How To: Manage inactive user accounts in Azure AD

In large environments, user accounts are not always deleted when employees leave an organization. As an IT administrator, you want to detect and handle these obsolete user accounts because they represent a security risk.

This article explains a method to handle obsolete user accounts in Azure AD.

What are inactive user accounts?

Inactive accounts are user accounts that members of your organization no longer need to gain access to your resources. One key indicator of an inactive account is that it has not been used to sign in to your environment for a while. Because inactivity is tied to sign-in activity, you can use the timestamp of the last successful sign-in to detect these accounts.

The challenge of this method is to define what "for a while" means in your environment. For example, users might not sign in to an environment for a while because they are on vacation. When defining the delta for inactive user accounts, you need to factor in all legitimate reasons for not signing in to your environment. In many organizations, the delta for inactive user accounts is between 90 and 180 days.

The last successful sign-in provides potential insight into a user's continued need for access to resources. It can help with determining whether group membership or app access is still needed or could be removed. For external user management, you can understand whether an external user is still active within the tenant or should be cleaned up.

How to detect inactive user accounts

You detect inactive accounts by evaluating the lastSignInDateTime property exposed by the signInActivity resource type of the Microsoft Graph API. Using this property, you can implement a solution for the following scenarios:

  • Users by name: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: https://microsoftgraph.chinacloudapi.cn/beta/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity

  • Users by date: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: https://microsoftgraph.chinacloudapi.cn/beta/users?$filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z

What you need to know

This section lists what you need to know about the lastSignInDateTime property.

How can I access this property?

The lastSignInDateTime property is exposed by the signInActivity resource type of the Microsoft Graph REST API.

Is the lastSignInDateTime property available through the Get-AzureAdUser cmdlet?

No.

What edition of Azure AD do I need to access the property?

You can access this property in all editions of Azure AD.

What permission do I need to read the property?

To read this property, you need to grant the following permissions:

  • AuditLogs.Read.All
  • Organization.Read.All

When does Azure AD update the property?

Each successful interactive sign-in results in an update of the underlying data store. Typically, successful sign-ins show up in the related sign-in report within 10 minutes.

What does a blank property value mean?

To generate a lastSignInDateTime timestamp, you need a successful sign-in. Because the lastSignInDateTime property is a new feature, its value can be blank if:

  • The last successful sign-in of a user took place before this feature was released (December 1st, 2019).
  • The affected user account was never used for a successful sign-in.
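The following is an added example, not code from the article or from Microsoft: it builds the "users by date" query described above and classifies one page of constructed Graph JSON, reporting blank lastSignInDateTime values separately instead of treating them as inactive, because (as the two cases above explain) a blank value is ambiguous. The sample response and the 90-day delta are assumptions chosen for illustration.

```python
"""Classify Azure AD users as inactive from a Graph signInActivity response.

Added example, not from the article. Runs offline on a constructed sample of
the JSON that GET /beta/users?$select=displayName,signInActivity returns.
"""
from datetime import datetime, timedelta, timezone

GRAPH_BASE = "https://microsoftgraph.chinacloudapi.cn"  # endpoint used in the article
DEMO_NOW = datetime(2020, 3, 15, tzinfo=timezone.utc)     # constructed "current time"
DEMO_CUTOFF = DEMO_NOW - timedelta(days=90)               # 90-day delta (assumption)

def build_inactive_url(cutoff: datetime, base: str = GRAPH_BASE) -> str:
    """Build the article's 'users by date' query for a given cutoff timestamp."""
    stamp = cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{base}/beta/users?$filter=signInActivity/lastSignInDateTime le {stamp}"
            f"&$select=displayName,signInActivity")

def classify_users(graph_page: dict, cutoff: datetime) -> dict:
    """Bucket each user in one page of results.

    A blank lastSignInDateTime means either 'never signed in' or 'last sign-in
    predates the feature', so it goes into its own bucket for manual review.
    """
    buckets = {"active": [], "inactive": [], "no_timestamp": []}
    for user in graph_page.get("value", []):
        stamp = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if not stamp:
            buckets["no_timestamp"].append(user["displayName"])
            continue
        # Graph returns UTC timestamps with a trailing 'Z'.
        last = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        buckets["inactive" if last <= cutoff else "active"].append(user["displayName"])
    return buckets

# Constructed sample page, shaped like a Graph /beta/users response.
SAMPLE_PAGE = {
    "value": [
        {"displayName": "markvi", "signInActivity": {"lastSignInDateTime": "2020-03-10T08:15:00Z"}},
        {"displayName": "alice", "signInActivity": {"lastSignInDateTime": "2019-11-02T17:40:00Z"}},
        {"displayName": "svc-legacy", "signInActivity": {"lastSignInDateTime": None}},
        {"displayName": "guest-bob"},  # no signInActivity object at all
    ]
}

if __name__ == "__main__":
    print(build_inactive_url(DEMO_CUTOFF))
    for bucket, names in classify_users(SAMPLE_PAGE, DEMO_CUTOFF).items():
        print(f"{bucket}: {names}")
```

In a real run, the `no_timestamp` bucket needs a separate decision (for example, checking the account's creation date), since this page states the value can be blank for accounts that were never used as well as for accounts last used before December 1st, 2019.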

Next steps