List inactive users via Graph API

Sometimes it can be useful to get an overview of the inactive users. Microsoft has several features for that. Today I will show you how to retrieve this type of information via the Graph API in Power Automate.

Inspiration

This question from Ashok2:

I have a SharePoint list where we have a people picker column (Team Member), around 190 rows. Now a few of the users have left the organization and are not valid. Can we run a flow which identifies those users and marks a flag or deletes them?

Power Users Community thread: Flow to Flag users who are not active.

signInActivity resource type

In this scenario I am looking at inactive users. My definition of an inactive user is a user who has not signed in for a given period of time, in this scenario at least 90 days. Luckily Microsoft has the signInActivity resource type in the Graph API which we can use. It can be used as a property in a filter with the List Users method.

To retrieve this information from the Graph API you need the AuditLog.Read.All and Directory.Read.All permissions.

Active Directory OAuth

To use the Graph API in Power Automate, don't forget to register an app in Azure Active Directory; you will need it for the Authentication section of the HTTP action in the flow setup. As mentioned in a couple of my other blog posts, Elaiza Benitez has written a nice blog post about this: How to authenticate as an application with Microsoft Graph API with flow.

M365 CLI

Alternatively, you could use code to create this app in Azure Active Directory. Waldek Mastykarz has a nice blog post about creating it with only one line of code using the M365 CLI: Create Azure AD apps with one line of code.

You can run this from Windows, macOS or Linux, using Bash, Cmder or PowerShell. Whatever you prefer!

Don’t forget to grant consent after you create it btw 😉


Flow setup

Before you start: be aware the HTTP action is part of a premium connector.


1. Add a Manually trigger a flow trigger action.

2. Add a Send an HTTP action. Use a GET method and make sure it uses the following URI.

The URI uses the AddDays and UtcNow functions to calculate the date 90 days ago. The query will only retrieve users whose lastSignInDateTime is less than or equal to (le) that date.


3. Use the Authentication setup of the table below.

| Field | Value |
| --- | --- |
| Authentication | Azure Active Directory OAuth |
| Authority | https://login.microsoftonline.com |
| Tenant | GUID of your tenant |
| Audience | https://graph.microsoft.com |
| Client ID | GUID of the app you created earlier |
| Credential Type | Secret |
| Secret | Secret you just generated |


4. Add a Select action. Use the value dynamic content field in the From. In the mapping use whatever properties you want to see from the inactive users. In my example I used the userPrincipalName and the lastSignInDateTime properties.


That should be it for the setup.

When you run it, the output of the Select action should list the properties you mapped for each inactive user.

Happy testing!
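
The request from step 2 and the mapping from step 4, written out in Python as an added example (not part of the original post or of the flow itself). The v1.0 endpoint, the $select clause, the function names and the sample response are assumptions made for illustration; rows without a usable timestamp go into a separate review list instead of being treated as inactive.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Assumption: the v1.0 endpoint; the page does not state which Graph version it calls.
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def cutoff(days=90, now=None):
    """UTC timestamp `days` ago, the equivalent of addDays(utcNow(), -90)."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(days=days)).strftime(TS_FORMAT)

def inactive_users_uri(days=90, now=None):
    """List Users request filtered on signInActivity/lastSignInDateTime le <cutoff>."""
    flt = f"signInActivity/lastSignInDateTime le {cutoff(days, now)}"
    # signInActivity is only returned when it is requested through $select.
    return f"{GRAPH_USERS}?$filter={quote(flt)}&$select=userPrincipalName,signInActivity"

def select_users(response, days=90, now=None):
    """Mirror of the Select action, plus a client-side re-check of each row."""
    limit = datetime.strptime(cutoff(days, now), TS_FORMAT)
    inactive, review = [], []
    for user in response.get("value", []):
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        row = {"userPrincipalName": user.get("userPrincipalName"),
               "lastSignInDateTime": last}
        # No timestamp means "unknown", not "inactive": keep it out of any
        # automated flag/delete step and send it to manual review instead.
        if last and datetime.strptime(last, TS_FORMAT) <= limit:
            inactive.append(row)
        else:
            review.append(row)
    return inactive, review

# Constructed sample response (not real tenant data).
SAMPLE = {"value": [
    {"userPrincipalName": "old.account@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2023-01-10T08:15:00Z"}},
    {"userPrincipalName": "never.signed.in@contoso.example",
     "signInActivity": None},
    {"userPrincipalName": "recent.user@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T17:40:00Z"}},
]}

if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    print(inactive_users_uri(now=fixed_now))
    print(select_users(SAMPLE, now=fixed_now))
```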
