Recipe · User & Group Management
Report Inactive Members and Guest Accounts (90+ Days) via Microsoft Graph
Identify stale member and guest accounts in Entra ID using signInActivity and export a consolidated CSV for review and cleanup
Complexity
Intermediate
Impact
security + compliance + cost-optimization + identity-hygiene
Context
Why This Matters
Stale user accounts, both internal members who have stopped signing in and guest (B2B) accounts that were invited but never used, are one of the most common sources of identity risk in Microsoft 365. Each dormant account is attack surface that nobody is watching: licenses still assigned to it waste money, forgotten guests retain access to SharePoint sites and Teams, and an inactive privileged account can be taken over without anyone noticing, because the owner who would recognise unusual activity is no longer looking.
This recipe pulls every user from Entra ID, inspects the signInActivity property (both the interactive lastSignInDateTime and the non-interactive lastNonInteractiveSignInDateTime), and produces a CSV listing every member with no activity for 90+ days and every guest account, regardless of last activity. The output is suitable for license reclamation reviews, quarterly access recertification, and compliance reporting (SOC 2 CC6.2; ISO/IEC 27001:2013 A.9.2.5, control 5.18 in the 2022 edition).
Run it on a recurring schedule (monthly or quarterly) as part of a broader joiner-mover-leaver hygiene program.
Expected Outcomes
- A CSV export (Inactive_and_Guest_Accounts_Report.csv) listing every inactive member and every guest account in the tenant
- Each row includes DisplayName, UserPrincipalName, UserType, AccountEnabled, LastSignIn, LastNonInteractiveSignIn, IsInactive90Days, and IsGuest
- A summary count of inactive members vs. inactive guests
- A reusable artifact for license reclamation, guest cleanup, and access recertification workflows
Risks & Considerations
Before you act on the report
- signInActivity requires Entra ID P1 or P2. Without a premium license Graph rejects requests that select the property rather than returning it as null; a script that swallows that error and reads the missing timestamps as "never signed in" will flag every user as inactive. Treat an all-inactive result as a licensing or permission problem, not a finding. On a licensed tenant, a null value means no sign-in has been recorded since the tenant's sign-in activity data begins, which is not the same as proof that the account was never used.
- Service and break-glass accounts. Emergency-access accounts are intentionally rarely used, so they will always appear inactive; exclude them (and any known service accounts) before disabling anything.
- Non-interactive sign-ins matter. An account may show no interactive sign-in but still be used by a mail client, mobile device, or background token refresh. Treat the later of lastSignInDateTime and lastNonInteractiveSignInDateTime as the account's last activity, and always check both before deprovisioning.
- Guests with recent SharePoint/Teams activity. A guest may appear inactive in the sign-in data but still hold access to shared resources. Cross-check sharing and site-access reports before bulk removal.
- PII handling. The CSV contains personal data (UPNs, display names, sign-in timestamps). Store it in an approved location with access limited to the reviewers, and delete it when the review is closed.
- Do not bulk-disable from this report. Treat it as input to a review workflow: notify account owners or guest sponsors, allow a grace period, and disable before deleting so that a mistaken removal can be reversed.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| User.Read.All | Read user profile properties including userType and accountEnabled |
| AuditLog.Read.All | Required to read the signInActivity property on user objects |
| Directory.Read.All | Broader directory read access used when enumerating all users across the tenant |
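For admins who would rather run the report themselves than hand it to Dex, the following is an added example of the procedure described above (fetch every user with signInActivity, classify by the later of the two timestamps, list every guest, exclude break-glass accounts, export the CSV with the columns listed under Expected Outcomes). It is not code from the original recipe or from the Dex product. It assumes PowerShell 7 with the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Users module), an Entra ID P1/P2 tenant, and a signed-in account holding the User.Read.All and AuditLog.Read.All permissions from the table above. The -UseSampleData switch replaces the live Get-MgUser call with constructed records for a hypothetical tenant contoso.example so the classification logic can be exercised offline.

```powershell
# Added example (not part of the original recipe or the Dex product).
# Assumes: PowerShell 7, Microsoft.Graph.Users (SDK v2), Entra ID P1/P2,
# and a signed-in account with User.Read.All + AuditLog.Read.All.
[CmdletBinding()]
param(
    [int]      $DaysInactive = 90,
    [string[]] $ExcludeUpn   = @(),   # break-glass / service accounts to keep out of the report
    [string]   $OutputPath   = '.\Inactive_and_Guest_Accounts_Report.csv',
    [switch]   $UseSampleData
)

# Classify one user object into a report row. Last activity is the later of the
# interactive and non-interactive timestamps, so a mailbox that is only polled by a
# mobile client is not reported as dormant. Null on both means no sign-in has been
# recorded since the tenant's sign-in activity data begins; it is flagged, and the
# empty LastSignIn/LastNonInteractiveSignIn columns let a reviewer tell it apart.
function Get-AccountStatus {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [datetime] $Cutoff
    )
    $interactive    = $User.SignInActivity.LastSignInDateTime
    $nonInteractive = $User.SignInActivity.LastNonInteractiveSignInDateTime
    $known          = @(@($interactive, $nonInteractive) | Where-Object { $null -ne $_ })
    $lastActivity   = if ($known.Count -gt 0) { $known | Sort-Object -Descending | Select-Object -First 1 } else { $null }

    [PSCustomObject]@{
        DisplayName              = $User.DisplayName
        UserPrincipalName        = $User.UserPrincipalName
        UserType                 = $User.UserType
        AccountEnabled           = $User.AccountEnabled
        LastSignIn               = $interactive
        LastNonInteractiveSignIn = $nonInteractive
        IsInactive90Days         = ($null -eq $lastActivity) -or ($lastActivity -lt $Cutoff)
        IsGuest                  = ($User.UserType -eq 'Guest')
    }
}

# Constructed sample records shaped like Get-MgUser output (hypothetical tenant contoso.example).
function New-SampleUser($Name, $Upn, $Type, $Enabled, $Last, $LastNonInteractive) {
    [PSCustomObject]@{
        DisplayName = $Name; UserPrincipalName = $Upn; UserType = $Type; AccountEnabled = $Enabled
        SignInActivity = [PSCustomObject]@{
            LastSignInDateTime               = $Last
            LastNonInteractiveSignInDateTime = $LastNonInteractive
        }
    }
}
function Get-SampleUsers {
    $now = Get-Date
    @(
        New-SampleUser 'Alice Active'   'alice@contoso.example'      'Member' $true  $now.AddDays(-3)   $now.AddDays(-1)
        New-SampleUser 'Bob Dormant'    'bob@contoso.example'        'Member' $true  $now.AddDays(-200) $now.AddDays(-180)
        New-SampleUser 'Carol Mobile'   'carol@contoso.example'      'Member' $true  $now.AddDays(-150) $now.AddDays(-2)
        New-SampleUser 'Dave NeverUsed' 'dave@contoso.example'       'Member' $false $null              $null
        New-SampleUser 'Erin Guest'     'erin_fabrikam.example#EXT#@contoso.example'  'Guest' $true $now.AddDays(-10) $null
        New-SampleUser 'Frank Guest'    'frank_fabrikam.example#EXT#@contoso.example' 'Guest' $true $null             $null
        New-SampleUser 'Break Glass'    'breakglass@contoso.example' 'Member' $true  $now.AddDays(-400) $null
    )
}

$cutoff = (Get-Date).AddDays(-$DaysInactive)

if ($UseSampleData) {
    $users = Get-SampleUsers
} else {
    Import-Module Microsoft.Graph.Users
    Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
    # signInActivity is only returned when explicitly selected; -All pages through the tenant.
    # Without an Entra ID P1/P2 licence this request is rejected (HTTP 403) rather than returning nulls.
    $users = Get-MgUser -All -Property 'id,displayName,userPrincipalName,userType,accountEnabled,signInActivity'
}

$report = $users |
    Where-Object { $ExcludeUpn -notcontains $_.UserPrincipalName } |
    ForEach-Object { Get-AccountStatus -User $_ -Cutoff $cutoff } |
    Where-Object { $_.IsGuest -or $_.IsInactive90Days }   # every guest, plus members inactive past the cutoff

$report | Sort-Object IsGuest, LastSignIn | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

$inactiveMembers = @($report | Where-Object { -not $_.IsGuest }).Count
$guests          = @($report | Where-Object { $_.IsGuest }).Count
$inactiveGuests  = @($report | Where-Object { $_.IsGuest -and $_.IsInactive90Days }).Count
Write-Host "Inactive members: $inactiveMembers | Guests: $guests (inactive: $inactiveGuests) | Written to $OutputPath"
```

Running `pwsh -File Get-InactiveAccounts.ps1 -UseSampleData -ExcludeUpn breakglass@contoso.example` (file name is the example's own) exercises the caveats from the previous section on the constructed set: the break-glass account is dropped before classification, Carol is not flagged because her non-interactive timestamp is recent even though her last interactive sign-in is 150 days old, Dave and Frank are flagged with both timestamp columns empty so a reviewer can see they are "no sign-in recorded" rather than "stale", and Erin is listed only because every guest is. Against a live tenant, drop -UseSampleData; the column name IsInactive90Days is kept to match the recipe even if you change -DaysInactive, and the script only writes a CSV, it never disables or deletes anything.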
The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.
For IT Admins
Paste into Dex CoAdmin