
Overview

This recipe creates a scheduled agent that checks for inactive M365 user accounts across your connected tenants. Accounts with no sign-in activity for 90+ days are flagged and, after technician approval, disabled.
This is a scheduled agent — it runs on a cadence without processing a specific ticket. See Scheduled Agents for how this works.

How it works

  • Agent runs weekly and queries sign-in activity across connected M365 tenants
  • Accounts inactive for 90+ days are identified (excluding service and break-glass accounts)
  • Agent requests Technician-in-the-Loop approval before disabling each account
  • After processing, a summary is sent via Teams

Setup

Step 1: Create the agent

  • Name: “M365 Inactive Account Cleanup”
  • Type: Agent
  • Trigger: Scheduled
  • Cadence: Weekly (e.g., Monday at 6:00 AM)
Step 2: Configure M365 integration permissions

Set these permission groups:
  • User Management: Read/Write with TIL enabled (needed to block sign-in)
  • Audit & Reports: Read Only (needed to read sign-in activity)
Use the IT Admin or Helpdesk access profile so that Technician-in-the-Loop is required for every write operation. Never run an account-disabling agent without TIL: a mistake in the exclusion rules would otherwise lock out service or break-glass accounts with no human check.
Step 3: Enable communication and approval tools

  • Send Teams Message — for the summary report
  • Request Technician Approval is automatically available when TIL is configured on the M365 permission group
Step 4: Write custom instructions

For each connected M365 tenant:

1. Search for all user accounts and check their last sign-in date
2. Identify accounts where the last sign-in was more than 90 days ago
3. Exclude the following from processing:
   - Accounts with "svc-", "service", "breakglass", or "emergency" in
     the display name
   - Accounts that are already blocked from sign-in
   - Shared mailboxes and room/resource accounts
4. For each inactive account found, request technician approval before
   taking action. Include the user's display name, email, last sign-in
   date, and assigned licenses in the approval request.
5. Once approved, block sign-in for the account
6. After processing all tenants, send a summary to the IT-operations
   Teams channel listing:
   - Accounts disabled (with last sign-in dates)
   - Accounts skipped (with reason)
   - Accounts pending approval
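The instructions above are the agent's filtering logic in prose. The following is an added example, not part of this recipe or the platform, that implements the same triage in Python over a constructed sample tenant. Records use the property names of a Microsoft Graph user object returned with $select=signInActivity (displayName, userPrincipalName, accountEnabled, createdDateTime, assignedLicenses, signInActivity.lastSignInDateTime and lastNonInteractiveSignInDateTime); the mailboxKind field, the skuId values, the contoso.example addresses and every sample user are constructed. It also handles two cases the prose leaves implicit: an account that has never signed in has no signInActivity at all and must be measured from its creation date, and an account kept alive only by non-interactive sign-ins should not be flagged. The 60-day warning bucket from the Variations section is included as a threshold parameter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Display-name substrings the recipe excludes (matched case-insensitively).
EXCLUDED_NAME_MARKERS = ("svc-", "service", "breakglass", "emergency")
# Constructed placeholder; mailbox type really comes from Exchange Online, not Graph /users.
RESOURCE_MAILBOX_KINDS = ("shared", "room", "equipment")

@dataclass
class Finding:
    upn: str
    display_name: str
    action: str                    # "disable", "warn" or "skip"
    reason: str
    last_seen: Optional[datetime]  # None when no sign-in is on record
    licenses: list

def parse_graph_time(value: Optional[str]) -> Optional[datetime]:
    """Graph timestamps are UTC ISO-8601 like '2024-01-15T08:30:00Z'; absent means no record."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def last_activity(user: dict) -> Optional[datetime]:
    """Newest of interactive and non-interactive sign-ins: checking only lastSignInDateTime
    would flag users kept alive purely by background token refreshes (mail clients, Teams)."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_graph_time(activity.get(k)) for k in
              ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def triage_user(user: dict, now: datetime, disable_after: int = 90, warn_after: int = 60) -> Finding:
    """Apply the recipe's exclusions in order, then bucket the account by idle time."""
    upn, name = user["userPrincipalName"], user.get("displayName") or ""
    licenses = [a["skuId"] for a in user.get("assignedLicenses", [])]
    last = last_activity(user)

    def finding(action: str, reason: str) -> Finding:
        return Finding(upn, name, action, reason, last, licenses)

    if any(marker in name.lower() for marker in EXCLUDED_NAME_MARKERS):
        return finding("skip", "display name matches exclusion list")
    if not user.get("accountEnabled", True):
        return finding("skip", "sign-in already blocked")
    if user.get("mailboxKind") in RESOURCE_MAILBOX_KINDS:
        return finding("skip", f"{user['mailboxKind']} mailbox")
    # A never-used account has no signInActivity at all. Measure from createdDateTime
    # instead, so a user provisioned last week is not disabled before first logon.
    reference = last or parse_graph_time(user.get("createdDateTime"))
    if reference is None:
        return finding("skip", "no sign-in or creation date on record")
    idle_days = (now - reference).days
    basis = "since last sign-in" if last else "since creation (never signed in)"
    if idle_days >= disable_after:
        return finding("disable", f"{idle_days} days {basis}")
    if idle_days >= warn_after:
        return finding("warn", f"{idle_days} days {basis}")
    return finding("skip", f"recent activity: {idle_days} days {basis}")

def approval_request(f: Finding) -> str:
    """Text for the Technician-in-the-Loop prompt, carrying the fields the recipe requires."""
    last = f.last_seen.date().isoformat() if f.last_seen else "never"
    return (f"Block sign-in for {f.display_name} <{f.upn}>? last activity: {last}; "
            f"licenses: {', '.join(f.licenses) or 'none'}")

def triage_tenant(users: list, now: datetime, **thresholds) -> dict:
    """Group findings the way the weekly Teams summary lists them."""
    findings = [triage_user(u, now, **thresholds) for u in users]
    return {a: [f for f in findings if f.action == a] for a in ("disable", "warn", "skip")}

# --- constructed sample tenant (not real data); NOW is a fixed run time for reproducibility
NOW = datetime(2024, 6, 1, 6, 0, tzinfo=timezone.utc)

def days_ago(n: int) -> str:
    return (NOW - timedelta(days=n)).strftime("%Y-%m-%dT%H:%M:%SZ")

def user(display_name, upn, last=None, noninteractive=None, created=800, **extra) -> dict:
    """Graph-shaped user record; sign-in arguments are days before NOW (skuId is a GUID in real data)."""
    rec = {"displayName": display_name, "userPrincipalName": upn, "accountEnabled": True,
           "createdDateTime": days_ago(created), "assignedLicenses": [{"skuId": "sku-e3"}]}
    activity = {k: days_ago(v) for k, v in [("lastSignInDateTime", last),
                ("lastNonInteractiveSignInDateTime", noninteractive)] if v is not None}
    if activity:
        rec["signInActivity"] = activity
    return {**rec, **extra}

SAMPLE_USERS = [
    user("Alice Adams", "alice@contoso.example", last=120),                       # disable
    user("Bob Brown", "bob@contoso.example", last=200, noninteractive=10),        # alive via token refresh
    user("svc-backup", "svc-backup@contoso.example", last=300),                   # excluded by name
    user("Carol Chen", "carol@contoso.example", last=400, accountEnabled=False),  # already blocked
    user("Dave Diaz", "dave@contoso.example", created=20),                        # new, never signed in
    user("Erin Evans", "erin@contoso.example", created=400),                      # stale, never signed in
    user("Boardroom 1", "boardroom1@contoso.example", last=500, mailboxKind="room"),
    user("Frank Fox", "frank@contoso.example", last=70),                          # warn only
]
```

Calling `triage_tenant(SAMPLE_USERS, NOW)` yields Alice and Erin in the "disable" bucket, Frank in "warn", and the rest in "skip" with the reason the summary report should show; `approval_request()` produces the text a technician sees before anything is blocked. Note that Bob's last interactive sign-in was 200 days ago, yet he is active: an agent that reads only the interactive date would have proposed disabling a working account.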
Step 5: Test and enable

  • Enable test mode for the first 2-3 runs to verify the exclusion filters work correctly
  • Review execution logs in Event History — pay close attention to which accounts would be disabled
  • Once confident, disable test mode and enable the workflow

Variations

60-day warning + 90-day disable

Create two scheduled agents:
  1. 60-day warning agent (runs weekly) — sends a report of accounts inactive for 60+ days without taking action
  2. 90-day disable agent (runs weekly) — disables accounts inactive for 90+ days with TIL approval
This gives your team a 30-day heads-up before accounts are disabled.

License reclamation

Add instructions to also remove licenses from disabled accounts. This helps reclaim unused license spend. Include the license removal in the TIL approval request so technicians can review both actions together.

Best practices

  • Always maintain an exclusion list for service and break-glass accounts in your custom instructions. Substring matches on display names are only a first filter; also list the exact user principal names (or a dedicated group) so that an account named without the expected marker is not disabled
  • An account that has never signed in has no last sign-in date at all; have the instructions fall back to the account creation date so that a user provisioned last week is not reported as 90+ days inactive
  • Start with a longer inactivity threshold (e.g., 120 days) and tighten it once you trust the process
  • Review the summary report each week to catch false positives early
  • Consider creating a PSA ticket for each batch of disabled accounts to maintain an audit trail