Find obsolete guest accounts by activity

# Review required modules and connection steps before running.
# Connect to Microsoft Graph or Exchange Online as needed for this script.

param(
    [int] $LookbackDays = 90,
    [string] $StartDate = (Get-Date).AddDays(-$LookbackDays) #For audit log,
    [string] $EndDate = (Get-Date); $Active = 0; $EmailActive = 0; $Inactive = 0; $AuditRec = 0
)
 
$Guests = (Get-AzureADUser -Filter "UserType eq 'Guest'" -All $True| Select Displayname, UserPrincipalName, Mail, RefreshTokensValidFromDateTime)
Write-Host $Guests.Count "guest accounts found. Checking their recent activity..."
$StartDate2 = (Get-Date).AddDays(-$LookbackDays) #For message trace
$Report = [System.Collections.Generic.List[Object]]::new() # Create output file
ForEach ($G in $Guests) {
    Write-Host "Checking" $G.DisplayName
    $LastAuditAction = $Null; $LastAuditRecord = $Null
    # Search for audit records for this user
    $Recs = (Search-UnifiedAuditLog -UserIds $G.Mail, $G.UserPrincipalName -Operations UserLoggedIn, SecureLinkUsed, TeamsSessionStarted -StartDate $StartDate -EndDate $EndDate -ResultSize 1)
    If ($Recs.CreationDate -ne $Null) { # We found some audit logs
       $LastAuditRecord = $Recs[0].CreationDate; $LastAuditAction = $Recs[0].Operations; $AuditRec++
       Write-Host "Last audit record for" $G.DisplayName "on" $LastAuditRecord "for" $LastAuditAction -Foregroundcolor Green }
    Else { Write-Host "No audit records found in the last 90 days for" $G.DisplayName "; account created on" $G.RefreshTokensValidFromDateTime -Foregroundcolor Red }
    # Check message trace data because guests might receive email through membership of Outlook Groups. Email address must be valid for the check to work
    If ($G.Mail -ne $Null) {
       $EmailRecs = (Get-MessageTrace –StartDate $StartDate2 –EndDate $EndDate -Recipient $G.Mail)
       If ($EmailRecs.Count -gt 0) {
           Write-Host "Email traffic found for" $G.DisplayName "at" $EmailRecs[0].Received -foregroundcolor Yellow
           $EmailActive++ }}
     # Write out report line
     $ReportLine = [PSCustomObject][Ordered]@{
          Guest            = $G.Mail
          Name             = $G.DisplayName
          Created          = $G.RefreshTokensValidFromDateTime
          EmailCount       = $EmailRecs.Count
          LastConnectOn    = $LastAuditRecord
          LastConnect      = $LastAuditAction}
       $Report.Add($ReportLine)  }
 
$Active = $AuditRec + $EmailActive
$Report | Export-CSV -NoTypeInformation c:\temp\GuestActivity.csv
Write-Host ""
Write-Host "Statistics"
Write-Host "----------"
Write-Host "Guest Accounts          " $Guests.Count
Write-Host "Active Guests           " $Active
Write-Host "Audit Record foun       " $AuditRec
Write-Host "Active on Email         " $EmailActive
Write-Host "InActive Guests         " ($Guests.Count - $Active)