@maayanlux
Created March 8, 2023 14:19
# Authenticate the Azure Automation runbook with its managed identity
# (no stored credentials; the identity must hold the Az RBAC and Graph permissions used below).
Connect-AzAccount -Identity
# Sign in to Microsoft Graph (Get-AzToken below mints the Graph token from the Az session)
function Get-AzToken
{
    <#
    .SYNOPSIS
    Returns an access token for the given resource from the current Az context.
    .DESCRIPTION
    Uses the authentication factory of the active Az session (the identity signed in with
    Connect-AzAccount) to mint a token whose audience is $ResourceUri. The token is a bearer
    credential: treat it as a secret and do not write it to the job output.
    NOTE(review): this reaches into Az.Accounts internal types; the supported public cmdlet is
    Get-AzAccessToken — confirm the module version before switching, as its return type differs
    between versions.
    .PARAMETER ResourceUri
    Audience of the requested token, e.g. 'https://graph.microsoft.com/'.
    .PARAMETER AsHeader
    When set, returns @{Headers = @{Authorization = "Bearer <token>"}} ready for splatting
    into Invoke-RestMethod instead of the raw token.
    .OUTPUTS
    [string] raw token, or [hashtable] when -AsHeader is given.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [String]
        $ResourceUri,
        [Switch]$AsHeader
    )
    $azContext = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
    $authFactory = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory
    # Never prompt: the runbook has no interactive session.
    $accessToken = $authFactory.Authenticate(
        $azContext.Account,
        $azContext.Environment,
        $azContext.Tenant.Id.ToString(),
        $null,
        [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never,
        $null,
        $ResourceUri).AccessToken
    if (-not $AsHeader) {
        return $accessToken
    }
    return @{ Headers = @{ Authorization = "Bearer $accessToken" } }
}
# Connect the Graph SDK with a token minted for the managed identity (no client secret involved).
# NOTE(review): in Microsoft.Graph PowerShell SDK 2.x the -AccessToken parameter is typed
# [SecureString]; with that version the token must be wrapped with ConvertTo-SecureString
# -AsPlainText -Force first — confirm which module version is imported into the Automation account.
$Token = Get-AzToken -ResourceUri 'https://graph.microsoft.com/'
Connect-MgGraph -AccessToken $Token
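# Insert the values of your subscription id, storage account resource group and storage account
# name; the Blob container that receives today's report is created from them automatically.
$subscriptionId = " "
$storageAccountRG = " "
$storageAccountName = " "
# Fail fast with a clear message if the placeholders above were left blank, instead of
# erroring somewhere inside the Az cmdlets further down.
$requiredSettings = @{
    subscriptionId     = $subscriptionId
    storageAccountRG   = $storageAccountRG
    storageAccountName = $storageAccountName
}
foreach ($setting in $requiredSettings.GetEnumerator()) {
    if ([string]::IsNullOrWhiteSpace($setting.Value)) {
        throw "Configuration value '$($setting.Key)' is blank; set it at the top of the runbook."
    }
}
# One container per run date, e.g. deleteusers-08-03-23 (dd-MM-yy).
$todaydate = Get-Date -Format dd-MM-yy
$storageContainerName = "deleteusers-$todaydate"
# Select Azure Subscription
Select-AzSubscription -SubscriptionId $subscriptionId
# Get Storage Account Key
# NOTE(review): this is a shared key with full data-plane rights on the account. Granting the
# managed identity a Storage Blob Data Contributor role and using
# New-AzStorageContext -UseConnectedAccount would avoid handling the key at all.
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccountRG -AccountName $storageAccountName).Value[0]
# Set AzureStorageContext and create new container per running date.
# NOTE(review): New-AzureStorageContext / New-AzureStorageContainer are AzureRM cmdlets (retired);
# the Az equivalents are New-AzStorageContext / New-AzStorageContainer. Kept as-is here because the
# context object is consumed by Set-AzureStorageBlobContent further down — migrate both together.
$context = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
New-AzureStorageContainer -Name $storageContainerName -Context $context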
# Cutoff: users whose latest "Disable account" event is older than this are deletion candidates.
# Kept as a 'yyyy-MM-dd' string (time of day dropped), which is what the comparisons below expect.
$SetDate = (Get-Date).AddDays(-90)
$SetDate = Get-Date -Date $SetDate -Format yyyy-MM-dd
# All Azure AD users in disabled state. Without -All, Get-MgUser returns only the first page (100 users).
$AllUsers = Get-MgUser -Filter "AccountEnabled eq false" -All
$AllDeletedUsers = @()
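# Escapes a value for use inside a single-quoted OData string literal: ' becomes ''.
# UPNs may legitimately contain an apostrophe (o'brien@contoso.com); unescaped, it breaks the
# -Filter expression (and lets the UPN alter the query).
function ConvertTo-ODataLiteral
{
    param (
        [string]$Value = ''
    )
    return $Value.Replace("'", "''")
}

# Builds the report record for one disabled user from its "Disable account" audit entries.
# Returns a [pscustomobject] with ID, Name, UPN, LastDisabled, disabledby and deleted ("yes"/"no").
# deleted is "yes" only when a disable event exists AND its timestamp is older than $Cutoff. A user
# with no matching audit entry is never marked for deletion: there is no evidence of how long it has
# been disabled (the original code compared $null against the cutoff, which evaluates true and would
# have deleted such users). NOTE(review): directory audit retention (30 days at most, depending on
# licence — confirm for the tenant) is shorter than the 90-day rule, so an account disabled before the
# retention window has no entry at all; a durable source for the disable date is needed for this
# runbook to ever delete anything safely.
function New-DisabledUserRecord
{
    param (
        [Parameter(Mandatory = $true)]
        $User,
        [AllowNull()]
        [AllowEmptyCollection()]
        [object[]]$AuditEntries,
        [Parameter(Mandatory = $true)]
        [datetime]$Cutoff
    )
    $latest = $AuditEntries | Sort-Object ActivityDateTime -Descending | Select-Object -First 1
    $lastDisabled = $null
    $disabledBy = $null
    $deleted = "no"
    if ($null -ne $latest) {
        $lastDisabled = $latest.ActivityDateTime
        # Prefer the human actor; fall back to the application (e.g. a provisioning job) that disabled the account.
        if ($null -eq $latest.InitiatedBy.User.DisplayName) {
            $disabledBy = $latest.InitiatedBy.App.DisplayName
        }
        else {
            $disabledBy = $latest.InitiatedBy.User.DisplayName
        }
        if ($lastDisabled -lt $Cutoff) {
            $deleted = "yes"
        }
    }
    return [pscustomobject]@{
        ID           = $User.Id
        Name         = $User.DisplayName
        UPN          = $User.UserPrincipalName
        LastDisabled = $lastDisabled
        disabledby   = $disabledBy
        deleted      = $deleted
    }
}

# Report file name; defined before the loop so the export below also works when there are no users.
$LogFull = "DeletedUsers.csv"
$records = [System.Collections.Generic.List[object]]::new()
foreach ($user in $AllUsers)
{
    $userspn = ConvertTo-ODataLiteral -Value $user.UserPrincipalName
    $AllDisabledLogs = Get-MgAuditLogDirectoryAudit -Filter "ActivityDisplayName eq 'Disable account' and TargetResources/any(t:t/UserPrincipalName eq '$userspn')" -All
    $UserObj = New-DisabledUserRecord -User $user -AuditEntries $AllDisabledLogs -Cutoff ([datetime]$SetDate)
    if ($null -eq $UserObj.LastDisabled) {
        Write-Output "user has no 'Disable account' audit entry, not deleting : " $user.UserPrincipalName
    }
    elseif ($UserObj.deleted -eq "yes") {
        Write-Output "user can be deleted, last disabled time : " $UserObj.LastDisabled
    }
    else {
        Write-Output "user cannot be deleted, last disabled time : " $UserObj.LastDisabled
    }
    $records.Add($UserObj)
}
$AllDeletedUsers = $records.ToArray()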
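# Echo the full report to the job output, then persist it as CSV and upload it to today's container.
$AllDeletedUsers
if (@($AllDeletedUsers).Count -eq 0) {
    # Export-Csv produces no file for empty input, so the upload would otherwise fail on a missing file.
    Write-Output "no disabled users found; nothing to export"
}
else {
    $AllDeletedUsers |
        Select-Object ID, @{N="Display Name"; E={$_.Name}}, UPN, @{N="Last Disabled"; E={$_.LastDisabled}}, @{N="Disabled by"; E={$_.disabledby}}, @{N="To be deleted"; E={$_.deleted}} |
        Export-Csv -Path $LogFull -Append -NoTypeInformation
    # NOTE(review): Set-AzureStorageBlobContent is an AzureRM cmdlet (retired); the Az equivalent is
    # Set-AzStorageBlobContent, to be migrated together with the New-AzureStorageContext call above.
    Set-AzureStorageBlobContent -Context $context -Container $storageContainerName -File $LogFull
}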
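# Delete the users flagged above (disabled for more than 90 days).
# Remove-MgUser is a soft delete: the object stays restorable from the deleted-items container for a
# limited period (30 days at the time of writing — confirm), so keep the uploaded CSV as the audit record.
foreach ($du in $AllDeletedUsers)
{
    # Defensive: a record without a disable timestamp carries no evidence of the 90-day window; never delete it.
    if ($du.deleted -ne "yes" -or $null -eq $du.LastDisabled) {
        continue
    }
    Write-Output "deleting user : " $du.UPN
    try {
        Remove-MgUser -UserId $du.ID -ErrorAction Stop
    }
    catch {
        # Log with the user's identity and carry on so one failure does not abort the remaining deletions.
        Write-Error "failed to delete user $($du.UPN) ($($du.ID)): $_"
    }
}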