Keeping track of guest user activity in your Microsoft 365 tenant is essential for security and access management. Knowing the last time a guest user logged in helps identify inactive accounts and potential security risks. While Microsoft 365 doesn’t offer a direct way to export guest users’ last login times, we have developed a user-friendly PowerShell script.
But before diving into the script, firstly let’s explore the existing native methods available that can be employed to identify the last logon time of guest users.
How to Identify Microsoft 365 Guest Users’ Last Logon Time?
Here are some ways to check guest users’ last logon time in Microsoft 365.
Microsoft Entra Admin Center – Sign in to the Microsoft Entra admin center and navigate to Identity –> Monitoring & Health –> Sign-in logs. Now, click on ‘Add filters’ and choose User type filter. Then, you select Guest to retrieve guest users’ login history. But you won’t be able to find the direct last login times of guest users. Also beware, Entra ID sign-in logs only retain data for the last 30 days.
Unified Audit Logs – The Unified Audit Log, accessible through ‘Search-UnifiedAuditLog,’ offers Microsoft 365 users’ login history for the past 90 days. Yet, sorting through all those audit records to identify guest users’ last logon time can be a bit of a chore.
Graph PowerShell – To check Office 365 guest users’ last login time using MS Graph PowerShell, execute the following cmdlet. Before that, make sure to connect to the Microsoft Graph PowerShell.
1 |
Get-MgUser -All -Filter "UserType eq 'Guest'" -Property SignInActivity | Select-Object userprincipalname -ExpandProperty SignInActivity | Format-List |
With the help of the Get-MgUser cmdlet, you can retrieve the last logon time of Microsoft 365 guest users. And, if you want to explore quick approaches to administering guest users within Microsoft 365, check out the blog on managing Microsoft 365 guest users’ using PowerShell.
While PowerShell simplifies retrieving guest users’ last logon time, calculating inactive days demands additional processing, which can be quite time-consuming.
To lighten the workload of Microsoft 365 admins, we have crafted a PowerShell script that exports Microsoft 365 guest users’ last logon time in seconds!
Download Script: M365GuestsLastLoginTimeReport
Script Highlights:
- The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
- The script can be executed with MFA enabled account too.
- Helps to generate reports based on inactive days.
- Provide details about interactive/non-interactive sign-ins.
- Results can be filtered to lists never logged in guests alone.
- Generates report for sign-in enabled users alone.
- Exports report results as a CSV file.
- Supports filtering licensed users alone.
- The script is scheduler friendly.
- It can be executed with certificate-based authentication (CBA) too.
Microsoft 365 Guest Users’ Last Logon Time Report – Sample Output
The script exports Microsoft 365 guest users’ last logon time to CSV with the following attributes:
- User Principal Name
- Creation Date
- Last Interactive SignIn Date
- Last Non-Interactive SignIn Date
- Inactive days based on Interactive SignIn
- Inactive days based on Non-Interactive SignIn
- Refresh Token Valid From
- Last Successful Sign-in Time
- License Details
- Account Status
- Department
- Job Title
The exported Microsoft 365 guest users’ last login time report looks like the screenshot below.
Microsoft 365 Guest Users’ Last Logon Report – Script Execution Steps:
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: You can run the script with MFA and non-MFA accounts.
1 |
./M365GuestsLastLoginTimeReport.ps1 |
The example provided enables you to export guest users’ last logon time into CSV file.
Method 2: You also have the option to run the script using certificate-based authentication, which is scheduler-friendly. When you want to run the script unattended, you can choose this method.
To use certificates, you must register the app in Microsoft Entra and connect to MS Graph using certificate.
1 |
./M365GuestsLastLoginTimeReport.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <Certthumbprint> |
Note – Depending on your requirements, you can create a self-signed certificate. Before employing certificate-based authentication, it is crucial to register an application in Azure AD.
Get the Most Out of the Microsoft 365 Guest Users’ Last Logon Script
The script provides some built-in filtering parameters according to your needs, and its use cases are listed below.
- Get all M365 guest users’ last logon time
- Find M365 inactive guest users’ last logon time
- Export M365 guest users’ last logon time based on non-interactive sign-ins
- Track licensed guest users and their last login time
- View last logon time for sign-in enabled/disabled guest users
- Export never-logged-in guest users using PowerShell
- Schedule M365 guest users’ last logon time report
Get All M365 Guest Users’ Last Logon Time
To view all the Microsoft 365 guest users’ last logon time, run the script as follows.
1 |
./M365GuestsLastLoginTimeReport.ps1 |
The above code will export all the guest users’ last logon time in the organization. Likewise, it is crucial to retrieve overall users’ last logon time, thereby identifying Microsoft 365 inactive users in the organization.
For a comprehensive view of guest user sign-ins, including detailed information on their sign-in dates, locations, devices, browsers, and authentication details, you can utilize the M365 guest user sign-in report.
Find M365 Inactive Guest Users’ Last Logon Time
By identifying guest users who haven’t logged in for a long time, admins can mitigate security risks by promptly deactivating these accounts against unauthorized access. To identify guest users’ last logon time based on their period of inactivity, run the script and specify the number of inactive days using the –InactiveDays parameter.
