How to Find and Disable Non-Active Users in Azure
Learn how to find and delete non-active users in your Azure account to reduce costs and minimize security risks.
When employees leave a company, their user account may remain behind in Azure AD. In addition to posing a security risk, letting inactive user accounts hang around adds to your licensing costs. Larger companies can be especially prone to having service or guest accounts housed within Azure that are no longer necessary.
You should ensure that you have organizational security and access processes that include protocols for looking up and disabling inactive users within an Azure environment.
Generally speaking, an inactive user account is one that is no longer needed by a company. If an account hasn’t been used to sign in for a while, it should likely be a target for deactivation. The easiest way to figure out what accounts are inactive is by looking at the timestamp of their last sign-in.
The biggest issue with this method is deciding on a set period for deactivation. For example, if an account hasn’t been used in 30 days, the employee could be out on personal leave or because of a health issue. You need to account for any legitimate reasons for an account to remain non-active for an extended period when determining whether it should be deactivated.
The Microsoft Graph API exposes a property called “lastSignInDateTime” on the “signInActivity” resource type. It records the last time a user successfully signed in to Azure AD; it is updated on every successful sign-in and shows up in a generated report within 10 minutes. You can use “lastSignInDateTime” to find inactive users in the following ways.
Look up the user’s name by using the following query syntax:
You can get a list of all users who have not signed in since a specific time by filtering on the “lastSignInDateTime” property:
If you need to create a report of the sign-in dates for every user, you can get that information with the following query:
If the property comes up blank, that can mean one of two things:
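The lookup described above, worked through as an added example that is not part of the original post: it builds the Graph request that filters on signInActivity/lastSignInDateTime, then classifies a constructed sample response (not data from a real tenant) against an inactivity threshold, keeps an exemption list for accounts with a known reason to be idle, and separates out the blank-property case so it gets a manual look instead of an automatic delete. The function and variable names are my own, not Microsoft's.

```python
"""Find inactive Azure AD users from Microsoft Graph signInActivity data.

Added example; not code from the original post. Names here are my own.
The request shape follows Graph's documented filter on
signInActivity/lastSignInDateTime; the payload below is a constructed sample
in the shape of a GET /users response, not data from a real tenant.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Constructed sample response (not real tenant data).
SAMPLE_RESPONSE = {
    "value": [
        {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
         "signInActivity": {"lastSignInDateTime": "2024-05-28T08:12:00Z"}},
        {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
         "signInActivity": {"lastSignInDateTime": "2023-11-02T17:40:00Z"}},
        {"userPrincipalName": "carol@contoso.example", "accountEnabled": True,
         "signInActivity": {"lastSignInDateTime": "2024-01-15T09:00:00Z"}},
        # Service account with no signInActivity at all (blank property case).
        {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "dave@contoso.example", "accountEnabled": False,
         "signInActivity": {"lastSignInDateTime": "2023-06-01T12:00:00Z"}},
    ]
}
# Fixed "now" so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC with a trailing Z; older fromisoformat rejects Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cutoff_for(now, threshold_days):
    """Latest sign-in timestamp that still counts as inactive."""
    return now - timedelta(days=threshold_days)


def inactive_users_url(cutoff):
    """Build the Graph query for users whose last sign-in is at or before cutoff.

    Graph only accepts signInActivity in $filter on its own (not combined with
    other filter clauses), and returning the property needs the
    AuditLog.Read.All permission and an Azure AD Premium licence.
    """
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {
        "$filter": f"signInActivity/lastSignInDateTime le {stamp}",
        "$select": "displayName,userPrincipalName,accountEnabled,signInActivity",
    }
    return f"{GRAPH_USERS}?{urlencode(params, safe='/', quote_via=quote)}"


def classify_users(payload, now, threshold_days=90, exempt=frozenset()):
    """Sort a Graph /users payload into review buckets.

    exempt: lower-case UPNs with a known reason for inactivity (leave, etc.)
    so the threshold does not flag them for removal.
    """
    cutoff = cutoff_for(now, threshold_days)
    buckets = {"inactive": [], "never_signed_in": [], "active": [],
               "exempt": [], "already_disabled": []}
    for user in payload.get("value", []):
        upn = user["userPrincipalName"]
        if not user.get("accountEnabled", True):
            buckets["already_disabled"].append(upn)  # nothing left to disable
            continue
        if upn.lower() in exempt:
            buckets["exempt"].append(upn)
            continue
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None:
            # Blank property: Microsoft documents this as a user who never signed
            # in, or whose last sign-in predates April 2020 when recording began.
            # Either way it deserves a manual look rather than an automatic delete.
            buckets["never_signed_in"].append(upn)
            continue
        bucket = "inactive" if parse_graph_time(last) <= cutoff else "active"
        buckets[bucket].append(upn)
    return buckets


if __name__ == "__main__":
    print("query:", inactive_users_url(cutoff_for(NOW, 90)))
    on_leave = frozenset({"carol@contoso.example"})
    for name, upns in classify_users(SAMPLE_RESPONSE, NOW, 90, on_leave).items():
        print(f"{name:17} {', '.join(upns) or '-'}")
```

The threshold is a parameter rather than a constant because, as the post notes, 30 days catches people on leave; run the classification with a longer window, review the "inactive" and "never_signed_in" buckets by hand, and only then hand a list to the deletion step.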
Once you have located non-active users, you can remove them from your Azure AD in a few different ways.
Provisioning is a way of syncing your Azure AD account with other HR applications your organization is using for user management, like Workday or SuccessFactors.
As long as the non-active employees are updated in the linked HR management tool, you can use Azure AD provisioning to delete the user entirely and keep all the settings established for the user’s Azure setup. You just need to make sure that the “Provisioning Status” is set to “On”. You can read more about provisioning here.
If you want to directly delete a user via the Azure portal, you first need to sign in with Admin permissions. Go to the Azure Active Directory, select the user you want to delete, and then click “Delete user”.
You can verify that this user was actually deleted by navigating to the “Deleted users” section.
For scripting purposes, you can also use the Azure CLI and run the “az ad user delete” command. Here’s an example of that:
This will soft-delete the user and free up their license. After 30 days, they will be hard-deleted from your Azure AD.
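The CLI deletion step above, written out as an added example that is not part of the original post: it soft-deletes each user listed in a reviewed file with the Azure CLI and then lists the directory's deleted-items container (the same set the portal's “Deleted users” section shows) to confirm the soft delete. It assumes `az login` has already been done with a role permitted to delete users; `DRY_RUN`, `run_az`, `valid_upn` and the function names are my own, and the default is a dry run that only prints the commands it would execute.

```sh
#!/bin/sh
# Added example (not from the original post): soft-delete a reviewed list of
# inactive users with the Azure CLI and confirm they landed in deletedItems.
# Assumes `az login` has been done with a role allowed to delete users.
# DRY_RUN=1 (the default) only prints the az commands it would run.

DRY_RUN="${DRY_RUN:-1}"

run_az() {
    # Execute or echo an az command depending on DRY_RUN.
    if [ "$DRY_RUN" = "1" ]; then
        printf 'dry-run: az %s\n' "$*" >&2
    else
        az "$@"
    fi
}

valid_upn() {
    # Minimal sanity check: exactly one '@', no whitespace, non-empty. Keeps a
    # stray line in the review file from being passed to az as an identifier.
    case "$1" in
        ""|*[[:space:]]*) return 1 ;;
        *@*@*)            return 1 ;;
        *@*)              return 0 ;;
        *)                return 1 ;;
    esac
}

soft_delete_users() {
    # $1: file with one userPrincipalName per line, produced by the review step.
    # Blank lines and '#' comments are ignored. Prints the number of users processed.
    count=0
    while IFS= read -r upn || [ -n "$upn" ]; do
        case "$upn" in ""|"#"*) continue ;; esac
        if ! valid_upn "$upn"; then
            printf 'skipping malformed entry: %s\n' "$upn" >&2
            continue
        fi
        # az ad user delete accepts the object id or the UPN via --id.
        run_az ad user delete --id "$upn"
        count=$((count + 1))
    done < "$1"
    echo "$count"
}

list_soft_deleted_users() {
    # Soft-deleted users sit in the directory's deletedItems container for 30
    # days (the portal's "Deleted users" blade) before they are hard-deleted.
    run_az rest --method GET \
        --url 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user?$select=userPrincipalName,deletedDateTime'
}

if [ "$#" -gt 0 ]; then
    soft_delete_users "$1"
    list_soft_deleted_users
fi
```

Run it as `DRY_RUN=0 sh cleanup.sh reviewed-users.txt` once the list has been checked; the 30-day window in deletedItems is the recovery period if a listed account turns out to belong to someone on leave.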
Running manual checks like this will help you clean up your Azure account, but it requires context-switching to make it a routine practice.
With a free Blink account, you can schedule automated checks just like this one so you can ensure optimal Azure account management in just a couple of clicks.
Get started with Blink today to see how easy automation can be.
Blink is secure, decentralized, and cloud-native. Get modern cloud and security operations today.