Forum Discussion
Guest Users - Clean Up
Use the Access Reviews feature: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview
If you don't like the fact that it requires an AAD P2 license, you can write your own workflow that uses the same principle :)
- CameronGo, Dec 15, 2021, Brass Contributor
VasilMichev old thread, but the User Access Reviews for Guest access appear to be able to remove them from a Group / Team, but the Guest accounts still remain in Azure AD and are not disabled as far as I can tell. I don't see anything about the User Access Reviews that actually disables the stale accounts. Am I missing it?
- Nikita Skitsko, Oct 23, 2019, Copper Contributor
VasilMichev I've come across an Ignite https://youtu.be/KvcYz3ERZSY?t=3174 (~2 min) explaining how external guests expiration works in SharePoint, but I am not able to find any documentation about that feature. Do you know if it's a part of Access Review package?
- Nikita Skitsko, Oct 24, 2019, Copper Contributor
The functionality described in this video is not generally available yet. Here is a blog post describing that there will be a public preview in 3Q2019. I think we will hear more in the next few weeks during Ignite.
- Deleted, May 01, 2018
That's really not the same thing, the post author is asking for a way to remove guest users when they get removed from other tenants, which there really isn't a way to do. Your tenant has no way to know what is going on with that tenant, so that link will never be updated and/or removed since all the B2B happens on the guest side and not the originating tenant. It has no knowledge of that guest account in your tenant.
Only way you can maybe really tell is by using that Password reset field for updates, if it goes inactive because it hasn't been used / reset for so long (which is automated based on token or something) then you can remove those users from your tenant.
I could be way off base here, but from dabbling into guest access, and writing a report of who's accepted guest invites etc. seeing those fields and how this works, seems to me there is a disconnect there that could be problematic over time, but basically you're going to have to govern access to your Teams etc. yourself.
- Deleted, May 01, 2018
Well, didn't see this entry on the Azure Access thing: You can recertify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
But this is just basically providing a system to go out and say hey, do you still need access, or hey, here are guests to audit. Still basically doing your own governance on the guest accounts.
- VasilMichev, May 02, 2018, MVP
Well how exactly do you imagine managing it otherwise, being able to go directly to the partner Azure AD instance and remove the user from there? :) You have two options - rely on the partner organization to disable access to those accounts or take matters into your own hands.
The Access Reviews are basically a user-friendly way for Guest attestation, you can of course do your own workflow around it (the P2 requirement is just enough motivation to do so). Querying the Audit logs for the last action performed by a Guest is a good starting point for example.
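
The do-it-yourself workflow suggested in the thread (take the last audited action per guest and act on guests with none inside a cutoff), sketched as an added example that is not code from any poster or from Microsoft. The record layout (`upn`, `created`, `actor`, `activityDateTime`), the 90-day cutoff and the sample rows are assumptions constructed for illustration, not a real Azure AD export schema.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names are assumptions for this sketch,
# not the schema of a real Azure AD export.
GUESTS = [
    {"upn": "alice@partner.example", "created": "2021-01-10T09:00:00Z"},
    {"upn": "bob@partner.example",   "created": "2020-06-01T09:00:00Z"},
    {"upn": "carol@vendor.example",  "created": "2021-02-01T09:00:00Z"},
    {"upn": "dave@vendor.example",   "created": "2021-12-15T09:00:00Z"},
]
AUDIT_ROWS = [
    {"actor": "Alice@Partner.example", "activityDateTime": "2021-12-20T14:03:00Z"},
    {"actor": "bob@partner.example",   "activityDateTime": "2021-03-05T08:30:00Z"},
    {"actor": "bob@partner.example",   "activityDateTime": "2021-01-02T11:00:00Z"},
]

def parse_ts(value):
    # fromisoformat() in older Python versions rejects a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def last_activity(audit_rows):
    """Most recent audited action per actor, keyed by lower-cased UPN."""
    latest = {}
    for row in audit_rows:
        actor, when = row["actor"].lower(), parse_ts(row["activityDateTime"])
        if actor not in latest or when > latest[actor]:
            latest[actor] = when
    return latest

def review_guests(guests, audit_rows, now, max_idle_days=90):
    """Return {upn: 'keep' | 'disable' | 'remove'} for each guest."""
    cutoff = now - timedelta(days=max_idle_days)
    latest = last_activity(audit_rows)
    decisions = {}
    for guest in guests:
        seen = latest.get(guest["upn"].lower())
        # No audited action: measure from creation so new invites get a grace period.
        # Absence only proves inactivity within the time range the export covers.
        reference = seen or parse_ts(guest["created"])
        if reference >= cutoff:
            decisions[guest["upn"]] = "keep"
        elif seen is None:
            decisions[guest["upn"]] = "remove"   # never active, past the grace period
        else:
            decisions[guest["upn"]] = "disable"  # once active: disable before deleting
    return decisions

if __name__ == "__main__":
    now = parse_ts("2022-01-01T00:00:00Z")
    for upn, action in review_guests(GUESTS, AUDIT_ROWS, now).items():
        print(f"{action:8} {upn}")
```

The separate "disable" outcome covers the gap raised earlier in the thread, where a guest loses group membership but the account itself stays enabled in the directory.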