Identifying and removing inactive users with Microsoft M365 E3
Detexian’s CTO Adrian Kitto explores a poorly understood topic: inactive users in M365. These users present a security risk and waste money, so it is vital for the modern IT admin to get a handle on them!
In case you missed it last time, please check out:
Part 1: Who / What / Why does the mid-market all have Microsoft M365 E3 licenses
Part 2: How does Microsoft M365 E3 work with the non-Microsoft ecosystem applications?
Part 3: Discovering user consented apps with Microsoft M365 E3
In today's modern workplace, managing user accounts efficiently is crucial for organizations using Microsoft 365 (M365) E3. With numerous users accessing various services, it becomes essential to identify and remove inactive accounts. In this blog post, we will explore the process of identifying and cleaning up inactive users to reduce risk and cost.
Understanding the Importance of Managing Inactive Users
There are a number of reasons why it is important for an organization to actively manage inactive users. Here are a few important ones:
Security: Inactive accounts pose a significant security risk to organizations. These accounts may remain unnoticed and become potential entry points for unauthorized access or data breaches. Cybercriminals often target inactive accounts as they are more likely to have weak passwords or outdated security configurations. By proactively identifying and removing inactive accounts, organizations can reduce the attack surface and strengthen their overall security posture.
Cost: Inactive user accounts often consume valuable licenses that could be allocated to active users who need access to Microsoft 365 services. With Microsoft M365 E3, organizations pay for licenses based on the number of assigned users. By removing inactive accounts, organizations can optimize license utilization, reducing unnecessary costs and potentially avoiding the need to purchase additional licenses.
Data: Over time, inactive user accounts accumulate unnecessary data, such as old emails, files, and collaboration history. This buildup of data can clutter the system and make it challenging to locate relevant information.
Compliance and Regulatory Requirements: Many industries are subject to compliance and regulatory frameworks that require organizations to maintain control over user accounts and data. Inactive accounts may violate these requirements, as organizations must demonstrate active management and control over user access.
User Experience: Inactive accounts can create confusion and frustration for active users. When inactive accounts appear in contact lists, shared documents, or collaboration groups, it can lead to miscommunication and delays in work.
Administrative Effort: Managing a large number of user accounts requires administrative resources. These resources can be better allocated to other critical tasks, such as user onboarding, training, or support.
Identifying Inactive Users
M365 offers a number of ways to identify inactive users, from the Admin Center, to scripting with PowerShell, to calling the Graph API. Here I will highlight the different methods. The best option for you may be a combination of tools, or a dedicated solution such as Detexian for Identity Lifecycle Management.
Admin Center: The Microsoft 365 Admin Center provides a user-friendly interface to manage user accounts. It offers built-in reports and tools that can help identify inactive users.
User Sign-In Activity Report: The User Sign-In Activity report in the Admin Center provides insights into user sign-in activities. It displays information such as the last sign-in date and the number of sign-ins for each user.
License Usage Reports: The Admin Center also provides reports on license usage, which can help identify users who have not utilized their assigned licenses.
PowerShell: As in previous blog posts, PowerShell can be used to automate the process of identifying and managing inactive users in Microsoft 365.
Get-MailboxStatistics Cmdlet: With PowerShell, you can use the Get-MailboxStatistics cmdlet to retrieve information about users' mailbox activity, such as the last logon time. By comparing this information with a specified threshold (e.g., 90 days of inactivity), you can identify inactive users.
Get-MsolUser Cmdlet: The Get-MsolUser cmdlet allows you to retrieve user account information from Azure Active Directory (AAD). By examining attributes like LastSignInDateTime, you can identify users who have not signed in within a specified timeframe, indicating potential inactivity.
Microsoft Graph API: The Microsoft Graph API provides programmatic access to Microsoft 365 data, including user information. By leveraging the API, you can identify inactive users.
User Activity Reports: The Microsoft Graph API offers user activity reports, such as the "getOffice365ActiveUserDetail" or "getSharePointActivityUserDetail" endpoints.
User Sign-In Activity: Using the "getSignInActivitySummary" endpoint, you can retrieve information about user sign-in activities, including the last sign-in date and the number of sign-ins.
License Usage: The Microsoft Graph API also provides endpoints to retrieve license usage information, enabling you to identify users who have not utilized their assigned licenses.
These reports and endpoints provide insights into user activities, allowing you to identify users with negligible or no activity over a specified period.
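The Graph usage reports mentioned above can be pulled straight from PowerShell with Invoke-MgGraphRequest. The script below is an added example, not from the original post: it downloads the getOffice365ActiveUserDetail report for the last 90 days, works out each user's most recent activity across every workload column in the report (Exchange, OneDrive, SharePoint, Teams and so on), and lists the users with no activity inside the window. It is read-only, so it is a safe first pass before any disable or delete step. The local file paths, the 90-day window and the Get-LastActivityDate helper are the example's own choices; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the Reports.Read.All permission.

```powershell
# Added example: identify users with no workload activity in the last 90 days from the
# Microsoft Graph getOffice365ActiveUserDetail usage report. Not from the original post.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and Reports.Read.All.
Connect-MgGraph -Scopes "Reports.Read.All"

$inactivityThreshold = (Get-Date).AddDays(-90)
$reportPath    = Join-Path $env:TEMP "m365-active-user-detail.csv"    # assumed local path
$candidatePath = Join-Path $env:TEMP "m365-inactive-candidates.csv"   # assumed local path

# The report endpoint answers with a CSV download; write it to disk and import it.
# Note: usage reports lag live activity by up to 48 hours.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90')" `
    -OutputFilePath $reportPath
$rows = Import-Csv -Path $reportPath

# Caveat: if the tenant's report privacy setting conceals user details, the
# "User Principal Name" column holds a hash rather than a name. Turn off
# "Display concealed user, group, and site names in all reports" in the Admin Center first.

function Get-LastActivityDate {
    param($row)
    # The report carries one "... Last Activity Date" column per workload; an empty cell means
    # no activity in the period. Return the most recent non-empty date, or $null if there is none.
    $dates = $row.PSObject.Properties |
        Where-Object { $_.Name -like '*Last Activity Date' -and $_.Value } |
        ForEach-Object { [datetime]$_.Value }
    if ($dates) { return ($dates | Sort-Object -Descending | Select-Object -First 1) }
    return $null
}

$inactive = foreach ($row in $rows) {
    # Users already deleted from the tenant are reported too; skip them
    if ($row.'Is Deleted' -eq 'True') { continue }
    $last = Get-LastActivityDate $row
    # No activity at all, or last activity older than the threshold, makes a candidate
    if (-not $last -or $last -lt $inactivityThreshold) {
        [pscustomobject]@{
            UserPrincipalName = $row.'User Principal Name'
            DisplayName       = $row.'Display Name'
            LastActivityDate  = $last
            AssignedProducts  = $row.'Assigned Products'
        }
    }
}

# Report only: nothing is changed on any account here
$inactive | Sort-Object LastActivityDate | Format-Table -AutoSize
$inactive | Export-Csv -Path $candidatePath -NoTypeInformation
Write-Host "$(@($inactive).Count) candidate(s) written to $candidatePath"
```

Because the report reflects activity across all licensed workloads rather than sign-ins alone, a user who never signs in interactively but whose mailbox or OneDrive is still in use will not show up as a candidate; that is usually what you want before you start removing licenses.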
Removing Inactive Users
When it comes time to clean up inactive users, it is normal to disable access first and delete only once it is confirmed that the users no longer need access.
Disable: To disable inactive users without permanently deleting their accounts, you can choose to suspend them temporarily. Suspending users prevents them from accessing Microsoft 365 services while preserving their data. This approach allows you to retain the user's data for a defined period in case they need to be reactivated.
Deletion: After a specified period of inactivity, you may decide to permanently delete inactive users. Deleting inactive accounts frees up licenses, reduces potential security risks, and simplifies user management. However, it is crucial to follow appropriate data backup and communication procedures before deleting any user accounts.
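The deletion stage, as an added example that is not part of the original post: the script looks only at accounts that are already disabled, deletes those whose last sign-in is now older than the inactivity window plus a grace period, and then lists the soft-deleted users so the result can be reviewed or undone while Microsoft 365 still holds them. It assumes the Microsoft Graph PowerShell SDK; the 90 plus 30 day windows and the -Commit switch (without which nothing is deleted) are the example's own choices.

```powershell
# Added example: deletion stage of the inactive-user clean-up. Not from the original post.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
param([switch]$Commit)   # without -Commit the script only reports what it would delete

Connect-MgGraph -Scopes "User.ReadWrite.All", "User.DeleteRestore.All", "AuditLog.Read.All"

$inactivityDays  = 90    # the window used when the accounts were disabled (example value)
$gracePeriodDays = 30    # how long a disabled account is kept before deletion (example value)
$deleteThreshold = (Get-Date).ToUniversalTime().AddDays(-($inactivityDays + $gracePeriodDays))

# Only disabled accounts are candidates. signInActivity is not returned unless requested,
# and reading it needs AuditLog.Read.All plus a Microsoft Entra ID P1 licence (included in E3).
$disabled = Get-MgUser -All -Filter "accountEnabled eq false" `
    -Property Id, UserPrincipalName, DisplayName, SignInActivity

foreach ($user in $disabled) {
    $last = $user.SignInActivity.LastSignInDateTime
    # Leave accounts with no sign-in history alone: shared and resource mailboxes are disabled
    # user objects that never sign in, and deleting the object deletes the mailbox with it.
    if (-not $last) { continue }
    # Still inside the grace period: keep it so it can simply be re-enabled if someone asks.
    if ($last -ge $deleteThreshold) { continue }

    if (-not $Commit) {
        Write-Host "Would delete $($user.UserPrincipalName) (last sign-in $last)"
        continue
    }
    # Soft delete: the user sits in the directory's deleted items for 30 days and can be restored.
    Remove-MgUser -UserId $user.Id
    Write-Host "Deleted $($user.UserPrincipalName) (last sign-in $last)"
}

# Review the soft-deleted users while they are still recoverable
Get-MgDirectoryDeletedItemAsUser -All |
    Select-Object DisplayName, UserPrincipalName, DeletedDateTime |
    Format-Table -AutoSize

# To undo a deletion inside the 30-day window, restore the object by id (placeholder shown):
# Restore-MgDirectoryDeletedItem -DirectoryObjectId "<deleted-user-object-id>"
```

Run it once without -Commit and keep the output with your change record; the list it prints is the communication you send out before the second run with -Commit actually deletes anything.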
As I like to give you a head start on your clean up, here's a sample PowerShell script that connects to your M365 tenant, identifies every user who has not signed in for more than 90 days, disables them, revokes their existing sessions, removes their licenses, and then outputs the details of each user it handled. The script uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), which exposes each user's signInActivity; reading that property needs the AuditLog.Read.All permission and a Microsoft Entra ID P1 licence, which M365 E3 includes. If you just want to identify users, comment out the Update-MgUser, Revoke-MgUserSignInSession and Set-MgUserLicense lines.
-----------------------------------------------------------
# Connect to Microsoft Graph with the permissions needed to read sign-in activity,
# disable accounts and change license assignments (the signed-in admin also needs a role
# such as User Administrator)
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All", "AuditLog.Read.All"
# Set the threshold for inactivity (e.g., 90 days); Graph reports sign-in times in UTC
$inactivityThreshold = (Get-Date).ToUniversalTime().AddDays(-90)
# Get all users with the properties we need (signInActivity is only returned when requested)
$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, AccountEnabled, CreatedDateTime, SignInActivity, AssignedLicenses
# Iterate through each user
foreach ($user in $users) {
    # Skip accounts that are already disabled (including shared and resource mailbox accounts)
    if (-not $user.AccountEnabled) { continue }
    # Use the most recent of the interactive and non-interactive sign-ins; an account that has
    # never signed in at all is judged on its creation date, so brand-new accounts are not caught
    $lastSignIn = @($user.SignInActivity.LastSignInDateTime, $user.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $lastSignIn) { $lastSignIn = $user.CreatedDateTime }
    # Check if the user's last sign-in date is older than the threshold
    if ($lastSignIn -lt $inactivityThreshold) {
        # Disable the user
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        # Revoke refresh tokens so existing sessions stop working, not just new sign-ins
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        # Remove all licenses from the user (the SKU ids come from the account's own assignments)
        $skuIds = @($user.AssignedLicenses.SkuId)
        if ($skuIds.Count -gt 0) {
            Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
        }
        # Output details of the removed user
        Write-Host "Inactive user removed:"
        Write-Host "User Principal Name: $($user.UserPrincipalName)"
        Write-Host "Display Name: $($user.DisplayName)"
        Write-Host "Last Sign-In Date: $lastSignIn"
        Write-Host "Licenses Removed: $($skuIds.Count)"
        Write-Host "------------------------"
    }
}
-----------------------------------------------------------
Adjust the $inactivityThreshold variable to specify your desired threshold for inactivity.
Remember to test the script in a non-production environment and thoroughly review its actions before running it in production.
Your CFO will love you when you say you’re able to provide the total number of users / licenses cleaned up.
As you can see, user lifecycle management is vital for organizations utilizing Microsoft M365 E3. By effectively identifying and removing inactive accounts, organizations can enhance security, optimize license utilization, and keep their data clean. Leveraging the tools and reports available in Microsoft M365 E3, administrators can identify inactive users and implement a systematic approach to managing their accounts.
Security thought for the week
The Brain virus, created in 1986, is recognized as the world's first computer virus. It was developed by two brothers from Pakistan, Basit Farooq Alvi and Amjad Farooq Alvi, who were running a computer store named Brain Computer Services in Lahore.
The Alvi brothers created the Brain virus as a means of copy protection for their software. They intended for the virus to infect and spread through unauthorized copies of their medical software, acting as a form of digital rights management. The virus was embedded in a boot sector of 5.25-inch floppy disks.
While the Brain virus gained attention as the first notable computer virus, it did not cause widespread harm or significant disruptions. It primarily affected those who obtained unauthorized copies of the Alvi brothers' software.
The creation of the Brain virus highlights an interesting aspect of early computer viruses, where some individuals experimented with coding techniques and inadvertently opened the door to the development of more malicious forms of malware. Since then, the field of cybersecurity has evolved significantly to combat the ever-evolving threats posed by malware and protect computer systems worldwide.
Till then, stay secure.
Adrian