Why are some users DELETED and other DISABLED as a result of an Azure AD Identity Governance Access Review?

Charlie G 81 Reputation points
2024-03-01T23:15:57.8066667+00:00

Thank you in advance for your help,

I currently have an access review set up for guest users in my tenant.

This access review looks for guest users that have been inactive for 90 days or more. This review runs every 30 days. When I finish reviewing the accounts and denying them access, I receive an e-mail confirming that the access review is done. When I reviewed the results, under applied results, I received two different results, randomly, for the list of users.

· Failed - An error occurred while removing the user. Please try again.

· Success - Blocked from signing-in, waiting to be removed from the tenant.

All users with a Failed status in the Access Review: the corresponding account in Entra has been Deleted and is located in the list of deleted users.

All users with a Success status in the Access Review: the corresponding account in Entra has been Disabled.

Key things to note.

· The access review period is 3 days.

· The users that are deleted are deleted approximately 24 hours prior to the other accounts.

For example,

  1. Mike was identified; his access review status is Failed; in Entra he is in the Deleted users list; his account was deleted Feb 29, 2024, at 12 noon.
  2. Sam was identified; his access review status is Success; in Entra his account is Disabled (not Deleted); his account was disabled Mar 01, 2024, at 12 noon.

What am I missing here?

Thank you


Accepted answer
  1. Navya 9,320 Reputation points Microsoft Vendor
    2024-03-04T09:56:43.9+00:00

    Hi @Charlie G

    Thank you for posting this in Microsoft Q&A.

    I understand your query that some users are DELETED and others DISABLED as a result of an Azure AD Identity Governance Access Review.

    Could you please check the setting "Action to apply on denied guest users" in Azure AD Identity Governance access reviews?

    This option is only available if the access review is scoped to include only guest users. It specifies what happens to guest users if they're denied either by a reviewer or by the "If reviewers don't respond" setting.

    [Image: upon completion settings]

    Remove user's membership from the resource: This option removes a denied guest user's access to the group or application being reviewed. They can still sign in to the tenant and won't lose any other access.

    Block user from signing-in for 30 days, then remove user from the tenant: This option blocks a denied guest user from signing in to the tenant, no matter if they have access to other resources. If this action was taken in error, admins can reenable the guest user's access within 30 days after the guest user was disabled. If no action is taken on the disabled guest user after 30 days, they're deleted from the tenant.

    If your access review settings select the "Block user from signing-in for 30 days, then remove user from the tenant" option, this might be the reason some users are DELETED and others DISABLED as a result of an Azure AD Identity Governance Access Review.

    For more information: https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-external-users#disable-and-delete-external-identities-with-microsoft-entra-access-reviews

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it.
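The accepted answer describes two stages a denied guest passes through (blocked for 30 days, then removed). The following PowerShell is an added example, not code from the thread or from Microsoft: it lists which guests are currently in which stage so an admin can re-enable or restore one before the window closes. It assumes the Microsoft Graph PowerShell SDK is installed and the caller holds User.Read.All and Directory.Read.All; the 30-day retention of soft-deleted users is Entra's standard behaviour and is assumed here rather than stated in the answer.

```powershell
# Added example (not from the thread): reconcile guest accounts after an access review
# configured with "Block user from signing-in for 30 days, then remove user from the tenant".
# Assumes the Microsoft Graph PowerShell SDK and the User.Read.All / Directory.Read.All scopes.
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All"

function Get-GuestReviewState {
    # Stage 1: guests blocked from signing in but still present in the tenant.
    # A wrongly denied guest in this stage can be re-enabled with
    #   Update-MgUser -UserId <Id> -AccountEnabled:$true
    $blocked = Get-MgUser -All -Filter "userType eq 'Guest' and accountEnabled eq false" `
        -Property Id, DisplayName, UserPrincipalName, AccountEnabled |
        ForEach-Object {
            [pscustomobject]@{
                Stage             = 'Blocked (still in tenant)'
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                Id                = $_.Id
                DaysLeft          = $null   # not derivable without the review completion time
            }
        }

    # Stage 2: guests already soft-deleted. Entra keeps a deleted user for 30 days
    # (assumed standard retention); until then it can be brought back with
    #   Restore-MgDirectoryDeletedItem -DirectoryObjectId <Id>
    $deleted = Get-MgDirectoryDeletedItemAsUser -All `
        -Property Id, DisplayName, UserPrincipalName, UserType, DeletedDateTime |
        Where-Object { $_.UserType -eq 'Guest' } |
        ForEach-Object {
            $age = (Get-Date).ToUniversalTime() - $_.DeletedDateTime
            [pscustomobject]@{
                Stage             = 'Deleted (restorable)'
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                Id                = $_.Id
                DaysLeft          = [math]::Max(0, 30 - [int][math]::Floor($age.TotalDays))
            }
        }

    # Wrap in @() so a single result or an empty result still concatenates cleanly.
    @($blocked) + @($deleted)
}

# Show both groups side by side; pipe to Export-Csv to keep an audit record.
Get-GuestReviewState | Sort-Object Stage, DisplayName | Format-Table -AutoSize
```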


1 additional answer

  1. Aakash Sehgal 80 Reputation points
    2024-03-04T10:08:44.6333333+00:00

    Inactive users are checked regularly and removed due to inactivity; if someone spams or behaves inappropriately, they are also removed.

