I'm experiencing a serious slowdown when trying to retrieve users from an Entra group using Microsoft Graph. The group has around 19,000 members, and it's taking a ridiculous amount of time—like 2-3 minutes per user. I need to get all the users in this group and identify those who haven't signed into their account ever or in the current year. The script works, but it's so slow that it's not feasible. I've included the relevant parts of my PowerShell script below. Any tips or tricks to streamline this process would be greatly appreciated!
5 Answers
I handle a similar task using the Graph API directly. Instead of querying user groups individually, I fetch the group members in pages of 500 with the following URI:
`https://graph.microsoft.com/v1.0/groups/GROUPOBJECTID/members/microsoft.graph.user?$select=id,employeeId,userPrincipalName,signInActivity&$count=true&$top=500`
Just replace 'GROUPOBJECTID' with your actual group ID. But keep in mind, while you can fetch all users by sign-in activity, filtering within a specific group can be tricky in large environments.
Also, make sure you're aware there are alternative methods to accomplish your goals more efficiently. I’m working on automating a process to remove licenses from accounts without a company name that haven't signed in this year. This might involve dynamic groups and group-based licensing if that’s within your scope.
I've recently tackled a similar problem, and I found it much faster to use `Get-EntraUser` to fetch all users at once and reference their sign-in activities from there. It's just one query that takes a bit of time initially, but it’s definitely worth it. Here’s a simplified snippet from my workflow:
```powershell
# Connect to Entra using Microsoft Graph
Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome
$entraUsers = Get-EntraUser -All -Property 'UserPrincipalName', 'SignInActivity'
```
After that, you can easily filter based on your criteria. Also, I'm currently looking at how to incorporate last user action times from Exchange mailboxes, but that's been a bit of a challenge!
Thanks for the insight! I had assumed the Entra module was being phased out, so I wasn’t looking into it. I’ll definitely try this out!
I can confirm that including `SignInActivity` when using `Get-MGUser` can significantly slow things down, especially if done in a loop. You might want to first query without it, gather your list, and then check sign-in activity afterward, which should lessen your API calls.
Exactly, I'm thinking of running background queries for inactive users. Any suggestions on how to go about that?
It looks like you're hitting the Graph API multiple times unnecessarily. Instead of querying the group for different filters and then pulling user details again, try to get everything in one go. Just remember, querying `SignInActivity` is going to make things a bit slower. You might want to pull a list of users who've never signed in separately and then locally compare that to speed things up.
I initially did those extra queries to confirm I was pulling the right info, but I get your point! I'll try to grab sign-in data more efficiently this time. Thanks!
That sounds intriguing! I’d love to hear more about your approach with dynamic groups.