In on premises active directory, how a stale user is defined depends on last logon and last password reset activity. I want to know how to define a user as a stale user after some period of time in azure active directory.
1
votes
1 Answers
-1
votes
Azure AD does not provide a direct feature for identifying stale users.
The article below can help:
https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/
The text below is borrowed from the above blog:
This script uses the RefreshTokensValidFromDateTime property from the user in conjunction with one of the following:
- default token refresh lifetime in Azure AD (90 days)
- the actual token refresh lifetime if a policy has been configured and is able to be read
- a user-specified value
This will help you identify when users last logged on (using the RefreshTokensValidFromDateTimeProperty), and then, based on the tenant’s refresh token setting and a “stale” value (how long you want to specify without a refresh token being updated), lets you calculate a stale user.
Script available at
https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5
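The calculation the answer describes, written out as an added example (this is not the blog's script or anything from the TechNet gallery). It takes user objects shaped like `Get-AzureADUser` output, compares each `RefreshTokensValidFromDateTime` against the tenant's refresh token lifetime plus a stale threshold, and reports which accounts fall outside that window. The `Get-StaleUserReport` function, the `StaleDays` threshold of 30, the rule "stale when older than lifetime + StaleDays", and the sample accounts are all assumptions made for this example; the 90-day default lifetime is the value stated in the answer. The input is constructed in-memory data so the block runs offline without a tenant.

```powershell
# Added example, not the blog's script. Classifies users as stale from
# RefreshTokensValidFromDateTime. In a real tenant you would replace $sampleUsers
# with: Get-AzureADUser -All $true | Get-StaleUserReport
function Get-StaleUserReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$User,

        # Default Azure AD refresh token lifetime (90 days), as given in the answer.
        # Supply the tenant's configured value here if a policy overrides the default.
        [int]$RefreshTokenLifetimeDays = 90,

        # Assumed threshold: days beyond the token lifetime with no refresh-token
        # update before the account is reported as stale.
        [int]$StaleDays = 30,

        # Reference time, overridable so a report is reproducible.
        [datetime]$AsOf = (Get-Date).ToUniversalTime()
    )
    begin {
        # Anything whose refresh tokens became valid before this point is stale.
        $cutoff = $AsOf.AddDays(-($RefreshTokenLifetimeDays + $StaleDays))
    }
    process {
        foreach ($u in $User) {
            $validFrom = $u.RefreshTokensValidFromDateTime

            # Accounts with no timestamp cannot be evaluated; report them rather
            # than silently dropping them from the list.
            if ($null -eq $validFrom) {
                [pscustomobject]@{
                    UserPrincipalName      = $u.UserPrincipalName
                    UserType               = $u.UserType
                    RefreshTokensValidFrom = $null
                    DaysSinceRefreshValid  = $null
                    IsStale                = $null
                    Reason                 = 'NoRefreshTokenTimestamp'
                }
                continue
            }

            $validFrom = ([datetime]$validFrom).ToUniversalTime()
            $ageDays   = [int][math]::Floor(($AsOf - $validFrom).TotalDays)
            $isStale   = $validFrom -lt $cutoff
            $reason    = if ($isStale) {
                "Older than $($RefreshTokenLifetimeDays + $StaleDays) days"
            } else {
                'WithinWindow'
            }

            [pscustomobject]@{
                UserPrincipalName      = $u.UserPrincipalName
                UserType               = $u.UserType
                RefreshTokensValidFrom = $validFrom
                DaysSinceRefreshValid  = $ageDays
                IsStale                = $isStale
                Reason                 = $reason
            }
        }
    }
}

# Constructed sample data (hypothetical accounts) shaped like Get-AzureADUser output.
$asOf = [datetime]::SpecifyKind([datetime]'2024-03-01', 'Utc')
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';                  UserType = 'Member'; RefreshTokensValidFromDateTime = $asOf.AddDays(-10)  }
    [pscustomobject]@{ UserPrincipalName = 'bob_partner.example#EXT#@contoso.example'; UserType = 'Guest';  RefreshTokensValidFromDateTime = $asOf.AddDays(-200) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example';                  UserType = 'Member'; RefreshTokensValidFromDateTime = $asOf.AddDays(-119) }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';                   UserType = 'Member'; RefreshTokensValidFromDateTime = $null }
)

# With the defaults (90 + 30 = 120 days) only the guest account at 200 days is stale;
# carol at 119 days stays inside the window and dave is reported as unevaluable.
$report = $sampleUsers | Get-StaleUserReport -AsOf $asOf
$report | Format-Table -AutoSize
$report | Where-Object IsStale -eq $true | Select-Object UserPrincipalName, DaysSinceRefreshValid
```

Treat the output as a candidate list to review, not a verdict: `RefreshTokensValidFromDateTime` moves when a password is reset or refresh tokens are revoked, not on every sign-in, so an account can be active while the timestamp stays old, and the refresh token lifetime you pass in must match what the tenant actually enforces for the window to mean anything. Where the tenant exposes the Microsoft Graph `signInActivity` property on users, its last sign-in date is a more direct measure and is worth preferring over this heuristic.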