Check if account is inactive in Microsoft Entra ID longer than a period of time

Updated on: Jan 18, 2026, Views: 2235

Property validation, User accounts

The script returns true if the account has been inactive in Microsoft Entra ID for longer than a specified period of time. To execute the script, use the If PowerShell script returns true condition in a business rule, custom command or scheduled task configured for the User object type.

In the script, the $inactivityDurationThreshold variable specifies the inactivity duration (in days) that should be exceeded for the condition to be met. The condition is not met for accounts that have no Microsoft Entra ID identifier or no recorded sign-in date.

$inactivityDurationThreshold = 4 # TODO: modify me

# Get access token for Microsoft Graph API.
$token = $Context.CloudServices.GetAzureAuthAccessToken()

# Get the last logon date.
try
{
    $userId = [Guid]$Context.TargetObject.Get("adm-AzureId")
}
catch
{
    $Context.ConditionIsMet = $False
    return
}

$url = 'https://graph.microsoft.com/beta/users/' + $userId.ToString() + '?$select=signInActivity'
$response = Invoke-RestMethod -Method GET `
    -uri $url `
    -Headers @{Authorization="Bearer $token"}

if ([System.String]::IsNullOrEmpty($response.signInActivity.lastSignInDateTime))
{
    $Context.ConditionIsMet = $False
    return
}

$lastLogonDate = [System.DateTime]$response.signInActivity.lastSignInDateTime

# Get current date.
$currentDate = [System.DateTime]::Now

# Subtract the number of days and compare dates.
$Context.ConditionIsMet = $lastLogonDate -lt $currentDate.AddDays(- $inactivityDurationThreshold)
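
The script above reads only lastSignInDateTime, which Microsoft Graph updates on interactive sign-ins, and it reports an account with no recorded sign-in as not inactive. The following added example (not part of the original script) does the same comparison in UTC over both lastSignInDateTime and lastNonInteractiveSignInDateTime, and falls back to createdDateTime for accounts that never signed in. The function names, the extra createdDateTime field in $select and the sample objects are assumptions made for illustration.

```powershell
# Added example. Input objects are shaped like the Graph response for
# /users/{id}?$select=createdDateTime,signInActivity (assumed query).

function ConvertTo-UtcDate($Value)
{
    # Invoke-RestMethod yields strings in Windows PowerShell 5.1 and DateTime in PowerShell 7.
    if ($null -eq $Value -or "$Value" -eq '') { return $null }
    if ($Value -is [DateTime]) { return $Value.ToUniversalTime() }
    return [DateTimeOffset]::Parse([string]$Value, [Globalization.CultureInfo]::InvariantCulture).UtcDateTime
}

function Test-EntraAccountInactive
{
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [int] $ThresholdDays,
        [DateTime] $NowUtc = [DateTime]::UtcNow
    )

    # Take the most recent sign-in of either kind. Token refreshes and background
    # clients update only lastNonInteractiveSignInDateTime.
    $latest = $null
    foreach ($name in 'lastSignInDateTime', 'lastNonInteractiveSignInDateTime')
    {
        $date = ConvertTo-UtcDate ($User.signInActivity.$name)
        if ($null -ne $date -and ($null -eq $latest -or $date -gt $latest)) { $latest = $date }
    }

    # Never signed in: measure from account creation instead of skipping the account.
    if ($null -eq $latest) { $latest = ConvertTo-UtcDate $User.createdDateTime }
    if ($null -eq $latest) { return $false }   # nothing to measure against

    return $latest -lt $NowUtc.AddDays(-$ThresholdDays)
}

# Constructed sample data (not real accounts), evaluated against a fixed clock.
$now = [DateTime]::new(2026, 1, 18, 0, 0, 0, [DateTimeKind]::Utc)
$backgroundOnly = [pscustomobject]@{
    createdDateTime = '2025-03-01T09:00:00Z'
    signInActivity  = [pscustomobject]@{
        lastSignInDateTime               = '2025-12-01T08:00:00Z'   # stale interactive sign-in
        lastNonInteractiveSignInDateTime = '2026-01-17T22:15:00Z'   # recent background sign-in
    }
}
$neverSignedIn = [pscustomobject]@{ createdDateTime = '2025-06-10T12:00:00Z'; signInActivity = $null }

foreach ($user in $backgroundOnly, $neverSignedIn)
{
    Test-EntraAccountInactive -User $user -ThresholdDays 4 -NowUtc $now
}
```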
