Admins commonly fail to prioritize a key responsibility: the regular removal of inactive guest accounts in Microsoft 365. This task is often overlooked due to its time-intensive nature, requiring manual checks and deletions. It would be better if we had a virtual assistant to make this automated, right?
That’s where the “Access review in Microsoft Entra ID” comes into play! Access reviews automatically identify and remove inactive guest accounts, making the management process more efficient and hassle-free. 💯.
Explore the blog and learn how to monitor and clean up inactive guest accounts using access reviews👇.
What are Access Reviews in Microsoft Entra ID?
Access reviews in Microsoft Entra ID play a crucial role in efficiently managing user access within Microsoft 365. This feature helps admins ensure that users’ access is reviewed regularly, allowing only the right users to maintain continued access. Also, it helps admins to identify and remove inactive accounts in M365.
What Is the Need to Delete Inactive Guest Accounts in Microsoft 365?
Here are the reasons why admins should perform a stale Azure AD guest account clean-up in their organization.
1. Prevent Sensitive Data Leakage: If a stale guest account is compromised, for example through social engineering, there is a high chance of sensitive data leaking from the organization. Deleting those unused guest accounts removes that exposure before it can be abused.
2. Optimize License Allocation: Even after guest accounts go stale, they can continue to consume licenses in your organization. By cleaning up inactive guest users in Azure AD, you optimize resource allocation and reduce unnecessary costs.
3. Streamline Account Management: Admins already have their hands full managing numerous user accounts. On top of that, monitoring inactive guest accounts is an additional, time-consuming burden. Deleting unused guest accounts frees up time for managing and monitoring active accounts rather than stale ones.
Enough about the benefits? Now, let’s dive into the steps to create access reviews that remove stale guest accounts in Microsoft Entra ID.
Note: To create a review for inactive guest users, you need to have a Microsoft Entra ID Governance license.
Use Access Reviews to Clean Up Stale Guest Accounts in Microsoft 365
Microsoft Entra ID Governance access reviews have proven to be the most efficient method for managing inactive guest accounts. You can create a single-stage or multi-stage access review based on your organization’s requirements. Let’s delve into them one by one here.
- Create a single-stage access review to clean up stale guest accounts
- Create a multi-stage access review to remove inactive Guests
Important: Prior to configuring the steps below, it’s recommended to familiarize yourself with creating access reviews in Microsoft Entra for a smoother setup process.
1. Create a Single-stage Access Review to Remove Inactive Guest Accounts
To create an access review for deleting unused guest accounts, follow the steps below.
1. Create a dynamic group containing all the guest users, or use an existing group. For example, a membership rule like the one below selects enabled guests from a given partner domain (the rule syntax requires straight quotes):
(user.userType -eq "Guest") and (user.mail -contains "@contoso.com") and (user.accountEnabled -eq true)
2. Navigate to the Microsoft Entra admin center.
3. Scroll down to ‘Identity governance’ and select “Access Reviews”.
4. Click the “New Access review” option at the top.
Here, you are presented with three tabs that must be configured correctly to ensure the successful creation of the access review.
In the ‘Reviews type’ tab:
5. Configure the “Review type” tab with the respective values given below.
- Select what to review → Teams + Groups.
- Review Scope → Select Teams + Groups.
- Group → Select the created dynamic group.
- Scope → Guest users only.
- Check the box for Inactive users (on tenant level) only.
- Days inactive → Configure the days for inactivity.
6. Select “Next”.
In the ‘Review’ tab:
7. Configure the “Reviews” tab with the following values.
- Select reviewers → Group owner(s).
- Duration (in days), Review recurrence, Start date, End date → Specify the days based on your requirement.
8. Then, select “Next”.
In the ‘Settings’ tab:
9. Configure the “Settings” tab with the values given here.
- Check the box “Auto apply results to resource”.
- If reviewers don’t respond → Remove access.
- Action to apply on denied guest users → Block user from signing in for 30 days, then remove user from the tenant.
- Leave the other configurations at their defaults.
10. Select “Next”.
11. Finally, proceed to create an access review from the Review + Create tab by giving a suitable name to it.
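Step 1 of the procedure above (the guest-only dynamic group) is the part that is easily scripted. The following is an added example, not code from the original post, that creates that group with Microsoft Graph PowerShell and then confirms that every resolved member is in fact a guest. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to Group.ReadWrite.All, and it reuses the “@contoso.com” placeholder domain from the rule above; the group display name and mail nickname are arbitrary choices.

```powershell
# Added example (not from the original post): create the guest-only dynamic group
# that the access review will use as its scope, via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the admin can consent to
# Group.ReadWrite.All; "@contoso.com" is the placeholder partner domain.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Dynamic membership rules need straight quotes; "smart" quotes pasted from a
# document are rejected by the rule validator.
$rule = '(user.userType -eq "Guest") and (user.mail -contains "@contoso.com") and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "Guest users - access review scope" `
    -MailNickname "guest-access-review-scope" `
    -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

Write-Host "Created group $($group.Id) with rule: $($group.MembershipRule)"

# Membership is evaluated asynchronously, so this check is only meaningful once
# processing has run. Any non-guest member means the rule is wider than intended
# and the review would act on the wrong accounts.
$members = Get-MgGroupMember -GroupId $group.Id -All -Property "id,userType,userPrincipalName"
$nonGuests = $members | Where-Object { $_.AdditionalProperties["userType"] -ne "Guest" }
if ($nonGuests) {
    Write-Warning "Rule resolved $($nonGuests.Count) non-guest member(s); review the membership rule before using this group as a review scope."
} else {
    Write-Host "$($members.Count) member(s) resolved, all guests."
}
```

Give the directory a few minutes after creation before trusting the member count; until the first membership evaluation completes the group is empty.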
2. Create a Multi-stage Access Review to Remove Inactive Guest Accounts
The multi-stage review process lets you consider guest users’ input, helping determine whether they still need access or not. It’s a collaborative approach that ensures access decisions are mutually beneficial for both the organization and external collaborators in Microsoft 365.
Setting up a multi-stage review is very similar to the single-stage review, except for the “Reviews” tab. In this explanation, we’ll focus on the “Reviews” tab specifically for multi-stage reviews. For the other tabs, apply the same configurations used in the single-stage review.
- In the Reviews tab, check the “Multi-stage review” box.
- Then, under the “First stage review” blade, configure the following.
  - Select reviewers → Users review their own access.
  - Stage duration (in days) → Configure based on your organization’s needs.
- Under the “Second stage review” blade, configure the following values.
  - Select reviewers → Group owner(s).
  - Stage duration (in days) → Specify the days based on your needs.
  - Check the “Show previous stage(s) decisions to later stage reviewers” box.
- Specify the review recurrence, start date and end date based on your requirements.
- Configure “Reviewees going to the next stage” with the “Reviewees marked as Don’t know” option, or any other option from the dropdown.
- Finally, review all the tabs in the multi-stage review and click ‘Create’.
The access review you set up (whether it’s a single-stage or multi-stage process) will disable access for users who haven’t signed in for the specified number of days.
Note: These disabled accounts are kept for 30 days before being permanently deleted. If needed, you can restore guest accounts within 30 days; beyond that, a fresh invitation is required.
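To act on that 30-day window from a script rather than the portal, here is an added example (not code from the original post) that lists the guest accounts currently in the soft-delete state, shows how many days remain before each is purged, and restores a single account by user principal name. It assumes the Microsoft.Graph module is installed, that the admin can consent to User.ReadWrite.All, and the UPN shown is a placeholder to replace with the real value.

```powershell
# Added example (not from the original post): inspect the 30-day soft-delete
# window and restore one guest that a review removed by mistake.
# Assumptions: Microsoft.Graph module installed; admin can consent to
# User.ReadWrite.All; $upn below is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$nowUtc = (Get-Date).ToUniversalTime()

# Soft-deleted users sit in the directory recycle bin for 30 days from deletedDateTime.
$deletedGuests = Get-MgDirectoryDeletedItemAsUser -All `
        -Property "id,displayName,userPrincipalName,userType,deletedDateTime" |
    Where-Object { $_.UserType -eq "Guest" } |
    Select-Object Id, DisplayName, UserPrincipalName, DeletedDateTime,
        @{ Name = "DaysLeft"; Expression = { 30 - [int]($nowUtc - $_.DeletedDateTime).TotalDays } }

# Accounts with the fewest days left are the ones to decide on first.
$deletedGuests | Sort-Object DaysLeft | Format-Table -AutoSize

# Restore a single guest. Once the 30 days have passed the object is gone and
# the only option is a fresh invitation, as the note above says.
$upn = "guest_partner.example#EXT#@contoso.onmicrosoft.com"   # placeholder
$target = $deletedGuests | Where-Object { $_.UserPrincipalName -eq $upn }
if ($target) {
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $target.Id
    Write-Host "Restored $upn ($($target.DaysLeft) day(s) were left in the recycle bin)."
} else {
    Write-Warning "$upn is not in the recycle bin; it may already have been purged or was never deleted."
}
```

Restoring brings the account back disabled if it was disabled at deletion time, so check accountEnabled afterwards if the guest needs to sign in again.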
Monitor Stale Guests Using Inactive Guest Report in Microsoft Entra
In addition to access reviews, you can also identify obsolete guest accounts using inactive guest reports. To obtain this report, follow the steps below.
- Sign into Microsoft Entra admin center.
- Navigate to Identity governance and click Dashboard.
- Scroll down to Guest access governance card and then select View inactive guests.
Here, you’ll find a list of users who have been inactive for the past 90 days by default. However, you can adjust the inactivity threshold according to your specific needs. This report provides you with:
- A list of guest accounts that have never signed in.
- A breakdown of guest users based on the number of days since their last sign-in.
- Comprehensive insights into the activity status of all guest accounts.
With this report, you can check for inactive guest accounts and make an informed decision about deleting them in Microsoft 365. Keep an eye on the report to ensure that inactive guest users are removed on a monthly basis for enhanced Microsoft 365 security.
I hope this blog gives you more information on how to auto-delete inactive guests using access reviews. Furthermore, if you have any queries regarding guest account governance and clean-up, you can reach out to us in the comment section.
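The same report can be produced from a script, which is handy when you want it on a schedule or as a CSV for the group owners who act as reviewers. The following is an added example, not code from the original post, built on Microsoft Graph PowerShell. It assumes the Microsoft.Graph module is installed, that the admin can consent to User.Read.All and AuditLog.Read.All (needed to read signInActivity), and that the tenant is licensed for sign-in activity data; the 90-day default matches the portal report, and the output file name is an arbitrary choice.

```powershell
# Added example (not from the original post): list guest accounts with no sign-in
# in the last N days, mirroring the "View inactive guests" report.
# Assumptions: Microsoft.Graph module installed; admin can consent to
# User.Read.All and AuditLog.Read.All; tenant licensed for signInActivity.
param([int]$DaysInactive = 90)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-$DaysInactive)

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property "id,displayName,userPrincipalName,accountEnabled,createdDateTime,signInActivity"

$report = foreach ($g in $guests) {
    # Count both interactive and non-interactive sign-ins; a guest whose only
    # activity is a Teams client token refresh is still active.
    $candidates = @(
        $g.SignInActivity.LastSignInDateTime,
        $g.SignInActivity.LastNonInteractiveSignInDateTime
    ) | Where-Object { $_ }
    $neverSignedIn = ($candidates.Count -eq 0)

    # Guests who were invited but never signed in have no signInActivity at all.
    # Fall back to the invitation date so they are reported rather than skipped.
    $last = if ($neverSignedIn) { $g.CreatedDateTime } else { ($candidates | Measure-Object -Maximum).Maximum }

    if ($last -lt $cutoff) {
        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            UserPrincipalName = $g.UserPrincipalName
            Enabled           = $g.AccountEnabled
            NeverSignedIn     = $neverSignedIn
            LastActivityUtc   = $last
            DaysInactive      = [int]($nowUtc - $last).TotalDays
        }
    }
}

$report | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\inactive-guests.csv" -NoTypeInformation
Write-Host "$(@($report).Count) guest(s) inactive for more than $DaysInactive days."
```

Run it as `.\Get-InactiveGuests.ps1 -DaysInactive 60` to use a different threshold. The NeverSignedIn column is worth reviewing separately: those accounts correspond to the report's "never signed in" category and are usually invitations that were never accepted, so they are the safest to remove first.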