How to get AzureAD Users LastLogin for stale accounts PowerShell

Which property comes closest to the LastLogin property?

LastLogin (lastLogon / lastLogonTimestamp) is an attribute known from on-premises Active Directory, but no such property exists on the AzureAD user object.

The property that comes closest is RefreshTokensValidFromDateTime. It marks the point in time before which all refresh tokens and session tokens of the user are invalid; it is set when the account is created and reset when the password is changed or the tokens are revoked. It therefore reflects credential and token-revocation events, not the moment the user last signed in.

So it is not a reliable stand-in for LastLogin. The alternative is the sign-in activity that the Microsoft Graph API exposes, which is what the rest of this post uses.


What about audit logs and Microsoft Graph API?

The last sign-in is available through the Microsoft Graph API as the signInActivity property of the user object, which is populated from the Azure AD sign-in logs. Reading it requires the AuditLog.Read.All permission on top of a user read permission, and it is only returned when you explicitly ask for it with $select.
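As an added example that is not part of Optimized.Mga or the blog's own functions, the call below reads signInActivity for every user with a raw Microsoft Graph request and follows @odata.nextLink until all pages are in. It assumes $AccessToken holds an app-only token for an application with User.Read.All (or User.ReadWrite.All) and AuditLog.Read.All; the function and property names are my own.

```powershell
# Added example (not Optimized.Mga code). Reads the signInActivity property for
# all users via the Microsoft Graph v1.0 endpoint and normalises it to a single
# LastSignIn timestamp. Assumes $AccessToken is an app-only bearer token with
# User.Read.All (or higher) and AuditLog.Read.All.
function Get-UserSignInActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [ValidateSet('Guest', 'Member')][string]$UserType
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    # signInActivity is never returned unless it is named in $select.
    $select = 'id,displayName,userPrincipalName,userType,createdDateTime,signInActivity'
    # Small page size; @odata.nextLink takes care of the remaining pages.
    $uri = "https://graph.microsoft.com/v1.0/users?`$select=$select&`$top=100"

    $users = [System.Collections.Generic.List[object]]::new()
    do {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $users.AddRange([object[]]$page.value)
        $uri = $page.'@odata.nextLink'   # $null once the last page has been read
    } while ($uri)

    # Filter client-side to keep the request simple (userType can also be filtered server-side).
    if ($UserType) { $users = $users | Where-Object { $_.userType -eq $UserType } }

    foreach ($u in $users) {
        $interactive    = $u.signInActivity.lastSignInDateTime
        $nonInteractive = $u.signInActivity.lastNonInteractiveSignInDateTime
        # Use the most recent of the interactive and non-interactive timestamps.
        # Both are $null when there is no sign-in inside the retention window,
        # which cannot be told apart from "never signed in".
        $last = @($interactive, $nonInteractive) | Where-Object { $_ } |
                ForEach-Object { ([datetimeoffset]$_).UtcDateTime } |
                Sort-Object -Descending | Select-Object -First 1

        [pscustomobject]@{
            Id                = $u.id
            DisplayName       = $u.displayName
            UserPrincipalName = $u.userPrincipalName
            UserType          = $u.userType
            CreatedDateTime   = ([datetimeoffset]$u.createdDateTime).UtcDateTime
            LastSignIn        = $last
        }
    }
}

# Usage, assuming a token is already in $Token:
# $Users = Get-UserSignInActivity -AccessToken $Token -UserType Guest
```

Two caveats a practitioner will hit: signInActivity requires an Azure AD Premium P1 or P2 licence in the tenant (without it the request fails), and an account that only authenticates non-interactively (refresh tokens, service flows) would look stale if you only looked at lastSignInDateTime, which is why the example takes the later of the two timestamps.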


Let’s just get the stale Users accounts in AzureAD

Before we can start…

We need the following:

  • Optimized.Mga module
  • AzureAD registered application
    With permissions:
    1. User.ReadWrite.All (read users; also needed to delete them)
    2. AuditLog.Read.All (read the signInActivity property)

PowerShell module Optimized.Mga

I made the Optimized.Mga module myself.
If you have feedback for me, you can leave a comment on this post, or on Github.


AzureAD registered application

Not sure how to get started with an AzureAD registered application for the Microsoft Graph API?

I wrote a page for this which you can find here:
How to start with Microsoft Graph in PowerShell by Bas Wijdenes

Microsoft also created a blog post about how to get started with an AzureAD registered application for the Microsoft Graph API.

You can find that here:
Manage app registration and API permission for Microsoft Graph notifications – Microsoft Graph | Microsoft Docs


The script contains two functions

UPDATED: you can now install a module that contains these functions, including Optimized.Mga.

You can also download the script from Github.

The script contains 2 functions:

  • Get-AzureADUsers
  • Remove-AzureADUsers

Both functions support -Verbose, which you can use for troubleshooting.

Import the module and connect to Microsoft Graph with the cmdlets below.
Change the XXX's to the correct values. Treat the client secret like a password: do not hard-code it in a script that ends up in source control, but load it from a secure store at run time.

Import-Module Optimized.Mga

# App-only authentication with the registered application.
Connect-Mga `
    -ApplicationID 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' `
    -Tenant 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' `
    -ClientSecret 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

Get-AzureADUsers

Now that you are logged in, we can start with the first function in the script.
This is Get-AzureADUsers.

This function has one parameter, UserType. It is a ValidateSet with the choice of Guest or Member. Both speak for themselves; this post uses Guest.
With -UserType Guest the function retrieves all guest accounts from AzureAD.

$Users = Get-AzureADUsers -UserType Guest -Verbose

When SignInActivity is empty, the user either never signed in or has not signed in within the retention window of the sign-in data (90 days at the time of writing). The two cases cannot be told apart from this property alone. Note that signInActivity requires an Azure AD Premium P1 or P2 licence in the tenant.

The output already contains the LastLogin, so you can stop here if a plain list is all you need.

Or… since these are stale accounts, I want to help you with a nicer report or even remove the stale accounts from AzureAD.


Remove-AzureADUsers

This command expects data back from Get-AzureADUsers. So always use that function before Remove-AzureADUsers.

This function contains 4 parameters:

  • Users
    • This parameter expects data back from Get-AzureADUsers. This is a list of (Guest) users.
  • DaysOld
    • This one is more specific. I ran this script in our working environment and 1-2 days later I got messages that Guest accounts had been deleted that had just been added to the tenant.
      Okay, a new guest user who has not yet logged in does of course not have any Sign-In Activity.
      The Sign-In Activity audit does not go back further than 90 days, so I assumed that users who have not logged in for 90 days could be removed. This caused me to delete the new accounts.
      Hence this parameter. With DaysOld you specify how many days after its creation an account is protected from deletion, regardless of its sign-in activity.
  • DeleteAfterDays
    • With this parameter you indicate after how many days of inactivity an account is deleted.
      Because the sign-in data does not go back further than 90 days, a value of 90 or higher only deletes accounts that have no sign-in at all.
  • ReportOnly
    • The ReportOnly switch does not delete anything. Add it when you only want to generate a report, filtered with the parameters above. Run with -ReportOnly first and check the list before you let the function delete anything.

$List = Remove-AzureADUsers -Users $Users -DaysOld 30 -DeleteAfterDays 60 -Verbose

You can also export the output to .csv format with this command.

$List | Export-CSV filename.csv -NoTypeInformation
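The decision rule behind DaysOld, DeleteAfterDays and ReportOnly, as an added example that is not the blog's Remove-AzureADUsers: a pure function that classifies each account as Keep or Delete and states why, plus a separate deletion step that honours -WhatIf and -Confirm. It assumes input objects with Id, UserPrincipalName, CreatedDateTime and LastSignIn properties (my own names), and the sample accounts are constructed, not real tenant data.

```powershell
# Added example (not the blog's Remove-AzureADUsers). Same rule: accounts
# younger than DaysOld are always kept; otherwise an account with no sign-in
# in the retention window, or whose last sign-in is DeleteAfterDays or more
# days ago, is marked for deletion. $Now is injectable so the result is reproducible.
function Select-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Users,   # objects with Id, UserPrincipalName, CreatedDateTime, LastSignIn
        [int]$DaysOld = 30,                       # grace period for newly created accounts
        [int]$DeleteAfterDays = 60,               # inactivity threshold
        [datetime]$Now = [datetime]::UtcNow
    )

    foreach ($u in $Users) {
        $ageDays  = [int][math]::Floor(($Now - $u.CreatedDateTime).TotalDays)
        $idleDays = if ($null -ne $u.LastSignIn) { [int][math]::Floor(($Now - $u.LastSignIn).TotalDays) } else { $null }

        if ($ageDays -lt $DaysOld) {
            # A new guest has no sign-in yet; that is not staleness.
            $action = 'Keep';   $reason = "created $ageDays days ago, inside DaysOld grace period"
        }
        elseif ($null -eq $idleDays) {
            $action = 'Delete'; $reason = 'no sign-in within the sign-in activity retention window'
        }
        elseif ($idleDays -ge $DeleteAfterDays) {
            $action = 'Delete'; $reason = "last sign-in $idleDays days ago"
        }
        else {
            $action = 'Keep';   $reason = "last sign-in $idleDays days ago"
        }

        [pscustomobject]@{
            Id                = $u.Id
            UserPrincipalName = $u.UserPrincipalName
            CreatedDateTime   = $u.CreatedDateTime
            LastSignIn        = $u.LastSignIn
            Action            = $action
            Reason            = $reason
        }
    }
}

# Deletes only rows marked 'Delete'. ConfirmImpact High means it prompts unless
# -Confirm:$false is given; -WhatIf gives the ReportOnly behaviour. Deleted users go
# to the directory's deleted items and can be restored for 30 days. Assumes the
# token has User.ReadWrite.All.
function Remove-StaleAccount {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object]$Row,
        [Parameter(Mandatory)][string]$AccessToken
    )
    process {
        if ($Row.Action -ne 'Delete') { return }
        if ($PSCmdlet.ShouldProcess($Row.UserPrincipalName, 'Delete user via Microsoft Graph')) {
            Invoke-RestMethod -Method Delete -Uri "https://graph.microsoft.com/v1.0/users/$($Row.Id)" `
                -Headers @{ Authorization = "Bearer $AccessToken" }
        }
    }
}

# Constructed sample input with a fixed reference date (not real tenant data).
$now = [datetime]'2021-06-01'
$sample = @(
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; UserPrincipalName = 'new.guest_contoso.com#EXT#@tenant.onmicrosoft.com';  CreatedDateTime = $now.AddDays(-5);   LastSignIn = $null }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'; UserPrincipalName = 'old.silent_contoso.com#EXT#@tenant.onmicrosoft.com'; CreatedDateTime = $now.AddDays(-200); LastSignIn = $null }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'; UserPrincipalName = 'active_contoso.com#EXT#@tenant.onmicrosoft.com';     CreatedDateTime = $now.AddDays(-200); LastSignIn = $now.AddDays(-10) }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000004'; UserPrincipalName = 'idle_contoso.com#EXT#@tenant.onmicrosoft.com';       CreatedDateTime = $now.AddDays(-200); LastSignIn = $now.AddDays(-100) }
)

$report = Select-StaleAccount -Users $sample -DaysOld 30 -DeleteAfterDays 60 -Now $now
$report | Format-Table UserPrincipalName, Action, Reason -AutoSize

# Dry run first (the ReportOnly equivalent), then the real deletion:
# $report | Remove-StaleAccount -AccessToken $Token -WhatIf
# $report | Remove-StaleAccount -AccessToken $Token
```

With these parameters the new guest and the active guest come out as Keep, while old.silent (no sign-in, 200 days old) and idle (last sign-in 100 days ago) are marked Delete. Keeping classification and deletion in two functions means the report can be reviewed, exported to CSV, or handed to a change process before anything irreversible happens.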

Feedback needed!

I need feedback on these types of blogs regarding PowerShell and scripting.
What could be improved, what are you missing, and what else do you need help with?

You can also leave feedback on Github when it’s script specific.

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.

2 thoughts on “How to get AzureAD Users LastLogin for stale accounts PowerShell”

  1. How can I get this module or edit it to point to GCC High graphs? graph.microsoft.us?

    I have tried editing the modules and importing them that way, but everything is failing.
