Split into two versions as mentioned

pkbullock · pkbullock · commit eac89711ff56 · 2025-12-29T11:03:46.000Z
diff --git a/scripts/get-disabled-or-inactive-user-accounts/README.md b/scripts/get-disabled-or-inactive-user-accounts/README.md
@@ -21,7 +21,7 @@ The purpose of this script is to support Microsoft 365 governance by identifying
 - Supporting periodic access reviews and governance audits
 - Preparing for offboarding or tenant cleanup initiatives
 
-# [PnP PowerShell](#tab/pnpps)
+# [PnP PowerShell V2](#tab/pnppsv2)
 
 ```powershell
 
@@ -150,6 +150,99 @@ $results |
 
 ```
 [!INCLUDE [More about PnP PowerShell](../../docfx/includes/MORE-PNPPS.md)]
+
+# [PnP PowerShell](#tab/pnpps)
+
+In order to keep your tenant clean (Governance), you might want to ensure that disabled or inactive user accounts will be replaced where oppropriate (Think Owners of sites/groups, assignedto user on tasks/planner and so on). This script will help you find those accounts.
+
+```powershell
+
+function Get-UserFromGraph 
+{
+    $disabledusersfromgraph = @()
+    $result = Invoke-PnPGraphMethod -Url "users?`$select=displayName,mail, AccountEnabled" -Connection $conn
+
+    $result.value.Count
+    foreach($account in $result.value)
+    {
+        if($account.accountEnabled -eq $false)
+        {
+            $disabledusersfromgraph += $account.mail
+        }
+    }
+    $disabledusersfromgraph
+}
+function Get-UserFromSharePointSearch 
+{
+    $usersfromsearch = @()
+    #How you tag an account as disabled varies from org to org, so you might need to change the below
+    #in one tenant the account name was prefixed with ZZ_[Year of leaving]
+    #in another tenant they had a custom property called EmployeeStatus, and sometimes a DateLeft property
+    #SourceId "b09a7990-05ea-4af9-81ef-edfab16c4e31"  is the People source in SharePoint
+    $results = Invoke-PnPSearchQuery -Query "*" -SourceId "b09a7990-05ea-4af9-81ef-edfab16c4e31" -All -Connection $conn    
+    
+    foreach($result in $results.ResultRows)
+    {
+        #you can replace this with whatever you use to tag an account as disabled
+        if($result["SPS-HideFromAddressLists"] -eq $true)
+        {
+            $usersfromsearch += $result["WorkEmail"]
+        }
+    }
+    $usersfromsearch
+}
+function Get-UserFromGraphThatHasntLoggedInResently($duration = 90) 
+{
+    $inactiveusersfromgraph = @()
+    $authToken = Get-PnPGraphAccessToken -Connection $conn
+    $uri = "https://graph.microsoft.com/v1.0/users"
+    $Headers = @{
+        "Authorization" = "Bearer $($authToken)"
+        "Content-type"  = "application/json"
+    }
+    $response = Invoke-RestMethod -Headers $Headers -Uri $uri -Method GET
+    foreach($user in $response.value)
+    {
+        # requires the AuditLog.Read.All permission
+        $signinsUri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1&$filter=userPrincipalName eq '$($user.userPrincipalName)')"
+        $response = Invoke-RestMethod -Headers $Headers -Uri $signinsUri -Method GET
+        
+        if($response.value.Count -eq 0)
+        {
+            #no signin found
+            $inactiveusersfromgraph += $user.userPrincipalName
+        }
+        else {
+            if($response.value[0].createdDateTime -lt (Get-Date).AddDays(-$duration))
+            {
+                #user has not signed in for 90 days
+                $inactiveusersfromgraph += $user.userPrincipalName
+                
+            }
+        }
+    }
+    $inactiveusersfromgraph
+}
+
+
+$ClientId = "clientid"
+$TenantName = "[domain].onmicrosoft.com"
+$SharePointAdminSiteURL = "https://[domain]-admin.sharepoint.com/"
+#connect to SharePoint using a certificate or similar
+$conn = Connect-PnPOnline -Url $SharePointAdminSiteURL -ClientId $ClientId -Tenant $TenantName -CertificatePath "C:\Users\[you]\[CertName].pfx" -CertificatePassword (ConvertTo-SecureString -AsPlainText -Force "ThePassWord") -ReturnConnection
+
+#get user data from graph and log those which are disabled
+$userd1 = Get-UserFromGraph
+$userd2 = Get-UserFromSharePointSearch
+$users3 = Get-UserFromGraphThatHasntLoggedInResently
+
+#output to csv file or use the data in some other way, like checking if the disabled users is a Owner of some site or group
+$userd1 | Export-Csv -Path "C:\temp\disabledusers.csv" -NoTypeInformation 
+
+```
+[!INCLUDE [More about PnP PowerShell](../../docfx/includes/MORE-PNPPS.md)]
+
+
 ***
 
 
