M365: Disable Inactive User Accounts Crate
What does the M365: Disable Inactive User Accounts Crate do?
Our M365: Disable Inactive User Accounts Crate automates the identification and disabling of inactive Microsoft 365 user accounts. It retrieves user activity data from Microsoft Graph, applies role-based exclusions, and disables eligible accounts while logging the changes into a PSA ticket.
This Crate disables inactive accounts, but doesn't remove them from the directory. Manual intervention is still required to restore access. The Crate doesn't automatically remove Microsoft M365 licenses from disabled users.
How the Crate works
Regularly checks for inactive accounts and takes action based on predefined thresholds
Uses Microsoft Graph API and PSA tools to streamline account management
Reduces manual oversight by automating the process of disabling inactive accounts and logging changes
Enhances organizational security by minimizing exposure from unused accounts while preventing accidental deactivation of critical users
The Crate workflow is triggered by a cron job based on the configured schedule.
Workflow breakdown
The workflow begins with the START task using the noop action, which processes any excluded user principal names by converting them to lowercase and storing them in the context for later filtering.
The list_inactive_users task executes the [REWST - TASK] M365: List Inactive Users action to identify user accounts that have been inactive for the specified number of days, excluding system accounts and any specified roles.
If the list_inactive_users task fails, the workflow transitions to the FAILED task using the noop action, which then proceeds directly to the END task.
Upon successful completion of the list_inactive_users task, the workflow moves to the filter_inactive_users task using the Set Variable action, which filters the inactive users list to include only enabled accounts that are not in the excluded user principal names list.
The filter_inactive_users task has three possible transition paths based on conditions:
If no users remain after filtering, it transitions directly to the END task.
If the enable_remediation flag is set to True, it proceeds to the disable_user_account task.
Otherwise, it skips remediation and goes directly to the create_psa_ticket task for reporting only.
When remediation is enabled, the disable_user_account task executes the [REWST - TASK] 365/On-Prem: Disable User Account action with a "with items" loop that processes each inactive user that is not synchronized with on-premises Active Directory, running up to 5 concurrent operations.
If the disable_user_account task fails, the workflow transitions to the FAILED task, otherwise it continues to the create_psa_ticket task.
The create_psa_ticket task executes the [REWST - PROCESS] PSA: Create Ticket action to generate a ticket documenting the inactive users found and any remediation actions taken, with different descriptions based on whether remediation was enabled or disabled.
If the create_psa_ticket task fails, the workflow transitions to the FAILED task, otherwise it proceeds to the END task.
The workflow concludes with the END task using the noop action, which publishes the final automation log and outputs the list of inactive users that were processed.
Crate prerequisites
The Microsoft Cloud Integration Bundle must be set up before unpacking this Crate.
Your PSA must be successfully integrated with Rewst.
Unpack the M365: Disable Inactive User Accounts Crate
Navigate to Crates > Crate Marketplace in the left side menu Rewst platform.
Search for
M365: Disable Inactive User Accounts.
Click on the Crate tile to begin unpacking.
Click Unpack Crate.
Click Continue.
Enter Time Saved under Crate Configuration.
Expand the Cron Job accordion menu under Configure Triggers. By default, the Enabled toggle button is disabled. Ensure Enabled is toggled on. Note that you also have the option to activate the Crate for all future organizations in addition to the current one. You may also set activation to certain tags, and set the trigger criteria or integration overrides.
Click Unpack.
Use the Crate
To test this Crate, you'll need to adjust the cron trigger's schedule to a few minutes in the future, then adjust it back to your regular schedule after the test. Alternatively, you could wait until the regularly scheduled run occurs and check your result, which would not require you to update the cron trigger schedule. To edit a cron trigger in the workflow to either test it once or change the timing it will routinely run:
Navigate to Automations > Workflows in the left side menu of your Rewst platform.
Search for
[ROC] Check for Disabled Users With Licenses.
Click on the workflow to view it in the Workflow Builder.
Use the trigger drop-down selector to choose the Weekly Check trigger.
Click
to open the Edit Trigger menu.The default Cron Schedule under Trigger Parameters is currently set to Monday at 3:00 AM UTC. This may be kept as is or if desired, be modified. To modify, update the timing of the cron trigger in the fields under Trigger Parameters. Note that when entering the time into the Cron Schedule field, the correct format is minutes followed by hour. For example, 18 3, not 3 18.
It is recommended that you manually execute the workflow with the Weekly Check trigger selected using the Test button for your main organization. This will complete the first step, where the organization variable for the webhook trigger ID is created. If this is not performed, on the first run, the customer organizations will exit the workflow, and the main organization will create the variable and run normally. The subsequent runs will function normally for the customer organization.
Click Submit.
Click Save.
You'll see a green message at the top of your screen indicating the trigger is saved.
Verify that the inactive user accounts have been disabled in the in the Microsoft 365 Admin Center.
Check your PSA to ensure that the changes have been logged in a ticket.
Last updated
Was this helpful?