Check if account is inactive in Microsoft Entra ID longer than a period of time

Updated on: Jan 18, 2026

Property validation, User accounts

The script returns true if the account has been inactive in Microsoft Entra ID for longer than a specified period of time. To execute the script, use the If PowerShell script returns true condition in a business rule, custom command or scheduled task configured for the User object type.

In the script, the $inactivityDurationThreshold variable specifies the inactivity duration (in days) that should be exceeded for the condition to be met.

$inactivityDurationThreshold = 4 # TODO: modify me

# Get access token for Microsoft Graph API.
$token = $Context.CloudServices.GetAzureAuthAccessToken()

# Get the last logon date.
try
{
    $userId = [Guid]$Context.TargetObject.Get("adm-AzureId")
}
catch
{
    $Context.ConditionIsMet = $False
    return
}

$url = 'https://graph.microsoft.com/beta/users/' + $userId.ToString() + '?$select=signInActivity'
$response = Invoke-RestMethod -Method GET `
    -uri $url `
    -Headers @{Authorization="Bearer $token"}

if ([System.String]::IsNullOrEmpty($response.signInActivity.lastSignInDateTime))
{
    $Context.ConditionIsMet = $False
    return
}

$lastLogonDate = [System.DateTime]$response.signInActivity.lastSignInDateTime

# Get current date.
$currentDate = [System.DateTime]::Now

# Subtract the number of days and compare dates.
$Context.ConditionIsMet = $lastLogonDate -lt $currentDate.AddDays(- $inactivityDurationThreshold)
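
The script above tests only signInActivity.lastSignInDateTime, which Microsoft Graph fills from interactive sign-ins, so an account that is used only non-interactively looks inactive. The following is an added example, not part of the original script: it applies the same threshold to the most recent of the interactive and non-interactive timestamps and compares in UTC. The function name Test-SignInActivityInactive, its parameters and the sample objects are assumptions constructed for illustration.

```powershell
# Added example, not the original script: the function name, its parameters
# and the sample objects below are constructed for illustration.
function Test-SignInActivityInactive
{
    param(
        [Parameter(Mandatory)] [AllowNull()] $SignInActivity,
        [Parameter(Mandatory)] [int] $ThresholdDays,
        [DateTime] $Now = [DateTime]::UtcNow
    )

    # Graph returns ISO 8601 UTC strings; parse them as UTC, not local time.
    $styles = [System.Globalization.DateTimeStyles]'AdjustToUniversal, AssumeUniversal'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture

    $latest = $null
    foreach ($name in 'lastSignInDateTime', 'lastNonInteractiveSignInDateTime')
    {
        $raw = $SignInActivity.$name
        if ($null -eq $raw -or "$raw" -eq '') { continue }

        # Some PowerShell versions already deserialize the value to DateTime.
        if ($raw -is [DateTime]) { $value = $raw.ToUniversalTime() }
        else { $value = [DateTime]::Parse($raw, $culture, $styles) }

        if ($null -eq $latest -or $value -gt $latest) { $latest = $value }
    }

    # No recorded sign-in: same outcome as the script above (condition not met).
    if ($null -eq $latest) { return $false }

    return $latest -lt $Now.ToUniversalTime().AddDays(-$ThresholdDays)
}

# Constructed sample data shaped like the signInActivity property of a user.
$now = [DateTime]::new(2026, 1, 18, 0, 0, 0, [System.DateTimeKind]::Utc)
$samples = [ordered]@{
    'interactive only, stale' = [pscustomobject]@{
        lastSignInDateTime = '2025-09-01T08:00:00Z'; lastNonInteractiveSignInDateTime = $null }
    'recent non-interactive'  = [pscustomobject]@{
        lastSignInDateTime = '2025-09-01T08:00:00Z'; lastNonInteractiveSignInDateTime = '2026-01-10T03:15:00Z' }
    'never signed in'         = $null
}
foreach ($entry in $samples.GetEnumerator())
{
    $inactive = Test-SignInActivityInactive -SignInActivity $entry.Value -ThresholdDays 90 -Now $now
    '{0}: inactive = {1}' -f $entry.Key, $inactive
}
```

In the script above, the function would receive $response.signInActivity and its result would be assigned to $Context.ConditionIsMet.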

Comments

  • Grant

    Hello,

    I am trying to run this script but I am getting the below errors:

    Response status code does not indicate success: 429 (). Stack trace: at , : line 18 Custom commands: Command Processor 'Custom commands' threw an exception while processing the command. ↲ Failed to get a list of efficient custom command actions. ↲ Failed to check the following condition of the 'Active Directory/M365 - Disable Inactive Accounts (User) (Dev)' custom command: If script 'Check Entra Account For Inactivity Longer Than 90 Days' returns true. ↲ Response status code does not indicate success: 429 ().

    After looking at Google for the 429 error message, it indicates it's a throttling error. Do you have any recommendations on how to adjust the script to slow it down when running against users in batches? I am planning on running this script against our ~1000 users on a monthly basis. In testing I'm running it against about 100 users but not taking any actions against the accounts.

    Thank you!

    • Support

      Hello Grant,

      Do you have any recommendations on how to adjust the script to slow it down when running against users in batches?

      Unfortunately, there is no such possibility.

      I am planning on running this script against our ~1000 users on a monthly basis

      If you have both the on-premises AD and the Microsoft Entra domain registered in Adaxes, you may consider using a built-in condition. The following article will be helpful: https://www.adaxes.com/questions/16835/how-does-adaxes-determine-account-inactivity.

      • Grant

        Okay thank you! We are hybrid so I've removed this step from the custom command and will just use the "If is inactive" condition mentioned in the article you provided.

        Best,

        Grant