1 |
./M365GuestsLastLoginTimeReport.ps1 -InactiveDays 90 |
The exported report contains a list of guest users’ last logon time who have been inactive for 90 days. Additionally, you have the flexibility to customize the number of days to generate an inactive guest user report, whether it’s for 30 days, 180 days, or any other specified period. Thus, admins can easily identify and remove inactive accounts in M365.
Export M365 Guest Users’ Last Login Time Based on Non-Interactive Sign-ins
Non-interactive sign-ins bypass direct user interaction by using tokens or codes for access. They’re handy for automated tasks and backend processes. When identifying guest users’ last logon time, it’s important to include their non-interactive sign-ins. To do this, run the script with the -InactiveDays_NonInteractive parameter followed by the desired number of inactive days.
1 |
./M365GuestsLastLoginTimeReport.ps1 -InactiveDays_NonInteractive 90 |
The exported report contains a list of guest users who have not performed non-interactive sign-ins for 90 days.
Track Licensed Guest Users and Their Last Logon Time
Discover licensed guest users who are currently inactive to effectively manage licenses with the organization. To retrieve guest users’ last logon time with licenses, execute the script along with the –LicensedUsersOnly switch parameter.
1 |
./M365GuestsLastLoginTimeReport.ps1 -LicensedUsersOnly |
The resulting report contains all the licensed guest users and their last logon times.
View Last Logon Time for Sign-in Enabled/Disabled Guest Users
In many organizations, disabling user accounts is a standard practice during Microsoft 365 employee offboarding to maintain security. So, tracking the last logon times for sign-in disabled guest accounts becomes unnecessary. To analyze only the last logon time for sign-in enabled guest users, run the script with the –EnabledUsersOnly switch parameter.
1 |
./M365GuestsLastLoginTimeReport.ps1 -EnabledUsersOnly |
This code will retrieve only the last logon activity of enabled guest accounts, so you don’t have to go through the disabled guest accounts.
In case you want to get the last logon activity of sign-in disabled guest users, run the script along with the –DisabledUsersOnly switch parameter. The disabled user cannot sign in or use the licensed services associated with their account.
1 |
./M365GuestsLastLoginTimeReport.ps1 -DisabledUsersOnly |
This exported report will contain the last logon activity of disabled guest accounts.
Export Never-Logged-In Guest Users Using PowerShell
To export the never-logged-in guest user report, run the script with –ReturnNeverLoggedInUser switch. Using this report, you can identify inactive guest user accounts within the organization.
1 |
./M365GuestsLastLoginTimeReport.ps1 -ReturnNeverLoggedInUser |
Note – By accessing the audit log, you can track the creators of user accounts that have never been logged in to identify and remove unused accounts.
Schedule M365 Guest Users’ Last Login Time Report
Our script is scheduler-friendly. It can be done through certificate-based authentication aka, app-only access. To run the script as scheduled task, you can use Windows Task Scheduler.
1 |
./M365GuestsLastLoginTimeReport.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <Certthumbprint> |
Admins can also schedule PowerShell scripts using Azure Automation to streamline repetitive tasks effectively.
Track Microsoft 365 Guest User Activities with AdminDroid Effortlessly
Dealing with guest users in Microsoft 365 can be a hassle, especially when you’re limited to PowerShell and the Azure Portal. But fear not! AdminDroid is here to make your life easier. With its user-friendly interface and robust features, AdminDroid simplifies the management of guest users, allowing you to streamline the entire process effortlessly.
Discover a comprehensive range of guest user reports offered by AdminDroid, empowering effective management and facilitating seamless collaboration:
Guest User Info Reports
- External Guest User
- Internal Guest User
- Recently Created/Deleted Guest Users
- SharePoint Guest Users
- Groups by External Users Count
Guest User Membership Reports
- Guest User Group Membership
- Channels/Private Channels with Guest Members
- Guest Members Added/Removed to SharePoint Groups
- Site Invitations Shared to Guest Users
Guest User Audit
- All External and Internal Guest User Logins
- Guest Users’ Last Logon Time
- Audit Guest Creation, Deletion, and Updation
- External Members Added/Removed from Groups
- Teams External Users Login Activities
- Users Signing into External Organizations
File/Folder/Page Activities by Guest Users
- Files Shared with Guest Users
- Files/Pages Access by Guest Users
- File/Folder Sharing by Guest Users in Teams
Guests Mailbox Permission Reports
- Guest Users with Access to Other Mailboxes
- Mailboxes Accessed by Guest Users
Apart from this, AdminDroid offers report boards, a big hub for all your reports, neatly organized into different categories like inactive users, admins, M365 usage, and external users. It’s super handy because admins can quickly grab a bunch of reports all at once. And if you’re specifically interested in Microsoft 365 guest users, there are over 30 reports just for them under the External Users category in the security section of the report board.
AdminDroid offers 120+ reports and dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The Free Azure AD Reporter edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting.
Additionally, AdminDroid provides 1800+ pre-built reports and 30+ smart dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, and alerts on critical M365 activities. Download AdminDroid Microsoft 365 reporting software and see how it helps you.
I hope this blog will help you manage and reporting guest users’ last logon time in your organization. If you have any queries, reach us through the comment section.