Mar 05 2020 08:55 AM - last edited on Jan 14 2022 04:45 PM by TechCommunityAP
Right now, we are collaborating with external users using B2B functionalities. These external users are automatically added to our Azure AD Directory when they accept and register through MFA.
Now we want to set up expiration on these external users (guest user lifecycle) that automatically removes these guest users from our Azure AD directory after X days. Otherwise the list of external users will continue to grow with time.
Any help appreciated!
Mar 05 2020 02:02 PM
@Jonathan Nunez, hope you are well?
I think you would need to look at identity governance within Azure AAD.
Specifically around Access Packages and Access Reviews.
This will require AAD P2 licensing and possibly E5.
Best,
Steve
Mar 06 2020 10:54 AM
Mar 07 2020 02:05 AM
Solution
I think you can find some information on your question here:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Oct 06 2021 07:41 AM
Aug 18 2022 02:16 AM - edited Aug 18 2022 02:18 AM
There are use cases where Access Reviews are suboptimal; we would highly appreciate an option to time-limit guest user accounts in Azure (for example, for test purposes in Azure, company users want guest accounts. And we all know it will happen that users stay on the guest user because there are no compliant device restrictions etc.! As long as we can't limit them in a timely manner, there is no option for us). Access Reviews etc. are not granular enough for this scenario.
May 02 2023 04:22 AM
Adding an Expiration Date for Azure AD Guest Accounts
Microsoft has long been asked to support guest account expiration, just like the functionality available for on-premises Active Directory accounts. Engineering priorities have not allowed the developers to work on the feature, but it's possible to do the job with PowerShell as we explain here.
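One way to approach the age-based clean-up asked about in this thread, as an added example that is not taken from any post here or from the article mentioned above. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users); the function name `Remove-StaleGuest`, the `-MaxAgeDays` value and the exclusion list are hypothetical, and age is measured from account creation, not from last sign-in.

```powershell
# Added example: report, and optionally remove, guest accounts older than a cut-off.
# Assumed session setup:  Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Dry run first:          Remove-StaleGuest -MaxAgeDays 90 -WhatIf
function Remove-StaleGuest {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 3650)]
        [int]$MaxAgeDays,

        # Guests that must never be removed (for example long-term partners).
        [string[]]$ExcludeUpn = @()
    )

    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$MaxAgeDays)

    # Server-side filter so only guest objects are returned.
    $guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
        -Property Id, DisplayName, UserPrincipalName, CreatedDateTime, ExternalUserState

    foreach ($g in $guests) {
        if ($null -eq $g.CreatedDateTime)          { continue }  # no creation date: leave for manual review
        if ($g.UserPrincipalName -in $ExcludeUpn)   { continue }  # explicitly protected
        $created = $g.CreatedDateTime.ToUniversalTime()
        if ($created -ge $cutoff)                   { continue }  # still inside the allowed window

        $ageDays = [int]($now - $created).TotalDays
        $removed = $false

        # -WhatIf stops here; without it, ConfirmImpact = 'High' prompts per account.
        if ($PSCmdlet.ShouldProcess($g.UserPrincipalName, "Remove guest account ($ageDays days old)")) {
            Remove-MgUser -UserId $g.Id -ErrorAction Stop
            $removed = $true
        }

        # One record per stale guest, suitable for Export-Csv as an audit trail.
        [pscustomobject]@{
            UserPrincipalName = $g.UserPrincipalName
            DisplayName       = $g.DisplayName
            ExternalUserState = $g.ExternalUserState   # PendingAcceptance = invitation never redeemed
            CreatedUtc        = $created
            AgeDays           = $ageDays
            Removed           = $removed
        }
    }
}
```

Removed accounts are soft-deleted and stay restorable from the directory's deleted users list for 30 days, which gives a recovery window if a guest is removed in error.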