Keeping Your Tenant Clean: How to Remove Stale Guest Accounts in Microsoft Entra
Maintain a clean and secure Microsoft Entra tenant by removing stale guest accounts. Follow this step-by-step guide to identify and remove unused external user accounts based on inactivity criteria.
As organizations increasingly adopt cloud services and collaborate with external partners, the number of guest accounts in their tenants can quickly accumulate. While guest access is a valuable feature that facilitates secure sharing and collaboration, stale or unused guest accounts can pose potential security risks and clutter your tenant. Fortunately, Microsoft Entra (formerly Azure Active Directory) provides a straightforward way to identify and remove these stale guest accounts, helping you maintain a clean and secure tenant.
Microsoft has published a comprehensive guide on how to clean up stale guest accounts in Entra, available on GitHub: https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/users/clean-up-stale-guest-accounts.md
This guide walks you through the following process:
- Define the criteria for stale guest accounts: Determine the inactivity threshold that defines a guest account as "stale." This could be based on the last sign-in date (e.g., accounts that haven't signed in for 90 days or more), the last password change date, the user account creation date, or a combination of factors. The criteria should align with your organization's policies and requirements.
- Retrieve a list of stale guest accounts: Use the Microsoft Graph API or PowerShell cmdlets to query guest accounts based on the defined criteria. For example, you can use the `Get-MgUser` cmdlet with a filter to retrieve guest accounts that haven't signed in for the specified period.
- Review and validate the list: Carefully examine the list of guest accounts retrieved in the previous step. Cross-reference the list with any known active collaborations or projects involving external partners, and consult with relevant stakeholders or project managers to ensure no active guest accounts are inadvertently removed. Remove any guest accounts from the list that should remain active.
- Remove the stale guest accounts: Once you've validated the list, use the Microsoft Graph API or PowerShell cmdlets to remove the stale guest accounts from your tenant. For example, you can use the `Remove-MgUser` cmdlet to delete the guest accounts identified as stale.
- Monitor and maintain: Implement a regular schedule (e.g., monthly or quarterly) to run the process of identifying and removing stale guest accounts. Automate the process using PowerShell scripts or Azure Automation runbooks. Review and adjust the criteria for stale guest accounts as needed based on your organization's evolving policies and requirements. Additionally, consider implementing additional guest access governance policies, such as enforcing periodic access reviews or setting expiration dates for guest accounts.
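The retrieve, review and remove steps above as one script, written here as an added example rather than code from the Microsoft guide. It assumes the Microsoft.Graph PowerShell SDK is installed and that the tenant licence exposes `signInActivity`; the `-InactiveDays`, `-Delete` and `-ReportPath` parameters are this example's own.

```powershell
# Added example, not from the Microsoft guide. Reports stale guests to a CSV for
# review and deletes them only when -Delete is supplied.
param(
    [int]$InactiveDays = 90,               # inactivity threshold (the guide's example)
    [switch]$Delete,                       # omit this for a report-only run
    [string]$ReportPath = ".\stale-guests.csv"
)

# signInActivity requires the AuditLog.Read.All permission to be returned.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","User.ReadWrite.All" -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# signInActivity is not returned by default, so it must be requested via -Property.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,UserPrincipalName,CreatedDateTime,SignInActivity

$stale = foreach ($g in $guests) {
    # Take the most recent of interactive and non-interactive sign-in so that a
    # guest used only by background/token refresh activity is not flagged.
    $last = @($g.SignInActivity.LastSignInDateTime,
              $g.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # A guest that has never signed in has no signInActivity; fall back to the
    # creation date so a freshly invited guest is not removed before first use.
    if (-not $last) { $last = $g.CreatedDateTime }
    if ($last -lt $cutoff) {
        [pscustomobject]@{
            Id              = $g.Id
            UserPrincipalName = $g.UserPrincipalName
            DisplayName     = $g.DisplayName
            LastActivityUtc = $last
            CreatedUtc      = $g.CreatedDateTime
        }
    }
}

# Always write the review list first; this is the artifact stakeholders check.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($stale).Count) stale guest(s) written to $ReportPath for review"

if ($Delete) {
    foreach ($u in $stale) {
        # Remove-MgUser soft-deletes: the account stays in the deleted users list
        # for 30 days and can be restored from there if a removal was a mistake.
        Remove-MgUser -UserId $u.Id -Confirm:$false
    }
}
```

Run it once without `-Delete`, circulate the CSV for validation, and only then rerun with `-Delete` (or schedule the report-only run in Azure Automation and keep deletion a manual step).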
By following the guidance provided in the Microsoft documentation, you can streamline the process of removing stale guest accounts, reducing potential security risks and maintaining a clean and organized tenant. This proactive approach to tenant hygiene not only enhances security but also improves overall tenant management and efficiency.