
Fetch & Mail M365 Disabled Users Report Using PowerShell

Disabled accounts in Microsoft 365 can pose security and compliance risks if not monitored properly. Administrators often need a clear view of all disabled users—both members and guests—for audits or governance checks. With Microsoft Graph PowerShell, you can easily automate this process and have the report delivered directly to your inbox.

Below is a script that retrieves all disabled users, exports them to CSV, and emails the report to the administrator.


i) Script



    # Connect to Microsoft Graph
    Connect-MgGraph -Scopes "User.Read.All","Mail.Send"

    # ---------------------------------------------
    # 1) Fetch all disabled users (Members + Guests)
    # ---------------------------------------------
    $DisabledUsers = Get-MgUser -All `
    -Filter "accountEnabled eq false" `
    -Property Id, DisplayName, UserPrincipalName, Mail, AccountEnabled, UserType

    # ---------------------------------------------
    # 2) Shape the data for export
    # ---------------------------------------------
    $ReportRows = $DisabledUsers | Select-Object `
    DisplayName,
    UserPrincipalName,
    Mail,
    UserType,
    AccountEnabled

    # ---------------------------------------------
    # 3) Export to CSV
    # ---------------------------------------------
    $ReportPath = "$env:TEMP\DisabledUsers.csv"
    $ReportRows | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

    # ---------------------------------------------
    # 4) Email the report to the administrator
    # ---------------------------------------------
    $AdminUPN = "admin@yourtenant.onmicrosoft.com"   # <-- Replace with your admin mailbox
    $Subject = "Disabled Users Report - $(Get-Date -Format 'yyyy-MM-dd')"
    $Body = @"
    Hello Admin,

    Please find attached the latest list of disabled users in the tenant (Members and Guests).

    Regards,
    Graph PowerShell Script
    "@

    # Read and attach the CSV as a fileAttachment
    $AttachmentContent = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($ReportPath))
    $Attachments = @(
        @{
            "@odata.type" = "#microsoft.graph.fileAttachment"
            Name          = "DisabledUsers.csv"
            ContentBytes  = $AttachmentContent
        }
    )

    # Build the message payload (BodyParameter)
    $Message = @{
        Message = @{
            Subject = $Subject
            Body = @{
                ContentType = "HTML"
                Content     = $Body
            }
            ToRecipients = @(
                @{ EmailAddress = @{ Address = $AdminUPN } }
            )
            Attachments = $Attachments
        }
        SaveToSentItems = "true"
    }

    # Send the email
    Send-MgUserMail -UserId $AdminUPN -BodyParameter $Message

    Write-Host "Disabled users report emailed successfully to $AdminUPN"

ii) How the Script Works

  1. Connect to Graph – The script begins by connecting to Microsoft Graph with User.Read.All (to fetch user details) and Mail.Send (to send emails).
  2. Query Disabled Users – It applies a filter accountEnabled eq false on Get-MgUser to pull both Members and Guests that are disabled.
  3. Prepare Report Data – Key fields like DisplayName, UserPrincipalName, Mail, UserType, and AccountEnabled are shaped into a report object.
  4. Export to CSV – The report is written to a CSV file in the temp directory referenced by $env:TEMP.
  5. Send Email – The CSV file is attached to an HTML-based email and sent to the specified administrator mailbox with Send-MgUserMail.

This way, administrators get a quick and complete view of disabled accounts in their tenant.


iii) Further Enhancements

  • Filter by User Type – Limit results to only Members (userType eq 'Member') or only Guests.
  • Add More Properties – Include details like department, job title, or last sign-in date for richer reporting.
  • Automated Scheduling – Run the script on a schedule (Task Scheduler, Azure Automation, or Intune) for periodic reporting.
  • Centralized Storage – Store the CSV in OneDrive, SharePoint, or a shared mailbox instead of emailing it.
  • HTML Reports – Format the data as an HTML table in the email body instead of using an attachment.
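
The following is an added example, not part of the original script, that combines three of the enhancements above: it limits the report to disabled Members, adds Department and JobTitle, and sends the rows as an HTML table in the message body instead of an attachment. It assumes the same scopes and the same placeholder admin mailbox as the script in section i.

```powershell
# Added example (not the original author's code).
# Assumes the Microsoft.Graph module is installed and $AdminUPN is mailbox-enabled.
Connect-MgGraph -Scopes "User.Read.All","Mail.Send"

$AdminUPN = "admin@yourtenant.onmicrosoft.com"   # placeholder, replace with your admin mailbox
$Today    = Get-Date -Format 'yyyy-MM-dd'

# Disabled Members only, with two extra properties for context
$DisabledMembers = Get-MgUser -All `
    -Filter "accountEnabled eq false and userType eq 'Member'" `
    -Property DisplayName, UserPrincipalName, Mail, Department, JobTitle

$Rows = @($DisabledMembers |
    Sort-Object DisplayName |
    Select-Object DisplayName, UserPrincipalName, Mail, Department, JobTitle)

# Nothing to report: skip the email rather than send an empty table
if ($Rows.Count -eq 0) {
    Write-Host "No disabled Member accounts found; no email sent."
    return
}

# ConvertTo-Html HTML-encodes property values, so markup placed in a
# display name is shown as text instead of being rendered by the mail client.
$Table = ($Rows | ConvertTo-Html -Fragment) -join "`n"

$Html = @"
<p>Disabled Member accounts as of ${Today}: $($Rows.Count)</p>
$Table
"@

$Message = @{
    Message = @{
        Subject      = "Disabled Members Report - $Today"
        Body         = @{ ContentType = "HTML"; Content = $Html }
        ToRecipients = @( @{ EmailAddress = @{ Address = $AdminUPN } } )
    }
    SaveToSentItems = $true
}

Send-MgUserMail -UserId $AdminUPN -BodyParameter $Message
Write-Host "Emailed $($Rows.Count) disabled Member account(s) to $AdminUPN"
```

Because no CSV is written, this variant leaves no copy of the user list in `$env:TEMP`.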

iv) Possible Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| Insufficient privileges to complete the operation | The account lacks proper Graph API scopes. | Run Connect-MgGraph with User.Read.All and Mail.Send and ensure consent is granted. |
| Send-MgUserMail : Resource not found | $AdminUPN is not a valid mailbox-enabled user. | Replace $AdminUPN with a valid administrator’s email. |
| CSV File Empty | No disabled users exist in the tenant. | This is expected behavior; the script will still send a CSV, but with no rows. |
| File Attachment Missing | File was not generated or could not be read. | Verify $ReportPath exists and that the script has permission to read/write to $env:TEMP. |

v) Conclusion

This script is a practical and efficient way for administrators to track disabled accounts across their Microsoft 365 tenant. By automating the export and delivery via email, it eliminates manual checks and ensures consistent visibility into user account status.

With a few enhancements like filtering, scheduling, or richer reporting, this script can become a powerful part of your security and compliance workflow.

