosoft.com"
$SharePointAdminSiteURL = "https://[domain]-admin.sharepoint.com/"
#connect to SharePoint using a certificate or similar
$conn = Connect-PnPOnline -Url $SharePointAdminSiteURL -ClientId $ClientId -Tenant $TenantName -CertificatePath "C:\Users\[you]\[CertName].pfx" -CertificatePassword (ConvertTo-SecureString -AsPlainText -Force "ThePassWord") -ReturnConnection

#get user data from graph and log those which are disabled
$userd1 = Get-UserFromGraph
$userd2 = Get-UserFromSharePointSearch
$users3 = Get-UserFromGraphThatHasntLoggedInResently

#output to csv file or use the data in some other way, like checking if the disabled users is a Owner of some site or group
$userd1 | Export-Csv -Path "C:\temp\disabledusers.csv" -NoTypeInformation 

Check out the PnP PowerShell to learn more at: https://aka.ms/pnp/powershell

The way you login into PnP PowerShell has changed please read PnP Management Shell EntraID app is deleted : what should I do ?

Contributors

Author(s)
Kasper Larsen

Disclaimer

THESE SAMPLES ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.

Back to top Script Samples
Generated by DocFX with Material UI