Guest Users governance - stale guest users

kiran bellala
Contributor

Hello All

I want to reach out to community and ask how admins are managing and creating governance around Guest users (external users).

In an O365 tenant, users can invite non-tenant users to participate in Teams or in SharePoint sites. But after the project is complete, they forget to remove them from the Team or Site. Also we see a lot of Guest users in the Azure AD tenant that have not logged in in the last 30 days (I am using Azure AD Sign-in logs to see this info). For obvious security reasons, we don't want to leave these Guest users active in our tenants. I know we can get a list of external users and their sign-in data using the Graph API. But my question is more around best practices.

Are there any best practices on how to handle stale guest users? I did not see any MS official documentation around this topic. Please share the governance policies that you have set up for guest users.

TIA.

6 Replies

The "best practice" will vary greatly from one organization to the other, as some are very "open" in regards to guest users, others must allow their partners and customers, while organizations in certain industries will never even enable such a feature. Microsoft's own tool to manage the guest user lifecycle is called Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-manage-gu...), but unfortunately the license requirements are very prohibitive for any organization not already invested in AAD Premium P2.

PowerShell and the Graph API give you all the tools you need in order to manage Guest users, so you can build your custom solution around it, if the above is too costly.

@Vasil Michev thank you for your response.

I agree with you that Azure AD Premium P2 is expensive, hence I am building my own scripts and tools for External user management. Just wanted to ask the community how long you are leaving an external user in Azure AD. We cannot leave inactive external users forever in the tenant.

Running the script/tool on a monthly basis seems like a sensible approach. But again, depends on the organization policies, some organizations will be perfectly fine doing the cleanup once per quarter.


Does anyone have a PowerShell script that would provide a list of stale guest accounts with the last log-in date for users who don't have a mailbox? External users who have been granted access to sites or documents in classic SharePoint sites and modern Team and Communication sites don't have mailboxes.
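The list asked for here, and the Graph-based approach the earlier replies point to, as an added PowerShell example that is not from anyone in this thread. It reads sign-in activity from the directory rather than from Exchange, so it works for SharePoint-only guests with no mailbox. It assumes the Microsoft.Graph PowerShell SDK is installed, that the tenant is licensed for Azure AD Premium P1 (which the signInActivity property requires), and that the signed-in admin can consent to User.Read.All and AuditLog.Read.All; the 90-day threshold and the output path are made-up defaults.

```powershell
# Added example, not code from this thread: report guest accounts that have not
# signed in to this tenant for a configurable number of days.
# Assumes: Microsoft.Graph SDK (Install-Module Microsoft.Graph), Azure AD P1 licensing
# for signInActivity, and permission to consent to the scopes below.
param(
    [int]$StaleDays = 90,                       # constructed default threshold
    [string]$CsvPath = ".\stale-guests.csv"     # constructed output path
)

# AuditLog.Read.All is what allows signInActivity to be selected; User.Read.All lists users.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$StaleDays)

# Filter server-side on userType only: Graph does not allow signInActivity to be
# combined with other $filter clauses, so the staleness test is done client-side.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property id,displayName,userPrincipalName,mail,createdDateTime,externalUserState,signInActivity

$report = foreach ($g in $guests) {
    # Interactive and non-interactive sign-ins are tracked separately; take the latest of the two.
    $lastSeen = @($g.SignInActivity.LastSignInDateTime,
                  $g.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # A guest with no recorded sign-in at all is judged by invitation age, so a
    # week-old pending invitation is not reported as stale.
    $reference = if ($lastSeen) { $lastSeen } else { $g.CreatedDateTime }
    if ($reference -gt $cutoff) { continue }

    [pscustomobject]@{
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        Mail              = $g.Mail
        InvitationState   = $g.ExternalUserState   # PendingAcceptance or Accepted
        Created           = $g.CreatedDateTime
        LastSignIn        = $lastSeen              # empty = never signed in here
        DaysInactive      = [int]($now - $reference).TotalDays
    }
}

$report | Sort-Object DaysInactive -Descending | Export-Csv -Path $CsvPath -NoTypeInformation
Write-Host ("{0} of {1} guest accounts inactive for more than {2} days; written to {3}" -f `
    @($report).Count, @($guests).Count, $StaleDays, $CsvPath)
```

The script only reports; a common governance pattern is to review the CSV, disable the listed accounts first (`Update-MgUser -UserId <id> -AccountEnabled:$false`) so a resource owner can object, and delete only after a further grace period. Two caveats when reading the output: signInActivity reflects sign-ins into this tenant only, which is the right view for deciding whether the guest still needs access here, and the property only carries data from the point Microsoft began collecting it, so very old guests can show an empty LastSignIn even if they were once active.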

The only way I've seen to check user activity is to go to the sign-in logs.

Aside from that nothing

Hi, old thread, I've just posted a similar question:

https://techcommunity.microsoft.com/t5/identity-authentication/add-remove-external-guest-user-from-s...


What I found interesting is that SP has the power to create a guest tenant but not the reverse. Seems odd that when deleting a User from an SP site the option isn't presented to remove the AD tenant. In addition, any SP sites that are deleted should present the Guest User Tenants to be removed also..... if the Guest User Tenant is in use on another Site then a simple warning/pop-up to say "not removed as in use on other Sites".

One issue I've thought of is the 1:5 ratio of LicenseUser:GuestUser…… how did you overcome this? Or did you keep paying for additional Tenant Licenses?
