Identify DISABLED / IN-ACTIVE users in Azure AD

Aammir Mirza
4 min read · Aug 24, 2023


We have tightly integrated dependencies on Azure AD identities. These dependencies spread across all the tenant-wide integrated services and apps.

There are many scenarios where communication fails because information on a user's Active or Inactive state in AAD is missing.

I will elaborate on more scenarios below that impact CCoE ways of working and productive communication for Platform Management.

Scenarios

AAD objects such as App Registrations, Enterprise Apps, Security Groups, Subscription Tags with ownership, and many more resources you can imagine that need ownership information or tags for better monitoring, data aggregation, or a Chargeback/Recharge model.

Every organization adopts different practices to identify disabled and deleted user accounts, but it will always be a pain for CCoE and Operations to keep track of them, as most communication and automation depend on that information.

For example, I have automation that tracks Certificate/Secret expiry for App Registrations and SPs (Service Principals). It identifies objects that are about to expire and initiates communication to the owners so they can take care of it before damage occurs.

But if your owner information is stale, because you don't have appropriate lifecycle management for identifying user state on such objects, now the real challenge starts: searching for the right owner to communicate with (unwanted effort).

To handle such challenges I have created a PowerShell module that can be used to extract DISABLED / IN-ACTIVE users across AAD objects (Security Group, App Registration, Subscription-scoped Tags, or an individual UPN that you feed to the command).

Usage examples

Details on usage examples of the module:

# Authentication and Authorization (managed identity of the host running the automation)
try {
    'Logging in to Azure...'
    Connect-AzAccount -Identity
    'Logged in to Azure...'
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

# Token for Microsoft Graph; the header is only needed for direct REST calls (Invoke-RestMethod),
# the module call below uses the Connect-MgGraph session instead
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + $token
}
# Microsoft.Graph SDK 2.x expects a SecureString here: ($token | ConvertTo-SecureString -AsPlainText -Force)
Connect-MgGraph -AccessToken $token

# Install the module (once), then the call to the module starts here
Install-Module -Name InActiveOwners
InActive-Owners -AppReg -Verbose

# To see what the module is capable of, use the help command
Get-Help InActive-Owners -Full
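As an added example (not the InActiveOwners module's own code), the same owner check written directly against the Microsoft Graph PowerShell SDK: it walks every app registration, resolves the user owners, and flags the ones that are disabled, have never signed in, or have not signed in for a configurable number of days. It assumes an existing Connect-MgGraph session with the scopes listed in the comments and uses a hypothetical 90-day inactivity threshold.

```powershell
# Added example, not part of the InActiveOwners module.
# Assumes a session opened with:
#   Connect-MgGraph -Scopes 'Application.Read.All','User.Read.All','AuditLog.Read.All'
# (signInActivity is only returned with AuditLog.Read.All).
param(
    [int]$InactiveDays = 90   # hypothetical threshold; tune to your lifecycle policy
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

$report = foreach ($app in Get-MgApplication -All -Property Id,DisplayName,AppId) {
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id -All
    if (-not $owners) {
        # An app with no owner at all cannot receive expiry notifications
        [pscustomobject]@{ App = $app.DisplayName; Owner = '<none>'; State = 'NoOwner'; LastSignIn = $null }
        continue
    }
    foreach ($o in $owners) {
        # Owners can be users or service principals; only users carry an enabled/sign-in state here
        if ($o.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $u    = Get-MgUser -UserId $o.Id -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
        $last = $u.SignInActivity.LastSignInDateTime

        # Disabled wins over inactive; a missing LastSignInDateTime means no recorded sign-in
        $state = if (-not $u.AccountEnabled) { 'Disabled' }
                 elseif (-not $last)          { 'NeverSignedIn' }
                 elseif ($last -lt $cutoff)   { 'Inactive' }
                 else                         { $null }

        if ($state) {
            [pscustomobject]@{
                App        = $app.DisplayName
                Owner      = $u.UserPrincipalName
                State      = $state
                LastSignIn = $last
            }
        }
    }
}

# One row per stale owner; feed this into the same notification pipeline that sends expiry mails
$report | Sort-Object App, Owner | Format-Table -AutoSize
```

Apps that appear only with State = NoOwner are the ones to fix first, since no expiry notification can reach anyone for them.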

Challenges

Identifying disabled users in Azure AD can also present challenges, as various factors can affect how accurately you can determine whether a user is disabled. Here are some challenges you might encounter:

1. Account Status Changes: User accounts can be disabled for various reasons, such as security issues, employee departures, or account maintenance. Keeping track of these changes can be complex, especially in large organizations.

2. Distributed Administration: In larger organizations, user administration might be distributed across various teams or departments, leading to potential inconsistencies in disabling accounts.

3. Disabled vs. Suspended: Azure AD accounts can be either disabled or suspended. Suspended accounts are temporarily blocked due to detected suspicious activities. Distinguishing between these two states is important for accurate reporting.

4. Delayed Disabling: There might be a delay between when a user’s status changes (e.g., termination) and when their account is actually disabled. During this gap, the account could still have access.

5. Conditional Access and Policies: Conditional Access policies can enforce additional security measures or restrictions on user accounts. A user might not be disabled but might be prevented from accessing resources due to these policies.

6. Service and Application Accounts: Some accounts might be service accounts used by applications or systems. These accounts might not have recent sign-ins but are still active in their designated roles.

7. External Users: Identifying disabled external users (B2B collaborators) can be challenging, as their management might be more decentralized compared to internal users.

8. Guest Users: Disabled guest users might still have access to shared resources if their invitations have not been revoked.

9. Hybrid Environments: In hybrid environments, where both on-premises Active Directory and Azure AD are used, syncing disabled accounts might require careful configuration.

10. Lack of Centralized Reporting: Azure AD might not provide a comprehensive, out-of-the-box report for disabled users, requiring custom queries or third-party solutions.

11. API and Automation Limitations: While you can use APIs to query user status, there might be limitations in terms of the granularity and frequency of data available.

12. Data Privacy and Compliance: Tracking and reporting on user account status changes should consider data privacy and compliance requirements.

To address these challenges, it’s recommended to have well-defined user lifecycle management processes, proper documentation of user status changes, and potentially implementing automated processes that trigger account disabling based on predefined criteria. Utilizing audit logs, creating custom scripts, or using specialized monitoring tools can also help in accurately identifying and managing disabled users in Azure AD.

If you like my article, buy me a C̶o̶f̶f̶e̶e̶ Tesla :)



Aammir Mirza

Cloud Architect with 12 years of experience in managing cloud infrastructure and automation, integrating Azure cloud-based infra components