Post

Get Office 365 inactive users using the audit log with PowerShell
Most blogs regarding the retrieval of inactive users are using the mailbox statistics to get the last logon time. Retrieving the mailbox statistics is a fast solution but it will not retrieve users that don’t have a mailbox like admin accounts or external accounts. This script will retrieve the audit data for each user and […]

Most blogs regarding the retrieval of inactive users are using the mailbox statistics to get the last logon time. Retrieving the mailbox statistics is a fast solution but it will not retrieve users that don’t have a mailbox like admin accounts or external accounts. This script will retrieve the audit data for each user and it tries to find successful and failed logons. There is a limit for 50k results querying the audit log but most of the times a user doesn’t reach 50k of logons and it means the user is still very active if it does. It will take around 6-8 seconds per user so it can take some time for large organizations. As always with my scripts I’ll generate a HTML file with the results. The HTML file includes two lists:

  • List of all Inactive users
  • List of all active users

image

Note 1: that you will need the Office 365 and the latest Exchange Online modules which the script will verify. Also verify that auditing is enabled for you Office 365 tenant at https://protection.office.com/unifiedauditlog!

image
It’s in dutch but it says active
You cannot use this script directly after activating because you need to give the log some time to gather the data.

Note 2: The latest Exchange Online module created a timeout after 60 minutes which means that after around 650 users the script will time out. I’ve used sections of the script from https://techcommunity.microsoft.com/t5/Exchange/60-minutes-timeout-on-MFA-Session/m-p/559224 to counter this issue as it will renew the connection every 500 users using the cached credentials.

Creating the inactive users overview

PowerShell Gallery

The PowerShell Gallery is a perfect solution to store your own scripts which you use on a regular basis where other people can also use them. The script can be found at  https://www.powershellgallery.com/packages/get-O365InactiveUsers. I always recommend reading the code first as this is a script from the internet which can be found after clicking on “Show” at “FileList”. You can also copy the script and edit it to suit your needs.

image

Installing the script

You can install the script using the below command

Install-Script -Name get-O365InactiveUsers

image
Press Y if you want to install the script from the PSGallery.

Running the script

An example has been provided in the script info section where we will be using this same example.

Run the following command in PowerShell

Get-O365InactiveUsers.ps1 -LogPath “C:\Install” -days 90 -AdminUPN “admin@<tenant>.onmicrosoft.com”

First you need to authenticate to Office 365 and then you will need to authenticate to Exchange Online

image

It will show you how many users are present and then an entry for each user so you can keep track on how long it will take

image

It will show you when finished and it will open the .HTML file automatically

image

It will also list the active users and their last timestamp and action

Requests

Please let me know if you want to see more information that should be valid for an inactive users overview report in the comment section and I’ll add this to the PowerShell Gallery script. Please also let me know if you edited the script yourself and what you added or removed as I can learn from you in making this overview better.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Archive