JBines / Remove-StaleGuests

This script removes stale Azure AD Guest accounts.
MIT License

Clarification for the parameter ForceRemoval #12

Open Rykimaruh opened 2 years ago

Rykimaruh commented 2 years ago

In the documentation part:

.PARAMETER ForceRemoval
The ForceRemoval parameter allows the removal of guests with default logon information
older than Apr-2020 or for accounts that have not yet had a sign-in. The DateTime value
might be displayed as 01-01-0001. As exact logon details cannot be provided, these accounts
are excluded from removal by default.

Does it refer to these types of users that show up in the exported report?

[image]

We want to make sure we are deleting the right guest users.

JBines commented 2 years ago

Yes, that's right; you will note that some newly created users will also have this value. The script should check the dayssincecreated value and should only remove guests where both the last logon date and created date exceed the inactive timeframe. You should also have an isinactive column to confirm which guests will be removed.

Try using the DifferentialScope switch first to run on a couple of guests to confirm the results before running it in bulk.

B J

Rykimaruh commented 2 years ago

Yes, there is a column as you said:

[image]

There are TRUE and FALSE values.

I guess users that are removed will be the ones that have TRUE as value under this column?

JBines commented 2 years ago

Yes, fair call... I think we should update the inactive field to reflect the -ForceRemoval switch.

Line 446: looks like we are only checking the last logon date, which means the new accounts would also be removed.

[image]

You could remove those users manually and run it without the ForceRemoval switch.
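
As an added illustration (not code from the Remove-StaleGuests script), this is how the check described in this thread can be written so that a guest is flagged inactive only when both its created date and its last logon date exceed the inactive window, with the 01-01-0001 default treated as "no logon data" and removable only under ForceRemoval. The property names LastSignIn and CreatedDate, the function name and the sample guests are assumptions constructed for the example.

```powershell
# Added example, not from the Remove-StaleGuests script. Property names
# (LastSignIn, CreatedDate) and the sample data below are constructed.
function Test-GuestInactive {
    param(
        [Parameter(Mandatory)] $Guest,
        [int] $InactiveDays,
        [bool] $ForceRemoval,
        [datetime] $Now
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    # Accounts with no sign-in (or pre-Apr-2020 data) report 01-01-0001,
    # i.e. [datetime]::MinValue. Treat that as "no usable logon data".
    $hasLogonData = $Guest.LastSignIn -gt [datetime]::MinValue
    # A brand-new guest naturally has no sign-in yet, so the account's own
    # age must also exceed the inactive window before it qualifies.
    $createdTooOld = $Guest.CreatedDate -lt $cutoff
    if (-not $hasLogonData) {
        # Only ForceRemoval allows removal of guests without logon data,
        # and even then only when the account is older than the window.
        return ($ForceRemoval -and $createdTooOld)
    }
    $lastLogonTooOld = $Guest.LastSignIn -lt $cutoff
    return ($lastLogonTooOld -and $createdTooOld)
}

$Now = Get-Date
$InactiveDays = 90
# Constructed sample guests covering the cases discussed in the issue.
$guests = @(
    [pscustomobject]@{ UPN='old-never#EXT#';  CreatedDate=$Now.AddDays(-400); LastSignIn=[datetime]::MinValue }
    [pscustomobject]@{ UPN='new-never#EXT#';  CreatedDate=$Now.AddDays(-5);   LastSignIn=[datetime]::MinValue }
    [pscustomobject]@{ UPN='old-active#EXT#'; CreatedDate=$Now.AddDays(-400); LastSignIn=$Now.AddDays(-10) }
    [pscustomobject]@{ UPN='old-stale#EXT#';  CreatedDate=$Now.AddDays(-400); LastSignIn=$Now.AddDays(-200) }
)

foreach ($force in $false, $true) {
    "ForceRemoval = $force"
    $guests | ForEach-Object {
        [pscustomobject]@{
            UPN              = $_.UPN
            DaysSinceCreated = [int](($Now - $_.CreatedDate).TotalDays)
            IsInactive       = Test-GuestInactive -Guest $_ -InactiveDays $InactiveDays -ForceRemoval $force -Now $Now
        }
    } | Format-Table -AutoSize
}
```

Without ForceRemoval only old-stale is flagged; with it, old-never is flagged as well, while new-never stays FALSE because its created date is inside the window.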

Rykimaruh commented 2 years ago

From what I understood, the ForceRemoval parameter is not really necessary to use, then?

I have over 25 users with this particular condition, so I believe your suggestion is sound: to manually delete those.

JBines commented 2 years ago

No, it's not required. If not used, it will just skip those users, but I think they will count toward your DifferentialScope limit.