Collaboration between Azure Active Directory tenants typically involves Azure AD Guest accounts. After a few years, the proliferation of ‘Guest’ accounts usually becomes a focus, especially for larger tenants. As Azure AD has matured the metadata associated with accounts, and as Microsoft Graph has improved, it has become easier to define and locate stale Azure AD B2B Guest Accounts. In this post I investigate Azure AD with the Microsoft Graph APIs to find stale Azure AD B2B Guest Accounts.
Retention of logs/reports for Azure AD Sign-Ins depends on your licensing level. The Azure AD Sign-Ins Report (which you can get through the Azure AD Admin Portal and via Microsoft Graph) is limited to at most 30 days. If you are exporting your Azure AD logs to Azure Monitor you can keep a longer history of this data. However, for our purpose this isn’t an option, and is only mentioned here for completeness.
With the summary above of what attributes we have to work with, let’s summarise a plan on how to accurately identify stale accounts.
The example script in this post utilizes an additional PowerShell Module to simplify the process. You will require:
You will need to register an Azure AD Application with Application Permissions for the AuditLog.Read.All and User.Read.All scopes. The script example below uses both these scopes. The registered application will need to be authorized (Admin consent) for the tenant. You will need to record the registered Application (client) ID and Directory (tenant) ID from the Overview page of the registered application for use in the script. Finally, generate a secret from the Certificates & secrets tab and record the secret also for use in the script.
The screenshot below shows the output from the PowerShell script. After identifying the stale accounts based on the criteria logic listed above, each categorization is a collection containing the associated accounts. A series of Write-Host statements in the script give a summary of what was identified in the analysis as detailed above. The output below is based on inactivity greater than 90 days.
The PowerShell script contains four functions. One performs authentication to Microsoft Graph using the Tenant ID, Application (client) ID and Client Secret of the AAD Registered Application that holds the AuditLog.Read.All and User.Read.All Application permissions. A second obtains Azure AD Users that have not signed in for a specified period. A third gets a user’s last sign-in date and time, and a fourth gets all ‘pending’ Guest Invitations.
As mentioned above there is a function that leverages the MSAL.PS PowerShell Module to simplify authentication to Microsoft Graph. The AuthN function takes the -credential and -tenantID parameters. The credential parameter is the ClientID and ClientSecret from the AAD registered application. The tenantID parameter is the objectID of the Azure AD Tenant where the application is registered.
The GetAADSignIns function is used to get Azure AD accounts whose last sign in is older than the specified period.
The GetAADUserSignInActivity function will return the date and time of the last sign-in for a user. It takes a single parameter (-ID) which is the objectID of an Azure AD User object. The BETA Microsoft Graph Users API is used, so by default returns all attributes on the Azure AD User Object.
The GetAADPendingGuests function will return all B2B Guest invitations that are ‘PendingAcceptance’.
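The four functions described above, as an added example rather than the post’s own script. It uses MSAL.PS (Get-MsalToken) for the client-credentials flow and the Microsoft Graph beta Users API; the helper Invoke-GraphGet, the parameter names, the `$select` lists and the 90-day threshold are assumptions for illustration, and the client ID, secret and tenant ID are placeholders.

```powershell
# Added example (not the post's script): the four functions described above,
# written against MSAL.PS and the Microsoft Graph beta Users API.
#Requires -Modules MSAL.PS

function AuthN {
    param(
        # UserName = Application (client) ID, Password = client secret of the registered app
        [Parameter(Mandatory)][pscredential]$credential,
        [Parameter(Mandatory)][string]$tenantID
    )
    # Client-credentials flow; the .default scope picks up the Application permissions
    # (AuditLog.Read.All, User.Read.All) that were admin-consented in the tenant
    $token = Get-MsalToken -ClientId $credential.UserName -ClientSecret $credential.Password `
                           -TenantId $tenantID -Scopes 'https://graph.microsoft.com/.default'
    return @{ Authorization = "Bearer $($token.AccessToken)" }
}

function Invoke-GraphGet {
    # Assumed helper: follows @odata.nextLink so callers get every page, not just the first
    param([hashtable]$headers, [string]$uri)
    $results = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $results += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $results
}

function GetAADSignIns {
    # Guests whose last sign-in is older than $days. Accounts that have never signed in
    # carry no signInActivity and are NOT returned by this filter; check them separately
    # (for example by createdDateTime) when deciding what is stale.
    param([hashtable]$headers, [int]$days = 90)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # A signInActivity filter cannot be combined with other $filter clauses,
    # so userType is filtered client-side after the call
    $uri = "https://graph.microsoft.com/beta/users?`$filter=signInActivity/lastSignInDateTime le $cutoff" +
           "&`$select=id,displayName,userPrincipalName,userType,createdDateTime,signInActivity"
    return Invoke-GraphGet $headers $uri | Where-Object { $_.userType -eq 'Guest' }
}

function GetAADUserSignInActivity {
    # Last sign-in date/time for one user; $select keeps the beta endpoint from
    # returning every attribute on the object
    param([hashtable]$headers, [Parameter(Mandatory)][string]$ID)
    $uri = "https://graph.microsoft.com/beta/users/$($ID)?`$select=id,signInActivity"
    $user = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    return $user.signInActivity.lastSignInDateTime   # $null when the user has never signed in
}

function GetAADPendingGuests {
    # B2B invitations that were sent but never redeemed
    param([hashtable]$headers)
    $uri = "https://graph.microsoft.com/beta/users?`$filter=externalUserState eq 'PendingAcceptance'" +
           "&`$select=id,displayName,mail,createdDateTime,externalUserState,externalUserStateChangeDateTime"
    return Invoke-GraphGet $headers $uri
}

# Usage (all values are placeholders; take them from your own app registration)
$secret  = ConvertTo-SecureString 'CLIENT_SECRET_PLACEHOLDER' -AsPlainText -Force
$cred    = New-Object pscredential('APPLICATION_CLIENT_ID_PLACEHOLDER', $secret)
$headers = AuthN -credential $cred -tenantID 'TENANT_ID_PLACEHOLDER'
$stale   = GetAADSignIns -headers $headers -days 90
$pending = GetAADPendingGuests -headers $headers
Write-Host "Guests with no sign-in in 90+ days: $($stale.Count)"
Write-Host "Guest invitations still pending:    $($pending.Count)"
```

Two points worth keeping in mind when adapting this: the server-side sign-in filter only matches accounts that have a recorded sign-in, so never-signed-in guests need their own check, and the beta Users endpoint returns every attribute unless you pass `$select`, which matters when paging through thousands of accounts.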
The script is parameterized. Make the following updates with your configuration information:
Using the Microsoft Graph APIs we can determine the status of Azure AD Guest Accounts. The example above could easily be adapted to perform similar analysis on Member Accounts. Keep in mind that if you want to retrieve the actual last sign-in date and time for many member accounts, it will take time, as it requires an API call per account.
The collections could also be output directly into an Excel spreadsheet as I showed in my recent post for Getting Microsoft 365 Individual User Usage Reports with PowerShell.