
PowerShell script for automating the Microsoft 365 user lifecycle: connects to Graph and SharePoint, checks for inactivity (no sign-in for 30 days), blocks the user, backs up their emails, and deletes their account.

Jakbor32/silent-wipe-script


SilentWipeScript

SilentWipeScript is a PowerShell script that automates the detection and handling of inactive employee accounts.
Its main purpose is to reduce the workload of IT and HR departments by monitoring user logins and flagging accounts accordingly.
Inactive accounts are automatically transferred to SharePoint and await HR decision, while SharePoint lists provide both departments with a clear overview of account status.
This streamlines offboarding processes, increases security, and reduces manual administrative work.

Animated demonstration of SilentWipeScript PowerShell execution

The script combines several technologies:

  • Microsoft Graph – retrieves user details, sign-in information, and applies account updates
  • SharePoint (PnP) – acts as the central storage for lists, logs, reporting, and workflow support
  • Active Directory – used for disabling and renaming accounts in the local domain
  • NAS & Mail Backup – integrates with organizational storage and mail archiving for data protection and retention
  • PowerShell – provides the automation engine and logic that connects all systems together
  • Azure – used for identity management, cloud integration, and running services in a secure environment
  • Power Automate – can extend workflows with notifications, approvals, or further automation steps

In this way, SilentWipeScript integrates multiple systems into a single, automated tool that supports both IT administration and HR processes.


diagram-photo

Process Overview

  1. Prevents system sleep during execution to ensure uninterrupted operation.
  2. Connects to Microsoft Graph and SharePoint.
  3. Retrieves existing user records and whitelist data from SharePoint.
  4. Identifies inactive accounts based on login history and inactivity period.
  5. Takes appropriate action:
    • Blocks and renames accounts in AD or Graph after approvals are accepted by HR
    • Adds new inactive users to SharePoint for verification
    • Deletes outdated entries from SharePoint
  6. Saves logs both locally and in SharePoint for reporting and auditing.
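An added example, not the repository's own script, that implements steps 3 to 6 above as self-contained logic: a constructed user list and whitelist stand in for the Graph and SharePoint data (in the real script the users would come from Get-MgUser -All -Property SignInActivity), and the optional per-department threshold generalizes the fixed 30-day rule. The function and file names are assumptions.

```powershell
function Write-SwsLog {
    # Local log line in the shape the README describes: timestamp, level, message.
    param([ValidateSet('INFO','WARN','ERROR')][string]$Level, [string]$Message,
          [string]$Path = (Join-Path $env:TEMP 'SilentWipe-example.log'))
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Level, $Message
    Add-Content -Path $Path -Value $line
    $line
}

function Get-InactiveAccounts {
    param(
        [Parameter(Mandatory)][object[]]$Users,    # UserPrincipalName, LastSignIn, Department
        [string[]]$Whitelist = @(),                 # UPNs that must never be flagged
        [int]$DefaultThresholdDays = 30,
        [hashtable]$DepartmentThresholdDays = @{},  # optional per-department override
        [datetime]$Now = (Get-Date)
    )
    foreach ($u in $Users) {
        if ($Whitelist -contains $u.UserPrincipalName) {
            Write-SwsLog INFO "Skipping whitelisted account $($u.UserPrincipalName)" | Out-Null
            continue
        }
        $days = $DefaultThresholdDays
        if ($u.Department -and $DepartmentThresholdDays.ContainsKey($u.Department)) {
            $days = $DepartmentThresholdDays[$u.Department]
        }
        # Accounts that never signed in have no LastSignIn; treat them as inactive as well.
        $idle = if ($u.LastSignIn) { ($Now - $u.LastSignIn).Days } else { [int]::MaxValue }
        if ($idle -ge $days) {
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; IdleDays = $idle; Threshold = $days }
        }
    }
}

# Constructed sample data (not real accounts); the reference date is fixed so results are repeatable.
$now   = Get-Date '2025-01-31'
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'anna@contoso.example';       LastSignIn = Get-Date '2025-01-20'; Department = 'IT' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';        LastSignIn = Get-Date '2024-12-01'; Department = 'IT' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example';      LastSignIn = Get-Date '2024-12-15'; Department = 'HR' }
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@contoso.example'; LastSignIn = $null;                  Department = 'IT' }
)
# HR gets a 60-day rule, so carol (47 idle days) is kept while bob (61 idle days) is flagged.
$inactive = Get-InactiveAccounts -Users $users -Whitelist 'svc-backup@contoso.example' -Now $now -DepartmentThresholdDays @{ HR = 60 }
foreach ($acct in $inactive) {
    Write-SwsLog WARN "$($acct.UserPrincipalName) inactive for $($acct.IdleDays) days (threshold $($acct.Threshold)); adding to SharePoint verification list"
}
```

Flagged accounts are only reported here; in the real workflow they are written to the SharePoint list and blocked in AD or Graph only after HR approval.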

Azure Configuration

Below you will find step-by-step instructions for creating a certificate, registering an application in Microsoft Entra ID, and assigning the required Microsoft Graph and SharePoint permissions. This is necessary for the script to call Graph and to create, change, or delete items on SharePoint.

Go to Azure configuration

Remember to copy from this guide the tenant ID, client ID, and certificate thumbprint for proper connection to PowerShell.

NAS Configuration

Below you will find step-by-step instructions for configuring backup on the NAS. The NAS holds a copy of each mailbox, so that if an account is deleted the person's mail can still be restored.

Go to NAS configuration

Remember to make sure beforehand that the Azure group has been created so that it can be selected.

Microsoft Graph Configuration

To enable SilentWipeScript to interact with Microsoft 365 accounts, you need to configure the Microsoft Graph PowerShell module. This allows the script to retrieve user login data and manage accounts securely.

Go to Graph configuration

PowerShell Script Configuration and Task Scheduler Setup

PowerShell 7 is used as the core automation engine for this project. It integrates with Active Directory, Microsoft Graph, and SharePoint Online to manage inactive users, retrieve login data, and update SharePoint lists. It also enables scheduled cleanups via Task Scheduler, handling both on-prem and cloud operations in one script.

Go to PowerShell configuration

Active Directory Configuration

SilentWipeScript integrates with on-premises Active Directory using the ActiveDirectory PowerShell module. This allows the script to disable and rename accounts in the local domain.

Go to Active Directory configuration

SharePoint Configuration

In this project, SharePoint serves as a central platform for storing and managing lists of inactive accounts, logs, and workflow data. This allows both IT and HR departments to easily track account statuses and collaborate on processes. The SharePoint lists are the link between the Power Automate flow and PowerShell.

Go to SharePoint configuration

Power Automate Configuration

Power Automate is used here to extend automation beyond PowerShell by adding approvals and additional workflow steps. It uses the SharePoint and Azure connectors.

Go to Power Automate configuration

Logs

SilentWipeScript generates both local logs and SharePoint logs.
Each entry contains a timestamp, log level, and message.
This ensures full traceability of every operation performed by the script.

See sample logs

Further Development

SilentWipeScript can be extended in many directions to increase automation, usability, and security.
Below are possible improvements with explanations.

SIEM integration (Microsoft Sentinel) → forward logs for correlation with security events.
Dynamic inactivity threshold → allow per-department rules (e.g., 30 days for IT, 60 days for HR).
Centralized logging → push logs to Azure Log Analytics instead of only SharePoint.
Error notifications → send an email/Teams alert if a step fails.
GUI wrapper → simple PowerShell WPF/WinUI interface for manual triggers.
Multi-language support → log messages available in English/Polish depending on config.
