SOLVED

How do you handle external users who have left the company?

Brass Contributor

When you enable guest access in Teams, those users get brought into your Azure AD environment, but unlike your regular internal users, you have no way of knowing if those external users are still active or not. How do people typically handle this? Do you just monitor sign in activity maybe and disable accounts that had not logged in for a while? Do you require your external users to periodically response to an email saying that are still active? Maybe this not an issue people are typically concerned about so nothing needs to be done? 

4 Replies
best response confirmed by michaelkubala (Brass Contributor)
Solution

Azure AD Access Reviews, Entitlement management if you have the licensing, or just periodically checking their activity via the Unified audit log.

@michaelkubala For us it is a joint responsibility.  The HR department are responsible for notifying the IT department of any staff who are leaving in advance, providing IT with a leaving/last date, and if available the named person who will be taking over that persons role or position (Account).  We then schedule to a) change the password and b) forward incoming emails or allow shared access to that account either to check, or manage the account for an agreed period of time.  Once this time is up, the account is set to auto-reply for a further month before being archived.  Additionally any New starters, IT are again notified by the HR department in order to setup and prepare any accounts in good time.

Thanks @AlexWaterton, but I referring to guest users. For example, I work for company A and there are external users from company B in our Active Directory. Typically for internal employees, we have a system as you described for handling user accounts, but for our external users in company B, we wouldn't know that those employees are no longer with the company so those accounts would stick around forever in our system.
For those users I would setup and automatic email to go out maybe every 3 months to confirm user is still active and in post. If they do not reply then the account gets suspended within 30 days and archived after 60 days. Could well be just a Group Contacts setting that goes out quarterly in BCC,. Still may not be a full proof system, but may well result in a reduction of redundant accounts. Best of luck with whichever way you plan to attack the problem. :)
1 best response

Accepted Solutions
best response confirmed by michaelkubala (Brass Contributor)
Solution

Azure AD Access Reviews, Entitlement management if you have the licensing, or just periodically checking their activity via the Unified audit log.

View solution in original post