Splunk Lantern

Azure Active Directory users with no access for extended periods


Controlling access to cloud infrastructure includes reviewing who has access and how frequently or infrequently they access the system. This search also shows accounts created for employees who are no longer with the company or are no longer in the organization where cloud access is needed.

Data required 

Microsoft: Azure Active Directory data


  1. Configure the Microsoft Azure Add-on for Splunk.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.

    sourcetype="azure:aad:signin" OR sourcetype="azure:aad:user" earliest=-30d@h latest=now
    | eval user_id=coalesce(userId,id), display_name=coalesce(displayName,userDisplayName)
    | dedup user_id sourcetype sortby - _time
    | eventstats dc(sourcetype) as useractivity by user_id
    | where useractivity<2
    | table display_name user_id userPrincipalName

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `sourcetype="azure:aad:signin" OR sourcetype="azure:aad:user" earliest=-30d@h latest=now` | Search Azure Active Directory sign-in or user data and filter the results to the last 30 days. |
| `\| eval user_id=coalesce(userId,id), display_name=coalesce(displayName,userDisplayName)` | Create user_id and display_name fields by coalescing the equivalent fields from both sourcetypes. |
| `\| dedup user_id sourcetype sortby - _time` | Deduplicate events by user and sourcetype, and sort by most recent events. |
| `\| eventstats dc(sourcetype) as useractivity by user_id` | Count the number of distinct sourcetypes present for each user. |
| `\| where useractivity<2` | Keep users that appear in only one sourcetype, which identifies accounts that do not have sign-in activity. |
| `\| table display_name user_id userPrincipalName` | Show the display name, user ID, and user principal name of the accounts that haven't logged in within the last 30 days. |
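
The search logic replayed in Python over constructed events, as an added example that is not part of the original article. It shows that `where useractivity<2` returns any user seen in only one sourcetype, so a user with sign-in events but no `azure:aad:user` record in the time range is listed alongside the dormant accounts. The sample events, the function names and the final sourcetype filter are assumptions made for illustration.

```python
from collections import defaultdict

SIGNIN, USER = "azure:aad:signin", "azure:aad:user"

# Constructed sample events, newest first (not real tenant data).
EVENTS = [
    {"sourcetype": SIGNIN, "userId": "u-001", "userDisplayName": "Alice Active",
     "userPrincipalName": "alice@example.com"},
    {"sourcetype": SIGNIN, "userId": "u-001", "userDisplayName": "Alice Active",
     "userPrincipalName": "alice@example.com"},
    {"sourcetype": SIGNIN, "userId": "u-003", "userDisplayName": "Gus Gone",
     "userPrincipalName": "gus@example.com"},    # sign-in only, no user record
    {"sourcetype": USER, "id": "u-001", "displayName": "Alice Active",
     "userPrincipalName": "alice@example.com"},
    {"sourcetype": USER, "id": "u-002", "displayName": "Dora Dormant",
     "userPrincipalName": "dora@example.com"},   # user record, no sign-in
]


def coalesce(*values):
    """Return the first non-null value, like SPL coalesce()."""
    return next((v for v in values if v is not None), None)


def single_sourcetype_users(events):
    """Replay eval, dedup, eventstats dc(sourcetype) and where useractivity<2."""
    latest = {}  # (user_id, sourcetype) -> most recent event, as dedup keeps it
    for ev in events:
        uid = coalesce(ev.get("userId"), ev.get("id"))
        if uid is not None:  # dedup drops events that lack the field
            latest.setdefault((uid, ev["sourcetype"]), ev)
    seen = defaultdict(set)  # user_id -> distinct sourcetypes
    for uid, sourcetype in latest:
        seen[uid].add(sourcetype)
    return [
        {"display_name": coalesce(ev.get("displayName"), ev.get("userDisplayName")),
         "user_id": uid, "userPrincipalName": ev.get("userPrincipalName"),
         "sourcetype": sourcetype}
        for (uid, sourcetype), ev in latest.items() if len(seen[uid]) < 2
    ]


def dormant_directory_users(events):
    """Hypothetical narrowing: keep users whose only sourcetype is the user record."""
    return [r for r in single_sourcetype_users(events) if r["sourcetype"] == USER]


if __name__ == "__main__":
    for row in single_sourcetype_users(EVENTS):
        print(row)
```

Before revoking access, confirm that a returned row comes from a user record rather than from sign-in events alone.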

Next steps

To prevent accidental misconfigurations, you should revoke access for users returned via this search who access cloud infrastructure on an infrequent basis.

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.