2020-05-19

Getting Inactive Users in Office 365 with PowerShell

One of the biggest problems we encounter when managing any platform is the control of inactive users.

This problem is worse in Office 365: between users who stop using their accounts and guest users, Azure AD ends up badly managed. In addition, the Office 365 security directives require us to monitor users who have not logged in for the last 30 to 90 days.

To obtain these users, we follow these steps:

1. Modify the PowerShell Script

We start by modifying the following PowerShell script:

https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/InactiveUsersLast90Days.ps1

We modify this script so that it creates a CSV file with the “UserPrincipalName” of the users, which we use to generate a report.

2. Executing the Script

Before running the script, note the places that must be modified to set the account of a tenant administrator.

#Set admin UPN 
$UPN = 'e.rodado@contoso.com'

In the $UPN (UserPrincipalName) variable we put the login of a tenant administrator. This variable is used to open the Exchange Online (EXO) session.

To report inactive users over a different time period, we only need to modify the following variable:

$startDate = (Get-Date).AddDays(-90).ToString('MM/dd/yyyy')

If we replace “-90” in the $startDate variable with another value, the report covers that period instead. For example, with “-30” the report lists the users who have not logged in for 30 days or more.

3. Get History

The script writes the report to “C:\Users\”+ $DesktopUser +”\Documents\Return\Auditorias_” + $date +”.csv”, so the “Return” folder must already exist in your “Documents” folder. The file name includes the date and time at which it was created, so you can keep a history of inactive users.

Script GetInactiveUsers.ps1

Import-Module MSOnline

# Earlier connection method (Basic authentication), left commented out
#$CredO365 = Get-Credential -Message "Exchange credentials"
#$SesionO365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $CredO365 -Authentication Basic -AllowRedirection
#Import-PSSession $SesionO365 -AllowClobber
#$SessionEOP = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.protection.outlook.com/powershell-liveid/ -Credential $CredO365 -Authentication Basic -AllowRedirection
#Import-PSSession $SessionEOP -AllowClobber

# Timestamp used in the report file name
$date = Get-Date -UFormat "%Y%m%dT%H%M%S"
#$TenantId = "e3b21e9f-0c39-46be-b4db-4ccf9ce8d1f7" #"d2c93295-3e7a-4b26-80b9-295bd8216aaf"
$DesktopUser = $env:USERNAME

# Report path; the "Return" folder must already exist
$ReturnFile = "C:\Users\"+ $DesktopUser +"\Documents\Return\Auditorias_" + $date +".csv"

# Write the CSV header
$Value = "UserPrincipalName"
Add-Content -Path $ReturnFile -Value $Value

#Set admin UPN
$UPN = 'e.rodado@old.aleson-itc.com'

#This connects to Azure Active Directory & Exchange Online
Connect-MsolService
$EXOSession = New-ExoPSSession -UserPrincipalName $UPN
Import-PSSession $EXOSession -AllowClobber

# Reporting window: from 90 days ago until today
$startDate = (Get-Date).AddDays(-90).ToString('MM/dd/yyyy')
$endDate = (Get-Date).ToString('MM/dd/yyyy')

# All enabled accounts in the tenant
$allUsers = @()
$allUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Select-Object UserPrincipalName, ObjectId

# Sign-in events inside the window (a single call returns at most 5000 records)
$loggedOnUsers = @()
$loggedOnUsers = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed -ResultSize 5000
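
The listing above stops at the audit-log query, before the step that fills the CSV. As an added example (not part of the original post or of the OfficeDev script), here is one way to compare the two result sets and to page past the 5000-record limit; the function names Get-InactiveUpn and Get-AllSignInRecord and the sample accounts are assumptions made for illustration.

```powershell
# Added example; function names and sample accounts are illustrative assumptions.
function Get-InactiveUpn {
    param(
        [Parameter(Mandatory)] [object[]] $AllUsers,               # objects with UserPrincipalName
        [AllowEmptyCollection()] [object[]] $AuditRecords = @()    # objects with UserIds
    )
    # Case-insensitive set of every account that appears in a sign-in record
    $cmp  = [System.StringComparer]::OrdinalIgnoreCase
    $seen = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($record in $AuditRecords) {
        if ($record.UserIds) { [void]$seen.Add($record.UserIds.Trim()) }
    }
    $AllUsers |
        Where-Object { -not $seen.Contains($_.UserPrincipalName) } |
        Select-Object -ExpandProperty UserPrincipalName
}

function Get-AllSignInRecord {
    param([datetime] $Start, [datetime] $End)
    # One call returns at most 5000 records; reusing a SessionId with
    # ReturnLargeSet pages through the rest until an empty page comes back.
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        $all += $page
    } while ($page.Count -gt 0)
    $all
}

# Constructed sample data: this part runs without a tenant connection
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com' }
)
$sampleAudit = @(
    [pscustomobject]@{ UserIds = 'Alice@contoso.com'; Operations = 'UserLoggedIn' }
    [pscustomobject]@{ UserIds = 'carol@contoso.com'; Operations = 'UserLoginFailed' }
)
Get-InactiveUpn -AllUsers $sampleUsers -AuditRecords $sampleAudit

# Against the tenant, with the variables from the script above:
# $records = Get-AllSignInRecord -Start (Get-Date).AddDays(-90) -End (Get-Date)
# Get-InactiveUpn -AllUsers $allUsers -AuditRecords $records |
#     Add-Content -Path $ReturnFile
```

With the sample data only bob@contoso.com is returned; carol counts as active solely because of a failed sign-in, since the operation list follows the script above.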

I hope this post was helpful.
