cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Cleanup stale guests

TherealKillerbe
Brass Contributor

‎Mar 29 2024 07:00 AM

‎Mar 29 2024 07:00 AM

Cleanup stale guests

Hi, we have Entra ID p2 licenses, however cannot select the option "Inactive Users (On Tenant Level) only" in the access review. Wherefore i cannot specify the timeframe after which guests account are deemed inactive.

 

To circumvent this i wrote a script, which connects to Microsoft Graph with a registered app. This to list and remove guest accounts within their proper time frames. I wanted the run the script with an automation account (PowerShell Runbook), however the script does not recognize the Microsoft.graph commands, even though both modules have been installed (Microsoft.graph.users and Microsoft.Graph.Beta.users). Also the 2 modules are explicitly imported at the start of the PowerShell script.

 

The script works when i run it from a computer, so the script is valid. But also onprem i bump into a strange issue. I created a scheduled task to run the script from an OnPrem Server, when i run the scheduled task under my account, then the script works as expected, however when i run the task under a single managed service account, then the script runs but fail to retrieve any guests users from the tenant. Script logging shows that the script successfully connects to the tenant as the registered application, but does not retrieve any guest accounts. This cannot be related to permission as the script always runs on the Graph API permissions assigned to the registered app.

231 Views
0 Likes
2 Replies
Reply
2 Replies
TherealKillerbe

‎Mar 29 2024 08:14 AM

‎Mar 29 2024 08:14 AM

Re: Cleanup stale guests

I managed to have the script running via a runbook (import-module Microsoft.Graph.Authentication), but have the same result as with the single managed service account. I have used write-output to see what is going on in the script and i can see that it is retrieving the Guests account as expected.
29/3/2024 15:55:01
Output
Retrived 317 guest accounts which did not accept their invitation
29/3/2024 15:55:02
Output
retrieved 302 guest accounts which have not accepted the invitation in the last 90 days

Looking at the output, i sort of getting a idea why the final report says:
Summary
Entra ID contained 0 guest accounts, of which 0 and 0 have been deducted.
Which brings the remaining Guest accounts to 0.
I use two registered apps, one to perform the operations and one to send email notifications. Wherefore i am guessing that it creates two sessions, and variable are not available in the second session wherefore the Object counts are 0.
0 Likes
Reply
best response confirmed by TherealKillerbe (Brass Contributor)
Joe Stocker

‎Mar 30 2024 12:51 PM

‎Mar 30 2024 12:51 PM

Solution

Re: Cleanup stale guests

For those who do not know, this feature was recently moved from Entra P2 to require an add-on license called "Microsoft Entra ID Governance." Reference: https://learn.microsoft.com/en-us/entra/identity/users/clean-up-stale-guest-accounts#license-require...
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by TherealKillerbe (Brass Contributor)
Joe Stocker

‎Mar 30 2024 12:51 PM

‎Mar 30 2024 12:51 PM

Solution

Re: Cleanup stale guests

For those who do not know, this feature was recently moved from Entra P2 to require an add-on license called "Microsoft Entra ID Governance." Reference: https://learn.microsoft.com/en-us/entra/identity/users/clean-up-stale-guest-accounts#license-require...

View solution in original post

0 Likes
Reply