Finding and Disabling Non-Active Users in Azure

Inactive user accounts in your Azure AD tenant cost your organization licence money and widen its attack surface. This guide shows how to find them with the Microsoft Graph API and how to disable or delete them.

Patrick Londa
Jun 13, 2022 • 5 min read

When employees leave a company, their user accounts often remain behind in Azure AD. Besides adding to your licensing costs, an inactive account is a security risk: nobody is watching it, so a compromise of its credentials can go unnoticed for a long time. Larger organizations are especially prone to accumulating service and guest accounts in Azure AD that are no longer needed.

Your identity and access processes should therefore include a routine step for finding inactive users in Azure AD and disabling them.

Defining a Non-Active User Account

Generally speaking, an inactive user account is one the organization no longer needs. If an account has not been used to sign in for some time, it is a candidate for deactivation, and the easiest way to spot such accounts is to look at the timestamp of each account's last sign-in.

The hard part is choosing the inactivity window. If an account has not been used for 30 days, the employee may simply be on parental, personal or medical leave. Account for the legitimate reasons an account can stay idle for an extended period before you deactivate it, and prefer a reversible first step (disabling the account) over deletion.


Querying Non-Active Azure Users With Graph API

The Microsoft Graph API exposes a “signInActivity” resource type on each user, with a property called “lastSignInDateTime”: the time of the user's last successful interactive sign-in to Azure AD. Its sibling “lastNonInteractiveSignInDateTime” records the last non-interactive sign-in (token refreshes and other sign-ins performed on the user's behalf), which is what service accounts usually show, so check both before calling an account inactive. Reading signInActivity requires the AuditLog.Read.All and User.Read.All permissions and an Azure AD Premium P1 or P2 licence in the tenant. The timestamps are updated asynchronously after each successful sign-in, typically within minutes, so treat them as near-real-time rather than instant. You can use “lastSignInDateTime” to find inactive users in the following ways.

By User Name

Look up a user by display name with the following query. The filter matches the start of displayName, so 'lastname' only works for names stored as “Lastname, Firstname”; filter on “surname” or “userPrincipalName” otherwise. signInActivity is not returned unless you $select it:

https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'lastname')&$select=displayName,signInActivity

By Date

To list every user who has not signed in since a given time, filter on the “lastSignInDateTime” property (URL-encode the query when you send it, and replace the timestamp with your own cutoff; a cutoff in the future matches everyone who has ever signed in):

https://graph.microsoft.com/v1.0/users?$filter=signInActivity/lastSignInDateTime le 2022-03-01T00:00:00Z&$select=displayName,userPrincipalName,signInActivity

A filter on signInActivity cannot be combined with filters on other properties, and users with no sign-in record at all are not matched by it.

If you need a report of the last sign-in date for every user, drop the filter. The /users collection is paged (100 users per page by default, up to 999 with $top), so follow the @odata.nextLink in each response until it is absent:

https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,signInActivity&$top=999

If “signInActivity” is missing or blank for a user, that means one of two things:

  1. The user last signed in before April 2020, when Azure AD began recording this data.
  2. The account has never completed a successful sign-in.

Either way the account is a strong candidate for deactivation, and because the date filter above skips such users, the unfiltered report is the only way to catch them.
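The following script puts the pieces above together: it builds the /users query, follows @odata.nextLink paging, and sorts users into active, inactive and never-signed-in buckets, taking the non-interactive timestamp into account and treating a blank signInActivity as its own case. It is an added example for this article, not Blink's code or a Microsoft sample. It assumes the caller supplies a bearer token for an app with AuditLog.Read.All and User.Read.All; the two-page SAMPLE_PAGES response and the acme.example accounts are constructed so it runs offline.

```python
"""Inventory Azure AD sign-in activity through Microsoft Graph.

Added example for this article, not Blink's code or a Microsoft sample.
Assumes the caller supplies an OAuth2 bearer token whose app has
AuditLog.Read.All and User.Read.All (signInActivity also needs an Azure AD
Premium P1/P2 licence in the tenant). SAMPLE_PAGES is constructed data."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
DEFAULT_SELECT = ("id", "userPrincipalName", "accountEnabled", "signInActivity")


def users_url(last_sign_in_before=None, select=DEFAULT_SELECT, page_size=999):
    """Build the /users request. signInActivity is only returned when $select'ed.
    A $filter on signInActivity/lastSignInDateTime silently drops users that have
    no value at all (never signed in), so the default is no filter: pull every
    user and classify locally."""
    params = {"$select": ",".join(select), "$top": str(page_size)}  # 999 is the max for /users
    if last_sign_in_before:
        params["$filter"] = f"signInActivity/lastSignInDateTime le {last_sign_in_before}"
    query = urllib.parse.urlencode(params, safe="$,/:", quote_via=urllib.parse.quote)
    return f"{GRAPH}/users?{query}"


def graph_getter(token):
    """Real transport: GET a Graph URL with the bearer token and return the JSON."""
    def get_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


def fetch_all(get_json, url):
    """Follow @odata.nextLink until the collection is exhausted; /users is paged."""
    items = []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the final page
    return items


def parse_ts(value):
    """Graph timestamps are ISO 8601 UTC ('2022-06-10T09:00:00Z'); drop any fraction."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify(users, cutoff):
    """Bucket UPNs by the most recent of interactive and non-interactive sign-in.
    Service accounts often only have non-interactive sign-ins, so checking
    lastSignInDateTime alone would wrongly flag them as inactive."""
    buckets = {"active": [], "inactive": [], "never": []}
    for user in users:
        activity = user.get("signInActivity") or {}
        stamps = [parse_ts(activity[key]) for key in
                  ("lastSignInDateTime", "lastNonInteractiveSignInDateTime") if activity.get(key)]
        if not stamps:
            # Blank: no successful sign-in since tracking began (April 2020), or never.
            buckets["never"].append(user["userPrincipalName"])
        elif max(stamps) < cutoff:
            buckets["inactive"].append(user["userPrincipalName"])
        else:
            buckets["active"].append(user["userPrincipalName"])
    return buckets


# Constructed two-page response, shaped like Graph's, so the script runs offline.
SAMPLE_PAGES = {
    f"{GRAPH}/users?page=1": {
        "value": [
            {"id": "u1", "userPrincipalName": "alice@acme.example", "accountEnabled": True,
             "signInActivity": {"lastSignInDateTime": "2022-06-10T09:00:00Z"}},
            {"id": "u2", "userPrincipalName": "bob@acme.example", "accountEnabled": True,
             "signInActivity": {"lastSignInDateTime": "2021-11-02T17:45:12Z"}},
        ],
        "@odata.nextLink": f"{GRAPH}/users?page=2",
    },
    f"{GRAPH}/users?page=2": {
        "value": [
            {"id": "u3", "userPrincipalName": "svc-backup@acme.example", "accountEnabled": True,
             "signInActivity": {"lastSignInDateTime": "2021-01-15T03:00:00Z",
                                "lastNonInteractiveSignInDateTime": "2022-06-12T02:00:00Z"}},
            {"id": "u4", "userPrincipalName": "carol@acme.example", "accountEnabled": True},
        ],
    },
}


def demo(cutoff=datetime(2022, 3, 15, tzinfo=timezone.utc)):
    """Run the pipeline against SAMPLE_PAGES; swap in graph_getter(token) for a real tenant."""
    users = fetch_all(SAMPLE_PAGES.__getitem__, f"{GRAPH}/users?page=1")
    return classify(users, cutoff)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the constructed data, svc-backup lands in the active bucket only because of its non-interactive timestamp, and carol, who has no signInActivity at all, ends up in the "never" bucket rather than being silently dropped as the server-side date filter would do.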

Disabling Non-Active Azure Users

Once you have located non-active users, you have two options: disable them or delete them. Disabling (setting accountEnabled to false) blocks sign-in but is fully reversible and keeps the account's group memberships, licences and data; deleting soft-deletes the account, which stays recoverable for 30 days before it is permanently removed. The sections below cover the common ways to remove accounts from Azure AD.

Deleting Users with Provisioning

Provisioning syncs Azure AD with the HR system your organization uses as its source of truth for workers, such as Workday or SuccessFactors.

When a leaver is marked as terminated in the HR system, the provisioning job disables the matching Azure AD account and, if the Delete action is enabled in the attribute mapping, deletes it, so offboarding follows the HR record without a separate Azure AD step. Make sure the app's “Provisioning Status” is set to “On”. Microsoft's Azure AD documentation covers provisioning in detail.

Deleting Users with the Azure Portal

If you want to delete a user directly in the Azure portal, sign in with an account that holds the User Administrator role (or higher), go to Azure Active Directory > Users, select the user, and click “Delete user”. If you only want to block sign-in for now, edit the user and block sign-in instead of deleting the account.

You can verify the deletion in the “Deleted users” section, where the account remains recoverable for 30 days.

Deleting Users with the Azure CLI

For scripting, use the Azure CLI and run the “az ad user delete” command. Here is an example:

az ad user delete --id johndoe@acme.com

This soft-deletes the user and frees their license. After 30 days the account is permanently deleted from Azure AD and can no longer be restored. To disable rather than delete, the CLI also offers “az ad user update” with the --account-enabled false flag.
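The staged version of the procedure above, disable and revoke sessions first, delete only after a hold period, is shown here as an added example for this article using the Graph endpoints behind the portal and CLI (PATCH /users/{id}, POST /users/{id}/revokeSignInSessions, DELETE /users/{id}); it is not Blink's code or a Microsoft sample. It assumes a bearer token with the Graph permissions for those calls (User.ReadWrite.All at the time of this article). HOLD_DAYS, the exempt list and the caller-tracked 'disabledOn' field are assumptions, and the user records in demo() are constructed.

```python
"""Stage the offboarding of an inactive Azure AD user through Microsoft Graph:
disable and revoke sessions first, delete only after a hold period.

Added example for this article, not Blink's code or a Microsoft sample.
Assumes a bearer token with the Graph permissions for these calls
(User.ReadWrite.All at the time of this article). HOLD_DAYS, the exempt list
and the caller-tracked 'disabledOn' field are assumptions; the user records
in demo() are constructed."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
HOLD_DAYS = 30  # assumption: how long a disabled account sits before deletion


def graph_sender(token):
    """Real transport: send(method, url, body) -> (HTTP status, parsed JSON or None)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        headers = {"Authorization": f"Bearer {token}"}
        if data is not None:
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


def disable_user(send, user_id):
    """Reversible step: accountEnabled=false blocks new sign-ins but keeps group
    memberships, licences and data. Revoking sign-in sessions invalidates the
    refresh tokens already issued, so existing sessions die as well."""
    send("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})
    send("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions")


def delete_user(send, user_id):
    """Soft delete: the object moves to Deleted users and is purged after 30 days."""
    send("DELETE", f"{GRAPH}/users/{user_id}")


def offboard(send, user, now, exempt=frozenset()):
    """Apply the next lifecycle step to one user already judged inactive.

    `user` is the Graph user object plus an optional 'disabledOn' ISO date that
    the caller records when it disables the account (Graph does not store when
    accountEnabled last changed, so the hold period has to be tracked outside)."""
    upn = user["userPrincipalName"]
    if upn in exempt:  # e.g. staff confirmed to be on leave
        return "exempt"
    if user.get("accountEnabled", True):
        disable_user(send, user["id"])
        return "disabled"
    disabled_on = datetime.fromisoformat(user["disabledOn"]).replace(tzinfo=timezone.utc)
    if now - disabled_on >= timedelta(days=HOLD_DAYS):
        delete_user(send, user["id"])
        return "deleted"
    return "holding"


def demo():
    """Dry run against constructed records with a recording transport."""
    calls = []

    def record(method, url, body=None):
        calls.append((method, url[len(GRAPH):], body))
        return 200, None

    now = datetime(2022, 6, 13, tzinfo=timezone.utc)
    inactive = [  # constructed: all four were flagged inactive by the sign-in report
        {"id": "u1", "userPrincipalName": "bob@acme.example", "accountEnabled": True},
        {"id": "u2", "userPrincipalName": "dave@acme.example", "accountEnabled": False,
         "disabledOn": "2022-04-01"},
        {"id": "u3", "userPrincipalName": "erin@acme.example", "accountEnabled": False,
         "disabledOn": "2022-06-01"},
        {"id": "u4", "userPrincipalName": "pat@acme.example", "accountEnabled": True},
    ]
    exempt = frozenset({"pat@acme.example"})  # assumption: HR confirmed on leave
    outcomes = {u["userPrincipalName"]: offboard(record, u, now, exempt) for u in inactive}
    return outcomes, calls


if __name__ == "__main__":
    outcomes, calls = demo()
    print(json.dumps(outcomes, indent=2))
    for call in calls:
        print(*call)
```

Run on a schedule, each pass only advances an account one step: a still-enabled account is disabled and its sessions revoked, a disabled one is deleted once it has been idle past HOLD_DAYS, and anyone on the exempt list is left alone. Replace `record` with `graph_sender(token)` to act on a real tenant.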

Run User Checks Regularly with Blink

Running manual checks like this will clean up your Azure AD tenant, but the context-switching makes it hard to keep up as a routine practice.

With a free Blink account, you can schedule automated checks like this one and keep your Azure tenant tidy in a couple of clicks.

Get started with Blink today to see how easy automation can be.
