Identify Microsoft 365 Guest Users Who Haven’t Signed In

Monitoring guest access is essential for maintaining a secure and efficient Microsoft 365 environment. This Graph PowerShell script helps you identify all guest users who have never signed in, making it easier to clean up unused accounts and maintain tenant hygiene.


The Script

# Connect to Microsoft Graph with necessary scopes
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Get all guest users with SignInActivity
$guestUsers = Get-MgUser -All `
    -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, UserPrincipalName, SignInActivity `
    -ConsistencyLevel eventual

# Filter users who never signed in
# @() forces an array so .Count is reliable for zero or one result
$neverSignedInGuests = @($guestUsers | Where-Object { !$_.SignInActivity.LastSignInDateTime })

# Display output
if ($neverSignedInGuests.Count -eq 0) {
    Write-Host "All guest users have signed in at least once." -ForegroundColor Green
} else {
    $neverSignedInGuests | Select-Object `
        @{Name="Display Name"; Expression={ $_.DisplayName }},
        @{Name="User Principal Name"; Expression={ $_.UserPrincipalName }},
        @{Name="Sign-In Status"; Expression={ "Never Signed In" }} |
        Format-Table -AutoSize
}


How the Script Works

  1. Connects to the Graph API using the necessary delegated permissions.
  2. Retrieves all guest users (userType eq 'Guest') using the Get-MgUser cmdlet.
  3. Requests the SignInActivity property through -Property so that sign-in data is returned with each user.
  4. Selects the guest accounts whose LastSignInDateTime is null, meaning they have never logged in.
  5. Displays the results in a table showing Display Name, UPN, and Sign-In Status.

Further Enhancements

Here are some ways to build upon this script:

  • Export the results to CSV for offline review or automation:
      $neverSignedInGuests | Select DisplayName, UserPrincipalName | Export-Csv "NeverSignedInGuests.csv" -NoTypeInformation
  • Add sign-in date for those who have logged in, if needed for full activity audit.
  • Add filtering based on account creation date to avoid false positives from recently invited users.
  • Automatically disable or remove guests who have never logged in after a certain threshold.
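
The creation-date filter suggested above, as an added example that is not part of the original script: Get-StaleGuest and the sample objects are hypothetical, constructed for illustration. It keeps only guests with no interactive or non-interactive sign-in whose account is older than a threshold, so freshly invited users are not flagged.

```powershell
# Added example. Get-StaleGuest and the sample objects are hypothetical, constructed names/data.
function Get-StaleGuest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Guest,
        [int] $MinAgeDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $activity = $Guest.SignInActivity
        # Any interactive or non-interactive sign-in on record means the account is in use.
        if ($activity.LastSignInDateTime -or $activity.LastNonInteractiveSignInDateTime) { return }
        # Age the account; a missing creation date is reported rather than silently skipped.
        $ageDays = $null
        if ($Guest.CreatedDateTime) {
            $ageDays = [int][math]::Floor(($Now - $Guest.CreatedDateTime).TotalDays)
            if ($ageDays -lt $MinAgeDays) { return }   # recently invited: not stale yet
        }
        [pscustomobject]@{
            Id                = $Guest.Id
            UserPrincipalName = $Guest.UserPrincipalName
            InvitationState   = $Guest.ExternalUserState
            AgeDays           = $ageDays
        }
    }
}

# Constructed sample input shaped like Get-MgUser output (no tenant required).
$now = [datetime]'2025-06-01'
$sample = @(
    [pscustomobject]@{ Id = 'a1'; UserPrincipalName = 'old.invite_example.com#EXT#@contoso.onmicrosoft.com'
        CreatedDateTime = [datetime]'2025-01-10'; ExternalUserState = 'PendingAcceptance'; SignInActivity = $null }
    [pscustomobject]@{ Id = 'b2'; UserPrincipalName = 'new.invite_example.com#EXT#@contoso.onmicrosoft.com'
        CreatedDateTime = [datetime]'2025-05-25'; ExternalUserState = 'PendingAcceptance'; SignInActivity = $null }
    [pscustomobject]@{ Id = 'c3'; UserPrincipalName = 'token.only_example.com#EXT#@contoso.onmicrosoft.com'
        CreatedDateTime = [datetime]'2024-11-02'; ExternalUserState = 'Accepted'
        SignInActivity  = [pscustomobject]@{ LastSignInDateTime = $null
            LastNonInteractiveSignInDateTime = [datetime]'2025-05-30' } }
)
$stale = @($sample | Get-StaleGuest -MinAgeDays 30 -Now $now)
$stale | Format-Table -AutoSize

# Against a live tenant, feed the function from Get-MgUser and review before acting:
#   Get-MgUser -All -Filter "userType eq 'Guest'" -ConsistencyLevel eventual `
#     -Property Id, UserPrincipalName, CreatedDateTime, ExternalUserState, SignInActivity |
#     Get-StaleGuest -MinAgeDays 30 | Export-Csv "StaleGuests.csv" -NoTypeInformation
# Dry run of the disable step for each reviewed row:
#   Update-MgUser -UserId $_.Id -AccountEnabled:$false -WhatIf
```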

Possible Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| Get-MgUser : Insufficient privileges | Missing API permissions | Ensure Graph scopes include User.Read.All, Directory.Read.All, and AuditLog.Read.All. Use Connect-MgGraph -Scopes with the correct permissions. |
| SignInActivity property is null | Incomplete property selection or outdated API version | Make sure -Property SignInActivity is explicitly passed and that your Graph SDK is updated. |
| No users returned | No guest users present or filter syntax error | Double-check the filter syntax and ensure guests exist in your tenant. |

Conclusion

Regularly identifying and reviewing guest users who haven’t signed in is critical for tenant security, auditing, and directory hygiene. Using this Graph PowerShell script, admins can quickly zero in on unused guest accounts and take corrective actions like revoking access or initiating follow-up.

Keeping your environment clean helps minimize risk, simplify user management, and optimize productivity.

