Azure AD Guest User is not disabled when removed in Home Tenant

Meili, Lukas 1 Reputation point
2021-10-06T14:54:36.42+00:00

Hi

We're currently facing an issue when we invite guest users into our AAD. When the guest user is disabled or removed in their home directory, it does not update the user in our directory. The user can't log in anymore but is neither disabled nor removed in our directory. This has multiple implications for us:

  • Disabled/Removed users clutter our directory
  • Other applications sync all users from our directory. This includes the disabled/removed users, which may cause additional license costs

Is there a way to make Azure AD sync the removal/disabled state of the guest user with their home directory? Or is there a way that we can check if the user in the home directory is still active?

Microsoft Entra ID

3 answers

  1. Paul van Berlo 821 Reputation points
    2021-10-06T18:27:45.357+00:00

    I am not aware of an automated way to do this, except for running access reviews in Azure AD for guest users. There’s no attribute available to determine if the account in the home tenant was blocked or deleted, so this also can’t be scripted.


  2. Clément BETACORNE 2,031 Reputation points
    2021-10-06T20:06:22.25+00:00

    Hello,

    Same here, I'm not aware of something like that, but a workaround can be to use "Terms of use": if your guest users don't re-accept it on the frequency basis you defined, you can assume that the account should be removed:
    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use


  3. Florian Frommherz 76 Reputation points Microsoft Employee
    2022-06-14T20:15:17.25+00:00

    If you have the right licenses, you could create an access review and have the "inactive" guest users self-attest and thereby declare whether they still need access. If they come back and complete the access review, you keep them. If not, or if they come back and say that they don't need access any more, you remove them. Access Reviews has built-in functionality for that.

    Without Access Reviews, you can query the Graph API: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts, https://learn.microsoft.com/en-us/graph/api/resources/signinactivity?view=graph-rest-beta

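The Graph-based approach from the last answer, worked through as an added example (this is not code from the thread or from Microsoft). It lists guests with `signInActivity` selected, then flags two cases client-side: guests whose last sign-in is older than a threshold (a guest blocked or deleted in the home tenant can no longer sign in, so it lands here once the threshold passes), and guests with no `lastSignInDateTime` at all, which Graph omits for accounts that have never signed in. Assumptions: the token has `User.Read.All` and `AuditLog.Read.All` (the latter is required for `signInActivity`, as is an Entra ID P1/P2 licence), the 90-day and 30-day thresholds are illustrative, and `SAMPLE_USERS` is constructed data shaped like a Graph response, not real tenant output.

```python
"""Flag guest users with no recent sign-in activity via Microsoft Graph.

Added example, not code from the original thread or from Microsoft.
Assumes a bearer token with User.Read.All and AuditLog.Read.All (the
signInActivity property needs the latter plus an Entra ID P1/P2 licence);
the thresholds and SAMPLE_USERS below are illustrative/constructed.
"""
import json
import os
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Server-side filter on userType only: Graph does not allow signInActivity to be
# combined with other $filter clauses, so the age check is done client-side.
GRAPH_GUESTS_URL = (
    "https://graph.microsoft.com/v1.0/users"
    "?$filter=userType%20eq%20'Guest'"
    "&$select=id,userPrincipalName,userType,createdDateTime,signInActivity"
)


@dataclass
class StaleGuest:
    id: str
    upn: str
    reason: str                      # "inactive" or "never_signed_in"
    last_sign_in: Optional[datetime]


def parse_graph_time(value: Optional[str]) -> Optional[datetime]:
    """Parse Graph's ISO-8601 UTC timestamps (optional fraction, trailing Z)."""
    if not value:
        return None
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def stale_guests(users: Iterable[dict], now: datetime,
                 inactive_days: int = 90, grace_days: int = 30) -> List[StaleGuest]:
    """Return guests inactive for more than inactive_days.

    Guests with no lastSignInDateTime (never signed in) are flagged only when
    the invitation (createdDateTime) is older than grace_days, so freshly
    invited users are not removed before they had a chance to accept.
    """
    inactive_cutoff = now - timedelta(days=inactive_days)
    grace_cutoff = now - timedelta(days=grace_days)
    found: List[StaleGuest] = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        last = parse_graph_time((u.get("signInActivity") or {}).get("lastSignInDateTime"))
        upn = u.get("userPrincipalName", "")
        if last is None:
            created = parse_graph_time(u.get("createdDateTime"))
            if created is not None and created < grace_cutoff:
                found.append(StaleGuest(u["id"], upn, "never_signed_in", None))
        elif last < inactive_cutoff:
            found.append(StaleGuest(u["id"], upn, "inactive", last))
    return found


def fetch_guests(token: str, url: str = GRAPH_GUESTS_URL) -> List[dict]:
    """Page through /users following @odata.nextLink (live call, needs network)."""
    users: List[dict] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


# Constructed sample shaped like a Graph response; domains are placeholders.
NOW = datetime(2022, 6, 14, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "1", "userType": "Guest", "userPrincipalName": "ann_example.com#EXT#@tenant.example.org",
     "createdDateTime": "2021-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2022-06-09T08:15:00Z"}},          # recently active
    {"id": "2", "userType": "Guest", "userPrincipalName": "bob_example.com#EXT#@tenant.example.org",
     "createdDateTime": "2021-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2021-11-20T10:00:00.1234567Z"}},  # inactive > 90 days
    {"id": "3", "userType": "Guest", "userPrincipalName": "cid_example.com#EXT#@tenant.example.org",
     "createdDateTime": "2022-04-01T09:00:00Z"},                                  # never signed in, old invite
    {"id": "4", "userType": "Guest", "userPrincipalName": "dee_example.com#EXT#@tenant.example.org",
     "createdDateTime": "2022-06-11T09:00:00Z"},                                  # never signed in, invited 3 days ago
    {"id": "5", "userType": "Member", "userPrincipalName": "eve@tenant.example.org",
     "createdDateTime": "2020-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2021-01-01T00:00:00Z"}},          # not a guest, ignored
]

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # set to run against a real tenant
    users = fetch_guests(token) if token else SAMPLE_USERS
    for g in stale_guests(users, datetime.now(timezone.utc) if token else NOW):
        print(g.reason, g.upn, g.last_sign_in)
```

Running it without `GRAPH_TOKEN` uses the sample data and reports guests 2 (inactive) and 3 (never signed in); guest 4 is within the grace period and the Member account is skipped. The "never signed in" case is the one to review by hand rather than delete automatically, since it also covers guests invited before sign-in activity was recorded.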