Manage guest user lifecycle (preview)

Entitlement management allows you to gain visibility into the state of a guest user's lifecycle through the following viewpoints:

  • Governed - The guest user is set to be governed.
  • Ungoverned - The guest user is set to not be governed.
  • Blank - The lifecycle for the guest user isn't determined. This happens when the guest user had an access package assigned before managing user lifecycle was possible.


When a guest user is set as Governed, based on entitlement management tenant-wide settings their account will be deleted or disabled in specified days after their last access package assignment expires. Learn more about entitlement management settings here: Manage external access with Microsoft Entra entitlement management.

You can directly convert ungoverned users to be governed by using the Mark Guests as Governed (preview) functionality in the top menu bar.

Manage guest user lifecycle in the Microsoft Entra admin center


Steps in this article may vary slightly based on the portal you start from.

To manage user lifecycle, you'd follow these steps:

Prerequisite role: Global Administrator, Identity Governance Administrator, Catalog owner, Access package manager or Access package assignment manager

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  2. Browse to Identity governance > Entitlement management > Access package.

  3. On the Access packages page open the access package you want to manage guest user lifecycle of.

  4. In the left menu, select Assignments.

  5. On the assignments screen, select the user you want to manage the lifecycle for, and then select Mark guest as governed (Preview). Screenshot of the govern user lifecycle selection.

  6. Select save.

Manage guest user lifecycle programmatically

To manage user lifecycle programatically using Microsoft Graph, see: accessPackageSubject resource type. For bulk conversion, see: ConvertTo-EmGovernedGuest.ps1.

Next steps