On Day 29/31 of the Cybersecurity Awareness Month, learn how to find and delete inactive users in Microsoft 365. Stay tuned for more blogs in our M365 Cybersecurity blog series.
Every organization should implement security measures and follow sound practices to avoid threats and loopholes. One such loophole is the presence of inactive user accounts in Microsoft 365. Attackers can exploit these inactive accounts to gain initial access and carry out further actions, and the accounts also consume licenses unnecessarily. Therefore, it is essential for admins to find and delete inactive user accounts periodically within their organization.
Let’s explore how to find and remove inactive Microsoft 365 users in detail.
How to Identify and Delete Inactive Microsoft 365 Users?
Admins can find inactive user accounts using either the Microsoft Entra admin center or PowerShell. Based on your requirements, use either of the approaches below.
- Identify and delete inactive users using Microsoft Entra admin center
- Find and delete inactive Microsoft 365 users using PowerShell
Identify and Delete Inactive Users Using Microsoft Entra Admin Center
To find inactive users in Microsoft Entra ID, you need to check each user’s last sign-in time. Follow the steps below to find the last interactive and non-interactive sign-ins. Remember that these values are not necessarily the last successful sign-in: they record the most recent attempt, which may have succeeded or been interrupted. Click ‘See all sign-ins’ to view the sign-in logs and identify the last successful sign-in of a user.
- Sign in to the Microsoft Entra admin center.
- Navigate to Users –> All users –> select a specific user.
- Under the ‘My Feed –> Sign-ins’ section, you will find the user’s last interactive and non-interactive sign-in time.
- To delete the user account, choose the ‘Delete’ option available on the top.
- Then, select ‘Delete’ on the flyout page.
Note: You can also identify inactive users using access reviews in the Microsoft Entra admin center.
Find and Delete Inactive Microsoft 365 Users Using PowerShell
In the Entra admin center, there isn’t a straightforward way to view all inactive user accounts. Instead, admins must check each user’s last sign-in individually to identify inactivity and then delete the accounts, which is time-consuming. To avoid this hassle, we have developed a PowerShell script that covers several use cases and saves you time!
Download Script: DeleteInactiveUsers.zip
By using this script, you can generate an inactive users report and delete these accounts or disable their sign-ins as per your requirements. Let’s look at the use cases that this PowerShell script covers in detail.
- Generate Microsoft 365 inactive users report
- Find and delete inactive users excluding never logged in users
- Identify and disable sign-in enabled inactive users
- Find and delete sign-in blocked inactive users in M365
- Reuse licenses by deleting inactive licensed users in M365
- Find and remove inactive external users in Microsoft 365
- Delete or disable inactive user accounts in Microsoft 365
- Automate inactive user removal in Microsoft 365
1. Generate Microsoft 365 Inactive Users Report
Admins might want a list of all users in their organization who have been inactive for n days. To achieve this, run the script with the ‘GenerateReportOnly’ and ‘InactiveDays’ parameters.
.\DeleteInactiveUsers.ps1 -InactiveDays 90 -GenerateReportOnly
The above cmdlet generates the report with a list of users who have been inactive for more than 90 days.
Sample Output:
You can also run the script with certificate-based authentication (CBA) by registering an app in Entra ID. Below is the cmdlet to run the script with CBA.
.\DeleteInactiveUsers.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbPrint <CertThumbPrint>
You can create a self-signed certificate or CA certificate based on your requirement.
2. Find and Delete Inactive Users Excluding Never Logged In Users
The inactive users report also includes users who have never logged in. To exclude never-logged-in user accounts and delete the remaining inactive user accounts, run the script with the ‘ExcludeNeverLoggedInUsers’ and ‘Action’ parameters.
.\DeleteInactiveUsers.ps1 -InactiveDays 90 -ExcludeNeverLoggedInUsers -Action Delete
The above example generates a list of users who have been inactive for over 90 days, omitting never-logged-in users, and then deletes these accounts. Before deletion, you will be prompted to confirm the removal of the inactive users. After confirmation, a log file with the deleted user account details is generated, as shown below.
3. Identify and Disable Sign-in Enabled Inactive Users
If you don’t want to delete inactive user accounts, you can disable their sign-ins instead to reduce risk. To filter sign-in enabled inactive users and disable their accounts, run the script with the ‘EnabledUsersOnly’ and ‘Action’ parameters.
.\DeleteInactiveUsers.ps1 -InactiveDays 90 -EnabledUsersOnly -Action Disable
The above cmdlet identifies the sign-in enabled inactive users who have been inactive for 90 days and blocks their sign-in upon confirmation.
4. Find and Delete Sign-in Blocked Inactive Users in M365
Admins can delete sign-in blocked inactive users if the organization no longer needs them. A blocked account can also be re-enabled later and used to regain access, so deleting it removes that risk. To find and delete sign-in disabled inactive users, run the script with the ‘DisabledUsersOnly’ and ‘Action’ parameters.
.\DeleteInactiveUsers.ps1 -InactiveDays 90 -DisabledUsersOnly -Action Delete
The above cmdlet retrieves the sign-in disabled users who have been inactive for more than 90 days and deletes these accounts upon confirmation.
5. Reuse Licenses by Deleting Inactive Licensed Users in M365
Licensed Microsoft 365 users that remain inactive for a long period are a serious risk: if attackers gain access to such accounts, they can reach your resources and steal data. It is therefore essential to delete inactive licensed users, and the freed licenses can be reused to reduce costs.
To identify and delete the inactive licensed users, run the script with the ‘LicensedUsersOnly’ and ‘Action’ parameters.
.\DeleteInactiveUsers.ps1 -InactiveDays 180 -LicensedUsersOnly -Action Delete
This cmdlet retrieves the licensed inactive users who have been inactive for more than 180 days and deletes these accounts. Thus, admins can efficiently reclaim these licenses.
6. Find and Remove Inactive External Users in Microsoft 365
Inactive external user accounts are riskier than internal ones because they originate outside the organization and admins can’t take full control over them. To maintain security and prevent data abuse, delete inactive external user accounts promptly. To find and delete inactive external users, run the script with the ‘ExternalUsersOnly’ and ‘Action’ parameters.
.\DeleteInactiveUsers.ps1 -InactiveDays 180 -ExternalUsersOnly -Action Delete
This cmdlet finds the external users who have been inactive for more than 180 days and deletes these accounts efficiently after the confirmation.
Note: You can also create an access review to remove inactive guest users in Microsoft 365.
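The filters the script exposes in use cases 1 through 6 (inactivity window, never-logged-in exclusion, enabled or disabled accounts, licensed users, external users) can also be reproduced directly with the Microsoft Graph PowerShell SDK. The block below is an added example and is not the blog’s DeleteInactiveUsers.ps1. It assumes the Microsoft.Graph.Users module is installed, that the connected identity holds User.Read.All and AuditLog.Read.All, and that the tenant has a Microsoft Entra ID P1 or P2 licence (required for the signInActivity property). Treating UserType ‘Guest’ as ‘external’ and counting never-signed-in accounts as inactive once their creation date is older than the cutoff are choices made here, not behaviour taken from the page.

```powershell
# Added example, not the blog's script. Builds an inactive-user report from
# Microsoft Graph. Assumes Microsoft.Graph.Users is installed and the session
# holds User.Read.All and AuditLog.Read.All (Entra ID P1/P2 needed for signInActivity).
Import-Module Microsoft.Graph.Users

function Get-InactiveUserReport {
    [CmdletBinding()]
    param(
        [int]    $InactiveDays = 90,
        [switch] $ExcludeNeverLoggedInUsers,
        [switch] $EnabledUsersOnly,
        [switch] $DisabledUsersOnly,
        [switch] $LicensedUsersOnly,
        [switch] $ExternalUsersOnly
    )

    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$InactiveDays)

    # signInActivity is only returned when requested explicitly via -Property.
    $users = Get-MgUser -All -Property 'Id,UserPrincipalName,DisplayName,AccountEnabled,UserType,CreatedDateTime,AssignedLicenses,SignInActivity'

    foreach ($u in $users) {
        # Both timestamps are null for accounts that have never signed in; use
        # whichever of interactive / non-interactive is more recent.
        $lastActivity = @($u.SignInActivity.LastSignInDateTime,
                          $u.SignInActivity.LastNonInteractiveSignInDateTime) |
                        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        $neverLoggedIn = ($null -eq $lastActivity)

        if ($neverLoggedIn) {
            if ($ExcludeNeverLoggedInUsers) { continue }
            # Choice made in this example: a never-signed-in account counts as
            # inactive once it is older than the cutoff.
            if ($u.CreatedDateTime -gt $cutoff) { continue }
            $daysInactive = ($now - $u.CreatedDateTime).Days
        } else {
            if ($lastActivity -gt $cutoff) { continue }
            $daysInactive = ($now - $lastActivity).Days
        }

        $isLicensed = $u.AssignedLicenses.Count -gt 0
        $isExternal = $u.UserType -eq 'Guest'   # assumption: guest users are the "external" users

        if ($EnabledUsersOnly  -and -not $u.AccountEnabled) { continue }
        if ($DisabledUsersOnly -and $u.AccountEnabled)      { continue }
        if ($LicensedUsersOnly -and -not $isLicensed)       { continue }
        if ($ExternalUsersOnly -and -not $isExternal)       { continue }

        [pscustomobject]@{
            UserPrincipalName        = $u.UserPrincipalName
            DisplayName              = $u.DisplayName
            LastInteractiveSignIn    = $u.SignInActivity.LastSignInDateTime
            LastNonInteractiveSignIn = $u.SignInActivity.LastNonInteractiveSignInDateTime
            NeverLoggedIn            = $neverLoggedIn
            DaysInactive             = $daysInactive
            AccountEnabled           = $u.AccountEnabled
            Licensed                 = $isLicensed
            External                 = $isExternal
        }
    }
}

# Usage: interactive sign-in, or certificate-based auth for unattended runs
# (the commented line uses the same placeholders as the blog's CBA cmdlet).
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome
# Connect-MgGraph -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <CertThumbPrint>

Get-InactiveUserReport -InactiveDays 90 -ExcludeNeverLoggedInUsers -EnabledUsersOnly |
    Export-Csv -Path .\InactiveUsersReport.csv -NoTypeInformation
```

The report deliberately keeps both sign-in timestamps as separate columns, because a service account that only ever authenticates non-interactively would otherwise look idle; review the NeverLoggedIn column before acting on it, since it also catches accounts that were provisioned but never handed over.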
7. Delete or Disable Inactive User Accounts in Microsoft 365
Admins can also take the already generated report, customize the list of inactive users, and then take action (i.e., disable or delete). For example, if you don’t want to delete all the users in the report, you can remove a few users from the list and delete or disable the remaining ones.
To delete or disable inactive user accounts using the previously generated report, run the script with the ‘ImportCsv’ and ‘Action’ parameters.
.\DeleteInactiveUsers.ps1 -ImportCsv "<CSV file>" -Action Delete
The above cmdlet deletes the users listed in the CSV upon confirmation. Remember that only a report generated by this script can be used as the CSV input; other customized CSVs are not supported.
If you prefer not to ask for confirmation, you can run the cmdlet with the ‘Force’ parameter as shown below.
.\DeleteInactiveUsers.ps1 -ImportCsv "<CSV file>" -Action Delete -Force
This deletes the listed inactive users directly without asking for confirmation. The ‘Force’ parameter can be combined with any of the above use cases.
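To show what the ‘ImportCsv’, ‘Action’ and ‘Force’ combination does under the hood, here is an added example that is not the blog’s script: it reads a CSV, honours a protected-account list, asks for per-user confirmation unless -Force is given, and writes a log of every outcome. It assumes the Microsoft.Graph.Users module, a CSV with a UserPrincipalName column (the column name is an assumption), and a session holding User.ReadWrite.All; deleting users additionally needs a directory role such as User Administrator.

```powershell
# Added example, not the blog's script: disable or delete the accounts listed
# in a CSV (column UserPrincipalName assumed). Assumes Microsoft.Graph.Users
# and a session with User.ReadWrite.All plus an admin role that permits deletes.
Import-Module Microsoft.Graph.Users

function Invoke-InactiveUserAction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $ImportCsv,
        [Parameter(Mandatory)] [ValidateSet('Disable', 'Delete')] [string] $Action,
        # Accounts that must never be touched, e.g. break-glass admins.
        [string[]] $Protected = @(),
        [string] $LogPath = ".\InactiveUsers_${Action}_$(Get-Date -Format 'yyyyMMdd_HHmmss').log",
        [switch] $Force
    )

    # -Force mirrors the blog's parameter: suppress the per-user confirmation.
    if ($Force) { $ConfirmPreference = 'None' }

    foreach ($row in (Import-Csv -Path $ImportCsv)) {
        $upn = $row.UserPrincipalName
        if ([string]::IsNullOrWhiteSpace($upn)) { continue }

        if ($Protected -contains $upn) {
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) SKIPPED (protected) $upn"
            continue
        }

        # ShouldProcess gives -WhatIf (dry run) and -Confirm for free.
        if (-not $PSCmdlet.ShouldProcess($upn, $Action)) { continue }

        try {
            switch ($Action) {
                'Disable' { Update-MgUser -UserId $upn -AccountEnabled:$false }
                'Delete'  { Remove-MgUser -UserId $upn }   # soft delete; restorable for 30 days
            }
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) $Action OK $upn"
        }
        catch {
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) $Action FAILED $upn : $($_.Exception.Message)"
        }
    }
    Write-Host "Log written to $LogPath"
}

# Usage: dry run first, then the real run (prompts per user unless -Force).
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
Invoke-InactiveUserAction -ImportCsv '.\InactiveUsersReport.csv' -Action Disable -WhatIf
Invoke-InactiveUserAction -ImportCsv '.\InactiveUsersReport.csv' -Action Disable -Protected 'breakglass@contoso.com'
```

Remove-MgUser performs a soft delete: the account stays in the deleted-items container for 30 days and can be brought back with Restore-MgDirectoryDeletedItem, which is why keeping the log with the affected UPNs matters.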
8. Automate Inactive User Removal in Microsoft 365
Automating the removal or disabling of inactive accounts lets you clean them up periodically without manual effort. You can schedule the script using Task Scheduler or Azure Automation.
When creating the Task Scheduler action, include the script path with the arguments in the ‘Add arguments’ field, as below.
.\DeleteInactiveUsers.ps1 -TenantId <tenant id> -ClientId <client id> -CertificateThumbPrint <certthumbprint> -InactiveDays 180 -Action Disable -Force
The above example disables user accounts that have been inactive for more than 180 days. You must include the full path of the script, and you can customize the InactiveDays and Action parameters as per your requirements.
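The same scheduled task can be registered from PowerShell instead of the Task Scheduler UI. The following is an added example and not part of the blog’s script; the script path, tenant id, client id and certificate thumbprint are placeholders, and it assumes the ScheduledTasks module that ships with Windows. Because the task runs as SYSTEM, the app certificate has to be in a store that account can read (LocalMachine\My), which is an assumption about your setup.

```powershell
# Added example, not from the blog: register a weekly Task Scheduler job that
# runs the script unattended with certificate-based authentication. Path, ids
# and thumbprint are placeholders; the certificate must be readable by SYSTEM.
$scriptPath = 'C:\Scripts\DeleteInactiveUsers.ps1'
$scriptArgs = @(
    '-TenantId <tenant id>'
    '-ClientId <client id>'
    '-CertificateThumbPrint <certthumbprint>'
    '-InactiveDays 180'
    '-Action Disable'
    '-Force'
) -join ' '

# Full path to the script, as the blog requires, plus non-interactive host flags.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`" $scriptArgs"

# Every Sunday at 02:00; adjust to your maintenance window.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am

# Run as SYSTEM so no interactive logon is needed.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Catch up a missed run and cap runtime so a hung Graph session cannot linger.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName 'M365 - Disable inactive users' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings `
    -Description 'Disables Microsoft 365 accounts inactive for 180+ days via DeleteInactiveUsers.ps1'

# Verify the registration.
Get-ScheduledTask -TaskName 'M365 - Disable inactive users' | Select-Object TaskName, State
```

Since -Force removes the confirmation prompt, pair an automated run with a review of the log the script writes after each execution; the report-only mode (-GenerateReportOnly) can be scheduled the same way as a read-only check before enabling the disable action.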
I hope this blog helps admins find and delete inactive users efficiently using the developed PowerShell script. For any queries, reach us through the comment section.