Microsoft Tech Community

Guest Users - Clean Up


Does anyone have any experience with policies and planning for cleaning up guest users? We want to make sure that when guest users leave their company we can make sure they no longer have access to our Teams. Is there an audit process or an expiration process for guest users?

 

Thanks!

18 Replies
+1 on this question. The get-azureaduser -filter "usertype eq 'guest'" command doesn't show too much that might lend itself to expiration and the like. I'm looking for the same thing. The closest thing I've come up with is something I did in our on-prem AD to handle expiring accts. At time of guest user creation I include the requestor's objectID and populate it in the 'manager' field. I want to cut a report off of that which will email the requestor at regular intervals (i.e. quarterly, or some kind of 90-days from creation date). While not elegant, it at least gives us a means of tracking and managing.
Any assistance is appreciated.
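As an added example (not from this thread or any of its posters), here is the "requestor in the manager field" idea carried over to Entra ID with the Microsoft Graph PowerShell SDK: the inviting user is recorded as the guest's manager at invitation time, and a later pass lists guests per requestor, which is what a scheduled job would mail out for re-attestation. It assumes the Graph SDK is installed and that the calling account has the listed scopes; the requestor UPN, guest address and redirect URL are placeholders.

```powershell
# Added example: tie each guest to the internal requestor via the manager link,
# then report guests grouped by requestor so someone can vouch for each one.
Connect-MgGraph -Scopes "User.ReadWrite.All","User.Invite.All","Directory.Read.All"

# --- At invitation time: invite the guest and set the requestor as manager ---
$requestorUpn = "requestor@contoso.example"    # placeholder
$guestEmail   = "partner@fabrikam.example"     # placeholder

$requestor = Get-MgUser -UserId $requestorUpn
$invite = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage:$true
$guestId = $invite.InvitedUser.Id

# manager is a directory reference, so it is set through an @odata.id body
Set-MgUserManagerByRef -UserId $guestId -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($requestor.Id)"
}

# --- At review time: list every guest with the person who asked for it ---
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,UserPrincipalName,CreatedDateTime
$rows = foreach ($g in $guests) {
    $mgr = $null
    try { $mgr = Get-MgUserManager -UserId $g.Id -ErrorAction Stop } catch { }
    # Get-MgUserManager returns a generic directoryObject; the UPN sits in AdditionalProperties
    $requestorName = "(none set)"
    if ($mgr) { $requestorName = $mgr.AdditionalProperties.userPrincipalName }
    [pscustomobject]@{
        Requestor = $requestorName
        Guest     = $g.UserPrincipalName
        AgeDays   = [int]((Get-Date) - $g.CreatedDateTime).TotalDays
    }
}

# Guests with no requestor on file are the ones nobody will vouch for; they sort first
$rows | Sort-Object Requestor, AgeDays | Format-Table -AutoSize
# One line per requestor is what a quarterly / 90-day job would send out
$rows | Group-Object Requestor | ForEach-Object { "{0}: {1} guest(s)" -f $_.Name, $_.Count }
```

The manager link is only as good as the invitation process that sets it, so the "(none set)" bucket is worth reviewing on its own: those are guests created outside the process (for example by a Teams owner adding an external member directly).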

Use the Access Reviews feature: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-re...

 

If you don't like the fact that it requires AAD P2 license, you can write your own workflow that uses the same principle :)

That's really not the same thing. The post author is asking for a way to remove guest users when they get removed from other tenants, and there really isn't a way to do that. Your tenant has no way to know what is going on with that tenant, so that link will never be updated and/or removed. Since all the B2B happens on the guest side and not the originating tenant, it has no knowledge of that guest account in your tenant.

The only way you can maybe really tell is by using that password reset field for updates; if it goes inactive because it hasn't been used / reset for so long (which is automated based on token or something), then you can remove those users from your tenant.

I could be way off base here, but from dabbling into guest access, and writing a report of who's accepted guest invites etc., seeing those fields and how this works, it seems to me there is a disconnect there that could be problematic over time. Basically you're going to have to govern access to your Teams etc. yourself.
Well, didn't see this entry on the Azure Access thing: You can recertify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.

But this is just basically providing a system to go out and say hey, do you still need access, or hey, here are guests to audit. Still basically doing your own governance on the guest accounts.

Well, how exactly do you imagine managing it otherwise, being able to go directly to the partner Azure AD instance and remove the user from there? :) You have two options - rely on the partner organization to disable access to those accounts or take matters into your own hands.

 

The Access Reviews are basically a user-friendly way for Guest attestation, you can of course do your own workflow around it (the P2 requirement is just enough motivation to do so). Querying the Audit logs for the last action performed by a Guest is a good starting point for example.

I concur. That's basically what I said but you said it better 😂

@Deleted and @Vasil Michev thanks for sharing your insights, this is what makes the community valuable and keeps giving me a reason to read and participate.

+1 on the proposed 'Access Reviews' solution. 

 

Using the info from the responses, I've looked into Access Reviews, and found it to be a really good way to meet these needs. 

 

I created a review, set the schedule/interval, specified Guest Users only, and saw all of the other options that are available to be set, including who to notify for re-attestation (the guest users themselves, owners of a designated group who are responsible for managing a given set of guest users (which can be a dynamic security group based on an attribute populated for different sets of guest users), a designated 'guest user manager(s)', and others).

 

Probably the best option was the fact that it had a 'what action to take if user doesn't respond to the access review.'  Haven't validated this yet but one option was to revoke access, which our Infosec dept will love.  

 

We're an E5 org, but don't have AAD P2.  We have P1 with one of those custom-bundle license packages.  I've added a P2 trial, but don't know what it will necessarily give us with our needs in this dept.  Our MS Acct Mgrs are willing to work with us given the FY Close in June, so if someone in the know could provide me some info about the enhancements/value-add of P2 in the Access Review, Cloud App Discovery, and anything else that I can use to enhance security in Azure/O365 I'd appreciate it.  

I'm looking at the Access Reviews feature but each review is scoped to a particular Azure AD group.

I want to create a review with the scope of all Guest users.

Is that possible?

Create a dynamic group with all guest users and then run an access review on that group...
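The dynamic-group step above, as an added example that is not from this thread: it creates (or reuses) a security group whose membership rule is every guest account, which is then the scope you point the access review at. It assumes the Microsoft Graph PowerShell SDK; the group name and mail nickname are placeholders.

```powershell
# Added example: a dynamic security group covering every guest, plus the checks
# worth running before an access review is scoped to it.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All"

$groupName = "All-Guest-Users"      # placeholder

# Reuse the group if it already exists, otherwise create it with a dynamic rule
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false -MailNickname "allguestusers" -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule '(user.userType -eq "Guest")' `
        -MembershipRuleProcessingState "On"
}

# Check 1: the rule is the one intended and processing is switched on
$group = Get-MgGroup -GroupId $group.Id `
    -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState
"Rule: {0}   Processing: {1}" -f $group.MembershipRule, $group.MembershipRuleProcessingState

# Check 2: membership evaluation is asynchronous, so compare the member count
# with a direct guest query; a gap right after creation closes on its own
$members  = @(Get-MgGroupMember -GroupId $group.Id -All)
$allGuest = @(Get-MgUser -All -Filter "userType eq 'Guest'" -Property Id)
"Group members: {0}   Guests in tenant: {1}" -f $members.Count, $allGuest.Count
```

If disabled guests should be kept out of the review (so reviewers only see accounts that can still sign in), tighten the rule to `(user.userType -eq "Guest") and (user.accountEnabled -eq true)`; either way the review then applies to whatever the rule resolves to at each cycle.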

You could query stale guest accounts and remove them automatically via Azure Automation if you wanted. I think that would help. 

 

You will need to update this but it's a start. If I have time I'll try and finish this. 

 

https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/ 

@Vasil Michev I've come across an Ignite video (~2 min) explaining how external guest expiration works in SharePoint, but I am not able to find any documentation about that feature. Do you know if it's part of the Access Review package?

The functionality described in this video is not generally available yet. Here is a blog post describing that there will be a public preview in 3Q2019. I think we will hear more in the next few weeks during Ignite.

@Vasil Michev old thread, but the User Access Reviews for Guest access appear to be able to remove them from a Group / Team, but the Guest accounts still remain in Azure AD and are not disabled as far as I can tell. I don't see anything about the User Access Reviews that actually disables the stale accounts. Am I missing it?

I realize this is an older thread, but replying for the benefit of those who may come later. I had a similar requirement, except that we needed to allow a 6 month window before declaring a guest account as stale/dormant. After some searching I was able to put together pieces from other posts I found to create a PowerShell script that uses the MS Graph API which will generate a report of the guest accounts, their creation date, and last login date. You can then use Excel to query the results according to whatever criteria you might need to use.

Note: it assumes the Graph PowerShell module has already been installed.

***********************************************************************************************

# Written against Microsoft Graph PowerShell SDK 1.x. In SDK 2.x drop the
# Select-MgProfile line (it no longer exists) and signInActivity is served from v1.0.
# AuditLog.Read.All is what allows signInActivity to be read.
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","AuditLog.Read.All"
Select-MgProfile beta

$usertype = "Guest" # Enter Guest or Member

$Result = @()
# Pull every account of the chosen type with the basic properties for the report
$usersUPN = Get-MgUser -All -Filter "UserType eq '$usertype'" |
    Select-Object UserPrincipalName, Id, DisplayName, CreatedDateTime
foreach ($user in $usersUPN)
{
    # signInActivity is fetched per user; -Property is the SDK parameter (-Select is its alias)
    $usersignindate = Get-MgUser -UserId $user.Id -Property SignInActivity |
        Select-Object -ExpandProperty SignInActivity
    $userprops = [ordered]@{
        UserPrincipalName  = $user.UserPrincipalName
        DisplayName        = $user.DisplayName
        LastSignInDateTime = $usersignindate.LastSignInDateTime   # empty if the guest never signed in
        CreatedDateTime    = $user.CreatedDateTime
    }
    $userObj = New-Object -TypeName PSObject -Property $userprops
    $Result += $userObj
}
# -NoTypeInformation keeps the "#TYPE" header line out of the CSV on Windows PowerShell 5.1
$Result | Export-Csv -Path c:\scripts\userlastlogin.csv -NoTypeInformation


 

If you want the full end to end solution try this ;) https://github.com/JBines/Remove-StaleGuests

@Joshua Bines Thanks, I think I had looked at that, or one like it, but I generally have to vet the list before going ahead with disabling of accounts. We have some contractors, vendors that we make allowances for, so just generating the report of dormant accounts is what worked best for us.

No worries, I'm a bit brutal when it comes to guest accounts these days... I guess we could add an exclude group/value to the removal process but I don't think I like that idea either unless you still had an automated process to clean them up. Hmmm, thinking out loud... lastlogin -gt 6 months DEL except 'someGuest', then have another process to clean up the excluded guests, say lastlogin -gt 18 months. But manual works of course.
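The two-tier idea in the last reply (6 months for ordinary guests, 18 months for an excluded set) combined with the earlier preference for a report that gets vetted before anything is disabled, as an added example that is not from this thread or from the Remove-StaleGuests project: it pulls signInActivity in a single paged query instead of one call per guest, treats never-signed-in guests by creation date, applies the longer clock to members of an exclusion group, and only writes a report. It assumes the Microsoft Graph PowerShell SDK 2.x; the exclusion group name and thresholds are placeholders.

```powershell
# Added example: classify guests into tiers from last sign-in / creation date,
# with an exclusion group on a longer clock. Report only: nothing is disabled or deleted.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","GroupMember.Read.All"

$StaleMonths    = 6                           # ordinary guests
$ExcludedMonths = 18                          # vetted vendors / contractors
$ExclusionGroup = "Guest-Cleanup-Exclusions"  # placeholder group name

$now = Get-Date

# Build a lookup of excluded object ids; an absent group simply means no exclusions
$excluded = @{}
$grp = Get-MgGroup -Filter "displayName eq '$ExclusionGroup'"
if ($grp) {
    Get-MgGroupMember -GroupId $grp.Id -All | ForEach-Object { $excluded[$_.Id] = $true }
}

# signInActivity is returned inline when requested with -Property, so one paged call suffices
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,UserPrincipalName,CreatedDateTime,AccountEnabled,SignInActivity

$report = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    # A guest that never signed in has only its creation date to judge by
    $lastActivity = if ($last) { $last } else { $g.CreatedDateTime }
    $idleMonths   = [math]::Floor(($now - $lastActivity).TotalDays / 30)
    $isExcluded   = $excluded.ContainsKey($g.Id)
    $limit        = if ($isExcluded) { $ExcludedMonths } else { $StaleMonths }

    $tier = if ($idleMonths -ge $limit) {
                if ($isExcluded) { "stale-excluded" } else { "stale" }
            } elseif (-not $last) {
                "never-signed-in"
            } else {
                "active"
            }

    [pscustomobject]@{
        Guest      = $g.UserPrincipalName
        Enabled    = $g.AccountEnabled
        LastSignIn = $last
        Created    = $g.CreatedDateTime
        IdleMonths = $idleMonths
        Excluded   = $isExcluded
        Tier       = $tier
    }
}

# The CSV is what gets vetted; the tier summary is the quick sanity check
$report | Export-Csv -Path .\guest-staleness-report.csv -NoTypeInformation
$report | Group-Object Tier | Select-Object Name, Count
```

Keeping the classification separate from any disable step means the exclusion list and the thresholds can be argued over on the report before an automated job (Azure Automation, as suggested earlier in the thread) is pointed at the "stale" tier, and the "stale-excluded" tier gives the excluded guests their own eventual expiry rather than a permanent pass.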