I am not aware of an automated way to do this, except for running access reviews in Azure AD for guest users. There’s no attribute available to determine if the account in the home tenant was blocked or deleted, so this also can’t be scripted.
Azure AD Guest User is not disabled when removed in Home Tenant
Hi
We're currently facing an issue when we invite guest users into our AAD. When the guest user is disabled or removed in their home directory, it does not update the user in our directory. The user can't log in anymore but is neither disabled nor removed in our directory. This has multiple implications for us:
- Disabled/Removed users clutter our directory
- Other applications sync all users from our directory. This includes the disabled/removed users -> may cause additional license costs
Is there a way to make Azure AD sync the removal/disabled state of the guest user with their home directory? Or is there a way that we can check if the user in the home directory is still active?
3 answers
Clément BETACORNE 2,496 Reputation points
2021-10-06T20:06:22.25+00:00
Hello,
Same here, I'm not aware of something like that, but a workaround can be to use "Terms of use": if your guest users don't re-accept it on the frequency basis you defined, you can assume that this account should be removed:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use
Florian Frommherz 76 Reputation points Microsoft Employee
2022-06-14T20:15:17.25+00:00
If you have the right licenses, you could create an access review and have the "inactive" guest users self-attest and thereby declare whether they still need access. If they come back and complete the access review, you keep them. If not, or if they come back and say that they don't need access any more, you remove them. Access Reviews has built-in functionality for that.
Without Access Reviews, you can query the Graph API: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts, https://learn.microsoft.com/en-us/graph/api/resources/signinactivity?view=graph-rest-beta
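The Graph-based approach from the answer above, worked through as an added example (not code from the thread or from Microsoft): it takes the `value` array of a `GET /users` response that was requested with `$select=...,signInActivity` (a property that needs an Azure AD Premium license) and flags guests with no sign-in in the inviting tenant within a chosen window. Sign-in history lives only in your tenant, so a guest blocked at home shows up purely because it stops signing in; the sample payload, the `contoso`/`partner.com` names and the fixed `NOW` are constructed placeholders, and fetching the payload with a valid token is assumed to have happened already.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "value" array of
# GET /v1.0/users?$filter=userType eq 'Guest'&$select=...,signInActivity
# (placeholder domains, not real accounts).
SAMPLE_USERS = [
    {"userPrincipalName": "alice_partner.com#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2020-01-10T09:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2022-05-30T08:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2022-06-10T07:00:00Z"}},
    {"userPrincipalName": "bob_partner.com#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2021-03-01T10:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2021-09-01T12:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"userPrincipalName": "carol_partner.com#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2022-06-01T10:00:00Z", "externalUserState": "PendingAcceptance",
     "signInActivity": None},  # invitation not yet redeemed, so no sign-in exists
    {"userPrincipalName": "dave_partner.com#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2021-01-05T10:00:00Z", "externalUserState": "Accepted",
     "signInActivity": None},  # redeemed long ago, never signed in since
]
NOW = datetime(2022, 6, 14, tzinfo=timezone.utc)  # fixed "today" for the sample

def _parse(ts):
    """Parse a Graph UTC timestamp; trims 7-digit fractions Python rejects."""
    if not ts:
        return None
    if "." in ts:
        head, frac = ts.split(".")
        ts = head + "." + frac.rstrip("Z")[:6] + "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def last_activity(user):
    """Latest interactive or non-interactive sign-in, else the invite date."""
    act = user.get("signInActivity") or {}
    stamps = [_parse(act.get("lastSignInDateTime")),
              _parse(act.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else _parse(user["createdDateTime"])

def stale_guests(users, now=NOW, max_idle_days=90):
    """UPNs of guests with no sign-in in this tenant for max_idle_days.
    A guest disabled in its home tenant only shows up here because it
    silently stops signing in, so treat hits as review candidates."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u["userPrincipalName"] for u in users
                  if last_activity(u) < cutoff)

if __name__ == "__main__":
    print(stale_guests(SAMPLE_USERS))
```

Pending invitations are judged on their invite date because they can never have a sign-in; feed the returned UPNs into an access review or a removal job rather than deleting on the spot, since inactivity is only a proxy for the home-tenant state.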