Buy Entra Governance Licenses or Use PowerShell to Remove Inactive User Accounts
Some time ago, I discussed how to manage Entra ID guest accounts and the choice that exists between using Microsoft Entra ID Governance (lifecycle workflows and access reviews) or creating your own processes with PowerShell. I made the point that the steps required to find and deal with inactive guest accounts do not require difficult code and pointed out the many available scripts to do the job.
The intention behind highlighting scripts to replace Entra ID Governance functionality is not to say that Entra ID Governance is useless. That’s obviously not the case. It’s always nice to have someone else be responsible for maintaining and supporting code. However, not every tenant can afford to invest in Entra P2 licenses and, in some cases, tenants with Entra P2 licenses might prefer to create customized versions of account lifecycle processes.
Lifecycle Workflow to Remove Inactive User Accounts
All of which brings me to the latest preview offering in Entra ID Governance, the ability to manage inactive user accounts through lifecycle workflows. Essentially, Entra ID looks for accounts that haven’t signed in for a set number of days and deems those accounts to be inactive. The workflow can then remove the inactive accounts to free up licenses or simply clean up the directory.
No one wants to pay for licenses that are unused and there’s no sense in having inactive user accounts cluttering up the directory. An inactive user lifecycle workflow is a good idea and I’m sure the tenants with Entra P2 licenses will happily implement workflows to make sure that their directories are spanking clean.
The PowerShell Alternative
But just like the lifecycle workflows to manage guest accounts, the PowerShell code to find and process inactive user accounts is straightforward. In fact, I’ve been over this ground before with a script to find unused mailboxes. In this case, the script focuses on user accounts instead of mailboxes. The steps are:
- Find the user accounts to process. This could be all licensed user accounts (there’s no point in processing user accounts created for room or shared mailboxes) or a subset defined by a group.
- Check each account to establish when it last signed in. If the number of days since the last sign-in exceeds a set threshold, mark the account as inactive by setting custom attribute 10 to “Inactive” and disable the account. The script uses a 90-day threshold, which should be enough to cover absences such as sabbaticals.
- Subsequent runs of the job remove the disabled accounts marked by this workflow. Using a two-phase approach allows administrators to recover accounts disabled in error without doing too much harm.
- Instead of simply deleting the inactive accounts, the accounts are placed on litigation hold before deletion to make their mailboxes inactive and capable of recovery. It’s also possible to convert user mailboxes into shared mailboxes, but overall, I think it’s better to use inactive mailboxes (if only because inactive mailboxes avoid the potential need to license shared mailboxes for MDO or if the mailbox has an archive). Deleting an account frees up its assigned licenses. If you convert mailboxes to be shared mailboxes, remember to remove licenses from the account.
- Report what’s been done by sending details of the processed accounts in an email to administrators (Figure 1).
If an account is deleted in error, it can be recovered through the Entra admin center for up to 30 days after removal. Once that period lapses, Entra ID permanently removes the account.
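To make the two-phase process concrete, here is an added example (not the author’s script from the repository) built on the Microsoft Graph PowerShell SDK and Exchange Online Management modules. It assumes the admin can consent to User.ReadWrite.All, AuditLog.Read.All and Mail.Send; the sender and recipient addresses are placeholders, and the 90-day threshold is the one the text uses.

```powershell
# Added example, not the original script. Phase 2 runs first so that an account
# always spends at least one scheduled run disabled before it is deleted.
$Threshold = 90
$Sender    = "automation@contoso.example"   # placeholder: use a real tenant account
$Recipient = "admins@contoso.example"       # placeholder: administrators' mailbox
$Report    = [System.Collections.Generic.List[string]]::new()

Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","Mail.Send" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Phase 2: remove accounts that a previous run disabled and marked as Inactive.
$Marked = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
    -Filter "CustomAttribute10 -eq 'Inactive'"
foreach ($Mbx in $Marked) {
    $User = Get-MgUser -UserId $Mbx.UserPrincipalName -Property Id,AccountEnabled
    if ($User.AccountEnabled) { continue }          # re-enabled by an admin: leave it alone
    if (-not $Mbx.LitigationHoldEnabled) { continue } # hold not yet applied: wait one more run
    Remove-MgUser -UserId $User.Id                   # mailbox becomes inactive; licenses released
    $Report.Add("Deleted $($Mbx.UserPrincipalName) (soft-deleted, recoverable for 30 days)")
}

# Phase 1: disable licensed member accounts with no sign-in inside the threshold.
$Cutoff = (Get-Date).AddDays(-$Threshold)
$Users  = Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
    -Property Id,UserPrincipalName,AssignedLicenses,CreatedDateTime,SignInActivity
foreach ($U in $Users) {
    if ($U.AssignedLicenses.Count -eq 0) { continue }      # skip room/shared mailbox accounts
    $Last = $U.SignInActivity.LastSignInDateTime
    if ($Last -and $Last -gt $Cutoff) { continue }          # active within the window
    if (-not $Last -and $U.CreatedDateTime -gt $Cutoff) { continue } # new account, never signed in yet
    Update-MgUser -UserId $U.Id -AccountEnabled:$false
    # Mark the mailbox and put it on hold now, so the hold is in place before the next run deletes it.
    Set-Mailbox -Identity $U.UserPrincipalName -CustomAttribute10 "Inactive" -LitigationHoldEnabled $true
    $Report.Add("Disabled $($U.UserPrincipalName); last sign-in: $(if ($Last) { $Last } else { 'never' })")
}

# Report what was done to the administrators.
if ($Report.Count -gt 0) {
    $Message = @{
        Subject      = "Inactive user account processing"
        Body         = @{ ContentType = "Text"; Content = ($Report -join "`n") }
        ToRecipients = @(@{ EmailAddress = @{ Address = $Recipient } })
    }
    Send-MgUserMail -UserId $Sender -BodyParameter @{ Message = $Message; SaveToSentItems = $false }
}
```

Because the litigation hold is set at disable time, an account that an administrator re-enables between runs is left untouched on the next pass, and the hold can simply be removed by hand.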

A process like this is well suited to executing as a scheduled Azure Automation runbook, perhaps on a biweekly basis. You can download the script from the Office 365 for IT Pros repository. Make sure to amend the addresses used for the message sender and recipient to match accounts in your tenant.
Choosing Between Off-the-Shelf Software and PowerShell
Once again, I’m not saying that Microsoft 365 tenants should not invest in Entra ID Governance. The solution offers more functionality than simply detecting and removing inactive user accounts. I do want to remind people that PowerShell is often an alternative, especially when you want to create a custom workflow for your organization. It’s nice to have a choice.
Need help to write and manage PowerShell scripts for Microsoft 365, including Azure Automation runbooks? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.