Forum Discussion
Guest Users - Clean Up
I realize this is an older thread, but replying for the benefit of those who may come later. I had a similar requirement, except that we needed to allow a 6-month window before declaring a guest account as stale/dormant. After some searching I was able to put together pieces from other posts I found to create a PowerShell script that uses the MS Graph API which will generate a report of the guest accounts, their creation date, and last login date. You can then use Excel to query the results according to whatever criteria you might need to use.
Note: it assumes the Graph PowerShell module has already been installed.
***********************************************************************************************
# Sign in with delegated scopes (Group.ReadWrite.All is not used by anything below)
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","AuditLog.Read.All"
# Use the beta Graph endpoint
Select-MgProfile beta

$usertype = "Guest" # Enter Guest or Member
$Result = @()

# Get every account of the chosen type
$usersUPN = Get-MgUser -All -Filter "UserType eq '$usertype'" |
    Select-Object UserPrincipalName, ID, DisplayName, CreatedDateTime

foreach ($user in $usersUPN)
{
    # SignInActivity has to be requested per user; it is empty for accounts that never signed in
    $usersignindate = Get-MgUser -UserId $user.ID -Select SignInActivity |
        Select-Object -ExpandProperty SignInActivity
    $userprops = [ordered]@{
        UserPrincipalName  = $user.UserPrincipalName
        DisplayName        = $user.DisplayName
        LastSignInDateTime = $usersignindate.LastSignInDateTime
        CreatedDateTime    = $user.CreatedDateTime
    }
    $userObj = New-Object -Type PSObject -Property $userprops
    $Result += $userObj
}

# -NoTypeInformation keeps the "#TYPE" line out of the CSV on Windows PowerShell 5.1
$Result | Select-Object * | Export-Csv c:\scripts\userlastlogin.csv -NoTypeInformation
- John_R007, Aug 30, 2022, Copper Contributor
Joshua Bines Thanks, I think I had looked at that, or one like it, but I generally have to vet the list before going ahead with disabling of accounts. We have some contractors, vendors that we make allowances for, so just generating the report of dormant accounts is what worked best for us.
- Joshua Bines, Aug 30, 2022, Iron Contributor
No worries, I'm a bit brutal when it comes to guest accounts these days... I guess we could add an exclude group/value to the removal process but I don't think I like that idea either unless you still had an automated process to clean them up. Hmmm, thinking out loud... lastlogin -gt 6 month DEL except 'someGuest' then have another process to clean up the excluded guests say lastlogin -gt 18 months. But manual works of course.
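
Added example, not part of any post in this thread: a report-only pass over the CSV that the script above writes, applying the 6-month window to ordinary guests and the 18-month window to an exclusion list, as discussed in the replies. The function name `Get-StaleGuest`, its parameters, the fallback to `CreatedDateTime` for guests that never signed in, and the sample rows are assumptions made for illustration.

```powershell
# Added example: classifies guests from the report; it changes nothing in the tenant.
function Get-StaleGuest {
    param(
        [Parameter(Mandatory)] [object[]] $Report,  # rows with the report's four columns
        [string[]] $Exclude = @(),                  # UPNs that get the longer window (hypothetical list)
        [int] $StaleMonths = 6,
        [int] $ExcludedStaleMonths = 18,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($row in $Report) {
        # Guests that never signed in have an empty LastSignInDateTime.
        # Assumption: measure those from CreatedDateTime instead of skipping them.
        $neverSignedIn = [string]::IsNullOrWhiteSpace($row.LastSignInDateTime)
        $basis = if ($neverSignedIn) { $row.CreatedDateTime } else { $row.LastSignInDateTime }
        # Assumption: the CSV dates are in a format the current culture can parse,
        # which holds when the report was exported on the same machine.
        $lastActive = [datetime]::Parse($basis)

        $excluded = $Exclude -contains $row.UserPrincipalName
        $months   = if ($excluded) { $ExcludedStaleMonths } else { $StaleMonths }
        $cutoff   = $AsOf.AddMonths(-$months)

        [pscustomobject]@{
            UserPrincipalName = $row.UserPrincipalName
            LastActive        = $lastActive
            NeverSignedIn     = $neverSignedIn
            Excluded          = $excluded
            Stale             = $lastActive -lt $cutoff
        }
    }
}

# Constructed sample rows in the same shape as userlastlogin.csv.
# Against a real report use: $rows = Import-Csv c:\scripts\userlastlogin.csv
$rows = @'
"UserPrincipalName","DisplayName","LastSignInDateTime","CreatedDateTime"
"guest.a_example.com#EXT#@contoso.example","Guest A","2021-11-01T10:00:00Z","2020-03-01T08:00:00Z"
"vendor.b_example.com#EXT#@contoso.example","Vendor B","2021-11-01T10:00:00Z","2020-03-01T08:00:00Z"
"vendor.c_example.com#EXT#@contoso.example","Vendor C","2021-01-15T09:30:00Z","2019-05-01T08:00:00Z"
"guest.d_example.com#EXT#@contoso.example","Guest D","","2021-01-01T08:00:00Z"
"guest.e_example.com#EXT#@contoso.example","Guest E","","2022-07-01T08:00:00Z"
'@ | ConvertFrom-Csv

$excludeList = 'vendor.b_example.com#EXT#@contoso.example', 'vendor.c_example.com#EXT#@contoso.example'
Get-StaleGuest -Report $rows -Exclude $excludeList -AsOf ([datetime]'2022-08-30') |
    Sort-Object Stale -Descending | Format-Table -AutoSize
```

The output is a list to vet by hand before any account is disabled; the `NeverSignedIn` column separates invitations that were never redeemed from accounts that went quiet.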