Guest account got deleted and Azure AD audit logs shows actor as "Microsoft B2B Admin Worker"

Ajaz Khan 266 Reputation points
2021-08-02T02:28:22.657+00:00

Couple of guest users were deleted from Azure AD. I checked the audit logs in AAD admin center, the actor is "Microsoft B2B Admin Worker" and type is "Application".
Kindly assist in understating the actor "Microsoft B2B Admin Worker" Can we further check to identify how the guest account were deleted?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,768 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,316 Reputation points
    2021-08-02T11:54:23.79+00:00

    Hi @Ajaz Khan · Thank you for reaching out.

    This happens when user goes to https://myaccount.microsoft.com/organizations and clicks on leave organization, as shown below:
    119846-image.png

    I tested this out and found below logs gets generated in that case:
    119777-image.png

    The Delete User log is generated with actor "Microsoft B2B Admin Worker" and Delete External user event is generated with actor Username, which is user's own account. You can look for Delete External user events which will provide you with correct actor.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful