Comments on: Why It’s a Good Idea to Review and Remove Inactive Guest Accounts Annually

By: Tony Redmond

Tony Redmond — Fri, 02 Jun 2023 16:41:42 +0000

In reply to Zied.

Your token error might be due to token expiry. Check out: https://office365itpros.com/2023/05/29/azure-ad-access-token-lifetime/

By: Zied

Zied — Thu, 01 Jun 2023 22:12:53 +0000

Hello
Thank you sir for your script

Im facing a problem of latency when i excecute the script and also there are some limitations of azure ad : sign in and audit logs are available for 30 days only : getting blank cells in the csv reports

The main problem is when i execute the script to audit 3000 guest user , it take a lot of time without results and errors like : error reading jtoken ..

By: Tony Redmond

Tony Redmond — Tue, 14 Feb 2023 22:02:59 +0000

In reply to Tech13568.

No idea. I can’t see your data. There might not be sign in information available if the guest haven’t signed in recently.

Select a guest account that you don’t see data for and try running the code to see what comes back.

By: Tech13568

Tech13568 — Tue, 14 Feb 2023 21:30:35 +0000

What would cause all of the guest accounts to have the Inactve flag show up as False, yet they have 0 email count, no -sign-ins, no audit record, no last audit action and no group membership, while some accounts do reflect correct information?

By: Alan Birch

Alan Birch — Thu, 19 May 2022 20:49:17 +0000

Maybe you could add a – If not exist C:\temp then create it – line in the code. I ran the script and it took 2 hours but there was no output. I created the C:\temp folder manually then re-ran just the 2 output lines to get my csv files, but I was a little disheartened for a while. Great result in the end though. Thanks.

By: Tony Redmond

Tony Redmond — Fri, 06 May 2022 14:11:10 +0000

In reply to Benni.

The script depends on a query against the Azure AD sign-in logs to return the last sign in date. I don’t know why the Azure AD admin center would show a different value. But anyway, the intention of the script is to give admins more information about guest accounts. It’s then up to the admin to decide how to use the data.

As to Email count, it’s the count of messages received by a guest account in the last 7 days.

By: Benni

Benni — Fri, 06 May 2022 13:38:29 +0000

Hi Tony,
thank you very much for that script! Just tried it out, I got three of 74 guests where last sign-in’s output is “no recent sign in records found” but in Azure AD GUI it indeed says logged in a few days ago.
Main reason why I am writing: What is this EMailCount about? Which mails are counted here? I did not get that I must confess.
Best regards

By: Victor

Victor — Fri, 29 Apr 2022 06:38:51 +0000

In reply to Tony Redmond.

Hi,
Thanks alot for your reply, I will take this under consideration.

Have a wonderful day

By: Tony Redmond

Tony Redmond — Thu, 28 Apr 2022 17:07:31 +0000

In reply to Victor.

One way you could speed things up is to:

Scan Azure AD for guest accounts.
Write out different sections of the guest accounts to CSV files. For example, guests A-C in one file, D-F in another, and so on.
Process each file in a separate PowerShell session (or maybe submitted as runbooks to Azure Automation)
Combine the results of each run in an overall report

It would be very crude parallel processing…

The reason why the script is slow is that it does a lot of work to validate if a guest account is active. Think of how long it would take for a human to check, and then be happy that automation is available…

By: Victor

Victor — Thu, 28 Apr 2022 14:33:29 +0000

Hi Tony,
Great article. I just got this assignment for a tenant I work with. The script seems to work just fine, but it’s a big tenant and a cleanup has never been done as far as I can tell, so the guest accounts are almost up to 9000.. Is there a way to speed up this process of checking? Takes about 1-2 minutes per user right now.

Thanks!