Forum Discussion

michaelkubala's avatar
michaelkubala
Brass Contributor
Jun 29, 2020
Solved

How do you handle external users who have left the company?

When you enable guest access in Teams, those users get brought into your Azure AD environment, but unlike your regular internal users, you have no way of knowing if those external users are still act...
Administrator
best practices
Guest Access
microsoft teams
  • VasilMichev's avatar
    VasilMichev
    Jun 29, 2020

    Azure AD Access Reviews, Entitlement management if you have the licensing, or just periodically checking their activity via the Unified audit log.

AlexWaterton's avatar
AlexWaterton
Copper Contributor
Jun 30, 2020

michaelkubala For us it is a joint responsibility.  The HR department are responsible for notifying the IT department of any staff who are leaving in advance, providing IT with a leaving/last date, and if available the named person who will be taking over that persons role or position (Account).  We then schedule to a) change the password and b) forward incoming emails or allow shared access to that account either to check, or manage the account for an agreed period of time.  Once this time is up, the account is set to auto-reply for a further month before being archived.  Additionally any New starters, IT are again notified by the HR department in order to setup and prepare any accounts in good time.

michaelkubala's avatar
michaelkubala
Brass Contributor
Jun 30, 2020
Thanks AlexWaterton, but I referring to guest users. For example, I work for company A and there are external users from company B in our Active Directory. Typically for internal employees, we have a system as you described for handling user accounts, but for our external users in company B, we wouldn't know that those employees are no longer with the company so those accounts would stick around forever in our system.
  • AlexWaterton's avatar
    AlexWaterton
    Copper Contributor
    Jun 30, 2020
    For those users I would setup and automatic email to go out maybe every 3 months to confirm user is still active and in post. If they do not reply then the account gets suspended within 30 days and archived after 60 days. Could well be just a Group Contacts setting that goes out quarterly in BCC,. Still may not be a full proof system, but may well result in a reduction of redundant accounts. Best of luck with whichever way you plan to attack the problem. 🙂