Skip to content
/ InactiveWipe Public

A script to help stay in control of guest access in Entra ID

19 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

erlwes/InactiveWipe

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
AppRegistration.md
AppRegistration.md
 
 
BenefitsOfGuestCleanup.md
BenefitsOfGuestCleanup.md
 
 
Ideas.md
Ideas.md
 
 
InactiveWipe.ps1
InactiveWipe.ps1
 
 
README.md
README.md
 
 

Repository files navigation

InactiveWipe

A graphical interface script to help stay in control of guest access in Entra ID. The tool helps identify disabled, inactive and never-used guest users.

🟡 The GUI

A graphical interface displays the results.

image

🟡 View results or save to CSV

The "save"-icon lets you save results to CSV (for bulk-operations in Entra ID?) To inspect the results, click the "list"-icons in GUI. If you have a selection when clicking "OK", the users UPN is copied to clipboard for bulk delete/disable operations.

The script is read-only and will not disable or delete any users.

image

🟡 Console

Errors and some info is outputed to console when running.

image

🟡 Prerequisites

  • A registered app with the User Read All and AuditLog.Read.All Graph permissions See this step-by-step guide

🟡 Install

Install-Script -Name InactiveWipe

🟡 Usage

Running the script

.\InactiveWipe.ps1 -TenantId <your-tenant-id> -AppId <your-app-id> -AppSecret <your-app-secret>
Parameter Description
TenantId (mandatory) Your Entra ID tenant ID 'string'
AppId (mandatory) The application ID for your registered application in Azure AD 'string'
AppSecret (mandatory) The client secret for your registered application
ThresholdDaysAgo Number of days without activity for guests to be consideres inactive. Default is 180 days 'int'

🟡 Considerations

  • Before removing disabled users, check their last sign-in activity first
  • Before removing users that have never signed in, make sure they where not recently invited/added (createdDateTime)
  • Don't store ClientSecret/Application Secret in script. Ideally, load it from a password manager, SecretStore or alike. If not, at least close process and clear command history

🟡 I found guest that can be wiped, now what?

If you are not familiar with PowerShell to perform batch operations like remove and disable/block of users in Entra ID, you can use bulk operations in the Entra AD portal.

  1. Use the tool to identify and select users for removal (UPN copied to clipboard when clicking ok from gridview)
  2. Go to User blade in Entra AD portal
  3. Select "Bulk operations" and "Bulk delete"
  4. Download example CSV
  5. Open the example CSV, paste guest-users UPN, save the file
  6. Upload the file to "bulk delete users" and type "Yes" to contine.
  7. Click "Submit"

About

A script to help stay in control of guest access in Entra ID

Resources

Readme
Activity

Stars

19 stars

Watchers

5 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages