Microsoft Tech Community
SOLVED

How to set up external user account expiration for Azure AD?

Brass Contributor

Right now, we are collaborating with external users using B2B functionalities. These external users are automatically added to our Azure AD Directory when they accept and register thru MFA.


Now we want to set up expiration on these external users (guest user lifecycle) that automatically removes these guest users from our Azure AD directory after X days. Otherwise the list of external users will continue to grow with time.


Any help appreciated! 


6 Replies

@Jonathan Nunez, hope you are well?

I think you would need to look at identity governance within Azure AAD.

Specifically around Access Packages and Access Reviews.

This will require AAD P2 licencing and possibly E5.

Best,

Steve

@STN2000

We have an E5 license and Azure AD Premium P2.

How would that feature work?

Azure AD doesn't currently support setting an expiration date for Azure AD accounts. Currently we use access reviews from Identity Governance and set a quarterly review to validate the user accounts.
You can also use access packages; for privileged users you have an option to define the "Maximum allowed eligible duration is permanent" or make them eligible and define the maximum JIT duration.

There are use cases where Access Reviews is suboptimal; we would highly appreciate an option for time-limited guest user accounts in Azure (for example, for test purposes in Azure, company users want guest accounts. And we all know it, it will happen that users stay on the guest user because there are no compliant device restrictions etc.! As long as we can't limit them in a timely manner there is no option for us). Access Reviews etc. are not granular enough for this scenario.

Adding an Expiration Date for Azure AD Guest Accounts

Microsoft has long been asked to support guest account expiration, just like the functionality available for on-premises Active Directory accounts. Engineering priorities have not allowed the developers to work on the feature, but it's possible to do the job with PowerShell as we explain here.


https://practical365.com/guest-account-expiration/
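The PowerShell approach the reply above points to, written out here as an added example that is neither from this thread nor from the linked practical365 article: it lists guest accounts created more than X days ago with Microsoft Graph PowerShell and, only when explicitly asked, disables or removes them. It assumes the Microsoft.Graph module is installed and a signed-in account holding the User.ReadWrite.All scope; the $MaxAgeDays and $Action parameters are illustrative names.

```powershell
# Added example, not the thread's or practical365's code.
# Report, disable or remove B2B guest accounts older than a cutoff.
# Assumes: Microsoft.Graph module installed; caller has User.ReadWrite.All.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MaxAgeDays = 90,                      # the "X days" from the question
    [ValidateSet('Report', 'Disable', 'Remove')]
    [string]$Action = 'Report'                  # read-only unless overridden
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$MaxAgeDays)

# userType eq 'Guest' selects B2B accounts; ExternalUserState shows whether
# the invitation was ever redeemed (PendingAcceptance = never used).
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, AccountEnabled

# Guard against a null CreatedDateTime on very old objects.
$stale = @($guests | Where-Object { $_.CreatedDateTime -and $_.CreatedDateTime -lt $cutoff })

foreach ($g in $stale) {
    $ageDays = [int]($now - $g.CreatedDateTime).TotalDays
    $state   = if ($g.ExternalUserState -eq 'PendingAcceptance') { 'never redeemed' } else { 'redeemed' }
    Write-Output ('{0} <{1}> age={2}d {3} enabled={4}' -f $g.DisplayName, $g.Mail, $ageDays, $state, $g.AccountEnabled)

    switch ($Action) {
        'Disable' {
            # Disabling is reversible; prefer it as the first lifecycle step.
            if ($PSCmdlet.ShouldProcess($g.Mail, 'Disable guest account')) {
                Update-MgUser -UserId $g.Id -AccountEnabled:$false
            }
        }
        'Remove' {
            if ($PSCmdlet.ShouldProcess($g.Mail, 'Remove guest account')) {
                Remove-MgUser -UserId $g.Id
            }
        }
    }
}

Write-Output ('{0} guest account(s) older than {1} days' -f $stale.Count, $MaxAgeDays)
```

Run it with the default -Action Report (or with -WhatIf) first and review the list before changing anything. CreatedDateTime measures account age rather than inactivity, so a more precise policy would also consult the user's signInActivity, which requires the AuditLog.Read.All scope.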
