Office 365 Users Inactive by AD Group Membership
Rule description
Hybrid Microsoft 365 users that are members of an AD group and are considered inactive according to a set of criteria.
When to use this rule
Inactive user accounts are often unnecessary and can be safely deprovisioned with Cayosoft Suspend™.
Use this rule to take action on all those user accounts that have been idle in Microsoft 365 for quite a while.
Rule settings
Query section
| Setting name | Description |
|---|---|
| AD Group (DN) | Specify the DistinguishedName of the Active Directory group. The hybrid Microsoft 365 users that are members of this AD group will be displayed in the report. |
| Last Microsoft 365 sign in (days ago) | Set the minimum number of days that must have passed since the user last signed in to Microsoft 365. Use 0 to disable this check. NOTE: Using this parameter requires an Azure AD Premium P1/P2 license in the tenant. Cayosoft Administrator queries the SignInActivity user property to get the last sign-in timestamp. Refer to the following Microsoft article for additional information: signInActivity resource type \| Microsoft Learn. |
| Last Microsoft 365 service access (days ago) | Set the number of days since the last Microsoft 365 service access. Cayosoft Administrator references data collected in Microsoft 365 reports. Refer to the following Microsoft article for additional information: Microsoft 365 Reports in the admin center \| Microsoft Learn. |
| Minimum license assignment age (days) | Set the minimum number of days that must have passed since the license assignment, to avoid counting new users as inactive. Use 0 to ignore the license assignment date. Cayosoft Administrator queries the AssignedPlan user property to calculate the assignment age. Refer to the following Microsoft article for additional information: assignedPlan resource type \| Microsoft Learn. |
| Other Query Settings | |
| Properties to display | Each object property defined in this setting matches a column that will be displayed in the Web Portal for this web query. To display additional columns, add the required properties to the Properties to display list. To add extension attribute 1 that is synchronized from AD, you need to use a value like: |
| System properties | List of properties required for this rule to be executed correctly. |
| Post query-filter | To hide unwanted data based on criteria that are not supported by the Microsoft 365 query criteria above, set the filtering conditions here. TIP: For optimal performance, use the Query criteria above to filter objects whenever possible. |
| Sort by | Sorts the list of result objects. |
| Limit result set | This setting is used to optimize performance by limiting the number of objects returned by the Microsoft Graph API. Unlike query criteria, post-filters are applied to objects after they are returned, which means that the final set of objects can be smaller than the number configured here even though more matching objects exist in the source system. |
| Initialization script | Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script can help: you can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: Example: Update AD users, created in the last ten days. |
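
The following added example (not Cayosoft's code and not part of the original page) shows how the sign-in and license-age criteria above can be evaluated against Graph-style user objects, including the "0 disables the check" behaviour. The sample users, the AND combination of the checks, the use of the oldest plan assignment date, treating users with no recorded sign-in as inactive, and also reading lastNonInteractiveSignInDateTime are assumptions made for illustration.

```powershell
# Added example. Thresholds mirror two of the rule's settings; all values are constructed.
$SignInDays     = 90   # "Last Microsoft 365 sign in (days ago)"; 0 disables the check
$LicenseAgeDays = 30   # "Minimum license assignment age (days)"; 0 ignores the date
$Now = ([datetime]'2024-06-01T00:00:00Z').ToUniversalTime()   # fixed "today" so results repeat

# Constructed users in the shape of Graph user objects (signInActivity, assignedPlans).
$users = @'
[
 {"userPrincipalName":"stale@contoso.example",
  "signInActivity":{"lastSignInDateTime":"2024-01-10T08:00:00Z","lastNonInteractiveSignInDateTime":"2024-01-12T08:00:00Z"},
  "assignedPlans":[{"assignedDateTime":"2023-03-01T00:00:00Z"}]},
 {"userPrincipalName":"active@contoso.example",
  "signInActivity":{"lastSignInDateTime":"2024-05-28T08:00:00Z","lastNonInteractiveSignInDateTime":null},
  "assignedPlans":[{"assignedDateTime":"2022-09-15T00:00:00Z"}]},
 {"userPrincipalName":"newhire@contoso.example",
  "signInActivity":null,
  "assignedPlans":[{"assignedDateTime":"2024-05-20T00:00:00Z"}]},
 {"userPrincipalName":"svc-sync@contoso.example",
  "signInActivity":{"lastSignInDateTime":"2023-09-01T08:00:00Z","lastNonInteractiveSignInDateTime":"2024-05-30T08:00:00Z"},
  "assignedPlans":[{"assignedDateTime":"2023-01-01T00:00:00Z"}]},
 {"userPrincipalName":"never@contoso.example",
  "signInActivity":null,
  "assignedPlans":[{"assignedDateTime":"2023-11-01T00:00:00Z"}]}
]
'@ | ConvertFrom-Json

function Test-InactiveUser {
    param($User, [int]$SignInDays, [int]$LicenseAgeDays, [datetime]$Now)

    # License-age guard: a recently licensed user is not reported, even with no sign-in yet.
    if ($LicenseAgeDays -gt 0) {
        $oldest = @($User.assignedPlans) | Where-Object { $_.assignedDateTime } |
            ForEach-Object { ([datetime]$_.assignedDateTime).ToUniversalTime() } |
            Sort-Object | Select-Object -First 1          # assumption: oldest assignment counts
        if ($oldest -and ($Now - $oldest).TotalDays -lt $LicenseAgeDays) { return $false }
    }
    # Sign-in check: take the most recent of the interactive and non-interactive timestamps.
    if ($SignInDays -gt 0) {
        $last = @($User.signInActivity.lastSignInDateTime,
                  $User.signInActivity.lastNonInteractiveSignInDateTime) | Where-Object { $_ } |
            ForEach-Object { ([datetime]$_).ToUniversalTime() } | Sort-Object | Select-Object -Last 1
        # No timestamp at all is treated as inactive (assumption), so only a recent one excludes.
        if ($last -and ($Now - $last).TotalDays -lt $SignInDays) { return $false }
    }
    return $true
}

$users | Where-Object { Test-InactiveUser $_ $SignInDays $LicenseAgeDays $Now } |
    Select-Object -ExpandProperty userPrincipalName
```

Setting $LicenseAgeDays to 0 in this sample shows why the license-age guard exists: the newly licensed account with no sign-in history is then reported as inactive as well.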
Output section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.