We manage employee user accounts in our on-premise Active Directory and synchronize them to Azure Active Directory using Azure AD Connect. We'd like to be able to generate an accurate report of inactive users, but we sometimes have users who may be inactive locally but not in Azure AD and vice versa.

We are using version 2023 and have added our Azure AD domain as a managed domain, but I haven't found a way to run a single report to show users who are inactive across both domains. Wondering if this is possible so we can easily identify user accounts that are truly inactive.

by (320 points)

Hello everyone,

I am also interested in an answer.

Hybrid users have an object in both the on-prem domain and in the cloud. Sometimes a hybrid user uses only on-prem services and sometimes only cloud services. Therefore, we need a report that combines these two values and shows us when both the on-prem and the cloud object have a last login date that is long in the past.

1 Answer

0 votes
by (294k points)

Hello Rick,

You can use a built-in report, Inactive users. It will work for both on-premises and Azure AD users. By default, the report is located in container Reports\All Reports\Users. Make sure to restore the report to initial state before using: [screenshot: image.png]


Thank you. Can you confirm that this report when run will display users who are inactive in any managed domain?

What I'm looking for is a way to find users who are inactive in all managed domains. In other words, if they are active in Microsoft 365/Azure AD but not active locally in our on-premise domain, I don't want them included in the results of the report.

An example of this would be someone who never logs in to anything locally, but is accessing email on their phone. My understanding is that in our case, they will show up in this report because they are considered inactive locally even though they are accessing email in M365/Exchange Online.

I'm hoping to find an easy way to locate user accounts who are truly inactive in both our on-premise domain and Microsoft 365/Azure AD.


Hello Rick,

That is correct depending on the scope you select for report generation. If you select Everywhere, the report will contain all inactive users no matter if they are Azure AD or on-premises AD ones.


Thank you for your assistance. So for our purposes, it sounds like to accomplish what we're looking for, we will need to run the report separately against our on-premise domain and our Azure AD domain, then manually compare the results looking for user accounts that show up in both. A potential item for a future report enhancement.


Hello Rick,

Sorry for the confusion, but we are not sure what exactly you mean. As we mentioned in the above post, you can use Everywhere as the report scope and obtain all inactive users, Azure AD and on-premises AD ones. In the report itself, you can group the users (e.g. by the directory type) for your convenience.


I guess a different way of putting it is I'm interested in the users who are considered inactive in both domains. For my purposes, an Azure AD synchronized user who is inactive in our on-prem domain but not inactive in Azure AD isn't really inactive. If I were to disable their account in our on-prem domain, because of the synchronization, it will disable their account in Azure AD as well.

I see now that if I use Everywhere as the report scope and have also turned on "Display objects synchronized with on-prem domains managed by Adaxes" in the Properties of the Azure AD domain, the synchronized users who are truly inactive (meaning they are inactive on-prem and Azure AD) will appear twice in the report - once for the on-prem user object and once for Azure AD user object. Those are the ones I'm trying to identify. It just means I will need to manually review and find all of the user accounts listed twice in the report.

It would be great if there was a way to just get a single list of user accounts where the last logon time for both on-prem AD user object and Azure AD synchronized user object is greater than X days.


Hello Rick,

Thank you for clarifying. In case the Entra (formerly Azure AD) domain is registered in Adaxes, such a report can be generated using a script. For details on writing scripts for report generation, see https://adaxes.com/sdk/GeneratingReports. If you face issues writing the script yourself, please specify whether accounts that have last logon unspecified should also be considered inactive.
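The answer above points to a script rather than a built-in report, and the earlier comment describes the goal precisely: one list of synchronized users whose last logon is older than X days in both the on-prem domain and Entra ID, rather than a combined report in which such users appear twice. The PowerShell below is an added example, not part of the original thread and not Adaxes or Adaxes SDK code; it does the same join with the RSAT ActiveDirectory module and the Microsoft Graph PowerShell SDK. It assumes Azure AD Connect uses objectGUID as the source anchor (so onPremisesImmutableId is the base64 form of the on-prem objectGUID), a Graph session with User.Read.All and AuditLog.Read.All (reading signInActivity also needs an Entra ID P1 licence), and it exposes the "never logged on" question from the answer as a switch rather than deciding it for you.

```powershell
# Added example (not Adaxes code): list synchronized users that are inactive
# in BOTH on-prem AD and Entra ID, instead of a union report that lists them twice.
# Assumptions: RSAT ActiveDirectory and Microsoft.Graph.Users modules installed;
# Azure AD Connect source anchor is objectGUID; Graph session has
# User.Read.All + AuditLog.Read.All (signInActivity requires Entra ID P1).
param(
    [int]$InactiveDays = 90,
    # Whether an object with no recorded logon at all counts as inactive
    # (the question the answer above raises). Off by default: new accounts
    # have no logon yet and are not "truly inactive".
    [switch]$TreatNeverLoggedOnAsInactive
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$cutoff = (Get-Date).AddDays(-$InactiveDays)

function Test-Inactive {
    param([Nullable[datetime]]$LastLogon)
    if ($null -eq $LastLogon) { return [bool]$TreatNeverLoggedOnAsInactive }
    return $LastLogon -lt $cutoff
}

# 1. On-prem side. lastLogonTimestamp is replicated to every DC, but it is only
#    refreshed when the stored value is more than ~14 days old, so it can lag
#    the real last logon by up to that interval. That is acceptable for an
#    X-days-inactive report but would not be for a precise audit.
$onPrem = @{}
Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, objectGUID |
    ForEach-Object {
        $last = if ($_.lastLogonTimestamp) {
            [datetime]::FromFileTime($_.lastLogonTimestamp)
        } else { $null }
        # Same encoding Azure AD Connect uses for the immutable ID (objectGUID anchor).
        $key = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
        $onPrem[$key] = [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogon      = $last
        }
    }

# 2. Cloud side. signInActivity covers interactive AND non-interactive sign-ins,
#    which is what catches the "reads mail on a phone, never logs on locally" case
#    described in the comments above.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
$cloudUsers = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property Id, UserPrincipalName, OnPremisesImmutableId, SignInActivity

# 3. Join on the immutable ID and keep only users inactive on both sides.
$results = foreach ($u in $cloudUsers) {
    if (-not $u.OnPremisesImmutableId) { continue }
    $local = $onPrem[$u.OnPremisesImmutableId]
    # Synced object with no enabled on-prem match (e.g. already disabled locally):
    # not "truly inactive" in the sense of this report, so skip it.
    if (-not $local) { continue }

    $sia = $u.SignInActivity
    $cloudLast = @($sia.LastSignInDateTime, $sia.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    if ((Test-Inactive $local.LastLogon) -and (Test-Inactive $cloudLast)) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            SamAccountName    = $local.SamAccountName
            OnPremLastLogon   = $local.LastLogon
            CloudLastSignIn   = $cloudLast
        }
    }
}

$results | Sort-Object OnPremLastLogon | Format-Table -AutoSize
```

Run it as `.\Get-TrulyInactiveUsers.ps1 -InactiveDays 90` (hypothetical file name), adding `-TreatNeverLoggedOnAsInactive` if accounts with no logon in either directory should be listed as well. Two caveats before acting on the output: the on-prem value can be up to about two weeks stale for the reason given in the comment, so pick X with that margin in mind; and if your tenant uses ms-DS-ConsistencyGuid rather than objectGUID as the source anchor, build the on-prem key from that attribute instead, or the join will silently return nothing.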
