Forum Discussion

Scott Williamson
Copper Contributor
May 01, 2018

Guest Users - Clean Up

Does anyone have any experience with policies and planning for cleaning up guest users? We want to make sure that when guest users leave their company we can make sure they no longer have access to our Teams. Is there an audit process or an expiration process for guest users?


Thanks!

    • Deleted
      That's really not the same thing. The post author is asking for a way to remove guest users when they get removed from other tenants, and there really isn't a way to do that. Your tenant has no way to know what is going on with that tenant, so that link will never be updated or removed: since all the B2B happens on the guest side and not the originating tenant, it has no knowledge of that guest account in your tenant.

      The only way you can maybe really tell is by using that password reset field for updates; if it goes inactive because it hasn't been used / reset for so long (which is automated based on a token or something), then you can remove those users from your tenant.

      I could be way off base here, but from dabbling in guest access, and writing a report of who's accepted guest invites etc., seeing those fields and how this works, it seems to me there is a disconnect there that could be problematic over time, but basically you're going to have to govern access to your Teams etc. yourself.
      • Deleted
        Well, didn't see this entry on the Azure Access thing: You can recertify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.

        But this is just basically providing a system to go out and say hey, do you still need access, or hey, here are guests to audit. Still basically doing your own governance on the guest accounts.
    • Nikita Skitsko
      Copper Contributor

      VasilMichev I've come across an Ignite video (~2 min) explaining how external guest expiration works in SharePoint, but I am not able to find any documentation about that feature. Do you know if it's a part of the Access Review package?

      • Nikita Skitsko
        Copper Contributor

        The functionality described in this video is not generally available yet. Here is a blog post describing that there will be a public preview in 3Q2019. I think we will hear more in the next few weeks during Ignite.

    • CameronGo
      Brass Contributor

      VasilMichev old thread, but the User Access Reviews for Guest access appear to be able to remove them from a Group / Team, but the Guest accounts still remain in Azure AD and are not disabled as far as I can tell. I don't see anything about the User Access Reviews that actually disables the stale accounts. Am I missing it?

  • +1 on this question. The 'get-azureaduser -filter "usertype eq 'guest'"' command doesn't show too much that might lend itself to expiration and the like. I'm looking for the same thing. The closest thing I've come up with is something I did in our on-prem AD to handle expiring accts. At the time of guest user creation I include the requestor's objectID and populate it in the 'manager' field. I want to cut a report off of that which will email the requestor at regular intervals (i.e. quarterly, or some kind of 90 days from creation date). While not elegant, it at least gives us a means of tracking and managing.
    Any assistance is appreciated.
  • +1 on the proposed 'Access Reviews' solution.

    Using the info from the responses, I've looked into Access Reviews, and found it to be a really good way to meet these needs.

    I created a review, set the schedule/interval, specified Guest Users only, and saw all of the other options that are available to be set, including who to notify for re-attestation (the guest users themselves, owners of a designated group who are responsible for managing a given set of guest users <which can be a dynamic security group based on an attribute populated for different sets of guest users>, a designated 'guest user manager(s)', and others).

    Probably the best option was the fact that it had a 'what action to take if user doesn't respond to the access review.' Haven't validated this yet, but one option was to revoke access, which our Infosec dept will love.

    We're an E5 org, but don't have AAD P2. We have P1 with one of those custom-bundle license packages. I've added a P2 trial, but don't know what it will necessarily give us with our needs in this dept. Our MS Acct Mgrs are willing to work with us given the FY Close in June, so if someone in the know could provide me some info about the enhancements/value-add of P2 in Access Reviews, Cloud App Discovery, and anything else that I can use to enhance security in Azure/O365, I'd appreciate it.

    • Levente Rog
      Copper Contributor

      I'm looking at the Access Reviews feature but each review is scoped to a particular Azure AD group.

      I want to create a review with the scope of all Guest users.

      Is that possible?

      • Stephen Kerkmann
        Copper Contributor

        Create a dynamic group with all guest users and then run an access review on that group...
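One way to build the group Stephen describes, as an added example that is not code from the thread: a dynamic security group whose membership rule selects every guest account, which an access review can then be scoped to. It assumes the Microsoft Graph PowerShell SDK is installed; the display name and mail nickname are placeholders chosen for this example.

```powershell
# Added example: create a dynamic security group containing all guest users.
# Dynamic group creation needs Group.ReadWrite.All; the group name below is a placeholder.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$groupParams = @{
    DisplayName                   = "All Guest Users (dynamic)"   # placeholder name
    MailNickname                  = "allguestusers"               # placeholder alias
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    # Azure AD evaluates this rule itself: every account with userType Guest becomes a member,
    # and new guests are added as they are invited, so the review scope never goes stale.
    MembershipRule                = '(user.userType -eq "Guest")'
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @groupParams
$group | Select-Object Id, DisplayName, MembershipRule

# Sanity check once processing has run (membership is populated asynchronously, so allow a
# few minutes): the member count should match the number of guest accounts in the tenant.
$memberCount = (Get-MgGroupMember -GroupId $group.Id -All | Measure-Object).Count
$guestCount  = (Get-MgUser -All -Filter "userType eq 'Guest'" | Measure-Object).Count
"Group members: $memberCount / guest accounts: $guestCount"
```

Dynamic groups are an Azure AD Premium P1 feature, so this part works on the P1 licensing mentioned earlier in the thread; the access review that then targets the group is licensed separately.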

  • John_R007
    Copper Contributor

    I realize this is an older thread, but I'm replying for the benefit of those who may come later. I had a similar requirement, except that we needed to allow a 6-month window before declaring a guest account stale/dormant. After some searching I was able to put together pieces from other posts I found to create a PowerShell script that uses the MS Graph API which will generate a report of the guest accounts, their creation date, and last login date. You can then use Excel to query the results according to whatever criteria you might need to use.

    Note: it assumes the Graph PowerShell module has already been installed.

    ***********************************************************************************************

    # AuditLog.Read.All is what allows SignInActivity to be read; Select-MgProfile beta
    # switches the v1.x SDK to the beta endpoint (in SDK v2 this cmdlet no longer exists).
    Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","AuditLog.Read.All"
    Select-MgProfile beta

    $usertype = "Guest" # Enter Guest or Member

    $Result = @()
    $usersUPN = Get-MgUser -All -Filter "UserType eq '$usertype'" |
        Select-Object UserPrincipalName, Id, DisplayName, CreatedDateTime
    foreach ($user in $usersUPN)
    {
        # SignInActivity must be requested per user. Reading the nested property directly
        # gives $null for a guest who has never signed in instead of an -ExpandProperty error.
        $usersignindate = (Get-MgUser -UserId $user.Id -Property SignInActivity).SignInActivity
        $userprops = [ordered]@{
            UserPrincipalName  = $user.UserPrincipalName
            DisplayName        = $user.DisplayName
            LastSignInDateTime = $usersignindate.LastSignInDateTime
            CreatedDateTime    = $user.CreatedDateTime
        }
        $userObj = New-Object -TypeName PSObject -Property $userprops
        $Result += $userObj
    }
    # -NoTypeInformation keeps the "#TYPE" header line out of the CSV so Excel reads it cleanly
    $Result | Select-Object * | Export-Csv -Path c:\scripts\userlastlogin.csv -NoTypeInformation

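As an added example that is not part of John_R007's post: a follow-up script that reads the CSV his script writes and applies the 6-month window he mentions, separating guests that have never signed in from guests whose last sign-in is older than the window. The 180-day value, the output path and the Get-GuestStatus function name are this example's assumptions. It ends with the account-disable step CameronGo notes that access reviews do not perform, commented out and run with -WhatIf, because John's point about vetting the list before acting applies.

```powershell
# Added example: classify the guest report against a dormancy window.
param(
    [string]$ReportPath = "c:\scripts\userlastlogin.csv",            # path John_R007's script writes
    [string]$OutputPath = "c:\scripts\guest-review-candidates.csv",  # assumed output path
    [int]$DormantAfterDays = 180                                     # the 6-month window from the post
)

$cutoff = (Get-Date).AddDays(-$DormantAfterDays)

function Get-GuestStatus {
    param(
        [datetime]$Created,
        [string]$LastSignIn,    # empty when the report had no LastSignInDateTime
        [datetime]$Cutoff
    )
    if ([string]::IsNullOrWhiteSpace($LastSignIn)) {
        # No sign-in on record: the invitation was never redeemed, or there has been no
        # activity since sign-in tracking began. Age the account on its creation date instead.
        if ($Created -lt $Cutoff) { return 'NeverSignedIn-Dormant' }
        return 'NeverSignedIn-Recent'
    }
    # Export-Csv wrote the dates using the current culture, so parse them the same way
    if ([datetime]::Parse($LastSignIn) -lt $Cutoff) { return 'Dormant' }
    return 'Active'
}

$classified = foreach ($g in (Import-Csv -Path $ReportPath)) {
    [pscustomobject]@{
        UserPrincipalName  = $g.UserPrincipalName
        DisplayName        = $g.DisplayName
        CreatedDateTime    = $g.CreatedDateTime
        LastSignInDateTime = $g.LastSignInDateTime
        Status             = Get-GuestStatus -Created ([datetime]::Parse($g.CreatedDateTime)) `
                                             -LastSignIn $g.LastSignInDateTime -Cutoff $cutoff
    }
}

# Headline counts, then everything that is not Active as the list to vet with the business
$classified | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$classified | Where-Object { $_.Status -ne 'Active' } |
    Sort-Object Status, LastSignInDateTime |
    Export-Csv -Path $OutputPath -NoTypeInformation

# Optional, after the list has been vetted: disable rather than delete, so access can be
# restored on appeal. Needs User.ReadWrite.All. Guest UPNs contain '#EXT#', so look up the
# object id first. Leave -WhatIf in place until the dry run has been reviewed.
# foreach ($u in ($classified | Where-Object { $_.Status -eq 'Dormant' })) {
#     $id = (Get-MgUser -Filter "userPrincipalName eq '$($u.UserPrincipalName)'").Id
#     Update-MgUser -UserId $id -AccountEnabled:$false -WhatIf
# }
```

Reading the last sign-in date as a string and treating an empty value as its own category is deliberate: a blank LastSignInDateTime is not a sign-in at the epoch, and a guest invited last week who has not redeemed the invitation yet should not land in the same bucket as one invited two years ago. The never-signed-in group can be cross-checked against the Graph user property externalUserState, which reports PendingAcceptance for invitations that were never redeemed.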

      • John_R007
        Copper Contributor

        Joshua Bines Thanks, I think I had looked at that, or one like it, but I generally have to vet the list before going ahead with disabling accounts. We have some contractors and vendors that we make allowances for, so just generating the report of dormant accounts is what worked best for us.
