Automating inactive user account cleanup: beyond “run a script every 90 days”

Definition: Automating inactive user account cleanup is the continuous, policy‑driven detection of stale identities and a staged lifecycle—detect → label → quarantine → disable → archive/delete—across on‑prem Active Directory and Microsoft Entra ID, with evidence, approvals, and rollback.

Inactive identities expand attack surface, inflate license costs, and muddy audits. Treat cleanup as a lifecycle with reversibility, not a blunt periodic delete job. This guide embeds internal how‑tos from Active Directory Recycle Bin, deny‑logon Group Policy, gMSA, and Hybrid Runbook Worker so you can implement this end‑to‑end.

Why the usual approach breaks down

The typical play—“find users with LastLogonDate older than 90 days, disable, delete at 180”—ignores realities:

• AD’s replicated timestamp is coarse. lastLogonTimestamp replicates based on ms-DS-Logon-Time-Sync-Interval, not every sign‑in; expect ~9–14 day granularity. Build grace windows.
• Two planes of truth. Hybrid identity means on‑prem and cloud may disagree on “activity” unless you reconcile signals.
• Service/automation identities behave differently. Prefer gMSA on‑prem and service principals/managed identities in cloud; exempt them from human inactivity logic.
• Cloud log retention is short by default. Export Entra sign‑in logs to storage/Log Analytics to extend visibility.

First principles for reliable cleanup

1. Signals are noisy; policy absorbs noise. Treat AD LastLogonDate as an approximation and Entra signInActivity as opt‑in. Add buffers.
2. Reversibility before finality. Quarantine and disable before deletion. Practice restores with AD Recycle Bin.
3. Account species differ. Humans, guests, service, automation identities have different signals and outcomes. See service account hardening.
4. Automation needs schedules and evidence. Use Task Scheduler on‑prem or Azure Automation + Hybrid Worker with CSV logs.

The production‑ready technical core (copy‑paste)

This section is your lift‑and‑shift baseline. Keep it under source control and run under change management.

A) Active Directory: staged cleanup with quarantine OU

What you’ll build: a weekly job that identifies candidates from LastLogonDate and “never‑logged‑in” heuristics, excludes service identities, writes CSV evidence, moves users to a Quarantined Users OU, metadata‑stamps the decision, and optionally disables on the second pass. It’s idempotent and reversible with the Recycle Bin. Review the PowerShell AD module basics first.

• Create OU=Quarantined Users,DC=contoso,DC=com and link a deny‑logon GPO.
• Ensure AD Recycle Bin is enabled and you’ve rehearsed Restore-ADObject.

Copy<# 
AD inactive-user quarantine
Requires: RSAT ActiveDirectory module
Run as a delegated service account with move/disable rights
#>

param(
  [int]$InactiveDays = 90,
  [int]$NeverLoggedInGraceDays = 30,
  [string]$QuarantineOU = "OU=Quarantined Users,DC=contoso,DC=com",
  [string]$AuditPath = "C:\Logs\ad-inactive-users.csv",
  [string[]]$SafelistSam = @("svc_sql_reader","hr_oncall")
)

Import-Module ActiveDirectory

$now = Get-Date
$inactiveCutoff = $now.AddDays(-$InactiveDays)
$neverLoginCutoff = $now.AddDays(-$NeverLoggedInGraceDays)

function Test-IsServiceAccount {
  param([Microsoft.ActiveDirectory.Management.ADUser]$u)
  if ($u.PasswordNeverExpires) { return $true }
  if ($u.ServicePrincipalName -and $u.ServicePrincipalName.Count -gt 0) { return $true }
  if ($u.ObjectClass -match 'ManagedServiceAccount') { return $true } # gMSA/MSA
  if ($u.SamAccountName -match '^(svc_|app_)' -or $u.SamAccountName -match '_svc$') { return $true }
  return $false
}

$props = @("lastLogonDate","whenCreated","enabled","manager",
           "passwordNeverExpires","servicePrincipalName","description",
           "distinguishedName","canonicalName","userPrincipalName")

$users = Get-ADUser -Filter 'enabled -eq $true -and objectClass -eq "user"' -Properties $props

$candidates = foreach ($u in $users) {
  if ($SafelistSam -contains $u.SamAccountName) { continue }
  if (Test-IsServiceAccount $u) { continue }

  $reason = $null
  if ($u.LastLogonDate) {
    if ($u.LastLogonDate -lt $inactiveCutoff) { $reason = "Inactive>$InactiveDays" }
  } else {
    if ($u.whenCreated -lt $neverLoginCutoff) { $reason = "NeverSignedIn>$NeverLoggedInGraceDays" }
  }

  if ($reason) {
    [PSCustomObject]@{
      SamAccountName = $u.SamAccountName
      UPN            = $u.UserPrincipalName
      DN             = $u.DistinguishedName
      CanonicalName  = $u.CanonicalName
      Manager        = $u.Manager
      LastLogonDate  = $u.LastLogonDate
      WhenCreated    = $u.WhenCreated
      Reason         = $reason
    }
  }
}

$candidates | Sort-Object CanonicalName | Export-Csv -NoTypeInformation -Path $AuditPath

foreach ($row in $candidates) {
  $user = Get-ADUser $row.SamAccountName -Properties description,distinguishedName
  if ($user.DistinguishedName -notlike "*$QuarantineOU*") {
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
  }
  $stamp = "INACTIVE|Quarantined=$($now.ToString('yyyy-MM-dd'))|Reason=$($row.Reason)"
  if ($user.Description -notmatch 'INACTIVE\|Quarantined') {
    Set-ADUser $user -Description (($user.Description + " " + $stamp).Trim())
  }
  # Optional after one or two cycles:
  # Disable-ADAccount -Identity $user.SamAccountName
}

Schedule it weekly (Sunday 03:00):

Copy$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoLogo -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\ad-inactive-cleanup.ps1'
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
Register-ScheduledTask -TaskName 'AD-Inactive-Cleanup' -Action $action -Trigger $trigger -RunLevel Highest -Description 'Quarantine inactive AD users weekly'

If you prefer centralization, run the same job from Azure Automation on a Hybrid Runbook Worker so it executes inside your network.

