|
| 1 | +--- |
| 2 | +title: How to manage inactive user accounts in Azure AD | Microsoft Docs |
| 3 | +description: Learn about how to detect and handle user accounts in Azure AD that have become obsolete |
| 4 | +services: active-directory |
| 5 | +documentationcenter: '' |
| 6 | +author: MarkusVi |
| 7 | +manager: daveba |
| 8 | +editor: '' |
| 9 | + |
| 10 | +ms.assetid: ada19f69-665c-452a-8452-701029bf4252 |
| 11 | +ms.service: active-directory |
| 12 | +ms.devlang: na |
| 13 | +ms.topic: conceptual |
| 14 | +ms.tgt_pltfrm: na |
| 15 | +ms.workload: identity |
| 16 | +ms.subservice: report-monitor |
| 17 | +ms.date: 03/11/2020 |
| 18 | +ms.author: markvi |
| 19 | +ms.reviewer: dhanyahk |
| 20 | + |
| 21 | +ms.collection: M365-identity-device-management |
| 22 | +--- |
| 23 | +# How To: Manage inactive user accounts in Azure AD |
| 24 | + |
| 25 | +In large environments, user accounts are not always deleted when employees leave an organization. As an IT administrator, you want to detect and handle these obsolete user accounts because they represent a security risk. |
| 26 | + |
| 27 | +This article explains a method to handle obsolete user accounts in Azure AD. |
| 28 | + |
| 29 | +## What are inactive user accounts? |
| 30 | + |
| 31 | +Inactive accounts are user accounts that are not required anymore by members of your organization to gain access to your resources. One key identifier for inactive accounts is that they haven't been used *for a while* to sign-in to your environment. Because inactive accounts are tied to the sign-in activity, you can use the timestamp of the last sign-in that was successful to detect them. |
| 32 | + |
| 33 | +The challenge of this method is to define what *for a while* means in the case of your environment. For example, users might not sign-in to an environment *for a while*, because they are on vacation. When defining what your delta for inactive user accounts is, you need to factor in all legitimate reasons for not signing in to your environment. In many organizations, the delta for inactive user accounts is between 90 and 180 days. |
| 34 | + |
| 35 | +The last successful sign-in provides potential insights into a user's continued need for access to resources. It can help with determining if group membership or app access is still needed or could be removed. For external user management, you can understand if an external user is still active within the tenant or should be cleaned up. |
| 36 | + |
| 37 | + |
| 38 | +## How to detect inactive user accounts |
| 39 | + |
| 40 | +You detect inactive accounts by evaluating the **lastSignInDateTime** property exposed by the **signInActivity** resource type of the **Microsoft Graph** API. Using this property, you can implement a solution for the following scenarios: |
| 41 | + |
| 42 | +- **Users by name**: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDate: `https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity` |
| 43 | + |
| 44 | +- **Users by date**: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: `https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z` |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +## What you need to know |
| 52 | + |
| 53 | +This section lists what you need to know about the lastSignInDateTime property. |
| 54 | + |
| 55 | +### How can I access this property? |
| 56 | + |
| 57 | +The **lastSignInDateTime** property is exposed by the [signInActivity resource type](https://docs.microsoft.com/graph/api/resources/signinactivity?view=graph-rest-beta) of the [Microsoft Graph REST API](https://docs.microsoft.com/graph/overview?view=graph-rest-beta#whats-in-microsoft-graph). |
| 58 | + |
| 59 | +### Is the lastSignInDateTime property available through the Get-AzureAdUser cmdlet? |
| 60 | + |
| 61 | +No. |
| 62 | + |
| 63 | +### What edition of Azure AD do I need to access the property? |
| 64 | + |
| 65 | +To access this property using the related API, you need an Azure AD Premium edition. |
| 66 | + |
| 67 | +### What permission do I need to read the property? |
| 68 | + |
| 69 | +To read this property, you need to grant the following right: **AuditLogs.Read.All** |
| 70 | + |
| 71 | + |
| 72 | +### When does Azure AD update the property? |
| 73 | + |
| 74 | +Each interactive sign-in that was successful results in an update of the underlying data store. Typically, successful sign-ins show up in the related sign-in report within 10 minutes. |
| 75 | + |
| 76 | + |
| 77 | +### What does a blank property value mean? |
| 78 | + |
| 79 | +To generate a lastSignInDateTime timestamp, you need a successful sign-in. Because the lastSignInDateTime property is a new feature, the value of the lastSignInDateTime property can be blank if: |
| 80 | + |
| 81 | +- The last successful sign-in of a user took place before this feature was released. |
| 82 | +- The affected user account was never used for a successful sign-in. |
| 83 | + |
| 84 | +## Next steps |
| 85 | + |
| 86 | +* [Get data using the Azure Active Directory reporting API with certificates](tutorial-access-api-with-certificates.md) |
| 87 | +* [Audit API reference](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/directoryaudit) |
| 88 | +* [Sign-in activity report API reference](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/signin) |
0 commit comments