How to Detect Inactive Microsoft 365 Guest Users Using Graph PowerShell

Guest users are essential for collaboration in Microsoft 365, but over time, many external accounts become inactive and forgotten.

These stale guest accounts can:

  • Increase security risks
  • Complicate access reviews
  • Violate compliance policies
  • Expand your attack surface unnecessarily

👉 In this guide, you’ll learn how to detect inactive Microsoft 365 guest users using Graph PowerShell, export reports, and improve your Entra ID hygiene.

What You’ll Learn

By the end of this article, you’ll be able to:

  • Retrieve all Microsoft 365 guest users
  • Detect inactive guest accounts
  • Identify guests inactive for 30/60/90+ days
  • Export guest inactivity reports to CSV
  • Understand licensing limitations for sign-in data

Prerequisites

Install Microsoft Graph PowerShell

Install-Module Microsoft.Graph -Scope CurrentUser

Required Permissions

The following permissions are required:

  • User.Read.All
  • AuditLog.Read.All
  • Directory.Read.All

Admin consent may be required.

Licensing Requirement

This script relies on the signInActivity property to determine inactivity.

Availability of signInActivity

The signInActivity property is available only in:

✅ Supported Licenses

  • Microsoft Entra ID P1
  • Microsoft Entra ID P2
  • Microsoft 365 E5

❌ Limited or Unavailable In

  • Microsoft 365 Business plans
  • Microsoft 365 E3 without Entra ID P1/P2
  • Free Entra ID tenants

⚠️ Important Notes

  • Guest sign-in data may take time to populate
  • Newly invited guests may show blank activity
  • Some inactive accounts may never have signed in

Connect to Microsoft Graph

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All"

Script 1: Retrieve All Guest Users

Get-MgUser -Filter "userType eq 'Guest'" -All |
Select-Object DisplayName, UserPrincipalName
                                        

Script 2: Detect Inactive Guest Users (90 Days)

This script identifies guest users who haven’t signed in for the last 90 days.


# Define inactivity threshold
$DaysInactive = 90
$ThresholdDate = (Get-Date).AddDays(-$DaysInactive)

# Retrieve guest users with sign-in activity
$Guests = Get-MgUser -Filter "userType eq 'Guest'" -Property `
DisplayName,
UserPrincipalName,
SignInActivity -All

# Find inactive guests
$InactiveGuests = $Guests | Where-Object {    
  $_.SignInActivity.LastSuccessfulSignInDateTime -lt $ThresholdDate
}

# Display results
$InactiveGuests | Select-Object `
DisplayName,
UserPrincipalName,
@{Name="LastSignIn";Expression={$_.SignInActivity.LastSuccessfulSignInDateTime}}

Sample Output

DisplayName     UserPrincipalName           LastSignIn
John Vendor     john_vendor@gmail.com       2025-11-10
HR Consultant   hrconsultant@external.com   2025-10-01

Script 3: Export Inactive Guest Users to CSV

Admins often need reports for:

  • governance reviews
  • audits
  • security assessments

$InactiveGuests | Select-Object `
DisplayName,
UserPrincipalName,
@{Name="LastSignIn";Expression={$_.SignInActivity.LastSuccessfulSignInDateTime}} |
Export-Csv "Inactive_Guest_Users_Report.csv" -NoTypeInformation

Write-Host "✅ Report exported successfully!"

Script 4: Find Guests Who Never Signed In

This is extremely useful for identifying:

  • abandoned invitations
  • unused guest accounts

$NeverSignedIn = $Guests | Where-Object {
   -not $_.SignInActivity.LastSuccessfulSignInDateTime
}

$NeverSignedIn | Select-Object `
DisplayName,
UserPrincipalName
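
The 30/60/90+ day breakdown listed under "What You'll Learn", combined with the never-signed-in check from Script 4, as an added example that is not part of the original article. The function name, the -GraceDays parameter with its 14-day default, and the sample guests are assumptions; the function reads CreatedDateTime and ExternalUserState so that a guest with a blank sign-in date is reported as a new invitation or as never signed in.

```powershell
# Added example, not from the article: names, -GraceDays and sample data are assumptions.
function Get-GuestInactivityReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Guest,
        [datetime] $Now = (Get-Date),
        [int] $GraceDays = 14   # assumed window in which a fresh invitation is left alone
    )
    process {
        $last = $Guest.SignInActivity.LastSuccessfulSignInDateTime
        # Account age is the only clock available when no sign-in was recorded.
        $age  = if ($Guest.CreatedDateTime) { [math]::Floor(($Now - $Guest.CreatedDateTime).TotalDays) }
        $idle = if ($last) { [math]::Floor(($Now - $last).TotalDays) }

        # A blank sign-in date is classified explicitly, not compared to a cutoff.
        $bucket = if (-not $last) {
            if ($null -ne $age -and $age -lt $GraceDays) { 'New invitation' } else { 'Never signed in' }
        } elseif ($idle -ge 90) { '90+ days'
        } elseif ($idle -ge 60) { '60-89 days'
        } elseif ($idle -ge 30) { '30-59 days'
        } else { 'Active' }

        [pscustomobject]@{
            UserPrincipalName = $Guest.UserPrincipalName
            InviteState       = $Guest.ExternalUserState
            LastSignIn        = $last
            DaysIdle          = $idle
            AccountAgeDays    = $age
            Bucket            = $bucket
        }
    }
}

# Constructed sample objects shaped like Get-MgUser output (not real accounts).
function New-SampleGuest($Upn, $Created, $State, $LastSignIn) {
    [pscustomobject]@{
        UserPrincipalName = $Upn; CreatedDateTime = [datetime]$Created; ExternalUserState = $State
        SignInActivity    = [pscustomobject]@{ LastSuccessfulSignInDateTime = $LastSignIn }
    }
}
$sample = @(
    New-SampleGuest 'vendor.a@example.com'     '2024-03-01' 'Accepted'          ([datetime]'2025-10-01')
    New-SampleGuest 'consultant.b@example.com' '2024-06-15' 'Accepted'          ([datetime]'2025-11-25')
    New-SampleGuest 'partner.c@example.com'    '2025-02-01' 'Accepted'          ([datetime]'2025-12-20')
    New-SampleGuest 'auditor.d@example.com'    '2025-09-01' 'Accepted'          ([datetime]'2026-01-25')
    New-SampleGuest 'old.invite@example.com'   '2025-01-10' 'PendingAcceptance' $null
    New-SampleGuest 'new.invite@example.com'   '2026-01-28' 'PendingAcceptance' $null
)
$sample | Get-GuestInactivityReport -Now ([datetime]'2026-02-01') |
    Where-Object Bucket -ne 'Active' | Sort-Object Bucket |
    Format-Table UserPrincipalName, InviteState, DaysIdle, AccountAgeDays, Bucket
```

Against a live tenant, pipe the Get-MgUser output into the function and add CreatedDateTime and ExternalUserState to the -Property list, since Graph returns neither by default.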

Real-World Use Cases

  1. Reduce Attack Surface

    Old guest accounts are common targets for attackers.

    👉 Removing inactive accounts improves security posture.

  2. Governance & Compliance

    Many organizations require:

    • periodic guest reviews
    • access recertification

    This script helps identify stale accounts quickly.

  3. Vendor Lifecycle Management

    Consultants and vendors often retain access long after projects end.

    👉 Detect and clean up outdated access.

  4. License & Directory Hygiene

    Too many inactive guest users:

    • clutter Entra ID
    • complicate audits
    • increase administrative overhead

Enhancements

  • Automate Weekly Reporting

    powershell.exe -File "InactiveGuestUsers.ps1"

    Use Task Scheduler to automate execution.

  • Alert on Highly Inactive Guests

    $CriticalGuests = $InactiveGuests | Where-Object {
        $_.SignInActivity.LastSuccessfulSignInDateTime -lt (Get-Date).AddDays(-180)
    }

    if ($CriticalGuests) {
        Write-Host "⚠️ Guests inactive for 180+ days detected!"
    }

  • Build Power BI Dashboard

    Visualize:

    • inactive guests
    • last sign-in trends
    • external collaboration activity

Cmdlet Tips

  • Use -All carefully in large environments
  • Always validate licensing before troubleshooting
  • Guest accounts without sign-ins are common
  • Export reports regularly for governance reviews

Common Errors & Solutions

Error: signInActivity property is empty
Cause:
  • Missing Entra ID P1/P2 license
  • User never signed in
Solution:
  • Verify licensing
  • Check if guest accepted invitation

Error: Insufficient privileges
Cause: Insufficient privileges to complete the operation
Solution: Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All"
Admin consent may be required.

Error: Property signInActivity not found
Cause: Missing property retrieval.
Solution: Ensure -Property SignInActivity is included in Get-MgUser.

Error: Slow performance in large tenants
Cause: Retrieving all guest users.
Solution: Filter properties and export results incrementally.

Use Cases Summary

Scenario            Benefit
Security cleanup    Reduce attack surface
Compliance audits   Identify stale access
Vendor governance   Remove unused external accounts
Directory hygiene   Clean Entra ID environment

Conclusion

Inactive guest accounts are one of the most overlooked security risks in Microsoft 365 environments.

Using Graph PowerShell, you can:

  • detect stale guest users
  • identify accounts that never signed in
  • export actionable reports

👉 Regular guest user reviews should be part of every Microsoft 365 governance strategy.
