Fetch and Email Sign-In Disabled Users with Graph PowerShell

Monitoring sign-in disabled accounts is a critical part of Microsoft 365 administration. Accounts with sign-in disabled often belong to offboarded employees or suspended users, or reflect security-related actions. In this article, we’ll walk through a Graph PowerShell script that retrieves all sign-in disabled users from your tenant and emails the report to the administrator.


i) Script

Here’s the complete working script:

# ===== Simple Graph PowerShell Script =====
# Fetch all SIGN-IN DISABLED users and email the list to admin
# Requires: Microsoft.Graph module
# Scopes: User.Read.All, Mail.Send
                                
# --- Variables ---
$FromUser  = "admin@contoso.com"     # Sender (must have mailbox)
$To        = "it-ops@contoso.com"    # Recipient
$Subject   = "Sign-in Disabled users report"
$CsvOutDir = "$env:TEMP"
                                
# --- Connect to Microsoft Graph ---
Import-Module Microsoft.Graph -ErrorAction Stop
Connect-MgGraph -Scopes "User.Read.All","Mail.Send"
                                
# --- Build Filter: disabled member accounts only ---
$filter = "accountEnabled eq false and userType eq 'Member'"
                                
# --- Fetch Users ---
$selectProps = "id","displayName","userPrincipalName","jobTitle","department","accountEnabled","createdDateTime"
$users = Get-MgUser -All -Filter $filter -ConsistencyLevel eventual -Property $selectProps |
    Select-Object $selectProps
                                
# --- Export to CSV ---
if (-not (Test-Path -Path $CsvOutDir)) { New-Item -ItemType Directory -Path $CsvOutDir | Out-Null }
$ts = Get-Date -Format "yyyyMMdd_HHmmss"
$csvPath = Join-Path $CsvOutDir ("SignInDisabledUsers_{0}.csv" -f $ts)
$users | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
                                
# --- Prepare HTML Body ---
$summaryHtml = @"
<html>
  <body style='font-family:Segoe UI,Arial,sans-serif'>
    <h3>Sign-in Disabled Users Report</h3>
    <p>Total disabled users: <b>$($users.Count)</b></p>
    <p>The full list is attached as a CSV.</p>
  </body>
</html>
"@
                                
# --- Prepare Attachment ---
$fileBytes     = [System.IO.File]::ReadAllBytes($csvPath)
$base64Content = [System.Convert]::ToBase64String($fileBytes)
$csvFileName   = [System.IO.Path]::GetFileName($csvPath)
$attachment = @{
    "@odata.type" = "#microsoft.graph.fileAttachment"
    name          = $csvFileName
    contentBytes  = $base64Content
    contentType   = "text/csv"
}

# --- Prepare Mail Object ---
$mail = @{
    message = @{
        subject = "${Subject}"
        body    = @{
            contentType = "HTML"
            content     = $summaryHtml
        }
        toRecipients = @(@{ emailAddress = @{ address = $To } })
        attachments  = @($attachment)
    }
    saveToSentItems = $true
}

# --- Send Email ---
Send-MgUserMail -UserId $FromUser -BodyParameter $mail

Write-Host "Done. CSV saved at: $csvPath" -ForegroundColor Green
                            

ii) How the Script Works

  1. Connect to Microsoft Graph – Connects with delegated permissions User.Read.All (to fetch user details) and Mail.Send (to send the report).
  2. Filter Sign-In Disabled Users – Uses accountEnabled eq false and userType eq 'Member'.
  3. Retrieve User Properties – Selects key details like DisplayName, UPN, Department.
  4. Export to CSV – Exports results into a timestamped CSV file.
  5. Prepare Email – Creates a summary HTML body and attaches the CSV.
  6. Send Email – Uses Send-MgUserMail to deliver the report.

iii) Further Enhancements

  • Automate with Task Scheduler.
  • Add SignInActivity property for richer insights.
  • Send to multiple recipients/distribution lists.
  • Embed a table of results directly in the email body.
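
The "embed a table of results" enhancement, sketched as an added example that is not part of the original script: directory values such as displayName are HTML-encoded before they go into the mail body, so they render as text rather than markup. The function name ConvertTo-ReportTable and the sample rows are assumptions made for illustration.

```powershell
# Added example (not from the original script). ConvertTo-ReportTable is a
# hypothetical helper name; it turns user objects into an HTML table.
function ConvertTo-ReportTable {
    param(
        [object[]] $Users = @(),
        [string[]] $Columns = @("displayName", "userPrincipalName", "department", "jobTitle")
    )

    # Header cells come from the column names.
    $head = ($Columns | ForEach-Object {
        "<th align='left'>$([System.Net.WebUtility]::HtmlEncode($_))</th>"
    }) -join ""

    # One row per user; every value is encoded because directory attributes
    # are data, not trusted markup. Missing values become empty cells.
    $rows = foreach ($u in $Users) {
        $cells = foreach ($c in $Columns) {
            "<td>$([System.Net.WebUtility]::HtmlEncode([string]$u.$c))</td>"
        }
        "<tr>$($cells -join '')</tr>"
    }

    # Edge case: no disabled users still yields a well-formed table.
    if (-not $rows) {
        $rows = "<tr><td colspan='$($Columns.Count)'>No sign-in disabled users found.</td></tr>"
    }

    "<table border='1' cellpadding='4' style='border-collapse:collapse'>" +
        "<tr>$head</tr>$($rows -join '')</table>"
}

# Constructed sample rows (not real tenant data). The second displayName
# contains markup characters to show that they are neutralised.
$sample = @(
    [pscustomobject]@{ displayName = "Adele Vance"; userPrincipalName = "adelev@contoso.com"
                       department = "Retail"; jobTitle = "Manager" }
    [pscustomobject]@{ displayName = "Contoso <b>R&D</b> svc"; userPrincipalName = "rnd@contoso.com"
                       department = $null; jobTitle = $null }
)

$tableHtml = ConvertTo-ReportTable -Users $sample
$tableHtml   # second row shows &lt;b&gt;R&amp;D&lt;/b&gt; instead of bold text

# In the script above, call it with @($users) and place the result inside
# the $summaryHtml here-string as $tableHtml.
```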

iv) Use Cases

  • Security monitoring of disabled accounts.
  • HR offboarding reports.
  • Audit compliance.
  • License optimization (reclaim licenses).

v) Possible Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| “Insufficient privileges to complete the operation.” | Missing Graph API permissions. | Ensure User.Read.All and Mail.Send scopes are granted during Connect-MgGraph. |
| “Send-MgUserMail : The specified user does not have a mailbox.” | $FromUser does not have an Exchange Online mailbox. | Use a licensed mailbox-enabled account for $FromUser. |
| CSV file not created. | Invalid $CsvOutDir path. | Verify $CsvOutDir exists or specify a valid folder path. |

Conclusion

This Graph PowerShell script provides administrators with a fast, automated way to fetch all sign-in disabled users and deliver the report via email. It enhances visibility into suspended or offboarded accounts, improves audit readiness, and helps optimize license usage. With small tweaks like scheduling or embedding sign-in activity, this script can become an essential part of your Microsoft 365 administration toolkit.


© m365corner.com. All Rights Reserved. Design by HTML Codex