Forum Discussion
StephanGee (Steel Contributor)
Jul 04, 2022
Access review would "deny" a fresh created user
Hi everyone,
I was glad to see that we can now set a higher date than 30 days for "Access reviews".
I want to automate the whole thing. No one should be asked to review.
Guest was not logged in for 60 days. Deny then delete.
I created a dynamic group with all guests inside.
And this is the final action:
Sounds great - if there wasn't a problem with the query.
It also takes "fresh guests" into account. So if somebody got created just before the review and did not log in yet - the recommendation is deny.
I took the data from the last review (ended 6/24/2022) and also from all my guest users in a csv and used XLOOKUP.
Top User would be created 6/16 and denied by the automatism on 6/24.
I would expect if I set "inactive users (on tenant level) only" to 60 days. They should not show up because I do not know yet if they are inactive or just on vacation.
Anyone got around this? I may be able to use the dynamic groups feature to filter them out.
BR
Stephan
- SystemEngineer (Steel Contributor)
Hi StephanGee & Jyothi_Gangadhar,
Is the new Access Review feature now publicly available (GA) to automatically identify and then delete the inactive Azure AD guest user account?
- StephanGee (Steel Contributor)
Yes it works -- but another issue came up.
The query also takes "non interactive" logins into account. That means that if a guest opens up Teams at their client - a try to login takes place = active.
Is there a way to only make "interactive logins" count? Jyothi_Gangadhar
- StephanGee (Steel Contributor)
No one is trying to automate it like this? I opened up a case. Maybe I get some more information.
- Jyothi_Gangadhar (Microsoft)
Hi StephanGee, Thanks for your feedback. We have made a fix to exclude newly created users from the "Inactive Users" review - For Ex: if you set the inactivity time to 60 days and a user was created or invited less than 60 days ago then the guest user will not be in scope of Access Review. This ensures that a user can sign in at least once before being removed. Please make sure to check "Inactive Users" checkbox while creating the review. We look forward to your feedback! Thanks!
- StephanGee (Steel Contributor)
Thank you very much. Now it is working as expected.
I cannot find any user that would be denied (9.9.2022 Report) but was freshly created.
I will roll this out in October.
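
The scoping rule from the Microsoft reply and the non-interactive sign-in question raised in the thread, as an added example that is not part of any post here and is not Microsoft's implementation. It is a local model for checking an exported guest list; the field names follow the Microsoft Graph user properties `createdDateTime` and `signInActivity`, while `upn`, `review_guests` and `interactive_only` are hypothetical, and invitation date is not modelled.

```python
from datetime import datetime, timedelta, timezone

def parse(ts):
    """Parse an ISO 8601 UTC timestamp; None or '' means 'never'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def review_guests(guests, now, inactivity_days=60, interactive_only=False):
    """Return {upn: decision}; decision is out_of_scope, approve or deny."""
    cutoff = now - timedelta(days=inactivity_days)
    decisions = {}
    for g in guests:
        # Grace period: an account younger than the inactivity window cannot
        # yet have been inactive for that long, so it is left out of the review.
        if parse(g["createdDateTime"]) > cutoff:
            decisions[g["upn"]] = "out_of_scope"
            continue
        sign_ins = [parse(g.get("lastSignInDateTime"))]  # interactive
        if not interactive_only:
            # Background token refreshes (e.g. a client left open) land here.
            sign_ins.append(parse(g.get("lastNonInteractiveSignInDateTime")))
        last = max((s for s in sign_ins if s), default=None)
        decisions[g["upn"]] = "approve" if last and last >= cutoff else "deny"
    return decisions

# Constructed sample records, not data from the thread's tenant.
NOW = datetime(2022, 9, 9, tzinfo=timezone.utc)
GUESTS = [
    {"upn": "fresh@ext", "createdDateTime": "2022-09-01T08:00:00Z"},
    {"upn": "stale@ext", "createdDateTime": "2021-01-10T08:00:00Z",
     "lastSignInDateTime": "2022-03-01T09:00:00Z",
     "lastNonInteractiveSignInDateTime": "2022-03-02T09:00:00Z"},
    {"upn": "teamsonly@ext", "createdDateTime": "2021-05-01T08:00:00Z",
     "lastSignInDateTime": "2022-02-01T09:00:00Z",
     "lastNonInteractiveSignInDateTime": "2022-09-05T09:00:00Z"},
    {"upn": "active@ext", "createdDateTime": "2021-05-01T08:00:00Z",
     "lastSignInDateTime": "2022-08-20T09:00:00Z"},
]

if __name__ == "__main__":
    for mode in (False, True):
        print("interactive_only =", mode, review_guests(GUESTS, NOW, 60, mode))
```

Comparing the two modes on an export shows which guests are kept only because of non-interactive sign-ins before auto-apply is enabled.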