
In on-premises Active Directory, how a stale user is defined depends on last logon and last password reset activity. I want to know how to define a user as stale after some period of time in Azure Active Directory.

1 Answer


Azure AD does not provide a direct feature for identifying stale users.

The article below can help:

https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/

The text below is borrowed from the above blog:

This script uses the RefreshTokensValidFromDateTime property from the user in conjunction with one of the following:

  • default token refresh lifetime in Azure AD (90 days)
  • the actual token refresh lifetime if a policy has been configured and is able to be read
  • a user-specified value

This will help you identify when users last logged on (using the RefreshTokensValidFromDateTime property), and then, based on the tenant's refresh token setting and a "stale" value (how long you want to allow without a refresh token being updated), lets you calculate a stale user.

Script available at:

https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5
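The calculation the answer describes, written out as an added example (this is not the blog's script and not Microsoft's code). It assumes the staleness rule "a user is stale when RefreshTokensValidFromDateTime is older than the refresh token lifetime plus the chosen stale window", the 90-day default lifetime quoted above, and a constructed list of user records in place of the output of Get-AzureADUser or the Graph `refreshTokensValidFromDateTime` field; the function and field names are the example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Default refresh token lifetime in Azure AD, as quoted in the answer above.
DEFAULT_REFRESH_TOKEN_LIFETIME_DAYS = 90


@dataclass
class AadUser:
    """Minimal user record; only the fields this calculation needs (example-specific names)."""
    user_principal_name: str
    refresh_tokens_valid_from: Optional[datetime]  # None: never set on the object


def parse_graph_timestamp(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 UTC timestamp such as '2018-12-20T10:00:00Z' into an aware datetime."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def stale_cutoff(now: datetime, token_lifetime_days: int, stale_days: int) -> datetime:
    """Any refresh-token validity timestamp older than this is considered stale.

    Assumption (the rule this example implements): the user gets the full token
    lifetime to refresh, plus the administrator-chosen grace window on top.
    """
    return now - timedelta(days=token_lifetime_days + stale_days)


def is_stale(user: AadUser, now: datetime,
             token_lifetime_days: int = DEFAULT_REFRESH_TOKEN_LIFETIME_DAYS,
             stale_days: int = 30) -> bool:
    """Classify one user. A missing timestamp is treated as stale (conservative assumption)."""
    if user.refresh_tokens_valid_from is None:
        return True
    return user.refresh_tokens_valid_from < stale_cutoff(now, token_lifetime_days, stale_days)


def stale_users(users: List[AadUser], now: datetime,
                token_lifetime_days: int = DEFAULT_REFRESH_TOKEN_LIFETIME_DAYS,
                stale_days: int = 30) -> List[str]:
    """Return the UPNs of users that fail the staleness check, in input order."""
    return [u.user_principal_name
            for u in users
            if is_stale(u, now, token_lifetime_days, stale_days)]


# Constructed sample data standing in for a directory export; these are not real accounts.
SAMPLE_USERS = [
    AadUser("alice@contoso.example", parse_graph_timestamp("2018-12-20T10:00:00Z")),  # 12 days old
    AadUser("bob@contoso.example",   parse_graph_timestamp("2018-06-01T08:30:00Z")),  # 214 days old
    AadUser("carol@contoso.example", parse_graph_timestamp(None)),                    # never set
    AadUser("dan@contoso.example",   parse_graph_timestamp("2018-09-10T00:00:00Z")),  # 113 days old
]

# Fixed "now" so the report is reproducible; a real run would use datetime.now(timezone.utc).
REPORT_TIME = datetime(2019, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # With the defaults (90 + 30 days), anything before 2018-09-03 is stale.
    for upn in stale_users(SAMPLE_USERS, REPORT_TIME):
        print("stale:", upn)
```

Running it with the defaults reports bob (well past the 120-day cutoff) and carol (no timestamp at all), while dan at 113 days is still inside the window; tightening `stale_days` to 0 would pull dan in as well. Because the property only moves when refresh tokens are reissued or revoked, treat the result as a candidate list to review rather than an authoritative last-logon record.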