How To: Manage inactive user accounts in Azure AD

In large environments, user accounts are not always deleted when employees leave an organization. As an IT administrator, you want to detect and handle these obsolete user accounts because they represent a security risk.

This article explains a method to handle obsolete user accounts in Azure AD.

What are inactive user accounts?

Inactive accounts are user accounts that are no longer required by members of your organization to gain access to your resources. One key identifier for inactive accounts is that they haven't been used for a while to sign in to your environment. Because inactive accounts are tied to sign-in activity, you can use the timestamp of the last successful sign-in to detect them.

The challenge of this method is to define what "for a while" means in the case of your environment. For example, users might not sign in to an environment for a while because they are on vacation. When defining what your delta for inactive user accounts is, you need to factor in all legitimate reasons for not signing in to your environment. In many organizations, the delta for inactive user accounts is between 90 and 180 days.

The last successful sign-in provides potential insights into a user's continued need for access to resources. It can help with determining whether group membership or app access is still needed or could be removed. For external user management, you can understand whether an external user is still active within the tenant or should be cleaned up.

How to detect inactive user accounts

You detect inactive accounts by evaluating the lastSignInDateTime property exposed by the signInActivity resource type of the Microsoft Graph API. Using this property, you can implement a solution for the following scenarios:

  • Users by name: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: https://microsoftgraph.chinacloudapi.cn/beta/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity

  • Users by date: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: https://microsoftgraph.chinacloudapi.cn/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z

What you need to know

This section lists what you need to know about the lastSignInDateTime property.

How can I access this property?

The lastSignInDateTime property is exposed by the signInActivity resource type of the Microsoft Graph REST API.

Is the lastSignInDateTime property available through the Get-AzureAdUser cmdlet?

No.

What edition of Azure AD do I need to access the property?

You can access this property in all editions of Azure AD.

What permission do I need to read the property?

To read this property, you need to grant the following rights:

  • AuditLogs.Read.All
  • Organization.Read.All

When does Azure AD update the property?

Each successful interactive sign-in results in an update of the underlying data store. Typically, successful sign-ins show up in the related sign-in report within 10 minutes.

What does a blank property value mean?

To generate a lastSignInDateTime timestamp, you need a successful sign-in. Because the lastSignInDateTime property is a new feature, the value of the lastSignInDateTime property can be blank if:

  • The last successful sign-in of a user took place before this feature was released (December 1st, 2019).
  • The affected user account was never used for a successful sign-in.
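As an added example (not code from the original article), the following Python builds the "users by date" query described above from an inactivity delta and then sorts a Graph /users response into active, inactive and "no sign-in recorded" accounts, treating a blank lastSignInDateTime as a case for manual review rather than an automatic verdict, for the reasons listed above. The sample response is constructed, and the Graph endpoint is the Azure China one quoted on the page (the global cloud uses https://graph.microsoft.com/beta); the script makes no network calls.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Endpoint as quoted on the page (Azure China cloud); assumption: same query
# shape applies to the global endpoint https://graph.microsoft.com/beta.
GRAPH_BASE = "https://microsoftgraph.chinacloudapi.cn/beta"
GRAPH_TS = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used in the page's examples


def inactive_users_url(delta_days, now=None):
    """Build the 'users by date' query: accounts whose last successful
    sign-in is at least delta_days old (the page suggests 90 to 180 days)."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=delta_days)).strftime(GRAPH_TS)
    flt = f"signInActivity/lastSignInDateTime le {cutoff}"
    return (f"{GRAPH_BASE}/users?$filter={quote(flt, safe='/:')}"
            "&$select=displayName,userPrincipalName,signInActivity")


def classify_users(users, delta_days, now=None):
    """Sort the 'value' list of a Graph /users response into three buckets."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=delta_days)
    buckets = {"active": [], "inactive": [], "no_sign_in_recorded": []}
    for user in users:
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if not last:
            # Blank means either no successful sign-in ever, or the last one
            # predates 1 December 2019 when the property was introduced;
            # neither case can be judged by age alone.
            buckets["no_sign_in_recorded"].append(user["userPrincipalName"])
            continue
        seen = datetime.strptime(last, GRAPH_TS).replace(tzinfo=timezone.utc)
        bucket = "inactive" if seen <= cutoff else "active"
        buckets[bucket].append(user["userPrincipalName"])
    return buckets


# Constructed sample response (not real tenant data), shaped like Graph output.
SAMPLE_RESPONSE = {"value": [
    {"displayName": "Alice", "userPrincipalName": "alice@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2020-05-20T08:15:00Z"}},
    {"displayName": "Bob", "userPrincipalName": "bob@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2020-01-10T17:42:00Z"}},
    {"displayName": "svc-legacy", "userPrincipalName": "svc-legacy@contoso.example",
     "signInActivity": {}},
]}

if __name__ == "__main__":
    print(inactive_users_url(90))
    print(classify_users(SAMPLE_RESPONSE["value"], 90))
```

In a real run the response would be paged; follow the @odata.nextLink values and feed every page's "value" list through classify_users before acting on the result.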

Next steps