11-11-2022 10:38 AM
Hey all,
This question came up this week and I wanted to share with everyone in case someone else finds it useful. Outside of using the Directory Insights UI, one can use the PowerShell module to get a report of users who've been suspended and export a CSV of the results.
The user object itself does not record the date on which a user was suspended. Because of this, the Directory Insights table must be queried to get the recorded timestamp of the suspension.
In the following script, I have a simple filter to get all users who are currently suspended in my org. Then a loop iterates through each user getting the directory insights logs for just that user and the events that match the term "user_suspended".
This script will query the last 90 days of events. If no event was found in that time period, the user was suspended on a date older than 90 days from the day the script was run. In that case the suspended user's timestamp will show as "NA" on the report.
If I wanted to query all users, not just my suspended users, I could change line 1 in the script to get all users without filtering to only suspended users, e.g.:
$users = Get-JCUser -returnProperties suspended, username
This script will produce a "SuspendedUserReport.csv" file in the current working directory where the script is run.
Sample Script:
$users = Get-JCUser -returnProperties suspended, username | Where-Object { $_.suspended -eq $true }
$list = @()
foreach ($user in $users) {
    "searching for events on user: $($user._id)"
    $eventdata = $null
    try {
        # Query the last 90 days of Directory Insights for this user's "user_suspended" events
        $eventdata = Get-JcSdkEvent -service directory -StartTime (Get-Date).AddDays(-90) -SearchTermAnd @{"resource.id" = "$($user._id)"; event_type = "user_suspended" }
    } catch {
        # A failed query is reported the same way as "no event found"
        $eventdata = $null
    }
    if ($eventdata) {
        foreach ($foundevent in $eventdata) {
            # $foundevent is the current suspension event for this user
            $list += [pscustomobject]@{
                DateSuspended = $foundevent.timestamp
                userID        = $user._id
                username      = $foundevent.resource.username
                client_ip     = $foundevent.client_ip
                geoip         = $foundevent.geoip
                auth_method   = $foundevent.auth_method
            }
        }
    } else {
        # No event in the last 90 days: the user was suspended before the query window
        $list += [pscustomobject]@{
            DateSuspended = "NA"
            userID        = $user._id
            username      = $user.username
            client_ip     = "NA"
            geoip         = "NA"
            auth_method   = "NA"
        }
    }
}
# Export-Csv writes a clean header row (no "#TYPE" line on Windows PowerShell 5.1)
$list | Export-Csv -Path ./SuspendedUserReport.csv -NoTypeInformation
Feel free to modify or change the script to fit your needs!
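A follow-up to the report above, added here as an example and not part of the original post: because a user can be suspended more than once inside the 90-day window, the CSV can hold several rows per user, so this collapses it to one row per user with the latest suspension and flags accounts for review. The function name `Get-SuspensionSummary`, the 30-day threshold, the ISO 8601 timestamp format and the sample rows are all assumptions made for illustration.

```powershell
# Constructed sample rows in the shape of SuspendedUserReport.csv (not real data).
$rows = @'
DateSuspended,userID,username,client_ip,geoip,auth_method
2022-10-01T14:03:22Z,id-0001,alice,203.0.113.10,,sample
2022-11-02T09:15:40Z,id-0001,alice,203.0.113.10,,sample
NA,id-0002,bob,NA,NA,NA
2022-11-09T18:44:05Z,id-0003,carol,198.51.100.7,,sample
'@ | ConvertFrom-Csv

function Get-SuspensionSummary {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [datetime] $AsOf = (Get-Date).ToUniversalTime(),
        [int] $StaleAfterDays = 30    # hypothetical review threshold
    )
    foreach ($group in ($Rows | Group-Object -Property userID)) {
        # Keep only timestamps that parse; the "NA" placeholder is skipped.
        $dates = @(foreach ($row in $group.Group) {
            $parsed = [datetimeoffset]::MinValue
            if ([datetimeoffset]::TryParse($row.DateSuspended, [cultureinfo]::InvariantCulture, [Globalization.DateTimeStyles]::AssumeUniversal, [ref]$parsed)) {
                $parsed.UtcDateTime
            }
        })
        $latest = $dates | Sort-Object -Descending | Select-Object -First 1
        if ($null -ne $latest) {
            $days = [int][math]::Floor(($AsOf - $latest).TotalDays)
            $last = $latest.ToString('u')
        } else {
            # No event inside the query window: suspended before it began.
            $days = $null
            $last = 'before query window'
        }
        [pscustomobject]@{
            username       = $group.Group[0].username
            userID         = $group.Name
            LastSuspended  = $last
            TimesSuspended = $dates.Count
            DaysSuspended  = $days
            NeedsReview    = ($null -eq $latest) -or ($days -ge $StaleAfterDays)
        }
    }
}

# To use the real report instead of the sample: $rows = Import-Csv ./SuspendedUserReport.csv
Get-SuspensionSummary -Rows $rows | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Users whose only row is "NA" are always flagged, since their suspension predates the 90 days the script can see.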