List inactive users via Graph API
Sometimes it can be useful to get an overview of the inactive users. Microsoft has several features for that. Today I will show you how to retrieve this type of information via the Graph API in Power Automate.
List inactive users (no sign-in activity in the past 90 days) via the Graph API in #PowerAutomate pic.twitter.com/Wo06IMiFZB
— Dennis (@expiscornovus) March 4, 2022
Inspiration
This question from Ashok2:
I have a SharePoint list where we have a people picker column (Team Member) with around 190 rows. Now a few of the users have left the organization and are not valid. Can we run a flow which identifies those users and marks a flag or deletes them?
Power Users Community thread: Flow to Flag users who are not active.
signInActivity resource type
In this scenario I am looking at inactive users. My definition of an inactive user is a user who has not signed in for a given period of time, in this scenario at least 90 days. Luckily, Microsoft has the signInActivity resource type in the Graph API which we can use. It can be used as a property in a filter with the List Users method.
To retrieve this information from the Graph API you need the AuditLog.Read.All and Directory.Read.All permissions.
Active Directory OAuth
To use the Graph API in Power Automate, don’t forget to register an app in Azure Active Directory; you will need it for the Authentication section of the HTTP action in the flow setup. As mentioned in a couple of my other blog posts, Elaiza Benitez has written a nice blog post about this: How to authenticate as an application with Microsoft Graph API with flow.
M365 CLI
Alternatively, you could use code to create this App in Azure Active Directory. Waldek Mastykarz has a nice blog about creating this with only one line of code with M365 CLI, Create Azure AD apps with one line of code.
You can run this from Windows, macOS or Linux, using Bash, Cmder or PowerShell. Whatever you prefer!
Don’t forget to grant consent after you create it btw 😉
Flow setup
Before you start: be aware the HTTP action is part of a premium connector.
1. Add a Manually trigger a flow trigger action.
2. Add a Send an HTTP action. Use a GET method and make sure it uses the following URI.
The URI uses the AddDays and UtcNow functions to calculate a date which is 90 days ago. The query will only retrieve users whose lastSignInDateTime is less than or equal to (le) that date.
3. Use the Authentication setup of the table below.
Field | Value |
---|---|
Authentication | Azure Active Directory OAuth |
Authority | https://login.microsoftonline.com |
Tenant | GUID of your tenant |
Audience | https://graph.microsoft.com |
Client ID | GUID of the app you created earlier |
Credential Type | Secret |
Secret | Secret you just generated |
4. Add a Select action. Use the value dynamic content field in the From. In the mapping use whatever properties you want to see from the inactive users. In my example I used the userPrincipalName and the lastSignInDateTime properties.
That should be it for the setup.
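The request from step 2 and the Select mapping from step 4, sketched in Python as an added example (not the author's flow). The v1.0 endpoint, the `$select` list, the function names and the sample accounts are assumptions; accounts with no recorded sign-in are skipped rather than treated as a date match, so they need a separate review.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"  # assumption: v1.0 endpoint

def cutoff(days=90, now=None):
    """Equivalent of addDays(utcNow(), -90) in the flow, in whole seconds."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(days=days)).replace(microsecond=0)

def build_uri(cut):
    """List Users URI filtered on signInActivity/lastSignInDateTime le <cutoff>."""
    stamp = cut.strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = f"signInActivity/lastSignInDateTime le {stamp}"
    # signInActivity is only returned when it is requested with $select.
    return (f"{GRAPH_USERS}?$filter={quote(flt, safe='/:')}"
            "&$select=userPrincipalName,signInActivity")

def select_inactive(response, cut):
    """Mirror of the Select action, re-checking each row against the cutoff."""
    rows = []
    for user in response.get("value", []):
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None:
            continue  # no recorded sign-in: cannot be compared with a date
        seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
        if seen <= cut:
            rows.append({"userPrincipalName": user["userPrincipalName"],
                         "lastSignInDateTime": last})
    return rows

# Constructed sample response in the shape List Users returns.
SAMPLE = {"value": [
    {"userPrincipalName": "old.account@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2021-10-01T08:15:00Z"}},
    {"userPrincipalName": "active.user@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2022-03-01T12:00:00Z"}},
    {"userPrincipalName": "never.used@contoso.example", "signInActivity": None},
]}

if __name__ == "__main__":
    cut = cutoff(90, datetime(2022, 3, 4, tzinfo=timezone.utc))
    print(build_uri(cut))
    for row in select_inactive(SAMPLE, cut):
        print(row)
```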
When you run it you should see a result like below.
Happy testing!