Azure Introduction
Azure Pricing
Azure Threats
Inactive Users
More Info:
There should not be any inactive users
Risk Level
High
Address
Security
Compliance Standards
CISGCP
Triage and Remediation
Remediation
To remediate inactive users in Azure Active Directory (Azure AD) using the Azure console, follow these steps:
-
Sign in to the Azure portal (portal.azure.com) using your Azure AD administrator account.
-
In the left-hand menu, click on “Azure Active Directory” to open the Azure AD dashboard.
-
In the Azure AD dashboard, click on “Users” to view the list of users in your directory.
-
Sort the users by the “Last sign-in” column to identify the inactive users. Users with no sign-in activity will have a blank or old date in this column.
-
Select the inactive users you want to remediate by clicking on their names or using the checkboxes beside their names.
-
Once the users are selected, click on the “Delete” button at the top of the user list.
-
In the confirmation dialog, review the selected users and click on “Delete” to remove them from Azure AD.
-
After the users are deleted, you may want to review any associated resources or permissions they had and update or remove them accordingly.
-
Additionally, consider enabling Azure AD Premium’s “Azure AD Identity Protection” feature to proactively detect and remediate risky sign-in activities.
By following these steps, you can remediate inactive users in Azure AD using the Azure console.
To remediate inactive users in Azure Active Directory (Azure AD) using Azure CLI, follow these steps:
-
Install Azure CLI: If you haven’t already, install the Azure CLI on your local machine by following the instructions provided by Microsoft.
-
Sign in to Azure: Open a terminal or command prompt and sign in to your Azure account by running the following command:
az login -
Select the Azure subscription: If you have multiple Azure subscriptions, use the following command to select the appropriate subscription:
az account set --subscription <subscription_id> -
List inactive users: Use the following command to list all inactive users in Azure AD:
az ad user list --query "[?lastSignInDateTime=='null' && userType=='Member'].{displayName:displayName, objectId:objectId}" -
Review the list: Examine the output of the previous command to identify the inactive users that need to be remediated. Note down the
objectIdof each inactive user. -
Disable inactive users: For each inactive user identified in the previous step, run the following command to disable the user:
az ad user update --id <objectId> --accountEnabled falseReplace
<objectId>with the actualobjectIdof the inactive user. -
Verify the changes: To ensure that the users have been disabled, you can use the
az ad user showcommand to check the accountEnabled status of each user:az ad user show --id <objectId> --query accountEnabledReplace
<objectId>with the actualobjectIdof the user. -
Repeat step 6 and 7 for each inactive user identified in step 5.
By following these steps, you can remediate inactive users in Azure AD using Azure CLI.
To remediate inactive users in Azure Active Directory (Azure AD) using Python, follow these steps:
-
Install the required libraries:
- Install the Azure Identity library:
pip install azure-identity - Install the Azure Management IAM library:
pip install azure-mgmt-authorization
- Install the Azure Identity library:
-
Import the necessary modules in your Python script:
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient
from datetime import datetime, timedelta
- Authenticate with Azure using the DefaultAzureCredential:
credential = DefaultAzureCredential()
subscription_id = "<your-subscription-id>"
client = AuthorizationManagementClient(credential, subscription_id)
- Define a function to get the list of inactive users:
def get_inactive_users(days):
end_date = datetime.now()
start_date = end_date - timedelta(days=days)
filter_str = f"signInActivity/lastSignInDateTime le {end_date.isoformat()} and signInActivity/lastSignInDateTime ge {start_date.isoformat()}"
users = client.users.list(filter=filter_str)
return users
- Define a function to disable the inactive users:
def disable_inactive_users(days):
users = get_inactive_users(days)
for user in users:
user.is_account_enabled = False
client.users.update(user.object_id, user)
- Specify the number of days of inactivity after which a user should be considered inactive:
inactive_days_threshold = 90
- Call the
disable_inactive_usersfunction with the specified number of inactive days:
disable_inactive_users(inactive_days_threshold)
Make sure you have the necessary permissions to manage users in Azure AD. Adjust the code as necessary to suit your specific requirements and environment.