Can an Azure AD Access Reviews actually delete a user account?


I have a use case for a client where Azure AD accounts are created for 3rd parties who need access to the tenant. These users need to be checked on a regular basis to make sure they are still in use.
I have recommended that they use Azure AD Access Reviews on a recurring basis to manage this.

The users are already in a specific security group that manages their Office 365 licence configuration.
The Access review is set up on this security group so if a user is declined as part of the review process they are removed from the security group so by default they lose their Office 365 licence.
However, their account still remains as unlicensed. So an admin would have to manually remove the account at the end, or create a script to delete it.
Is there any way of also deleting their account as part of the Access review so it is just one process? In the Microsoft docs it seems to infer that you can. See details below.

https://docs.microsoft.com/en-gb/azure/active-directory/governance/complete-access-review

'Remove users from an access review

By default, a deleted user will remain deleted in Azure AD for 30 days, during which time they can be restored by an administrator if necessary. After 30 days, that user is permanently deleted. In addition, using the Azure Active Directory portal, a Global Administrator can explicitly permanently delete a recently deleted user before that time period is reached. Once a user has been permanently deleted, subsequently data about that user will be removed from active access reviews. Audit information about deleted users remains in the audit log.'
Any help appreciated.

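The "script to delete" follow-up step the question mentions, as an added example that is not part of the original post or Microsoft's documentation: it reads the Deny decisions of the latest completed instance of the review on the licensing group and disables those accounts rather than deleting them, so the audit trail survives and the final delete (with its 30-day soft-delete window) stays a deliberate admin action. It assumes the Microsoft Graph PowerShell SDK, that `$ReviewDefinitionId` is filled in with the review definition's id, and that the decision's `Principal` object exposes `Id` and an `@odata.type` entry as shown.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell SDK (assumption). Without -Apply the script only reports.
param(
    [Parameter(Mandatory)] [string] $ReviewDefinitionId,  # placeholder: id of the review definition
    [switch] $Apply
)

Connect-MgGraph -Scopes "AccessReview.Read.All", "User.ReadWrite.All"

# Latest completed instance of the recurring review
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $ReviewDefinitionId -All |
    Where-Object { $_.Status -eq "Completed" } |
    Sort-Object EndDateTime -Descending |
    Select-Object -First 1
if (-not $instance) { throw "No completed instance found for review $ReviewDefinitionId" }

$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $ReviewDefinitionId `
    -AccessReviewInstanceId $instance.Id -All

foreach ($d in $decisions) {
    # Act only on explicit Deny decisions for user principals (assumed property shape)
    if ($d.Decision -ne "Deny") { continue }
    if ($d.Principal.AdditionalProperties['@odata.type'] -ne "#microsoft.graph.userIdentity") { continue }

    $user = Get-MgUser -UserId $d.Principal.Id -Property Id, UserPrincipalName, AccountEnabled `
        -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "Denied principal $($d.Principal.Id) no longer exists"; continue }
    if (-not $user.AccountEnabled) { Write-Output "Already disabled: $($user.UserPrincipalName)"; continue }

    if ($Apply) {
        # Disable first; an admin deletes later, which starts the 30-day soft-delete window
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Write-Output "Disabled: $($user.UserPrincipalName) (denied by $($d.ReviewedBy.DisplayName))"
    } else {
        Write-Output "Would disable: $($user.UserPrincipalName)"
    }
}
```

Run it once without `-Apply` after each review instance completes and compare the report against the review's decision list before running it with `-Apply`.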
1 Reply

Not via Access reviews, but the recently released Entitlement management offers that, and more.