Is there a query to run so I can get a list of users who have NOT logged in, in the past 30 days? - azure

I am trying to create a query that gives me a list of all users who have NOT logged into Azure or any services connected with Azure in the last 30 days. This query would start at 30 days and go back. Also, the account would have to be active, not one that is already deleted.
Any thoughts on how to complete this would be appreciated!

I guess you may get this requirement done with the Graph API, to get the list of all users who have not had any login activity in the last 30 days:
https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-5-list-the-last-sign-in-time-of-users-in-a-specific-time-range
If the Graph API is not feasible, then the Diagnostic Settings from Azure under Monitoring can be leveraged to build the logic for getting the list of users per the requirement, and then the query copied:
https://2bcloud.io/inactive-users-in-azure-active-directory/
https://social.msdn.microsoft.com/Forums/en-US/0e1869fb-2861-4a43-9ff3-5b988da7edd0/inactive-users-report-for-azure-active-directory-applications?forum=WindowsAzureAD

Related

How to automatically clean up users not logged in for 90 days in Azure AD

My requirements are to find all the users not logged in via Azure AD for the last 45 days and the last 90 days and take action. That is,
A daily nightly job to run on Azure AD and if it finds users not logged in for the last 45 days, it should automatically disable the users.
A daily nightly job to run on Azure AD and if it finds users not logged in for the last 90 days or previously inactive users, it should delete the users.
This link looks similar, where it's going via a review process. However, my requirements are a bit simpler.
Thanks.
There are several options for identifying and removing stale/inactive users:
The access review feature you linked for identifying and removing inactive users is the most seamless, built-in way to achieve this at the moment. You can specify the "days inactive" and then remove the accounts either after the review period passes or after no reviewer has responded. To create access reviews and identify inactive users, you do need to have a Premium P2 license.
Alternatively though, you could use an Azure Automation account or Azure Logic App to achieve the same thing. For instance, you could create an Azure Automation PowerShell runbook with a daily schedule that checks the Azure AD sign-in logs and deletes the accounts based on the condition of whether they have recently signed in (i.e. where max_TimeGenerated <= ago(45d)). There is an example blog post here that implements this logic. Note that to update the accountEnabled property of admin users, you need to use delegated permissions, which need to run in the context of a user.
Another option is to query based on the lastSignInDateTime property.
The documentation for How To Manage Inactive Users has an example of how to query users who haven't signed in after a certain date using Microsoft Graph API.
Example:
https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z
To test the call, you can Sign in to Graph Explorer using the Global Administrator account of your tenant and execute the GET call.
Permissions Required:
Directory.AccessAsUser.All
Directory.Read.All
The SignInActivity property/endpoint is documented in detail here: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-3--list-users-including-their-last-sign-in-time
If you don't want the full list of users, you can also search for a specific user by name and evaluate the lastSignInDateTime:
https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'marileet')&$select=displayName,signInActivity
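Putting the two answers above together as an added example (not code from either answer): it pages through /beta/users selecting the signInActivity property, then classifies enabled accounts locally, which also catches accounts that have never signed in (the bare `lastSignInDateTime le <date>` filter cannot return those, because the property is absent) while sparing accounts created after the cutoff. It assumes a bearer token with Directory.Read.All (listed above) and AuditLog.Read.All (assumed); the sample pages are constructed.

```python
from datetime import datetime, timedelta, timezone
import json, urllib.request

USERS_URL = ("https://graph.microsoft.com/beta/users?$top=999"
             "&$select=userPrincipalName,accountEnabled,createdDateTime,signInActivity")

def fetch_pages(token, url=USERS_URL):
    """Yield every page of the collection, following @odata.nextLink (real HTTP)."""
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield page
        url = page.get("@odata.nextLink")

def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def stale_users(pages, days, now=None):
    """UPNs of enabled accounts with no sign-in (interactive or non-interactive) in
    the last `days` days; never-signed-in accounts count once older than the cutoff."""
    now = ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    cutoff, stale = now - timedelta(days=days), []
    for page in pages:
        for u in page.get("value", []):
            if not u.get("accountEnabled"):      # disabled accounts are out of scope
                continue
            act = u.get("signInActivity") or {}
            seen = [t for t in map(ts, (act.get("lastSignInDateTime"),
                                         act.get("lastNonInteractiveSignInDateTime"))) if t]
            last = max(seen) if seen else ts(u.get("createdDateTime"))
            if last is None or last < cutoff:
                stale.append(u["userPrincipalName"])
    return stale

def sample(upn, enabled=True, created="2022-01-01T00:00:00Z", last=None, nonint=None):
    """Constructed user record in the shape Graph returns (not real tenant data)."""
    act = {k: v for k, v in (("lastSignInDateTime", last),
                             ("lastNonInteractiveSignInDateTime", nonint)) if v}
    return {"userPrincipalName": upn, "accountEnabled": enabled,
            "createdDateTime": created, "signInActivity": act or None}

SAMPLE_PAGES = [
    {"value": [sample("alice@contoso.example", last="2023-05-01T08:00:00Z"),
               sample("bob@contoso.example", last="2023-01-10T08:00:00Z", nonint="2023-05-20T08:00:00Z")],
     "@odata.nextLink": "https://graph.microsoft.com/beta/users?$skiptoken=constructed"},
    {"value": [sample("carol@contoso.example"),                                  # never signed in
               sample("dave@contoso.example", created="2023-05-25T00:00:00Z"),   # brand-new account
               sample("erin@contoso.example", enabled=False, last="2022-12-01T08:00:00Z")]},
]
```

Against a live tenant, replace SAMPLE_PAGES with `fetch_pages(token)`; with days=30 and a reference time of 2023-06-01 the sample yields alice (last sign-in too old) and carol (never signed in), while bob's recent non-interactive sign-in and dave's new account keep them out.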

How to get all user information from Azure AD Graph based on list of users?

If I have a large list of users, how can I return a list of the ones that exist in Azure AD via the Graph without a huge performance hit?
Let's say the Azure Tenant has 30,000 users
And we want to check a list of 1,000 users to see if they exist
I see two ways to do this:
Iterate over each user and check if that user exists, passing in a filter to the graph on the UPN
Query Azure for all users and intersect on that set. This results in 30,000 users being returned which requires paging (~30 pages) on the Azure side. This significantly reduces performance.
Is there a POST request where you can pass in users to match on? Is there a limit to the amount of data you can put in the filter on the GET request?
I have tried to repro getting only the list of users from the bulk users in AD.
Use endsWith or startsWith as in the query below:
https://graph.microsoft.com/v1.0/users?$count=true&$search="displayName:room"&$filter=endsWith(mail, '#XXXXXXX.onmicrosoft.com')&$orderBy=displayName&$select=id,displayName,mail&$top=2
Making sure ConsistencyLevel: eventual is added gives me the result below, which has searched only the top 2 as per the required data.
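An added example (not code from the answer above) that builds the endsWith query the answer describes from a caller-supplied domain: the OData string literal is escaped so a stray quote cannot terminate or widen the filter, the request carries the ConsistencyLevel: eventual header and $count=true that endsWith requires, and the returned UPNs are compared case-insensitively against the local list from the question. The domain and the response page are constructed.

```python
import urllib.parse

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

def odata_string(value):
    """Quote a filter literal; a ' inside is doubled, so O'Brien becomes 'O''Brien'
    and cannot close the string early and append extra filter clauses."""
    return "'" + value.replace("'", "''") + "'"

def build_request(domain, top=999):
    """(url, headers) for the endsWith query. endsWith is an 'advanced query':
    it only works together with $count=true and the ConsistencyLevel header."""
    params = {
        "$count": "true",
        "$filter": "endsWith(mail, %s)" % odata_string("@" + domain),
        "$orderby": "displayName",
        "$select": "id,displayName,mail,userPrincipalName",
        "$top": str(top),
    }
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return GRAPH_USERS + "?" + query, {"ConsistencyLevel": "eventual"}

def missing_users(wanted, pages):
    """Which of the locally held UPNs did the query not return?
    UPNs are case-insensitive, so compare case-folded values."""
    found = {u["userPrincipalName"].casefold()
             for page in pages for u in page.get("value", [])}
    return sorted(w for w in wanted if w.casefold() not in found)

# Constructed response page (not real tenant data)
SAMPLE_PAGE = {"@odata.count": 2, "value": [
    {"id": "1", "displayName": "Ann O'Brien", "mail": "ann@contoso.example",
     "userPrincipalName": "Ann.OBrien@contoso.example"},
    {"id": "2", "displayName": "Room 101", "mail": "room101@contoso.example",
     "userPrincipalName": "room101@contoso.example"}]}
```

When paging a real tenant, follow @odata.nextLink and pass every page to missing_users; @odata.count only appears in the response when the ConsistencyLevel header was sent.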

Azure Active Directory Group Delta API

I am using the Azure Active Directory Group API for my tenant to list all the groups. I am using GET DELTA
https://learn.microsoft.com/en-us/graph/api/group-delta?view=graph-rest-1.0&tabs=http
GET https://graph.microsoft.com/v1.0/groups/delta?$select=resourceBehaviorOptions,groupTypes,membershipRuleProcessingState,mail,visibility,displayName,mailEnabled,createdDateTime,creationOptions,proxyAddresses,securityIdentifier,resourceProvisioningOptions,id,securityEnabled,mailNickname,members
According to the documentation, when I make this call for the first time it should give me all the meta-data related to groups, and at the end it should give me a "delta-link". This delta link, when called later, would give just the changes that have been made to the meta-data of groups since then.
However, during the first call, when I should only be getting all the meta-data, I am getting resources with the annotation #removed. According to my understanding, I should get the changes only when I call the delta link, and not the first time when I am getting all the data.
I wanted to know if this is a feature (Microsoft returns #removed for groups which were removed, let's say, 10 days ago), or if this is a bug?
I have tested this in my lab and it's the same for me as well: when making a call to GET /groups/delta it provides me with a nextLink, and it also provides the users I had removed from a group a few days back.
So, the removals made earlier are shown in the first response and in the nextLink, which is expected as per the Microsoft documentation: The #removed object can be returned in the initial delta query response and in tracked (deltaLink) responses, and the new changes that were made after the delta call can be tracked in the delta link response.
Reference: Use delta query to track changes in Microsoft Graph data - Microsoft Graph | Microsoft Docs
group: delta - Microsoft Graph v1.0 | Microsoft Docs
Sample testing using Graph Explorer:
Setting up the delta call: in response I get all the details of my groups and a nextLink for more details, until finally I get the deltaLink.
I have created a user in the group after the initial response.
In the deltaLink response, I get the details of the user added.
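The round described in the answer above, as an added example (not the answer's own code): a small delta-sync client for /groups/delta that follows @odata.nextLink until the @odata.deltaLink arrives, stores that link for the next run, and applies @removed annotations (on whole groups and on members@delta entries), which as the answer notes may already appear in the initial response. It assumes a Graph bearer token; the response pages and their skiptoken/deltatoken values are constructed placeholders.

```python
import json, urllib.request

def fetch(url, token):
    """One authenticated GET against Graph (real HTTP)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def apply_page(state, page):
    """Merge one delta page into state: {group id: {..., "members": set()}}."""
    for g in page.get("value", []):
        if "@removed" in g:          # deleted group; may show up in the first round too
            state.pop(g["id"], None)
            continue
        grp = state.setdefault(g["id"], {"members": set()})
        grp.update({k: v for k, v in g.items() if k != "members@delta"})
        for m in g.get("members@delta", []):   # membership changes ride along
            if "@removed" in m:
                grp["members"].discard(m["id"])
            else:
                grp["members"].add(m["id"])

def sync(url, token, state=None, get=fetch):
    """Follow @odata.nextLink until an @odata.deltaLink arrives; return (state, deltaLink).
    Persist the deltaLink and pass it back in as url to fetch only later changes."""
    state = {} if state is None else state
    while True:
        page = get(url, token)
        apply_page(state, page)
        if "@odata.deltaLink" in page:
            return state, page["@odata.deltaLink"]
        url = page["@odata.nextLink"]

# Constructed responses keyed by URL (not real tenant data)
START = "https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,members"
NEXT = START + "&$skiptoken=page2"
DELTA1, DELTA2 = START + "&$deltatoken=t1", START + "&$deltatoken=t2"
PAGES = {
    START: {"value": [{"id": "g1", "displayName": "Admins", "members@delta": [
                          {"id": "u1"}, {"id": "u2", "@removed": {"reason": "deleted"}}]},
                      {"id": "g-old", "@removed": {"reason": "deleted"}}],
            "@odata.nextLink": NEXT},
    NEXT: {"value": [{"id": "g2", "displayName": "Staff", "members@delta": [{"id": "u3"}]}],
           "@odata.deltaLink": DELTA1},
    DELTA1: {"value": [{"id": "g1", "members@delta": [{"id": "u4"}]}],
             "@odata.deltaLink": DELTA2},
}

def fake_get(url, token):
    return PAGES[url]
```

Run `sync(START, token)` once with the real `fetch`, keep the returned deltaLink, and call `sync(delta_link, token, state=state)` on later runs to receive only groups and memberships changed since then.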

Find the particular set of users and remove from Azure Subscription

I want to create an Azure Logic App which runs every minute. It should look for all the users in a subscription whose user id (user name) doesn't end with "myorg.com"; if it finds any user whose user id doesn't end with "myorg.com", then delete that user.
I tried looking on the web but I could not find any action similar to the above. Which connector should I use to accomplish the above requirement? Or let me know if there is any other approach to do this. Could anyone please help me with this.
Edit: I want to delete the user from the Subscription.
Thanks in advance.
If you are running this every minute, I believe you want to validate for users that are added to the subscription. If that's the case, I would suggest you to use Event Grid and the Azure Subscription publisher, which can publish an event every time a user is added to the Azure Subscription, then push that event to the Logic App, and let the Logic App check whether the user id has the expected domain and send the corresponding alerts.
Event Grid will allow you to react to events instead of having to poll every minute.
You can find a demo of a very similar scenario here:
https://channel9.msdn.com/Shows/Azure-Friday/Azure-Event-Grid
HTH

Azure Portal - AD Group Members only lists first 100 members

While using the Azure Portal website (portal.azure.com) to view Azure AD group members, the site only returns a list of the first 100 group members without any sort of prompt/button for a second page.
In my case the group contains 145 users, but as it's only showing the first 100 it looks like there are people missing.
Is there a way to have it display the full list of members?
If not and this is a bug, is there a known bug tracking for this so that I can keep tabs on it?
It seems to be a disadvantage of the new Azure AD portal (portal.azure.com), but you could use the Azure AD classic portal (https://manage.windowsazure.com) to manage the full list of members; it works well:
If you have any feedback about Azure, you could post it to https://feedback.azure.com/forums/34192--general-feedback
Update
Now the new portal has the "Load more" button which could continuously load users.
I want to say that this is not a bug but designed behavior. Please review the link and you'll see:
The following restrictions apply to paged requests:
The default page size is 100. The maximum page size is 999
The only way you can do this is via an actual REST API call using $top=999 in your query. Also, the Azure classic portal is an option here, just like Nan answered, as it uses pages.