Skip to content
This repository has been archived by the owner on Jan 21, 2021. It is now read-only.

pulling a lot of active accounts #75

Open
dkuzmicki opened this issue Apr 16, 2020 · 4 comments
Open

pulling a lot of active accounts #75

dkuzmicki opened this issue Apr 16, 2020 · 4 comments

Comments

@dkuzmicki
Copy link

We just ran the 90 day inactive script and it pulled quite a bit of false positives.
ie confirmed AAD users who are actively using office365 with MFa enabled are appearing on this inactive list.
@PsychoData
Copy link

Looks like you mean this script
https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/InactiveUsersLast90Days.ps1

A couple of things come to mind -

The results in this are 5000 - if you have more than that for the last 90 days, you might not be checking the whole 90 days.

Perhaps you don't have all of the logging needed for the events to show up on the active accounts you are pulling?

Maybe your "allow remembering" is set long-enough that these people haven't had "log on" prompts in that time, and the login just didn't expire/renew in that time frame?

@dkuzmicki
Copy link
Author

The "remember" prompts are 14 days.
I do get this warning:
WARNING: The names of some imported commands from the module 'tmp_vdysgudt.jlg' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

@PsychoData
Copy link

the unapproved verbs warning is not a worry.
That is just non-standard verbs used in one of the commands somewhere
(To see about standard powershell verbs check this link)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@PsychoData @dkuzmicki and others