This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 61%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELN%3C/text%3E%3C/svg%3E)
Hi Microsoft support team,
I'm using EntraID trial and I faced with 1 problem.
That is when I register an Enterprise Application, I config Supported Account type to Multiple Tenant.
After that some users used their Microsoft Account to authorized the authentication of my EntraID, then I update the config into Single Tenant but they still can authorize.
I've checked from All Users but I can't find their user on it.
So how can I find their user and how can I block access of them.
Please help me to resolve this problem.
Thanks, Regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hello Long Nguyen Thanh,
Thanks for your question.
They might still have active access tokens or refresh tokens. See: Modify the accounts supported by an application
You can view the list of your guest users with the command below
Install-Module AzureAD
Connect-AzureAD
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true
To remove user from your tenant and block access:
Remove-AzureADUser -ObjectId "TestUser@example.com"
You can also consider conditional access policies to setup policies that can limit in future
Regards,
Abiola
You can mark it 'Accept Answer' and upvote if this helped.
I try to get user used Powershell but I do not see their account in there.
Their account not in any tenant, just a Microsoft account so can it be a user of my tenant?
I try to get user used Powershell but I do not see their account in there.
Their account not in any tenant, just a Microsoft account so can it be a user of my tenant?
Thank you for posting this in Microsoft Q&A.
To better understand the issue, please provide more details. How did you say that the user was authenticated after updating the application account type from Multitenant to Single Tenant? Did you notice any sign-in logs in your tenant. Does external user retrieve any access token from multitenant application. If you noticed anything, please share with us and also can you please check that external user will be part of your tenant?
You can check via Microsoft Enterprise Admin Center or use the PowerShell below.
Get-AzureADUser -ObjectId "Navya#EXT#@M365x37.onmicrosoft.com"
Users may encounter an authentication error when attempting to authenticate after changing the application account type from Multitenant to Single Tenant.
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya.