Query Details

Dormant Accounts

Query

// Show accounts that have had no successful sign-in for 50 days

let IdleAccountTimeOut = 50d;  // Number of days without a successful sign-in for an account to be considered dormant
let timeHorizon = 90d;  // How many days back to check in IdentityInfo
IdentityInfo
| where TimeGenerated >= ago(timeHorizon)
| where isnotempty(AccountObjectId)  // rows with no object id can never match a sign-in and would otherwise be reported as dormant
| summarize by AccountObjectId, AccountUPN  // one row per account (dcount of the grouping column is always 1)
| join kind=anti (
    SigninLogs
    | where TimeGenerated >= ago(IdleAccountTimeOut)
    | where ResultType == 0  // successful sign-ins only
    | summarize by UserId  // one row per user with a successful sign-in inside the timeout window
) on $left.AccountObjectId == $right.UserId

Explanation

This query reports accounts that have had no successful sign-in for 50 days. It first takes every account seen in IdentityInfo during the past 90 days (timeHorizon) and reduces that to one row per AccountObjectId and AccountUPN. It then anti-joins against SigninLogs restricted to the last 50 days (IdleAccountTimeOut) and to ResultType 0, which is a successful sign-in: the anti-join keeps only the IdentityInfo rows whose AccountObjectId has no matching UserId on the SigninLogs side. The result is the list of accounts with no successful sign-in during the dormancy window. Two caveats when tuning it: failed sign-in attempts do not count as activity, so an account that is being password-sprayed but never authenticates still shows as dormant, and SigninLogs holds interactive sign-ins only, so an account that authenticates only non-interactively (those events land in AADNonInteractiveUserSignInLogs) will also be flagged. An account absent from IdentityInfo for the whole 90-day horizon is not evaluated at all.
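The same dormancy logic run over constructed sample rows, as an added example that is not part of the original query: the two datatable blocks stand in for IdentityInfo and SigninLogs (using the real tables' column names), and referenceTime is a fixed date used in place of now() so the output is deterministic. It goes one step beyond the query above by using a leftouter join with the latest successful sign-in per UserId instead of an anti-join, so each dormant account is reported with its last successful sign-in and the number of days since then (null when no success was seen in the horizon).

```kql
// Added example: dormant-account logic over constructed sample rows, runnable in any Kusto cluster
// without the real tables. referenceTime stands in for now() so the result is deterministic.
let referenceTime = datetime(2021-08-13);
let IdleAccountTimeOut = 50d;
let timeHorizon = 90d;
// Constructed stand-in for IdentityInfo (same column names as the real table).
let IdentityInfoSample = datatable(TimeGenerated:datetime, AccountObjectId:string, AccountUPN:string)
[
    datetime(2021-08-10), "aaaa-1", "alice@contoso.com",   // successful sign-in 5 days ago: active
    datetime(2021-08-10), "bbbb-2", "bob@contoso.com",     // last success 64 days ago: dormant
    datetime(2021-08-10), "cccc-3", "carol@contoso.com",   // only failed sign-ins in the window: dormant
    datetime(2021-08-10), "dddd-4", "dave@contoso.com",    // no sign-ins at all: dormant
    datetime(2021-04-01), "eeee-5", "erin@contoso.com",    // outside timeHorizon: not evaluated
    datetime(2021-08-10), "",       "noid@contoso.com"     // no object id: dropped rather than reported as dormant
];
// Constructed stand-in for SigninLogs. ResultType is a string in the real schema; "0" is success.
let SigninLogsSample = datatable(TimeGenerated:datetime, UserId:string, UserPrincipalName:string, ResultType:string)
[
    datetime(2021-08-08), "aaaa-1", "alice@contoso.com", "0",
    datetime(2021-06-10), "bbbb-2", "bob@contoso.com",   "0",
    datetime(2021-08-01), "cccc-3", "carol@contoso.com", "50126"   // failed: invalid username or password
];
IdentityInfoSample
| where TimeGenerated >= referenceTime - timeHorizon
| where isnotempty(AccountObjectId)
| summarize arg_max(TimeGenerated, AccountUPN) by AccountObjectId   // latest UPN seen for each object id
| project AccountObjectId, AccountUPN
| join kind=leftouter (
    SigninLogsSample
    | where TimeGenerated >= referenceTime - timeHorizon             // look back the full horizon for the last success
    | where ResultType == "0"
    | summarize LastSuccessfulSignIn = max(TimeGenerated) by UserId
  ) on $left.AccountObjectId == $right.UserId
// dormant = no success seen at all, or last success older than the timeout
| where isnull(LastSuccessfulSignIn) or LastSuccessfulSignIn < referenceTime - IdleAccountTimeOut
| extend DaysSinceLastSignIn = iff(isnull(LastSuccessfulSignIn), int(null),
                                   toint((referenceTime - LastSuccessfulSignIn) / 1d))
| project AccountObjectId, AccountUPN, LastSuccessfulSignIn, DaysSinceLastSignIn
| sort by DaysSinceLastSignIn desc nulls first   // never-signed-in accounts surface at the top
```

To run it against live data, replace the two datatable names with IdentityInfo and SigninLogs and referenceTime with now(). The sample rows are chosen so that each branch of the logic is exercised: one active account, one with a stale success, one with only failures, one with no sign-ins, one outside the horizon, and one with an empty object id that the isnotempty filter removes.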

Details


Rod Trent

Released: August 13, 2021

Tables

IdentityInfo, SigninLogs

Keywords

Accounts,Logged,IdleAccountTimeOut,timeHorizon,IdentityInfo,AccountObjectId,AccountUPN,SigninLogs,ResultType,UserPrincipalName,UserId

Operators

where, summarize, dcount, join, kind=anti, ago, on, $left., $right.
