Connect to your tenant
InactiveGuests runs entirely in your browser. It signs you in with Microsoft (PKCE) and queries Microsoft Graph as you. No backend, no telemetry, no data leaves your browser.
Required delegated permissions:
- User.Read.All - list guest users
- AuditLog.Read.All - read sign-in activity for each guest
- Directory.Read.All - list deleted users (recycle bin)
- User.Read - sign-in identity
- User.ReadWrite.All + Directory.AccessAsUser.All (only when you actually disable, delete or restore)
To act on guests you also need an Entra role that can manage users: User Administrator or Global Administrator. Without one of those, Graph returns 403 on the action.
Recently deleted guests
Entra keeps deleted users in the recycle bin for 30 days. After that, they are gone for good.
About InactiveGuests
InactiveGuests is part of the LCToolkit by Lieben Consultancy. It surfaces dormant guest accounts in your Entra ID tenant so you can disable, delete or restore them in bulk.
What it can do
- List every guest user in the tenant with creation date, redemption state, enabled status and last sign-in (interactive + non-interactive).
- Filter on inactivity threshold, account age, redemption state, enabled state and "never signed in" - then sort and select what you want to act on.
- Bulk disable, re-enable or delete the selected guests with an explicit confirmation dialog.
- Export the filtered or selected set to XLSX or CSV.
- Browse the recycle bin (deleted users from the last 30 days) and restore any guest you didn't mean to delete.
How it works
- Listing guests: GET /beta/users?$filter=userType eq 'Guest'&$select=...,signInActivity&$top=999 with ConsistencyLevel: eventual.
- Inactivity: takes the most recent of lastSignInDateTime and lastNonInteractiveSignInDateTime; if neither exists, falls back to createdDateTime so brand-new guests don't look "inactive forever".
- Disable / enable: PATCH /v1.0/users/{id} with {accountEnabled: false|true}.
- Delete: DELETE /v1.0/users/{id}. The user lands in /directory/deletedItems for 30 days.
- Restore: POST /v1.0/directory/deletedItems/{id}/restore.
Required permissions
Read-only browsing only needs User.Read.All, AuditLog.Read.All and Directory.Read.All. The first time you save a change, InactiveGuests asks for User.ReadWrite.All and Directory.AccessAsUser.All. To actually disable / delete / restore you need to hold a privileged Entra role: User Administrator or Global Administrator.
Sign-in activity caveat
signInActivity requires an Entra ID P1 or P2 license to be assigned somewhere in the tenant. If you don't have it, the field is empty and InactiveGuests falls back to account age for the inactivity filter. Filtering on "Never signed in" won't be very useful in that case (everyone looks the same).
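The inactivity rule under "How it works" and the license caveat above, worked through as an added example (not InactiveGuests' own code). Field names follow the Microsoft Graph user resource; the function names, the `basis` label and the sample records are assumptions made for illustration.

```javascript
// Added example: function names and sample data are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Most recent known activity for one Graph user object, plus which field it came from.
function lastActivity(user) {
  const sia = user.signInActivity || {}; // absent when the tenant has no P1/P2 license
  const candidates = [
    ["interactive", sia.lastSignInDateTime],
    ["nonInteractive", sia.lastNonInteractiveSignInDateTime],
  ]
    .filter(([, value]) => value)
    .map(([basis, value]) => ({ basis, date: new Date(value) }))
    .filter((c) => !Number.isNaN(c.date.getTime()));

  if (candidates.length > 0) {
    return candidates.reduce((a, b) => (b.date > a.date ? b : a));
  }
  // No sign-in data: fall back to createdDateTime so a brand-new guest
  // is measured by account age instead of looking inactive forever.
  return { basis: "created", date: new Date(user.createdDateTime) };
}

// Guests whose last activity is at least thresholdDays old, oldest first.
function inactiveGuests(users, thresholdDays, now = new Date()) {
  return users
    .filter((u) => u.userType === "Guest")
    .map((u) => {
      const { basis, date } = lastActivity(u);
      const daysInactive = Math.floor((now - date) / DAY_MS);
      return { id: u.id, basis, daysInactive, neverSignedIn: basis === "created" };
    })
    .filter((r) => r.daysInactive >= thresholdDays)
    .sort((a, b) => b.daysInactive - a.daysInactive);
}

// Constructed sample records (not real tenant data).
const SAMPLE = [
  { id: "g1", userType: "Guest", createdDateTime: "2023-01-10T00:00:00Z",
    signInActivity: { lastSignInDateTime: "2023-03-01T00:00:00Z",
                      lastNonInteractiveSignInDateTime: "2024-05-20T00:00:00Z" } },
  { id: "g2", userType: "Guest", createdDateTime: "2024-05-28T00:00:00Z" },
  { id: "g3", userType: "Guest", createdDateTime: "2022-06-01T00:00:00Z",
    signInActivity: {} },
  { id: "m1", userType: "Member", createdDateTime: "2020-01-01T00:00:00Z" },
];
```

When every record reports `basis: "created"`, the tenant is most likely returning no sign-in data at all, and the result is an account-age report rather than evidence of dormancy.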