How to Clean Up Your M365 or Azure AD Guest User Accounts?
Clean up guest user accounts from a basic Azure AD or Premium P1 tenant
Cleaning stale guest user accounts out of a Microsoft 365 tenant is important for keeping the tenant secure and reducing its attack surface. It is challenging, however, when you are on basic Azure AD or Azure AD Premium P1 licensing, because those plans do not include the Access Reviews feature, so there is no built-in way to clean up guest accounts in a tenant with basic AD licensing.
As M365 administrators it is still our responsibility to find and remove those stale guest accounts. This article gives you an approach to cleaning up guest user accounts without using PowerShell.
Roles needed to perform this activity:
1. Global administrator role
2. User administrator role
Why do we need to clean up guest accounts?
When we invite external guest users to collaborate on our Microsoft 365 resources (Teams, SharePoint, Power BI, etc.), a guest user account is created in our Azure AD as soon as the invitation is sent, and the guest receives a notification at their email address.
Below are the reasons to clean up guest accounts:
1. The guest user may or may not accept the invitation, for any reason. If the guest's account (@gmail.com, @abc.com) is compromised after we send the invitation, the attacker can use that invitation to get into our tenant.
2. Since the guest account's IAM is managed by their own organisation's IT team, we do not know how well hardened their account is, so cleaning up guest accounts is inevitable.
3. Microsoft 365 Secure Score is also affected by guest user accounts, because per-user MFA is included in the score. For example, a guest account that was created but never signed in and never completed MFA registration will reduce your tenant's Secure Score.
4. Ideally, if a guest account is not actively used in our tenant, there is no point in keeping it.
How to clear the stale guest accounts?
Based on invitation state:
1. Azure AD --> Users --> filter User type = Guest --> Download Users.
2. Make sure the "invitation state" column is included in the export file.
- Using the invitation state column, filter for "Invitation Pending".
- Copy those pending users' details into a separate Excel sheet.
- Using the bulk operation, delete them all.
Based on last sign-in (not signed in for 30 days):
1. Export the last 30 days of user sign-in logs from Azure AD: Sign-in logs --> select "last 30 days" --> Download CSV --> InteractiveSignIns.
2. Compare this sheet's "User ID" column with the "ID" column of the exported guest user sheet (these are the only columns common to both sheets).
3. If a guest account does not appear in the 30-day sign-in data, you may delete it.
4. If you want to delete only users who have not signed in for 60 days, you need 60 days of Azure sign-in data.
5. To keep 60 days (or anything beyond 30 days) of sign-in logs, you need Azure Log Analytics to store that data.
6. By default, a basic Azure AD or Azure AD P1 subscription only gives you 30 days of sign-in data.
7. To avoid that cost, you can define a process such as "at every month end (the 28th), download the last 30 days of the Azure sign-in report for guest users".
8. This can be done with a PowerShell script or manually, as you prefer. Using the resulting 60 days of data (two monthly exports taken on the 28th), you can clean up the guest accounts that have not signed in for more than 60 days.
9. The same approach can be followed every two months or on a monthly basis.
Super useful. Kudos!
Thanks for the warm words. Go through the rest of the blogs; they may help you. 😎👍🏼