Automatically clean up inactive Guest users – Azure AD

Using Azure AD Access Reviews (available with AAD P2), you can automatically remove users from your tenant who haven’t had access in a specified number of days. In this guide, we will implement the access review step by step.

This is a great way to clean up your tenant automatically and can be scheduled.

WARNING: The procedure used to clean up only users who didn’t have access in the last 30 days. This has now been expanded to support a variable number of days (ex. 60, 90, etc).

As a prerequisite, you’ll need to create a dynamic group in AAD, which will contain all guest users who can log in to the tenant:

  • To create the group, go to AAD Groups, then click on “New Group”.
  • Select Group Type as “Security“, give the group a name, and select “Membership type” as “Dynamic User“.
  • Under “Dynamic user members”, click on “Add dynamic query“.
  • The query you will want to create is:
 (user.userType -eq "Guest") and (user.accountEnabled -eq true)

You can create this group also using Powershell, and pasting this command after installing the Graph module.

Import-Module Microsoft.Graph.Groups

$params = @{
	DisplayName = "Guest_review_dynamicgroup"
	MailEnabled = $false
	MailNickname = "fb7kk308-6"
	SecurityEnabled = $true
	Description = "Group used for the automatic guest removal process"
	GroupTypes = @(
		"DynamicMembership"
	)
	MembershipRule = "(user.userType -eq "Guest") and (user.accountEnabled -eq true)"
	MembershipRuleProcessingState = "On"
}

New-MgGroup -BodyParameter $params

The accountEnabled attribute lets you filter for users who can log in. Since the access review will deactivate the account for 30 days before deleting it permanently, this way we’ll filter only for the guest users active in the tenant and not the ones ready to be automatically deleted.

  • Once done, click on “Create”.

To create the access review, open this link, then follow the steps listed below:

Identity Governance | Access Reviews

  • Click on “New access review“.
  • Select “Teams + Groups” under “Select what to review”, “Select Teams + groups” under “Select review scope”, under “Group” enter your group, then click on “Guest users only” under “Scope”.
  • You can then filter only for the guest that did not had access in a specified number of days. This is accomplished using this part of the wizard:
  • Click on Next, and under “Select reviewers”, click on “Selected user(s) or group(s)“. The person or people that will manually review the users to delete should be selected just below. If not needed, insert an admin and go ahead. I always give at least 3 to 5 days for the reviewers to check if somebody should not be blocked or deleted. If some guest user should always be excluded from the review, you can add an exclusion in the AAD Group membership rules.
  • In the last paragraph, you’ll want to select auto-apply results to make the automation work. Under “If reviewers don’t respond”, choose “Take recommendations“. The recommendations will be based on whether the user has logged in recently or not. There are no other recommendations that I am aware of at this moment. Under “Action to apply on denied guest users”, select “Block user from signing-in for 30 days, then remove user from the tenant“. Be sure that “No sign-in within 30 days” is selected as reviewer decision helper, as per the image below.
  • If you want this to be fully automated, deselect “Justification required”.
  • Once done, click on “Review + create”, give the review a name and click on “Create”.

Now you will automatically have the guest users who haven’t logged in in the specified number of days blocked. After 30 days, the blocked user will be removed from the tenant.