Entra / Microsoft 365 · Users & guests
Find old Entra ID guest accounts
Find Entra ID guest user accounts older than 365 days and report the groups they belong to.
Connect & set up
Run these once per session. All scopes are read-only unless the script makes changes.
Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All -NoWelcome
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All -NoWelcome# Set age threshold for reporting a guest account[int]$AgeThreshold = 365# Output report name$OutputReport = "c:\Temp\OldGuestAccounts.csv"# Get all guest accounts in the tenantWrite-Host "Finding Guest Accounts..."[Array]$GuestUsers = Get-MgUser -Filter "userType eq 'Guest'" -All -PageSize 999 -Property id, displayName, userPrincipalName, userType, SignInActivity, createdDateTime$i = 0; $Report = [System.Collections.Generic.List[Object]]::new()# Loop through the guest accounts looking for old accountsClear-HostForEach ($Guest in $GuestUsers) {# Check the age of the guest account, and if it's over the threshold for days, report it$i++Write-Host ("Processing Guest {0} ({1} of {2})" -f $Guest.DisplayName, $i, $GuestUsers.Count)$AADAccountAge = ($Guest.CreatedDateTime | New-TimeSpan).DaysIf ($AADAccountAge -gt $AgeThreshold) {$ProgressBar = "Processing Guest " + $Guest.DisplayName + " " + $AAdAccountAge + " days old " + " (" + $i + " of " + $GuestUsers.Count + ")"Write-Progress -Activity "Checking Guest Account Information" -Status $ProgressBar -PercentComplete ($i/$GuestUsers.Count*100)$GroupNames = $null; $RealGroups = $null# Find what Microsoft 365 Groups the guest belongs to... if any[array]$GuestGroups = Get-MgUserMemberOf -UserId $Guest.id#$Uri = ("https://graph.microsoft.com/V1.0/users/{0}/memberOf/microsoft.graph.group?`$filter=groupTypes/any(a:a eq 'unified')&`$top=200&$`orderby=displayName&`$count=true" -f $Guest.Id)#[array]$Data = Invoke-MgGraphRequest -Uri $Uri#[array]$GuestGroups = $Data.ValueIf ($GuestGroups) {# Exclude administrative units$RealGroups = $GuestGroups | Where-Object {$_.additionalproperties.'@odata.type' -eq '#microsoft.graph.group'}$GroupNames = $RealGroups.additionalProperties.displayName -join ", "}$DaysSinceSignIn = "N/A"; $Year = $Null# Some Entra ID accounts without sign in data return a sign in date of Monday 1 January 0001 00:00:00# which makes it difficult to assess how many days since the last sign inIf ($Guest.SignInActivity.LastSignInDateTime) {[datetime]$UserLastSignInDate = $Guest.SignInActivity.LastSignInDateTime$Year = (Get-Date($UserLastSignInDate) -format "yyyy")}Switch ($Year) {$Null {[string]$UserLastLogonDate = "No recent sign in records found"$DaysSinceSignIn = "N/A" }"0001" {[string]$UserLastLogonDate = "No recent sign in records found"$DaysSinceSignIn = "N/A" }Default {[string]$UserLastLogonDate = Get-Date ($UserLastSignInDate) -format g$DaysSinceSignIn = ($UserLastLogonDate | New-TimeSpan).Days }}$Staleness = "Acceptable"If (($AADAccountAge -ge 365) -and ($AADAccountAge -le 730) -and ($NumberOfGroups -eq 0)) {$Staleness = "Stale"} Elseif ($AADAccountAge -gt 730 -and $NumberOfGroups -eq 0) {$Staleness = "Very Stale"}$ReportLine = [PSCustomObject][Ordered]@{UPN = $Guest.UserPrincipalNameName = $Guest.DisplayNameAge = $AADAccountAge"Account created" = $Guest.CreatedDateTime"Last sign in" = $UserLastLogonDate"Days since sign in" = $DaysSinceSignIn"Number of groups" = $RealGroups.CountGroups = $GroupNames"Staleness" = $StalenessId = $Guest.Id }$Report.Add($ReportLine)} #End if guest age met threshold} #End Foreach guest$Report | Export-CSV -NoTypeInformation $OutputReport$PercentStale = ($Report.Count/$GuestUsers.Count).toString("P")Write-Host ("Script complete. {0} guest accounts found aged over {1} days ({2} of {3} accounts). Output CSV file is in {4}" -f $Report.Count, $AgeThreshold, $PercentStale, $GuestUsers.count, $OutputReport)
Attribution
Author
Office365itpros