pulling a lot of active accounts

[dkuzmicki]

We just ran the 90 day inactive script and it pulled quite a bit of false positives. ie confirmed AAD users who are actively using office365 with MFa enabled are appearing on this inactive list.

[PsychoData]

Looks like you mean this script https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/InactiveUsersLast90Days.ps1

A couple of things come to mind -

The results in this are 5000 - if you have more than that for the last 90 days, you might not be checking the whole 90 days.

Perhaps you don't have all of the logging needed for the events to show up on the active accounts you are pulling?

Maybe your "allow remembering" is set long-enough that these people haven't had "log on" prompts in that time, and the login just didn't expire/renew in that time frame?

[dkuzmicki]

The "remember" prompts are 14 days. I do get this warning: WARNING: The names of some imported commands from the module 'tmp_vdysgudt.jlg' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

[PsychoData]

the unapproved verbs warning is not a worry. That is just non-standard verbs used in one of the commands somewhere (To see about standard powershell verbs check this link)