A graphical interface script to help stay in control of guest access in Entra ID. The tool helps identify disabled, inactive and never-used guest users.
A graphical interface displays the results.
The results can be inspected by clicking the "list"-icons in GUI. Select all or multiple users. When clicking ok, the users UPN is copied to clipboard for bulke delete/disable operations. The script is read-only and will not disable or delete any users.
Errors and some info is outputed to console when running.
- A registered app with the
User Read AllGraph permission See this step-by-step guide
Running the script
.\InactiveWipe.ps1 -tenantId <your-tenant-id> -appId <your-app-id> -appSecret <your-app-secret>| Parameter | Description |
|---|---|
| tenantId (mandatory) | Your Entra ID tenant ID 'string' |
| appId (mandatory) | The application ID for your registered application in Azure AD 'string' |
| appSecret (mandatory) | The client secret for your registered application |
| thresholdDaysAgo | Number of days without activity for guests to be consideres inactive. Default is 180 days 'int' |
- Before removing disabled users, check their last sign-in activity first
- Before removing users that have never signed in, make sure they where not recently invited/added (createdDateTime)
- Don't store ClientSecret/Application Secret in script. Ideally, load it from a password manager, SecretStore or alike. If not, at least close process and clear command history
If you are not familiar with PowerShell to perform batch operations like remove and disable/block of users in Entra ID, you can use bulk operations in the Entra AD portal.
- Use the tool to identify and select users for removal (UPN copied to clipboard when clicking ok from gridview)
- Go to User blade in Entra AD portal
- Select "Bulk operations" and "Bulk delete"
- Download example CSV
- Open the example CSV, paste guest-users UPN, save the file
- Upload the file to "bulk delete users" and type "Yes" to contine.
- Click "Submit"