Uncovering Stale Users in Azure Active Directory: A Comprehensive Guide

In the ever-evolving landscape of Azure Active Directory (Azure AD), maintaining user accounts is a critical aspect of security and cost-efficiency. Stale or inactive user accounts not only pose a security risk but can also lead to unnecessary licensing costs. In this blog post, we'll explore how to identify and manage stale users in Azure AD using various methods, such as the Azure portal, PowerShell, and scripts. We'll also discuss why this is important and how Professional Labs leveraged these practices to reduce Microsoft 365 licensing costs through better utilization.

Why Is Identifying Stale Users Important?

Stale users, also known as inactive or obsolete users, are accounts that are no longer in use but remain active in your Azure AD. There are several reasons why identifying and addressing these accounts is crucial:

  1. Security: Stale user accounts can become an entry point for unauthorized access or security breaches if left unattended. Hackers often target inactive accounts since they may have weaker security controls.
  2. Cost Efficiency: Active user licenses come at a cost. Keeping unused accounts active unnecessarily leads to higher licensing expenses. Identifying and deactivating or removing stale users can result in significant cost savings.
  3. Resource Management: Inactive users consume valuable resources, such as storage and network bandwidth. Cleaning up these accounts helps optimize resource allocation.
  4. Compliance: Many compliance standards require organizations to regularly review and disable or delete inactive accounts to maintain data privacy and security.

How to Find Stale Users in Azure AD

Using the Azure Portal:

  1. Azure AD Sign-ins: Monitor user sign-ins using the Azure AD Sign-ins report. Users with no sign-ins over an extended period may be considered stale.
  2. Azure AD Identity Protection: Utilize Identity Protection to identify risky sign-in behavior, such as suspicious activity from stale users.

Using PowerShell:

PowerShell provides more granular control for identifying and managing stale users:

  1. Connect to Azure AD: Use Connect-AzureAD to establish a connection to your Azure AD.
  2. Retrieve User Activity: Run PowerShell scripts to fetch user activity and identify users with no recent activity. For example, Get-AzureADAuditSignInLogs can be used to gather sign-in logs.
  3. Determine Inactivity Threshold: Define your threshold for inactivity (e.g., 90 days). Users exceeding this threshold can be considered stale.
  4. Deactivate or Delete Stale Users: Use PowerShell commands such as Set-AzureADUser -AccountEnabled $false to deactivate stale user accounts, or delete them, as needed.

Using Scripts:

Custom scripts can be tailored to your organization's specific needs. These scripts can automate the process of identifying and managing stale users based on your criteria.

Here is a PowerShell script that you can use to identify stale users in Azure Active Directory based on their last sign-in date. This script will list users who haven't signed in for a specified number of days:

```powershell
# Connect to Azure AD
Connect-AzureAD

# Set the number of days for the inactivity threshold (e.g., 90 days)
$inactivityThreshold = 90

# Get the current date
$currentDate = Get-Date

# Calculate the threshold date
$thresholdDate = $currentDate.AddDays(-$inactivityThreshold)

# Get a list of users who haven't signed in since the threshold date.
# -All $true is required; without it Get-AzureADUser returns only the first 100 users.
# Note: the AzureAD module's user object does not expose a LastSignInDate property,
# so this filter does not compare against a real sign-in date; Microsoft Graph's
# signInActivity resource is the supported source for last sign-in data.
$staleUsers = Get-AzureADUser -All $true | Where-Object { $_.LastSignInDate -lt $thresholdDate }

# Output the list of stale users
$staleUsers | Select-Object DisplayName, UserPrincipalName, LastSignInDate | Format-Table -AutoSize

# Disconnect from Azure AD (optional)
Disconnect-AzureAD
```

Here's a breakdown of what the script does:

  1. It connects to Azure AD using Connect-AzureAD.
  2. You specify the number of days for the inactivity threshold by setting the $inactivityThreshold variable (e.g., 90 days).
  3. The script gets the current date using Get-Date.
  4. It calculates the threshold date by subtracting the inactivity threshold from the current date.
  5. Using Get-AzureADUser, it retrieves a list of all users in Azure AD.
  6. The script filters the users using Where-Object, selecting only those whose LastSignInDate is earlier than the threshold date, indicating they haven't signed in for the specified period.
  7. It then outputs the list of stale users, including their display name, user principal name, and last sign-in date.
  8. Optionally, it disconnects from Azure AD using Disconnect-AzureAD.

You can customize the $inactivityThreshold variable to set the desired number of days for considering a user as stale. Additionally, you can modify the output format or add actions to deactivate or remove these stale users based on your organization's requirements.
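The PowerShell steps above (connect, fetch activity, apply a threshold, deactivate) and the script breakdown both hinge on having a real last-sign-in date per user. As an added example that is not the article's own script, the following uses the Microsoft Graph PowerShell SDK, whose Get-MgUser cmdlet can return the signInActivity resource; Get-AzureADUser has no such property. It assumes the Microsoft.Graph module is installed, that the account running it can consent to the User.Read.All and AuditLog.Read.All scopes, and that the tenant holds a Microsoft Entra ID P1 or P2 license, which signInActivity requires. The Disable-StaleUser function and the CSV file name are constructed for this example.

```powershell
# Added example (not the article's own script): stale-user detection via Microsoft Graph.
# Assumes the Microsoft.Graph SDK is installed and the tenant is licensed for signInActivity.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

$inactivityThreshold = 90
# Graph returns UTC timestamps, so compare against a UTC threshold
$thresholdDate = (Get-Date).ToUniversalTime().AddDays(-$inactivityThreshold)

# signInActivity is not returned by default; it must be requested with -Property
$users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity

$staleUsers = foreach ($u in $users) {
    # Use the most recent of interactive and non-interactive sign-in, so that
    # accounts that only authenticate non-interactively (e.g. via a refresh token
    # from an app) are not flagged as stale by mistake.
    $candidates = @($u.SignInActivity.LastSignInDateTime,
                    $u.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    $lastActivity = if ($candidates) { $candidates | Sort-Object -Descending | Select-Object -First 1 } else { $null }

    if ($null -eq $lastActivity) {
        # Never signed in: only stale if the account itself is older than the threshold,
        # otherwise a freshly created user would be flagged on day one.
        $isStale = $u.CreatedDateTime -lt $thresholdDate
        $reason  = "never signed in"
    } else {
        $isStale = $lastActivity -lt $thresholdDate
        $reason  = "last activity $($lastActivity.ToString('u'))"
    }

    # Already-disabled accounts are excluded; they have been dealt with
    if ($isStale -and $u.AccountEnabled) {
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            Created           = $u.CreatedDateTime
            LastActivity      = $lastActivity
            Reason            = $reason
            Id                = $u.Id
        }
    }
}

$staleUsers | Sort-Object LastActivity |
    Format-Table DisplayName, UserPrincipalName, LastActivity, Reason -AutoSize

# Keep a record of what was found before anything is changed (constructed file name)
$staleUsers | Export-Csv -Path ".\stale-users-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Remediation is a separate, deliberate step. Disabling (rather than deleting) keeps the
# account, its mailbox and its group memberships recoverable if the review was wrong.
function Disable-StaleUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $User)
    process {
        if ($PSCmdlet.ShouldProcess($User.UserPrincipalName, "Disable account")) {
            Update-MgUser -UserId $User.Id -AccountEnabled:$false
        }
    }
}

# Dry run first; drop -WhatIf only after the CSV has been reviewed
# $staleUsers | Disable-StaleUser -WhatIf

Disconnect-MgGraph
```

Two design points: the threshold is applied to the later of the interactive and non-interactive sign-in timestamps, and users with no sign-in history are judged by account age, so neither service-style accounts nor newly provisioned users are disabled by accident. Because Disable-StaleUser supports -WhatIf, the listing, the CSV review and the actual change remain three distinct steps.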

Professional Labs: A Success Story

At Professional Labs, we understand the significance of efficient Azure AD management. By implementing a rigorous process to identify and manage stale users, we achieved several benefits, including:

  1. Cost Savings: By deactivating or removing unused user accounts, we reduced our Microsoft 365 licensing costs significantly.
  2. Enhanced Security: Removing stale users reduced the potential attack surface and improved our overall security posture.
  3. Optimized Resources: Resource utilization improved as we eliminated unnecessary storage and other resources tied to inactive accounts.

Conclusion

Identifying and managing stale users in Azure AD is essential for maintaining security, cost efficiency, and compliance. Whether you choose to use the Azure portal, PowerShell, or custom scripts, regular hygiene practices are a cornerstone of a well-managed Azure AD environment.

Professional Labs' success story demonstrates how proactive stale user management can yield substantial benefits, from cost savings to improved security and resource optimization. If you're looking to optimize your Azure AD environment and reduce licensing costs, consider implementing these practices to ensure a secure and efficient directory.


Daniel Bhatoa

Technical Services Engineer

4 months

Have you tried this recently? I don't think LastSignInDate is returned by get-azureaduser
