{"id":3790,"date":"2021-12-16T15:57:32","date_gmt":"2021-12-16T14:57:32","guid":{"rendered":"https:\/\/www.lieben.nu\/liebensraum\/?p=3790"},"modified":"2021-12-16T15:57:32","modified_gmt":"2021-12-16T14:57:32","slug":"guest-user-last-sign-in-date-time-in-azure-active-directory-and-automatic-cleanup","status":"publish","type":"post","link":"https:\/\/lieben.nu\/liebensraum\/2021\/12\/guest-user-last-sign-in-date-time-in-azure-active-directory-and-automatic-cleanup\/","title":{"rendered":"Guest User Last Sign-in date time in Azure Active Directory and automatic cleanup"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1354\" height=\"518\" src=\"https:\/\/www.lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-4.png\" alt=\"\" class=\"wp-image-3791\" srcset=\"https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-4.png 1354w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-4-300x115.png 300w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-4-1024x392.png 1024w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-4-768x294.png 768w\" sizes=\"auto, (max-width: 1354px) 100vw, 1354px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Azure AD&#8217;s sign-in logs only go back 30 days, so it is highly recommended to <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/reports-monitoring\/howto-integrate-activity-logs-with-log-analytics\" target=\"_blank\">stream Azure AD&#8217;s sign-in logs to a Log Analytics workspace<\/a> (Azure Monitor). 
A single Azure AD Premium P1 license in the tenant is enough to enable this.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, even if you don&#8217;t stream your sign-in logs, <a href=\"https:\/\/docs.microsoft.com\/en-us\/graph\/api\/resources\/signinactivity?view=graph-rest-beta\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft does keep track of when an account last signed in<\/a> (the <code>signInActivity<\/code> property on the user object).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">My script gets the last sign-in data of all guest accounts in your tenant, without any dependencies other than the Az PowerShell module.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If a guest user has never signed in, the account&#8217;s creation date (<code>createdDateTime<\/code>) is used to determine inactivity. Otherwise the more recent of the last interactive and the last non-interactive sign-in is used.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"219\" src=\"https:\/\/www.lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-5.png\" alt=\"\" class=\"wp-image-3792\" srcset=\"https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-5.png 919w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-5-300x71.png 300w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2021\/12\/image-5-768x183.png 768w\" sizes=\"auto, (max-width: 919px) 100vw, 919px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Additionally, the script can be configured to <strong>automatically clean up any guest accounts that have been inactive<\/strong> for a given number of days by using the <code>-removeInactiveGuests<\/code> switch.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Even in large environments, processing only takes a few minutes at most.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Download<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Download the script from my 
GitLab here:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/gitlab.com\/Lieben\/assortedFunctions\/-\/blob\/master\/get-AzureAdInactiveGuestUsers.ps1\">https:\/\/gitlab.com\/Lieben\/assortedFunctions\/-\/blob\/master\/get-AzureAdInactiveGuestUsers.ps1<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Limitations<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft only started populating these properties in April 2020, so a guest whose last sign-in predates that is reported as never having signed in, and its creation date is used instead. Check such accounts before letting the cleanup delete them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Scheduling<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This script supports running non-interactively as a runbook in Azure Automation if you supply the <code>-nonInteractive<\/code> switch. Before this works, you&#8217;ll have to enable a Managed Identity on your Automation account and run a <a href=\"https:\/\/gitlab.com\/Lieben\/assortedFunctions\/-\/blob\/master\/add-roleToManagedIdentity.ps1\" target=\"_blank\" rel=\"noreferrer noopener\">small script to assign Graph permissions to the Managed Identity<\/a>: <code>AuditLog.Read.All<\/code> and <code>Organization.Read.All<\/code>. If it should also be able to execute deletions, add <code>User.ReadWrite.All<\/code> and <a href=\"https:\/\/portal.azure.com\/#view\/Microsoft_AAD_IAM\/RolesManagementMenuBlade\/~\/AllRoles\/adminUnitObjectId\/\/resourceScope\/%2F\">assign the MI the &#8216;Privileged Authentication Administrator&#8217; role in Entra.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Reports<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you wish, you can also let the script mail you a report in CSV format. 
Add the <code>Mail.Send<\/code> Graph permission to the Managed Identity in the same way as the permissions above, and give the <code>MailFrom<\/code> and <code>MailTo<\/code> parameters a value.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Disclaimer<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As always, this script is provided as-is; review it and then use it at your own risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azure AD&#8217;s sign-in logs only go back 30 days, so it is highly recommended to stream Azure AD&#8217;s sign-in logs to a Log Analytics workspace (Azure Monitor). A single Azure AD Premium P1 license in the tenant is enough to enable this. However, even if you don&#8217;t stream your sign-in &hellip; <a href=\"https:\/\/lieben.nu\/liebensraum\/2021\/12\/guest-user-last-sign-in-date-time-in-azure-active-directory-and-automatic-cleanup\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Guest User Last Sign-in date time in Azure Active Directory and automatic cleanup<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[4,7,21,32,39,43],"tags":[],"class_list":["post-3790","post","type-post","status-publish","format-standard","hentry","category-automation","category-azuread","category-identity","category-office-365","category-powershell","category-security"],"_links":{"self":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/comments?post=3790"}],"version-history":[{"count":0,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3790\/revisions"}],"wp:attachment":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/media?parent=3790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/categories?post=3790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/tags?post=3790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
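The inactivity rule the post describes (last interactive or last non-interactive sign-in, whichever is more recent, with the creation date as fallback for guests that never signed in), as an added PowerShell example. This is not the author's get-AzureAdInactiveGuestUsers.ps1; it is a stand-alone illustration of the same logic against Microsoft Graph. It assumes Az.Accounts is loaded and `Connect-AzAccount` (or a Managed Identity) has been used to sign in, and that the identity holds `AuditLog.Read.All` and `Organization.Read.All` (plus `User.ReadWrite.All` for deletions). The `-Demo` switch, the three guest objects it builds and the parameter names are constructed here for the example.

```powershell
# Added example, not the author's script. Classifies guest users as inactive using the
# signInActivity rule from the post; -Demo runs the classification on constructed data.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [switch]$RemoveInactiveGuests,
    [switch]$Demo
)

function Get-GraphToken {
    # Az.Accounts returns .Token as a string in older versions and as a SecureString in newer ones.
    $t = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
    if ($t -is [securestring]) { $t = [System.Net.NetworkCredential]::new('', $t).Password }
    return $t
}

function Get-GuestUsers {
    param([hashtable]$Headers)
    # Filtering on userType is an advanced query: it needs ConsistencyLevel=eventual and $count=true.
    # signInActivity is only returned when it is explicitly selected.
    $uri = "https://graph.microsoft.com/beta/users?`$filter=userType eq 'Guest'&`$count=true" +
           "&`$select=id,userPrincipalName,createdDateTime,signInActivity"
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
        $page.value
        $uri = $page.'@odata.nextLink'   # absent on the last page, which ends the loop
    }
}

function Get-LastActivity {
    # Most recent sign-in of either kind; falls back to createdDateTime when both are missing.
    param([Parameter(Mandatory)]$User)
    $stamps = @($User.signInActivity.lastSignInDateTime,
                $User.signInActivity.lastNonInteractiveSignInDateTime) |
              Where-Object { $_ } | ForEach-Object { [datetimeoffset]$_ }
    if ($stamps) {
        $latest = $stamps | Sort-Object -Descending | Select-Object -First 1
        return [pscustomobject]@{ Basis = 'signIn'; When = $latest }
    }
    [pscustomobject]@{ Basis = 'created'; When = [datetimeoffset]$User.createdDateTime }
}

function Test-GuestInactivity {
    param([Parameter(Mandatory)]$User, [int]$Days)
    $last = Get-LastActivity -User $User
    $idle = [datetimeoffset]::UtcNow - $last.When
    [pscustomobject]@{
        UserPrincipalName = $User.userPrincipalName
        Id                = $User.id
        LastActivityUtc   = $last.When.UtcDateTime
        Basis             = $last.Basis      # 'created' flags guests with no recorded sign-in
        DaysInactive      = [int][math]::Floor($idle.TotalDays)
        Inactive          = $idle.TotalDays -ge $Days
    }
}

if ($Demo) {
    # Constructed sample guests, not real tenant data: a recent interactive sign-in,
    # only an old non-interactive sign-in, and never signed in.
    $now = [datetimeoffset]::UtcNow
    $guests = @(
        [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000001'
            userPrincipalName = 'alice_contoso.com#EXT#@tenant.onmicrosoft.com'
            createdDateTime   = $now.AddDays(-400).ToString('o')
            signInActivity    = [pscustomobject]@{ lastSignInDateTime = $now.AddDays(-10).ToString('o')
                                                  lastNonInteractiveSignInDateTime = $now.AddDays(-200).ToString('o') } }
        [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000002'
            userPrincipalName = 'bob_fabrikam.com#EXT#@tenant.onmicrosoft.com'
            createdDateTime   = $now.AddDays(-300).ToString('o')
            signInActivity    = [pscustomobject]@{ lastSignInDateTime = $null
                                                  lastNonInteractiveSignInDateTime = $now.AddDays(-120).ToString('o') } }
        [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000003'
            userPrincipalName = 'carol_tailspin.com#EXT#@tenant.onmicrosoft.com'
            createdDateTime   = $now.AddDays(-45).ToString('o')
            signInActivity    = $null }
    )
    $headers = $null
} else {
    $headers = @{ Authorization = "Bearer $(Get-GraphToken)"; ConsistencyLevel = 'eventual' }
    $guests  = Get-GuestUsers -Headers $headers
}

$report = $guests | ForEach-Object { Test-GuestInactivity -User $_ -Days $InactiveDays }
$report | Sort-Object DaysInactive -Descending | Format-Table -AutoSize

if ($RemoveInactiveGuests) {
    foreach ($g in ($report | Where-Object Inactive)) {
        # Run the script with -WhatIf to list the deletions without performing them.
        if ($PSCmdlet.ShouldProcess($g.UserPrincipalName, "Delete guest, inactive $($g.DaysInactive) days")) {
            if ($Demo) { Write-Warning "Demo data: not deleting $($g.UserPrincipalName)"; continue }
            Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users/$($g.Id)" -Headers $headers -Method Delete
        }
    }
}
```

Run it as `.\Get-InactiveGuests.ps1 -Demo -RemoveInactiveGuests -WhatIf` to see the three cases classified (with the default 90 days only the guest whose last activity is the 120-day-old non-interactive sign-in is marked inactive) and the deletion listed but not performed. The `Basis` column is the practical safeguard for the limitation the post mentions: every row showing `created` is a guest with no recorded sign-in, which includes accounts that were last active before Microsoft started populating `signInActivity` in April 2020, so review those rows before trusting the inactive flag. The example uses the beta endpoint because that is the `signInActivity` documentation the post links to; the property and the userType filter behave the same way on v1.0.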