How to Fetch Inactive Users Using Graph PowerShell?

Inactive user accounts can pose security risks and consume unnecessary Microsoft 365 licenses. Identifying these accounts helps administrators optimize resource usage and enforce security policies. In this guide, we’ll explore what defines an inactive user, how long a user account should be inactive before being flagged, and how to fetch inactive user accounts using Microsoft Graph PowerShell.

Who is an Inactive User?

An inactive user is an account that has not signed into Microsoft 365 services for a defined period. These accounts may belong to employees who have left the organization, temporary users, or accounts that were created but never used.

Inactive accounts can:

  • Increase security risks if they remain unmonitored.
  • Consume unnecessary licenses.
  • Impact compliance with IT policies.

Time Frame for Labeling User Accounts as Inactive

Organizations define inactivity based on their policies, but common benchmarks include:

  • 30 Days: Short-term inactivity, useful for tracking temporary inactivity.
  • 60 Days: Medium-term inactivity, used to monitor dormant accounts.
  • 90+ Days: Long-term inactivity, generally considered for account deactivation or license removal.

In this guide, we will fetch users who have been inactive for 90 days, but this value can be adjusted as per your organization’s needs.

Graph PowerShell Script for Fetching Inactive Users

You can use the following Graph PowerShell script to identify inactive users in your Microsoft 365 tenant.

Prerequisites:

Ensure you have installed the Microsoft Graph PowerShell module and are signed in with the necessary permissions.

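# SignInActivity is only returned when AuditLog.Read.All is granted alongside User.Read.All
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"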

PowerShell Script to Fetch Inactive Users

# Define the inactivity period (e.g., users inactive for the past 90 days)
$daysInactive = 90
# Keep the cutoff as a UTC DateTime (not a string) so it compares correctly with Graph's UTC timestamps
$inactiveSince = (Get-Date).ToUniversalTime().AddDays(-$daysInactive)

# Get all users with sign-in activity data
$allUsers = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, SignInActivity

# Collect users who never signed in or whose last sign-in is older than the cutoff
$inactiveUsers = @(foreach ($user in $allUsers) {
    $lastSignInDate = $user.SignInActivity.LastSignInDateTime

    if (-not $lastSignInDate -or ($lastSignInDate -lt $inactiveSince)) {
        [PSCustomObject]@{
            "User Principal Name" = $user.UserPrincipalName
            "Last Sign-in"        = if ($lastSignInDate) { $lastSignInDate } else { "Never Signed In" }
        }
    }
})

# Display inactive users in a table format
if ($inactiveUsers.Count -eq 0) {
    Write-Host "No inactive users found within the last $daysInactive days."
} else {
    $inactiveUsers | Format-Table -AutoSize
}

Explanation of the Script:

  1. Defines a date range for identifying inactive users (default: 90 days).
  2. Fetches all users and their SignInActivity data.
  3. Selects users who have not signed in within the specified period, including accounts that have never signed in.
  4. Displays inactive users in a tabular format.
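
An added example, not part of the original script, that extends the check above: it also looks at non-interactive sign-ins and account age, so accounts that only authenticate in the background and freshly created accounts are not reported as dormant. The names Get-InactivityStatus and New-SampleUser, the 14-day grace period and the sample users are assumptions made for illustration; LastNonInteractiveSignInDateTime, CreatedDateTime and AccountEnabled are Graph user properties the original script does not request.

```powershell
# Added example (not from the original page). Runs offline on constructed sample objects.
function Get-InactivityStatus {
    param(
        [Parameter(Mandatory)] $User,
        [int] $DaysInactive = 90,
        [int] $NewAccountGraceDays = 14,   # assumption: accounts younger than this are not flagged
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $cutoff = $Now.AddDays(-$DaysInactive)
    # Most recent of the interactive and non-interactive sign-ins (either may be $null)
    $last = @($User.SignInActivity.LastSignInDateTime,
              $User.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $status = if (-not $User.AccountEnabled) { 'Disabled' }
        elseif ($last -and $last -ge $cutoff) { 'Active' }
        elseif ($last) { 'Inactive' }
        elseif ($User.CreatedDateTime -gt $Now.AddDays(-$NewAccountGraceDays)) { 'NewNeverSignedIn' }
        else { 'NeverSignedIn' }

    [PSCustomObject]@{
        UserPrincipalName = $User.UserPrincipalName
        Status            = $status
        LastActivity      = $last
    }
}

# Constructed sample users (hypothetical, not real tenant data); arguments are "days ago"
$now = (Get-Date).ToUniversalTime()
function New-SampleUser ($Upn, $Enabled, $Created, $Interactive, $NonInteractive) {
    [PSCustomObject]@{
        UserPrincipalName = $Upn
        AccountEnabled    = $Enabled
        CreatedDateTime   = $now.AddDays(-$Created)
        SignInActivity    = [PSCustomObject]@{
            LastSignInDateTime               = if ($null -ne $Interactive) { $now.AddDays(-$Interactive) }
            LastNonInteractiveSignInDateTime = if ($null -ne $NonInteractive) { $now.AddDays(-$NonInteractive) }
        }
    }
}
$sample = @(
    New-SampleUser 'alice@contoso.example'   $true  400 5    $null   # recent interactive sign-in
    New-SampleUser 'sync@contoso.example'    $true  400 200  3       # only background activity is recent
    New-SampleUser 'bob@contoso.example'     $true  400 150  120     # dormant on both counts
    New-SampleUser 'newhire@contoso.example' $true  2   $null $null  # created two days ago, no sign-in yet
    New-SampleUser 'old@contoso.example'     $true  300 $null $null  # never used
    New-SampleUser 'leaver@contoso.example'  $false 500 250  $null   # already disabled
)
$sample | ForEach-Object { Get-InactivityStatus -User $_ -Now $now } | Format-Table -AutoSize
```

Against a tenant, the same function can be fed from `Get-MgUser -All -Property UserPrincipalName, AccountEnabled, CreatedDateTime, SignInActivity` in place of the constructed `$sample` array.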

Use Cases

Here’s why tracking inactive users is beneficial:

  • Security Management: Detect and deactivate dormant accounts to reduce security risks.
  • License Optimization: Identify inactive users and free up unused Microsoft 365 licenses.
  • Compliance & Audits: Ensure that only active employees have access to company resources.
  • User Lifecycle Management: Improve onboarding/offboarding processes by tracking inactive accounts.

Frequently Asked Questions (FAQs)

  1. What permissions are required to run this script?
     You need User.Read.All permissions in Microsoft Graph PowerShell.

  2. How do I modify the script for a different inactivity period?
     Change $daysInactive = 90 to any desired number of days.

  3. Why am I seeing users with "Never Signed In"?
     Some accounts might have been created but never used. These can be flagged for further investigation.

  4. How do I export the results to a CSV file?
     Modify the script to include:

    $inactiveUsers | Export-Csv -Path "InactiveUsers.csv" -NoTypeInformation

Conclusion

Tracking inactive users is a key part of security, compliance, and license management in Microsoft 365. Using Microsoft Graph PowerShell, administrators can quickly generate reports on inactive users and take necessary actions. This script provides a simple yet powerful way to monitor user activity and optimize your Microsoft 365 environment.