B) Microsoft Entra ID (Azure AD): sign‑in activity + access reviews

Two authoritative signals: the Graph signInActivity property (lastSuccessfulSignInDateTime) and Access Reviews for inactive guests. Remember to export sign‑in logs to extend retention.

Copy<# 
Entra inactive-user detection (Graph)
Run in Azure Automation (Managed Identity) or a secure workstation.
Permissions: User.Read.All, AuditLog.Read.All, and either User.EnableDisableAccount.All or User.ReadWrite.All
#>

param(
  [int]$InactiveDays = 90,
  [switch]$WhatIf
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Azure Automation: Connect-MgGraph -Identity (with app perms granted)
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","User.ReadWrite.All"

# Explicitly request signInActivity
$users = Get-MgUser -All -Property "id,accountEnabled,displayName,userPrincipalName,signInActivity"

$candidates = $users | Where-Object {
  $_.UserPrincipalName -notlike "*#EXT#*" -and
  $_.SignInActivity -ne $null -and
  ([datetime]$_.SignInActivity.lastSuccessfulSignInDateTime) -lt $cutoff -and
  $_.AccountEnabled -eq $true
}

$logPath = "C:\home\logs\entra-inactive-users.csv"
$candidates | Select-Object displayName,userPrincipalName,accountEnabled,
  @{n='lastSignInUTC';e={$_.SignInActivity.lastSuccessfulSignInDateTime}} |
  Export-Csv -NoTypeInformation -Path $logPath

foreach ($u in $candidates) {
  if ($WhatIf) {
    Write-Output "Would disable $($u.UserPrincipalName)"
  } else {
    Update-MgUser -UserId $u.Id -BodyParameter @{accountEnabled = $false}
    Write-Output "Disabled $($u.UserPrincipalName)"
  }
}

For guests, configure an inactive guests Access Review with auto‑apply to remove inactive users on schedule—clean and auditable.

Implications and trade‑offs you must design around

• AD timestamps are fuzzy by design. Because lastLogonTimestamp replication is coarse, never delete on first detection. Add buffers and stage actions.
• Cloud visibility collapses without export. Default Entra retention can be shorter than policy windows. Export to Azure Monitor/storage/Log Analytics.
• Source of authority matters. For synced users, act on‑prem and let sync flow to cloud. Don’t fight the system of record.
• Service identities need a separate lane. Migrate to gMSA (on‑prem) and managed identities/service principals (cloud), then exclude them from human inactivity logic.

Mental models that make everything click

• Two‑phase commit for identities. Phase 1: quarantine + disable (reversible). Phase 2: archive/delete (irreversible). Practice restores with Restore‑ADObject.
• Signals over certainty. Blend several weak signals—AD timestamp, Entra signInActivity, license/mailbox activity, HR feed—into a strong decision.
• Controls, not scripts. The real deliverables: schedule, decision rules, approvals, evidence, rollback, audit trail.
• Different species, different care. Humans, guests, service, automation identities each get a distinct lane.

Subtle misunderstandings—and precise fixes

• “LastLogonDate is exact.” It’s derived from a replicated attribute; add grace and quarantine first.
• “Access Reviews disable all accounts.” They excel for guests; members usually need Graph automation tied to policy outcomes.
• “I’ll just disable synced users in cloud.” Source‑of‑authority will block you. Act in AD and let sync propagate.
• “Service accounts are just users.” Move services to gMSA or service principals; deny interactive logon; exclude from human inactivity policy.

Expert essentials (clipboard‑ready)

• Quarantine OU + deny‑logon GPO
• AD Recycle Bin enabled; restore rehearsed < 5 minutes
• Safelists and species tagging (humans/guests/service/automation) — see gMSA overview
• Weekly detection via Task Scheduler or Azure Automation
• Entra sign‑in logs exported to Log Analytics (≥ 1 year where needed)
• Access Reviews for inactive guests (auto‑apply)
• CSV evidence and on‑object annotations for every action

Architecture patterns that actually scale

Centralized automation account. One Azure Automation account runs a cloud runbook (Graph for members/guests) and a hybrid runbook (on‑prem AD changes). Schedules, identities, logs centralized. See hybrid worker considerations.

Event + schedule mesh. Keep weekly schedules, but also trigger on HR terminations via webhook to cut dwell time.

Governance overlay. Pair automation with Access Reviews so resource owners manage exceptions and you get durable audits.

Advanced variations you’ll meet in the wild

• Never‑logged‑in but critical. Replace user accounts with gMSA (Windows services) and cloud managed identities/service principals; remove non‑human users.
• Academic/seasonal cycles. Export Entra sign‑ins to Log Analytics with ≥ 1‑year retention to match cycles.
• Privileged accounts. Stricter perms and approvals; never auto‑disable without multi‑party sign‑off.
• Synced identity conflicts. For directory‑synced users, do lifecycle in AD so the state flows up cleanly.

Key takeaways & a practical next step

• Treat cleanup as a reversible lifecycle, not a brittle script.
• Design around AD’s coarse timestamps and Entra’s short default retention.
• Give humans, guests, and service identities different policy lanes.
• Centralize automation and evidence (Azure Automation + Hybrid Worker).

SEO elements (Yoast‑friendly)