How to Fetch Disabled Users Using Graph PowerShell?

Managing user accounts efficiently is a crucial task for IT administrators. One common scenario is identifying and tracking disabled user accounts. In this blog, we’ll discuss what disabled users are, why accounts get disabled, and how to fetch disabled user accounts using Microsoft Graph PowerShell.

What Are Disabled Users?

Disabled users are accounts whose accountEnabled property has been set to false, manually or automatically, in an organization’s Microsoft 365 tenant. A disabled user cannot sign in or obtain new tokens for company resources until the account is re-enabled. This is an essential security measure, especially when employees leave the company or are temporarily suspended. Note that disabling an account does not invalidate access tokens that were already issued; they stay valid until they expire. For offboarding and incident response, pair the disablement with Revoke-MgUserSignInSession, which revokes the user’s refresh tokens so access cannot be silently renewed.

Why Disable User Accounts?

There are several reasons why administrators disable user accounts:

  • Employee Departure: When employees leave, their accounts are disabled to prevent unauthorized access.
  • Security Risks: If an account is compromised or suspected of malicious activity, disabling it prevents further damage.
  • Temporary Suspension: Some organizations disable accounts for employees on long-term leave or sabbaticals.
  • Policy Compliance: Certain regulatory requirements necessitate account deactivation after a specified period of inactivity.

How to Fetch Disabled User Accounts Using Graph PowerShell?

You can use Graph PowerShell to retrieve recently disabled users by analyzing Microsoft Entra (Azure AD) audit logs. Every disablement is recorded as an ‘Update user’ event whose modified properties show AccountEnabled changing to false. The following script fetches user accounts that were disabled in the last 30 days. Keep in mind that directory audit logs are retained only for a limited period (7 days on Entra ID Free, 30 days with a P1 or P2 license), so this method finds disablement events within that window rather than every account that currently happens to be disabled; the current set of disabled accounts can be listed directly with Get-MgUser -Filter "accountEnabled eq false".

Prerequisites:

Before running the script, ensure you have the Microsoft Graph PowerShell module installed (Get-MgAuditLogDirectoryAudit lives in the Microsoft.Graph.Reports submodule) and that you are signed in with appropriate permissions. Listing directory audits requires the AuditLog.Read.All and Directory.Read.All delegated permissions, and the signed-in account must also hold an Entra role that can read audit logs, such as Reports Reader or Security Reader.

Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

Script to Fetch Disabled Users:

# Define the date range for fetching disabled users (customize as needed).
# Build the timestamp from UTC so that the 'Z' suffix in the OData filter is accurate.
$startDateTime = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")  # Past 30 days

# Fetch all DirectoryAudit logs related to 'Update user' in the past 30 days.
# -All follows server-side paging; without it only the first page of results comes back.
$allAuditLogs = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Update user' and activityDateTime ge $startDateTime"

# Create a list to store the formatted results
$disabledUserDetails = [System.Collections.Generic.List[object]]::new()

# Loop through the audit logs and keep only the 'Update user' events that disabled an account.
# Any property change (display name, licence, manager, ...) is logged as 'Update user', so the
# ModifiedProperties of the target must be inspected to tell a disablement from other edits.
# ($entry is used rather than $event because $Event is an automatic variable in PowerShell.)
foreach ($entry in $allAuditLogs) {
    $target = $entry.TargetResources | Where-Object { $_.UserPrincipalName } | Select-Object -First 1
    if (-not $target) { continue }

    $accountEnabledChange = $target.ModifiedProperties |
        Where-Object { $_.DisplayName -eq 'AccountEnabled' } |
        Select-Object -First 1
    # NewValue is a JSON-encoded string such as "[false]"; skip updates that did not disable the account
    # (including re-enables, where NewValue is "[true]").
    if (-not $accountEnabledChange -or $accountEnabledChange.NewValue -notmatch 'false') { continue }

    $disabledTime = $entry.ActivityDateTime
    $disabledUser = $target.UserPrincipalName
    # Changes made by an application or automation show up under InitiatedBy.App, not InitiatedBy.User.
    $disabledBy = if ($entry.InitiatedBy.User.UserPrincipalName) {
        $entry.InitiatedBy.User.UserPrincipalName
    } else {
        $entry.InitiatedBy.App.DisplayName
    }
    $resultStatus = if ($entry.Result -eq 'success') { 'Success' } else { 'Failed' }

    # Create an object for each record
    $userDetail = [pscustomobject]@{
        "Disabled Time"  = $disabledTime
        "Disabled User"  = $disabledUser
        "Disabled By"    = $disabledBy
        "Result Status"  = $resultStatus
    }

    # Add the object to the results list
    $disabledUserDetails.Add($userDetail)
}

# Output the results in a tabular format, newest first
if ($disabledUserDetails.Count -eq 0) {
    Write-Host "No disabled user events found in the given date range."
} else {
    $disabledUserDetails | Sort-Object "Disabled Time" -Descending | Format-Table -AutoSize
}

Explanation of the Script:

  1. Defines a date range to look for disabled users (last 30 days), expressed in UTC to match the ‘Z’ suffix in the filter.
  2. Fetches audit logs where the activity was ‘Update user’ using Get-MgAuditLogDirectoryAudit, with -All so that every page of results is retrieved.
  3. Filters the logs to identify accounts that were actually disabled: ‘Update user’ covers any property change, so the script inspects each target’s ModifiedProperties and keeps only entries where AccountEnabled was set to false.
  4. Formats the output in a table with details like:
    • Time of disablement
    • User who was disabled
    • Administrator (or application) who performed the action
    • Whether the action was successful
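The classification the script relies on, together with a way to cross-check audit events against the tenant’s current state, as an added example that is not part of the original post. The audit entries it processes are constructed to mirror the shape of Get-MgAuditLogDirectoryAudit output (the UPNs, timestamps and the app name ‘HR Offboarding Sync’ are made up), and it assumes, as the script does, that the API encodes the AccountEnabled value as a JSON string such as "[false]". Get-CurrentlyDisabledUser and Test-IsDisableEvent are helper names chosen here; the reconciliation step runs only if a Graph session already exists and needs the User.Read.All scope.

```powershell
# Added example, not part of the original post: classify 'Update user' audit entries and
# reconcile them with the directory's current state. The entries in $sampleEntries are
# constructed to mirror the shape returned by Get-MgAuditLogDirectoryAudit, so the
# classification runs without a tenant connection; only Get-CurrentlyDisabledUser talks to Graph.

function Test-IsDisableEvent {
    # True only when the entry records the target user's AccountEnabled changing to false.
    param([Parameter(Mandatory)] $Entry)

    $target = $Entry.TargetResources | Where-Object { $_.UserPrincipalName } | Select-Object -First 1
    if (-not $target) { return $false }

    $change = $target.ModifiedProperties |
        Where-Object { $_.DisplayName -eq 'AccountEnabled' } |
        Select-Object -First 1
    if (-not $change) { return $false }   # some other property (name, licence, manager, ...) was updated

    # Assumption: NewValue is the JSON-encoded string the API returns for booleans, e.g. "[false]".
    # Parse it instead of pattern matching so a re-enable ("[true]") is never mistaken for a disable.
    return @($change.NewValue | ConvertFrom-Json) -contains $false
}

function Get-Initiator {
    # Admin actions carry InitiatedBy.User; automation (e.g. an HR-driven app) carries InitiatedBy.App.
    param([Parameter(Mandatory)] $Entry)
    if ($Entry.InitiatedBy.User.UserPrincipalName) { return $Entry.InitiatedBy.User.UserPrincipalName }
    if ($Entry.InitiatedBy.App.DisplayName)        { return 'app:' + $Entry.InitiatedBy.App.DisplayName }
    return 'unknown'
}

function New-SampleEntry {
    # Builds a constructed audit entry; every value passed in is made up for illustration.
    param($When, $By, $ByApp, $Upn, $Property, $Old, $New)
    [pscustomobject]@{
        ActivityDisplayName = 'Update user'
        ActivityDateTime    = [datetime]::Parse($When).ToUniversalTime()
        Result              = 'success'
        InitiatedBy         = [pscustomobject]@{
            User = [pscustomobject]@{ UserPrincipalName = $By }
            App  = [pscustomobject]@{ DisplayName = $ByApp }
        }
        TargetResources     = @([pscustomobject]@{
            UserPrincipalName  = $Upn
            ModifiedProperties = @([pscustomobject]@{ DisplayName = $Property; OldValue = $Old; NewValue = $New })
        })
    }
}

# Constructed sample: one admin disablement, one display-name edit, one re-enable, one app-driven disablement.
$sampleEntries = @(
    (New-SampleEntry '2025-01-10T09:15:00Z' 'admin@contoso.example' $null 'leaver@contoso.example'     'AccountEnabled' '[true]'     '[false]'),
    (New-SampleEntry '2025-01-11T10:00:00Z' 'admin@contoso.example' $null 'alice@contoso.example'      'DisplayName'    '["Alice"]' '["Alice S."]'),
    (New-SampleEntry '2025-01-12T08:30:00Z' 'admin@contoso.example' $null 'leaver@contoso.example'     'AccountEnabled' '[false]'    '[true]'),
    (New-SampleEntry '2025-01-13T07:45:00Z' $null 'HR Offboarding Sync'   'contractor@contoso.example' 'AccountEnabled' '[true]'     '[false]')
)

$disableEvents = $sampleEntries | Where-Object { Test-IsDisableEvent $_ } | ForEach-Object {
    [pscustomobject]@{
        'Disabled Time' = $_.ActivityDateTime
        'Disabled User' = ($_.TargetResources | Where-Object { $_.UserPrincipalName } | Select-Object -First 1).UserPrincipalName
        'Disabled By'   = Get-Initiator $_
        'Result Status' = if ($_.Result -eq 'success') { 'Success' } else { 'Failed' }
    }
}
# Two rows are expected (leaver@ by admin@, contractor@ by app:HR Offboarding Sync);
# the display-name edit and the re-enable are skipped.
$disableEvents | Format-Table -AutoSize

function Get-CurrentlyDisabledUser {
    # Live query (requires Connect-MgGraph -Scopes "User.Read.All"): accounts whose accountEnabled is
    # false right now, regardless of when they were disabled or whether an audit entry still exists.
    Get-MgUser -All -Filter "accountEnabled eq false" -Property Id, UserPrincipalName, DisplayName, AccountEnabled |
        Select-Object UserPrincipalName, DisplayName, AccountEnabled
}

# Reconcile only when a Graph session exists: a user with a disable event who is no longer in the
# disabled set has been re-enabled (or deleted) since, which is what an investigator wants flagged.
if ((Get-Command Get-MgContext -ErrorAction SilentlyContinue) -and (Get-MgContext)) {
    $stillDisabled = @((Get-CurrentlyDisabledUser).UserPrincipalName)
    $disableEvents | Where-Object { $_.'Disabled User' -notin $stillDisabled } | ForEach-Object {
        Write-Warning "$($_.'Disabled User') has a disable event but is not disabled now (re-enabled or deleted)."
    }
}
```

Run the block as-is to see the classification on the constructed entries; after Connect-MgGraph with the User.Read.All scope, the final section compares those events against the accounts that are disabled today, so a leaver whose account was quietly turned back on stands out.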

Frequently Asked Questions (FAQs)

  1. What permissions are required to run this script?
  You need the AuditLog.Read.All and Directory.Read.All permissions in Microsoft Graph PowerShell, and the signed-in account must hold an Entra role that can read audit logs, such as Reports Reader or Security Reader.

  2. Can I change the date range?
  Yes, modify the AddDays(-30) value to any number of days you want. Keep in mind that Entra ID retains directory audit logs for 7 days (Free) or 30 days (P1/P2), so a larger window only helps if the logs are also being exported elsewhere, for example to a Log Analytics workspace.

  3. Why am I not seeing any disabled users?
  Entra directory audit logging is always on, so the usual causes are that no users were disabled within the specified date range (and within the audit log retention period), or that the signed-in account lacks the permissions listed above. Accounts that were created in a disabled state, or disabled before the retention window, will not appear in the audit log; list them directly with Get-MgUser -Filter "accountEnabled eq false".

  4. How can I export the results to a CSV file?
  You can modify the script like this:

    $disabledUserDetails | Export-Csv -Path "DisabledUsers.csv" -NoTypeInformation

Use Cases

Here are some practical scenarios where this script is useful:

  • Security Audits: Identify and verify user accounts disabled by administrators.
  • Incident Investigation: Track accounts disabled due to security breaches.
  • HR & Compliance: Ensure former employees’ accounts are deactivated as per company policy.
  • Periodic Review: Generate reports on disabled users for management review.

Conclusion

Tracking disabled user accounts is crucial for security and compliance. With Microsoft Graph PowerShell, you can efficiently fetch and analyze user disablement events. This script not only simplifies user management but also ensures transparency in administrative actions. Try it out today and enhance your Microsoft 365 security posture!
