May 01 2018
06:30 AM
- last edited on
Jan 14 2022
05:34 PM
by
TechCommunityAP
Does anyone have any experience with policies and planning for cleaning up guest users? We want to make sure that when guest users leave their company they no longer have access to our Teams. Is there an audit process or an expiration process for guest users?
Thanks!
May 01 2018 11:03 AM
Use the Access Reviews feature: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-re...
If you don't like the fact that it requires AAD P2 license, you can write your own workflow that uses the same principle 🙂
May 01 2018 11:49 PM
Well, how exactly do you imagine managing it otherwise, being able to go directly to the partner Azure AD instance and remove the user from there? 🙂 You have two options: rely on the partner organization to disable access to those accounts, or take matters into your own hands.
The Access Reviews are basically a user-friendly way for Guest attestation, you can of course do your own workflow around it (the P2 requirement is just enough motivation to do so). Querying the Audit logs for the last action performed by a Guest is a good starting point for example.
May 02 2018 06:42 PM
@Deleted and @VasilMichev thanks for sharing your insights, this is what makes the community valuable and keeps giving me a reason to read and participate
May 03 2018 06:34 PM
+1 on the proposed 'Access Reviews' solution.
Using the info from the responses, I've looked into Access Reviews, and found it to be a really good way to meet these needs.
I created a review, set the schedule/interval, specified Guest Users only, and saw all of the other options that are available to be set, including who to notify for re-attestation (the guest users themselves, owners of a designated group who are responsible for managing a given set of guest users <which can be a dynamic security group based on an attribute populated for different sets of guest users>, a designated 'guest user manager(s)', and others).
Probably the best option was the fact that it had a 'what action to take if user doesn't respond to the access review.' Haven't validated this yet but one option was to revoke access, which our Infosec dept will love.
We're an E5 org, but don't have AAD P2. We have P1 with one of those custom-bundle license packages. I've added a P2 trial, but don't know what it will necessarily give us with our needs in this dept. Our MS Acct Mgrs are willing to work with us given the FY Close in June, so if someone in the know could provide me some info about the enhancements/value-add of P2 in the Access Review, Cloud App Discovery, and anything else that I can use to enhance security in Azure/O365 I'd appreciate it.
Nov 14 2018 03:27 AM
I'm looking at the Access Reviews feature but each review is scoped to a particular Azure AD group.
I want to create a review with the scope of all Guest users.
Is that possible?
Dec 03 2018 05:34 AM
Create a dynamic group with all guest users and then run an access review on that group...
Sep 26 2019 06:00 AM
You could query stale guest accounts and remove them automatically via Azure Automation if you wanted. I think that would help.
You will need to update this but it's a start. If I have time I'll try and finish this.
https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/
Oct 23 2019 12:02 PM
@VasilMichev I've come across an Ignite video (~2 min) explaining how external guest expiration works in SharePoint, but I am not able to find any documentation about that feature. Do you know if it's part of the Access Review package?
Oct 24 2019 04:05 AM
The functionality described in this video is not generally available yet. Here is a blog post describing that there will be a public preview in 3Q2019. I think we will hear more in the next few weeks during Ignite.
Dec 15 2021 05:57 AM
@VasilMichev old thread, but the User Access Reviews for Guest access appear to be able to remove them from a Group / Team, but the Guest accounts still remain in Azure AD and are not disabled as far as I can tell. I don't see anything about the User Access Reviews that actually disables the stale accounts. Am I missing it?
Aug 30 2022 08:24 AM
I realize this is an older thread, but replying for the benefit of those who may come later. I had a similar requirement, except that we needed to allow a 6 month window before declaring a guest account as stale/dormant. After some searching I was able to put together pieces from other posts I found to create a PowerShell script that uses the MS Graph API which will generate a report of the guest accounts, their creation date, and last login date. You can then use Excel to query the results according to whatever criteria you might need to use.
Note: it assumes the Graph PowerShell module has already been installed.
```powershell
# AuditLog.Read.All is what permits reading SignInActivity; Group.ReadWrite.All is not
# needed by this script but was part of the original scope list.
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","AuditLog.Read.All"
# Select-MgProfile only exists in Microsoft.Graph SDK 1.x (removed in 2.0, where
# signInActivity is available on v1.0 without switching profiles).
Select-MgProfile beta

$usertype = "Guest" # Enter Guest or Member
$Result = @()

# Pull every user of the chosen type with the properties the report needs.
$usersUPN = Get-MgUser -All -Filter "UserType eq '$usertype'" |
    Select-Object UserPrincipalName, Id, DisplayName, CreatedDateTime

foreach ($user in $usersUPN) {
    # SignInActivity has to be requested explicitly; it is null for a guest who never signed in.
    $usersignindate = Get-MgUser -UserId $user.Id -Property SignInActivity |
        Select-Object -ExpandProperty SignInActivity

    $userprops = [ordered]@{
        UserPrincipalName  = $user.UserPrincipalName
        DisplayName        = $user.DisplayName
        LastSignInDateTime = $usersignindate.LastSignInDateTime
        CreatedDateTime    = $user.CreatedDateTime
    }
    $userObj = New-Object -TypeName PSObject -Property $userprops
    $Result += $userObj
}

$Result | Select-Object * | Export-Csv -Path C:\scripts\userlastlogin.csv -NoTypeInformation
```
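As an added example (not the poster's script, nor Microsoft's), the same report with the thread's 6-month dormancy rule applied and an opt-in disable step that stays in dry-run mode, so the vetted list can be reviewed before anything changes. It assumes the Microsoft Graph PowerShell SDK is installed; the 180-day threshold and the report path are placeholders.

```powershell
# Added example: flag guests dormant for $StaleDays and, only with -Disable, disable them.
param(
    [int]$StaleDays = 180,                                # assumed threshold (6 months)
    [string]$ReportPath = "C:\scripts\stale-guests.csv",  # assumed path
    [switch]$Disable
)

# User.ReadWrite.All is only needed for the disable step; AuditLog.Read.All for SignInActivity.
Connect-MgGraph -Scopes "User.Read.All","User.ReadWrite.All","AuditLog.Read.All"

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# One call per page instead of one call per user: SignInActivity is requested up front.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,UserPrincipalName,DisplayName,CreatedDateTime,AccountEnabled,SignInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest who never redeemed the invitation has no sign-in record; age it from
    # the creation date so unused invitations also expire.
    $lastActivity = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    [pscustomobject]@{
        UserPrincipalName  = $g.UserPrincipalName
        DisplayName        = $g.DisplayName
        CreatedDateTime    = $g.CreatedDateTime
        LastSignInDateTime = $lastSignIn
        AccountEnabled     = $g.AccountEnabled
        Stale              = ($lastActivity -lt $cutoff)
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} guests, {1} stale" -f @($report).Count, @($report | Where-Object Stale).Count

if ($Disable) {
    foreach ($r in $report | Where-Object { $_.Stale -and $_.AccountEnabled }) {
        # Dry run: remove -WhatIf only after the list has been vetted against
        # contractors and vendors that are meant to keep access.
        Update-MgUser -UserId $r.UserPrincipalName -AccountEnabled:$false -WhatIf
    }
}
```

Disabling (rather than deleting) keeps the guest object and its group memberships, so a mistaken flag can be reversed by re-enabling the account.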
@Joshua Bines Thanks, I think I had looked at that, or one like it, but I generally have to vet the list before going ahead with disabling of accounts. We have some contractors and vendors that we make allowances for, so just generating the report of dormant accounts is what worked best for us.