Get AzureAD Guest Users LastLogin for stale accounts PowerShell

Which property comes closest to the LastLogin property?

LastLogin is an attribute known from Active Directory, but this property is not present in AzureAD.

Property RefreshTokensValidFromDateTime comes closest to the LastLogin property. This property indicates how long the token issued at the last login remains valid and when the local token must be renewed.

Unfortunately this is not a good property for this purpose. As an alternative, I can give you the last login via Microsoft Graph.


What about audit logs and Microsoft Graph API?

You can get the last login from the audit log, and you can retrieve it easily with the Microsoft Graph API.

For the whole story, I’d like to refer you to a page of mine, where I explain how to start with Microsoft Graph in PowerShell.
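To show what the Graph side of this looks like, here is an added example that is not part of the author's Microsoft.Graph.API module. It pages through the /users endpoint and selects the signInActivity property the post refers to. It assumes $AccessToken is an app-only bearer token you obtained elsewhere, for an app registration that has User.Read.All and AuditLog.Read.All (signInActivity needs the latter); the function name is my own.

```powershell
# Added example, not the Microsoft.Graph.API module's code.
# Assumes $AccessToken is a valid bearer token for Microsoft Graph (app-only),
# granted User.Read.All and AuditLog.Read.All.

function Get-GraphUserSignInActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [ValidateSet('Guest', 'Member')] [string] $UserType = 'Guest'
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    $select  = 'id,userPrincipalName,createdDateTime,signInActivity'
    # Backticks keep PowerShell from expanding $filter / $select as variables.
    $uri     = "https://graph.microsoft.com/v1.0/users?`$filter=userType eq '$UserType'&`$select=$select"

    # Graph returns one page per call; keep following @odata.nextLink until it is
    # absent, otherwise a large tenant silently loses most of its users.
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        foreach ($u in $page.value) {
            [pscustomobject]@{
                Id                = $u.id
                UserPrincipalName = $u.userPrincipalName
                CreatedDateTime   = $u.createdDateTime
                # $null when there is no sign-in inside the sign-in activity window
                LastSignIn        = $u.signInActivity.lastSignInDateTime
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

# Usage (needs a live token):
# $guests = Get-GraphUserSignInActivity -AccessToken $token -UserType Guest
```

The loop over @odata.nextLink is the part people most often forget: a single call returns only the first page, so a stale-account report built from one call would miss everyone after it.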


Let’s just get the stale Guest Users accounts in AzureAD.

Before we can start…

We need the following:

I wrote the Microsoft.Graph.API module myself.
If you have feedback for me, you can leave a comment on this post or on GitHub.


The script contains two functions.

You can download the script from GitHub.
The script contains two functions:

  • Get-AzureADUsers
  • Remove-AzureADUsers

Both functions support -Verbose, which you can use for troubleshooting.

Import the module and connect with Microsoft Graph with the below cmdlets.
Change the XXX’s to the correct values.

Import-Module Microsoft.Graph.API

Connect-MSGraphAPI `
    -ApplicationID 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' `
    -Tenant 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' `
    -ApplicationSecret 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

Get-AzureADUsers

Now that you are logged in, we can start with the first function in the script.
This is Get-AzureADUsers.

This function contains one parameter, UserType. This is a ValidateSet with the choice of Guest or Member. Those speak for themselves and we will use Guest in this blog.
By adding this parameter we retrieve all Guest accounts from AzureAD.

$Users = Get-AzureADUsers -UserType Guest -Verbose

When SignInActivity is empty, the user either never logged in or has not logged in within the past 90 days.

The output already contains the LastLogin, so you can stick with this.

Or… since these are stale accounts, I’d like to help you with a nicer report, or even with removing the stale accounts from AzureAD.


Remove-AzureADUsers

This command expects data back from Get-AzureADUsers. So always use that function before Remove-AzureADUsers.

This function contains 4 parameters:

  • Users
    • This parameter expects the output of Get-AzureADUsers: a list of (Guest) users.
  • DaysOld
    • This one is more specific. I ran this script in our working environment and 1-2 days later I got messages that Guest accounts had been deleted that had just been added to the tenant.
      Okay, a new guest user who has not yet logged in of course does not have any Sign-In Activity.
      The Sign-In Activity audit does not go back further than 90 days, so I assumed that users who had not logged in for 90 days could be removed. This caused me to delete the new accounts.
      Hence this parameter… With it you specify for how many days after its creation date an account may not be deleted.
  • DeleteAfterDays
    • With this parameter you indicate after how many days of inactivity you want an account deleted.
      A value of 90 or more will only delete accounts that have no sign-in at all, because the Sign-In Activity only covers 90 days.
  • ReportOnly
    • The ReportOnly parameter does not delete accounts. This is a switch you can add if you only want to generate a report, which you can tune with the parameters above.

$List = Remove-AzureADUsers -Users $Users -DaysOld 30 -DeleteAfterDays 60 -Verbose
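To make the DaysOld / DeleteAfterDays / ReportOnly logic concrete, here is an added example that is not the Microsoft.Graph.API module's code. It runs the same decision rules over a constructed set of user objects shaped like a Graph /users response (createdDateTime plus signInActivity.lastSignInDateTime), so it works offline. The function names, the $AuditWindowDays parameter and the $DeleteAction placeholder are my own assumptions; in the real module the removal step is a Graph call.

```powershell
# Added example, not the Microsoft.Graph.API module's code. All function and
# parameter names are assumptions made for this illustration.

function ConvertTo-UtcDateTime {
    # Graph returns ISO 8601 timestamps ("2024-03-01T08:15:00Z"); keep them in UTC
    # so the age arithmetic does not depend on the machine's time zone.
    param([string] $Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    return [datetime]::Parse($Value, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
}

function Get-StaleGuestReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        # Never flag an account younger than this: a brand-new guest has no
        # sign-in activity yet (the pitfall described in the post).
        [int] $DaysOld = 30,
        # Days without a sign-in after which an account counts as stale.
        [int] $DeleteAfterDays = 60,
        # Sign-in activity only covers this many days, so "no activity" means
        # "no sign-in inside the window", not "never signed in".
        [int] $AuditWindowDays = 90,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )

    foreach ($u in $Users) {
        $created    = ConvertTo-UtcDateTime $u.createdDateTime
        $lastSignIn = ConvertTo-UtcDateTime $u.signInActivity.lastSignInDateTime
        $ageDays    = [int][math]::Floor(($Now - $created).TotalDays)

        if ($lastSignIn) {
            $inactiveDays = [int][math]::Floor(($Now - $lastSignIn).TotalDays)
        } else {
            # Lower bound only: no sign-in for as long as the account exists, but the
            # audit data cannot prove more than the window length.
            $inactiveDays = [math]::Min($ageDays, $AuditWindowDays)
        }

        $status = 'Active'
        if ($ageDays -lt $DaysOld) { $status = 'Protected' }   # too new to judge
        elseif ($inactiveDays -ge $DeleteAfterDays) { $status = 'Stale' }

        [pscustomobject]@{
            UserPrincipalName = $u.userPrincipalName
            CreatedDateTime   = $created
            LastSignIn        = $lastSignIn
            AgeDays           = $ageDays
            InactiveDays      = $inactiveDays
            Status            = $status
        }
    }
}

function Invoke-StaleGuestCleanup {
    # -ReportOnly mirrors the post's switch: list the candidates, delete nothing.
    # Otherwise each stale account goes through ShouldProcess, so -WhatIf and
    # -Confirm work, and the removal itself is delegated to $DeleteAction (a
    # placeholder here; in production that is where the Graph delete call lives).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Report,
        [switch] $ReportOnly,
        [scriptblock] $DeleteAction = { param($Upn) Write-Host "placeholder: would delete $Upn" }
    )
    $stale = @($Report | Where-Object Status -eq 'Stale')
    if (-not $ReportOnly) {
        foreach ($entry in $stale) {
            if ($PSCmdlet.ShouldProcess($entry.UserPrincipalName, 'Delete stale guest')) {
                & $DeleteAction $entry.UserPrincipalName
            }
        }
    }
    return $stale
}

# Constructed sample data, shaped like /users?$select=userPrincipalName,createdDateTime,signInActivity
$sampleJson = @'
[
  { "userPrincipalName": "new_guest#EXT#@contoso.example",  "createdDateTime": "2024-05-25T09:00:00Z", "signInActivity": null },
  { "userPrincipalName": "old_noauth#EXT#@contoso.example", "createdDateTime": "2023-11-01T09:00:00Z", "signInActivity": null },
  { "userPrincipalName": "active#EXT#@contoso.example",     "createdDateTime": "2023-06-01T09:00:00Z", "signInActivity": { "lastSignInDateTime": "2024-05-20T07:30:00Z" } },
  { "userPrincipalName": "idle#EXT#@contoso.example",       "createdDateTime": "2023-06-01T09:00:00Z", "signInActivity": { "lastSignInDateTime": "2024-03-10T12:00:00Z" } }
]
'@
$users = $sampleJson | ConvertFrom-Json
$now   = ConvertTo-UtcDateTime '2024-06-01T00:00:00Z'   # fixed clock so the sample is reproducible

$report = Get-StaleGuestReport -Users $users -DaysOld 30 -DeleteAfterDays 60 -Now $now
$report | Format-Table UserPrincipalName, AgeDays, InactiveDays, Status
# new_guest -> Protected (6 days old), old_noauth -> Stale (90-day lower bound),
# active -> Active (11 days idle), idle -> Stale (81 days idle)

# Report only, nothing is deleted:
Invoke-StaleGuestCleanup -Report $report -ReportOnly | Select-Object UserPrincipalName
# Dry run of the delete path:
Invoke-StaleGuestCleanup -Report $report -WhatIf
```

The point of the DaysOld check is visible in the first sample user: with no sign-in activity and DeleteAfterDays set to 60 it would otherwise be treated as 90 days inactive and deleted on its first day in the tenant, which is exactly what happened in the author's environment.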

You can also export the output to .csv format with this command.

$List | Export-CSV filename.csv -NoTypeInformation

Feedback needed!

I need feedback on these types of blogs regarding PowerShell and scripting.
What could be improved, what are you missing, and what else do you need help with?

You can also leave feedback on Github when it’s script specific.

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell Automation Engineer @ Wortell.
