I'm working on identifying stale Azure AD accounts, using Microsoft Graph. While I'm waiting for the signInActivity resource type to graduate from beta, I've been looking at using the refreshTokensValidFromDateTime property (of the user resource), but I've found many users whose refreshTokensValidFromDateTime is way older than the most recent signIn. In this case, there are no CA policies with custom signIn frequencies and there are no token lifetime policies defined, so the 90 day default is in effect.
Just wondering if this is to be expected? I was thinking most interactive sign-ins would end up involving a refresh token, so then assumed that for anyone with actual signIns found during the last 90 days, their refreshTokensValidFromDateTime should be some date within the last 90 days too.
This was addressed way back when they moved signInActivity from beta to v1.0. All good now.
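As an added example (not code from the thread), the staleness check over v1.0 signInActivity that the question was working towards, run offline over constructed Graph user records; the request URL, field names and the 90-day threshold follow the post, while the sample users and the reference instant NOW are assumptions.

```python
"""Stale-account check over Microsoft Graph v1.0 user objects. Sample records
are constructed: an active user whose refreshTokensValidFromDateTime predates
her latest sign-in by years, a never-signed-in account, one active only via
non-interactive sign-ins, and a dormant one."""
from datetime import datetime, timedelta, timezone
# Graph v1.0 request returning the fields used below (signInActivity needs
# the AuditLog.Read.All permission and a Microsoft Entra ID P1/P2 licence).
GRAPH_QUERY = ("https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,"
               "refreshTokensValidFromDateTime,signInActivity")
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # evaluation instant for the sample
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com",
     "refreshTokensValidFromDateTime": "2019-01-15T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2021-05-30T09:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2021-05-31T07:00:00Z"}},
    {"userPrincipalName": "bob@example.com",  # never signed in: no signInActivity
     "refreshTokensValidFromDateTime": "2021-04-01T00:00:00Z"},
    {"userPrincipalName": "carol@example.com",
     "refreshTokensValidFromDateTime": "2021-03-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2021-01-05T12:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2021-05-20T12:00:00Z"}},
    {"userPrincipalName": "erin@example.com",
     "refreshTokensValidFromDateTime": "2020-11-20T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2020-12-01T10:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
]

def parse_ts(ts):
    """Graph emits ISO 8601 UTC timestamps with a trailing Z; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def last_activity(user):
    """Latest interactive or non-interactive sign-in, or None if never signed in."""
    act = user.get("signInActivity") or {}
    stamps = [parse_ts(act.get(k)) for k in
              ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    return max((s for s in stamps if s is not None), default=None)

def stale_accounts(users, now=NOW, threshold_days=90):
    """UPNs with no sign-in of either kind in the window; never signed in counts as stale."""
    cutoff = now - timedelta(days=threshold_days)
    return sorted(u["userPrincipalName"] for u in users
                  if last_activity(u) is None or last_activity(u) < cutoff)

def misflagged_by_refresh_token(users, now=NOW, threshold_days=90):
    """Active users that a refreshTokensValidFromDateTime-age heuristic would call stale."""
    cutoff = now - timedelta(days=threshold_days)
    stale = set(stale_accounts(users, now, threshold_days))
    return sorted(u["userPrincipalName"] for u in users if u["userPrincipalName"]
                  not in stale and parse_ts(u["refreshTokensValidFromDateTime"]) < cutoff)
```

Users returned by GRAPH_QUERY can be fed straight into stale_accounts; misflagged_by_refresh_token shows the mismatch the question observed, where an active user's refresh-token date alone would have marked her stale.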