Generate an Email Activity and Inactive Mailbox Report with Microsoft Graph

Email activity reporting is a cornerstone of license right-sizing, offboarding hygiene, and security monitoring in Microsoft 365. Over time, mailboxes fall dormant — employees leave, roles shift, service accounts get forgotten — yet their Exchange Online licenses continue to bill month after month.

When to run this recipe

• Quarterly license reviews — identify Exchange/E3/E5 seats that can be reclaimed or downgraded.
• Offboarding audits — confirm departed users' mailboxes are actually inactive before removal.
• Security investigations — a sudden drop in send/receive volume for a normally active user can indicate account compromise, forwarding rules, or delegation abuse.
• Adoption tracking — surface licensed users who never adopted Outlook, suggesting training gaps.

The Microsoft Graph reports/getEmailActivityUserDetail endpoint returns send, receive, and read counts per user over a rolling period (7, 30, 90, or 180 days). Joining this with the user/license directory in Entra ID produces a single spreadsheet that answers: who has a mailbox license but isn't using it?

After running this recipe, you will have:

• A CSV report listing every user with columns for display name, UPN, last activity date, 30-day send count, 30-day receive count, license status, and account-enabled state.
• A Status column classifying each user as Active, Low Activity / Potential Drop, Licensed - No Activity, or Inactive / No Data.
• A count of licensed users with zero email activity — the primary candidates for license reclamation.
• A reusable artifact suitable for sharing with finance, HR, or security for follow-up decisions.

Privacy & compliance

• Concealed names setting: If your tenant has "Display concealed user, group, and site names" enabled in the M365 Admin Center, the report will return hashed UPNs (e.g. A1B2C3...) instead of real email addresses, making the join with Entra ID impossible. Disable it temporarily (admin only) or accept anonymized output.
• Reports.Read.All is powerful — it grants visibility into usage across all Microsoft 365 services. Scope app registrations carefully and rotate client secrets.

Data interpretation gotchas

• The report has a ~48 hour lag. A user active this morning may still appear inactive.
• Users with only receive activity (e.g. distribution-list members) may look dormant but are still receiving business mail — don't blindly remove their license.
• Shared mailboxes, resource mailboxes, and room mailboxes show up with inflated or unusual patterns. Filter userType or recipient type separately.
• New users in their first week typically have low counts — exclude users created within the last 30 days before flagging.

Do not

• Do not auto-remove licenses based on this report alone — always get manager or user confirmation.
• Do not share the CSV externally without redacting UPNs; it is personally identifiable data under GDPR/CCPA.