🌟 How to Manage Inactive Guest Accounts in Microsoft 365 🌟

-
Recently, someone asked if it's possible to identify guest accounts that haven’t signed into a tenant recently and add them to a group. The target group could be a distribution list or a Microsoft 365 group. With the widespread use of guest accounts in Microsoft 365 for external sharing (think of Loop as the latest example adopting Entra ID B2B Collaboration), it’s inevitable that some guest accounts are no longer in use. Identifying and managing these inactive accounts isn’t just good housekeeping—it’s smart IT management. Why keep accounts that no longer serve a purpose? Here’s how you can take action: 1️⃣ Create a Target Group: Start by creating a distribution list or Microsoft 365 group where you’ll store the inactive guest accounts. You can do this in the Exchange or Microsoft 365 admin centers, or by running PowerShell commands like New-DistributionGroup (for a distribution list) or New-UnifiedGroup (for a Microsoft 365 group). 2️⃣ Update Membership Automatically: Once your group is ready, PowerShell is your best friend to automate membership updates. All you need is the group’s name, alias, or identifier to get started. 💡 Managing inactive accounts keeps your environment secure and organized. It’s a small effort for big results! How are you managing guest accounts in your tenant? step by step using powershell 👇
PowerShell Script 

  

  
  


# Install the Exchange Online PowerShell module

Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
# Connect to Exchange Online using your administrator account

Connect-ExchangeOnline -UserPrincipalName ”Username@contso.onmicrosoft.com"
# Create a distribution group named "Inactive external Guests”

New-DistributionGroup -Name "Inactive external Guests" -Alias "InactiveexternalGuests" -Type Distribution -PrimarySmtpAddress "inactiveguests@varmlandska.onmicrosoft.com"

####promission Graph API

# Connect to Microsoft Graph API with extended permissions
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", 
                 "Domain.Read.All", 
                 "Domain.ReadWrite.All", 
                 "Directory.Read.All", 
                 "Policy.ReadWrite.ConditionalAccess", 
                 "DeviceManagementApps.ReadWrite.All", 
                 "DeviceManagementConfiguration.ReadWrite.All", 
                 "DeviceManagementManagedDevices.ReadWrite.All", 
                 "openid", 
                 "profile", 
                 "email", 
                 "offline_access", 
                 "Policy.ReadWrite.PermissionGrant", 
                 "RoleManagement.ReadWrite.Directory", 
                 "Policy.ReadWrite.DeviceConfiguration", 
                 "DeviceLocalCredential.Read.All", 
                 "DeviceManagementManagedDevices.PrivilegedOperations.All", 
                 "DeviceManagementServiceConfig.ReadWrite.All", 
                 "Policy.Read.All", 
                 "DeviceManagementRBAC.ReadWrite.All"

############################################
# Retrieve all guest users with additional properties (for reporting or further processing)
$Guests = Get-MgUser -Filter "userType eq 'Guest'" -Property "displayName, userPrincipalName, signInActivity" -All -PageSize 500
# Format guest data as a custom object for output or export
$Guests | ForEach-Object { 
    [PSCustomObject]@{
        DisplayName = $_.DisplayName
        UserPrincipalName = $_.UserPrincipalName
        LastSignIn = $_.signInActivity.lastSignInDateTime
    }
}
# Set a date to filter users who have not signed in for over a month, or year, it’s upp to you
$CheckDate = (Get-Date).AddMonths(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Retrieve all guest users from Azure AD
$Guests = Get-MgUser -Filter "userType eq 'Guest'" -Property "signInActivity" -All -PageSize 500
# Filter guests who have not signed in since the specified date or have no sign-in activity
$InactiveGuests = $Guests | Where-Object { $_.signInActivity.lastSignInDateTime -lt $CheckDate -or $_.signInActivity -eq $null }
# Add each inactive guest to the "Inactive external Guests" distribution group
ForEach ($Guest in $InactiveGuests) {
    Add-DistributionGroupMember -Identity "Inactive external Guests" -Member $Guest.Id -ErrorAction SilentlyContinue
}
# Disconnect from Exchange Online
Disconnect-ExchangeOnline

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 IntuneWin – Deploying Win32 Apps via Intune 🎯

-
Bild
🔹 Benefits of IntuneWin: ✅ Seamless app packaging 📦 ✅ Automated deployment ⚙️ ✅ Centralized cloud management ☁️ ✅ Support for installation & uninstallation 🔄 The IntuneWin format is a method for preprocessing Windows Classic (Win32) applications. The tool transforms application installation files into the .intunewin format. Once you apply this tool to the app packaging folder, you can create an app enrollment configuration that enables advanced deployment features, such as OS version dependencies and uninstallation methods for remote application removal. Win32 apps in Intune size limit of 30 GB per app. To start the configuration 1- First you need to download the Microsoft Win32 Content Prep Tool :  Microsoft Win32 Content Prep Tool 2-  Unzip the tool to a folder, E, C , F etc drive (you can choose any folder you like). 3- Save your application  in the same folder as the Content Prep tools.  4- Now we will create the .intunewin package using PowerS...
Read more »

Boost Your Graphics Power med GPU-acceleration i Azure Virtual Desktop!

-
Bild
  🎯 Purpose Optimize performance for Remote Desktop sessions by enabling GPU acceleration and video optimization via Microsoft Intune or Group Policy (GPO). 🧠 Prerequisites & Requirements Required skills: Basic knowledge of Windows device management Experience with Microsoft Intune or Group Policy Understanding of Remote Desktop (RDP/AVD) concepts Technical requirements: Windows 10/11 on session hosts GPU-enabled VMs (e.g., NVv3, NVadsA10 v5, NCasT4_v3) Microsoft HEVC codec installed on client devices Proper GPU drivers installed (NVIDIA GRID or AMD) 1. Sign in Go to: https://intune.microsoft.com 2. Create or edit a configuration profile Go to Devices > Configuration profiles Click Create profile Select: Platform: Windows 10 and later Profile type: Settings catalog 3. Add settings Click Add settings and browse to: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host ...
Read more »

Block Personal devices to acces to Desktop apps like teams, Onedrive etc and how to troubleshooting the issue.

-
Bild
  You can use Conditional Access to block users based on location, IP address, and more, but now we will talk about blocking access for users who are using personal devices 1. Navigate to Entra ID -> Protection -> Conditional Access and create a new policy. 2- Create new policy 3-   Name your policy Assign your policy to a user/group or to all users. If you assign the policy to all users, be sure to exclude the break-glass account. It's essential to always have a break-glass account in place. In case of an error, you could accidentally lock out all users, so make sure these accounts remain unaffected. 4- In the Target resources select All resources (formerly 'All cloud apps') 5- In the conditions: Device platforms: select which devices you want the policy to apply to. In my case i will select windows and MacOS  Client apps: check all boxes except Browser, which will block everything except the browser. Here’s the magic: In the Filter for devices, you can ...
Read more »