Active Directory and Microsoft 365 user reporting

Inactive users, privilege creep, MFA gaps, and licence recovery across every client tenant from one multi-tenant console.

Most MSPs run a year-end identity hygiene exercise by exporting a CSV from each client's Active Directory or Microsoft 365 admin centre, sorting by last sign-in, and walking the list by hand. The exercise gets skipped six months in three because the export is per-tenant, the formats are different, and nobody owns it. By the time it gets done again, a client has been paying for fourteen Microsoft 365 E3 licences attached to departed employees and an attacker has a stale "contractor" service account with Global Administrator that has not signed in for 410 days.

Lavawall®'s AD and Microsoft 365 user reporting module does the exercise continuously across every tenant. One technician sees an inactive-user list, a privilege-creep summary, an MFA-coverage report, and a stale-licence reclaim list spanning every client in the MSP's book of business — filterable by client, by source, and by report type. The inactive-user data feeds the notifications module so the right contact gets a digest when the threshold is crossed.

What it reports

  • Inactive users. Per identity source (AD, M365, Google Workspace), per configurable threshold (default 90 days). Excludes shared mailboxes, external guests, and tagged service accounts.
  • Disabled-but-licensed users. Microsoft 365 accounts in the "disabled" state still holding a paid licence. Each row shows the licence SKU and current cost.
  • Privilege creep. Users added to security-significant groups (Domain Admins, Enterprise Admins, Schema Admins on AD; Global Administrator, Privileged Role Administrator, Application Administrator on Entra) with the date of the most recent addition and the actor who added them.
  • MFA gaps. M365 users without registered MFA methods, broken out by privilege tier — Global Administrator accounts without MFA are a top-band Critical finding.
  • Sign-in anomalies. Impossible-travel sign-ins, sign-ins from unexpected countries, brute-force patterns. Cross-referenced with the Lavawall® breach-detection findings for full context.
  • Licence-cost recovery. The dollar value of recoverable seats per tenant. Useful for handing a client a one-page reclaim list at quarterly review.
  • Group membership change feed. Adds and removes on every security group, with actor and timestamp.
  • Password-policy violations. Users whose effective password policy is weaker than the configured baseline (length, age, complexity).

How it works

Active Directory: the Lavawall® agent runs on a domain-joined Windows host and queries AD over LDAP using a low-privilege read-only service account. lastLogonTimestamp is replicated across domain controllers so a single host sees the most-recent activity in the forest. Group membership snapshots run on a configurable cycle (typically every few hours); attribute-level diffs feed the privilege-creep report.

Microsoft 365 / Entra ID: the same Microsoft Graph application registration that powers the breach-detection and configuration-backup modules. Read-only scopes — no privileged write access. Sign-in logs, user lists, licence assignments, and role assignments come through the same connection.

Google Workspace: the Admin SDK with a read-only delegated service account. Inactive-user detection uses the per-user lastLoginTime; group membership uses the Directory API.

Reporting cadence: data is refreshed on the connector cycle (typically every 15–60 minutes for cloud sources, every few hours for AD). Reports are queryable at any time; scheduled exports run on a daily, weekly, or monthly cadence configurable per recipient.

Why MSPs care

Licence-cost recovery pays for the tool. The average mid-market MSP we see has 2–7% of M365 licences attached to departed employees. Recovering those seats is usually enough to cover Lavawall®'s cost across the entire MSP — not just the user-reporting module.

Inactive privileged accounts are the most common audit finding in every audit ThreeShield has performed against NIST SP 800-171, CMMC, SOC 2, HIPAA, and ISO 27001. A continuous inactive-user report makes the finding go away before the auditor walks in.

Multi-tenant by design. Per-client reports, multi-client roll-ups, MSP-wide views — same data model as the rest of Lavawall®. No per-tenant deployment, no per-tenant report rebuild.

Bundled with the rest of the platform. AD + M365 user reporting is part of the same Lavawall® agent and console that handle patching, GRC compliance, breach detection, configuration backup, file-change monitoring, helpdesk, and remote support. Inactive-user notifications flow through the same per-recipient notifications framework.

Frequently asked

Does this replace ManageEngine ADAudit Plus or Netwrix Auditor?
For most MSPs and lean IT teams, yes — for the user-reporting use case. Lavawall® covers inactive users, disabled-but-licensed users, privilege creep on group memberships, password-policy violations, MFA gaps, sign-in anomalies, and licence-cost recovery across Active Directory and Microsoft 365 from one report set. Where Netwrix and ADAudit Plus go deeper is in regulator-style change-event archiving (every attribute write with a 7-year audit trail) and enterprise RBAC. If you need either of those, run Lavawall® alongside; for the day-to-day reporting MSPs actually use, Lavawall® is enough.
What identity sources are covered?
On-premises Active Directory (via the Lavawall® agent on a domain-joined Windows host), Microsoft 365 / Entra ID (via Microsoft Graph), and Google Workspace (via the Admin SDK). The same report framework spans all three so an MSP managing a hybrid client sees one consistent inactive-user list rather than three separate ones.
How does the inactive-user detection work?
Each identity source has its own threshold (default 90 days). For AD, Lavawall® uses the lastLogonTimestamp attribute replicated across domain controllers. For M365, the Entra ID sign-in logs. For Google Workspace, the lastLoginTime field on each user. Shared mailboxes, external guests, and service accounts can be excluded; the per-recipient notification framework re-notifies on a configurable interval so a long-dormant account does not silently flood the inbox.
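To make the detection logic described here and under "How it works" concrete, here is an added Python example (not Lavawall®'s own code) that normalises each source's activity field (AD lastLogonTimestamp as a FILETIME, an Entra sign-in timestamp, Google lastLoginTime), applies the per-source threshold and the shared-mailbox/guest/service-account exclusions, and treats never-signed-in accounts as idle since creation. The record layout and the `lastSignIn` field name are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2025, 6, 30, tzinfo=UTC)            # fixed "today" so results are reproducible
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # AD lastLogonTimestamp counts 100-ns ticks from here

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def filetime_to_dt(ft):
    """0 or missing means the account has never logged on."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None

def last_activity(rec):
    """Normalise each source's activity field to an aware UTC datetime, or None."""
    if rec["source"] == "ad":
        # DCs rewrite lastLogonTimestamp only once it is >14 days old, so the real logon may be up to 14 days later.
        return filetime_to_dt(rec.get("lastLogonTimestamp"))
    if rec["source"] == "m365":
        return parse_iso(rec.get("lastSignIn"))  # assumption: newest Entra sign-in log entry for the user
    return parse_iso(rec.get("lastLoginTime"))   # Google Workspace Directory API user field

def is_excluded(rec):
    # Shared mailboxes, external guests and tagged service accounts never count as inactive.
    return rec.get("kind") in {"shared_mailbox", "guest"} or "service-account" in rec.get("tags", ())

def inactive_users(records, threshold_days=90, now=NOW):
    """Return [(upn, source, days_idle)] for accounts past the threshold, most idle first."""
    cutoff = now - timedelta(days=threshold_days)
    hits = []
    for r in records:
        if is_excluded(r):
            continue
        seen = last_activity(r) or parse_iso(r["created"])  # never signed in: idle since creation
        if seen < cutoff:
            hits.append((r["upn"], r["source"], (now - seen).days))
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed sample records (not real tenant data), spanning all three sources.
SAMPLE = [
    {"source": "ad", "upn": "jdoe@corp.example", "created": "2020-01-01T00:00:00Z", "lastLogonTimestamp": dt_to_filetime(datetime(2025, 6, 20, tzinfo=UTC))},
    {"source": "ad", "upn": "contractor-svc@corp.example", "created": "2019-01-01T00:00:00Z", "lastLogonTimestamp": dt_to_filetime(datetime(2024, 5, 16, tzinfo=UTC))},
    {"source": "ad", "upn": "new-hire@corp.example", "created": "2025-06-01T00:00:00Z", "lastLogonTimestamp": 0},
    {"source": "m365", "upn": "asmith@corp.example", "created": "2021-01-01T00:00:00Z", "lastSignIn": "2025-02-01T00:00:00Z"},
    {"source": "m365", "upn": "reception@corp.example", "created": "2021-01-01T00:00:00Z", "kind": "shared_mailbox", "lastSignIn": None},
    {"source": "gws", "upn": "backup-bot@corp.example", "created": "2022-01-01T00:00:00Z", "tags": ["service-account"], "lastLoginTime": "2023-01-01T00:00:00Z"},
    {"source": "gws", "upn": "mlee@corp.example", "created": "2022-01-01T00:00:00Z", "lastLoginTime": "2025-05-01T00:00:00Z"},
]
```

With the default 90-day threshold the constructed 410-day-idle contractor account and the 149-day-idle M365 user are flagged, while the shared mailbox, the tagged service account and the never-signed-in 29-day-old account are not.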
Can MSPs run this across all client tenants from one console?
Yes — that is the design point. The same multi-tenant model that powers the breach-detection and config-backup modules covers AD + M365 user reporting. One MSP technician sees an inactive-user list and a privilege-creep summary across every client tenant, filterable by client, by source, and by report type.
What about licence cost recovery?
Inactive M365 users with paid licences are flagged automatically; the report shows the cost of each licence so an MSP can hand the client a one-page list of seats to reclaim. The same logic applies to Google Workspace seats.