Azure Active Directory Stale Users and Devices
If you manage the Active Directory of a large organization, it is normal that new employees join and old employees leave all the time. To keep the directory running smoothly, one of the housekeeping tasks is to remove stale users and devices from Azure AD or from the on-premises Active Directory. Stale objects are also a security concern: a device nobody uses any more is still a trusted device, and an account nobody signs in to is still a working credential that an attacker can use without anyone noticing. In this article, we will see how to find a list of stale users and devices in Azure Active Directory.
Stale Devices in Azure Active Directory
You need to connect to Azure Active Directory using PowerShell. The Get-MsolDevice cmdlet used below belongs to the MSOnline module, so that is the module to install and import.
Open PowerShell with administrative rights and run the following commands.
Install-Module -Name MSOnline
Import-Module -Name MSOnline
Connect-MsolService
You will be prompted for credentials. Provide them and you will be connected. (Microsoft has since deprecated both the MSOnline and AzureAD modules in favor of the Microsoft Graph PowerShell SDK, but the commands still show which device properties to look at.)
Once you are connected, run the following command to export the list of Azure AD devices, including their last logon timestamp, to a CSV file. Sort the ApproximateLastLogonTimestamp column to see which devices have not logged on recently; an empty value means the device has never reported a logon at all, so do not treat those rows as "active".
Get-MsolDevice -All | Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | Export-Csv -Path "C:\temp\az-devices.csv" -NoTypeInformation
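The export above leaves the sorting and the decision to you. The following script is an added example (it is not code from the original article): it classifies every device as Active, Stale or NeverReported against a threshold, writes the report, and can optionally disable, not delete, the stale devices so that a wrongly flagged machine can simply be re-enabled. The 90-day threshold, the output path and the $DisableStale switch are assumptions; the cmdlets are the MSOnline ones (Get-MsolDevice, Disable-MsolDevice).

```powershell
# Added example (not from the original article): report Azure AD devices that
# have not logged on for a configurable number of days.
# Assumes the MSOnline module is installed and the account running this has
# rights to Connect-MsolService. Threshold and output path are assumptions.

$StaleAfterDays = 90
$Cutoff  = (Get-Date).AddDays(-$StaleAfterDays)
$OutFile = 'C:\temp\az-stale-devices.csv'

Connect-MsolService   # prompts for credentials

# Pull every device and classify it client-side, so devices with no timestamp
# at all are surfaced instead of being silently dropped by a date filter.
$report = foreach ($d in Get-MsolDevice -All) {
    $last = $d.ApproximateLastLogonTimestamp
    if ($null -eq $last) {
        $status = 'NeverReported'
        $age    = $null
    } else {
        $age    = [int]((Get-Date) - $last).TotalDays
        $status = if ($last -lt $Cutoff) { 'Stale' } else { 'Active' }
    }
    [pscustomobject]@{
        DisplayName                   = $d.DisplayName
        DeviceId                      = $d.DeviceId
        Enabled                       = $d.Enabled
        DeviceTrustType               = $d.DeviceTrustType
        DeviceOsType                  = $d.DeviceOsType
        ApproximateLastLogonTimestamp = $last
        DaysSinceLogon                = $age
        Status                        = $status
    }
}

$report | Sort-Object Status, DaysSinceLogon -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation

# Console summary: how many devices fall into each bucket.
$report | Group-Object Status | Select-Object Name, Count

# Optional containment step: disable (do not delete) stale devices that are
# still enabled. Set $DisableStale = $true to act; review the CSV first.
$DisableStale = $false
if ($DisableStale) {
    $report | Where-Object { $_.Status -eq 'Stale' -and $_.Enabled } |
        ForEach-Object { Disable-MsolDevice -DeviceId $_.DeviceId -Force }
}
```

Disabling first and deleting only after a grace period is the safer order: a disabled device stops being a trusted sign-in source immediately, but nothing is lost if a user turns up with a laptop that had simply been in a drawer. Hybrid-joined devices should be cleaned up on the on-premises side, otherwise directory sync will recreate them.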
You can also automate the cleanup of Intune-managed devices by setting up a device cleanup rule in Intune with the following steps.
- Log in to https://portal.azure.com
- Search for Intune and open the Intune blade
- Select Devices from the left menu
- Select Device cleanup rules
- Turn on "Delete devices based on last check-in date"
- Set the number of days, so that a device is removed automatically if it has not checked in for that many days.
Note that this rule only covers devices enrolled in Intune, and it removes the Intune device record; the device object in Azure AD is not deleted by it, so the PowerShell report above is still needed for Azure AD registered or joined devices.
Stale Users / Accounts in Azure Active Directory
Finding stale users accounts is not as easy azure devices, the reason is that there is no attribute like “ApproximateLastLogonTimestamp”, however, Microsoft provides a way to get the lastSignInDateTime property using Microsoft Graph and this is still in Beta. I found a very handy PowerShell script and setup graph permission. You can find the script and the way to use it in the below link.