Forum Discussion

Copper Contributor

May 01, 2018

Guest Users - Clean Up

Does anyone have any experience with policies and planning for cleaning up guest users? We want to make sure that when guest users leave their company we can make sure they no longer have access to ...

Access Management

Azure Active Directory (AAD)

microsoft 365

VasilMichev

MVP

Use the Access Reviews feature: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview

If you don't like the fact that it requires AAD P2 license, you can write your own workflow that uses the same principle :)

Deleted

May 01, 2018

that's really not the same thing, the post author is asking a way to remove guest users when they get removed from other tenants which there really isn't a way to do that. Your tenant has no way to know what is going on with that tenant, so that link will never be updated and or removed since all the b2b happens on the guest side and not the originating tenant it has no knowledge of that guest account in your tenant.

Only way you can maybe really tell is by using that Password reset field for updates, if it goes inactive because it hasn't been used / reset for so long (which is automated based on token or something) then you can remove those users from your tenant.

I could be way off base here, but from dabbling into guest access, and writing a report of who's accepted guest invites etc. seeing those fields and how this works, seems to me there is a disconnect there that could be problematic over time, but basically your going to have to govern access to your Teams etc. yourself.

Deleted
May 01, 2018
Well, didn't see this entry on the Azure Access thing: You can recertify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.

But this is just basically providing a system to go out and say hey, do you still need access, or hey, here are guests to audit. Still basically doing your own governance on the guest accounts.
- VasilMichev
  MVP
  May 02, 2018
  Well how exactly do you imagine managing it otherwise, being able to go directly to the partner Azure AD instance and remove the user from there? :) You have two options - rely on the partner organization to disable access to those accounts or take matter in your own hands.
  
  The Access Reviews are basically a user-friendly way for Guest attestation, you can of course do your own workflow around it (the P2 requirement is just enough motivation to do so). Querying the Audit logs for the last action performed by a Guest is a good starting point for example.
  - Deleted
    May 02, 2018
    I concur. That’s basically what I said but you said it better 😂