When I started my current role account management was a bit of a disaster. Active Directory was like the wild west, and Azure Active Directory wasn’t a lot better. In fact, it was probably worse, because there were thousands of additional guest accounts in there as well. Every time someone had shared something externally, a guest account was created. And never cleaned up.
Naturally, it’s useful for someone to be able to share files with external users from time to time, and more secure than emailing it as an attachment. But that access should be for a limited period, and once they no longer need access, they should be removed.
Once you delete a guest account, they will no longer have access to whatever resources were shared with them. If they need access again, the internal user will need to re-share it.
Now, cleaning up thousands of accounts manually was not going to be an easy process, and it was also not going to be a one-off. Users were going to keep sharing, guests were going to keep appearing. So I needed something that could automate the process, and make worrying about guest accounts a thing of the past.
Enter Azure Access Reviews.
Azure Access Reviews require an Azure AD Premium P2 license, which is expensive yes, but come with a wealth of features that help improve an organisations security, such as the full Identity Protection suite including risky users and sign ins, Privileged Identify Management (PIM), and Conditional Access (which is included in P1, but still). And remember, you only need a license for one user to make the whole tenant license P2.
An Access Review essentially sends a list of users to a approver and asks them to decide on their fate. For example, you could have all the Finance team in an Azure AD group that grants them access to the Finance SharePoint page. You could create an access review that emails the Head of Finance once a month and asks them to approve the members. If someone is in there that shouldn’t be (maybe they’ve moved roles and no-one told IT) then a click later and they’re gone.
So, without further ado, let’s create our access review:
Step 1 – Create a Dynamic Group to Capture all Guest Accounts
In Azure AD, select Groups, and create a new group. Set the type to Microsoft 365, give it a name and a description. Set the membership type to Dynamic User.
Click ‘Edit Dynamic Query’. You can choose the properties manually, or click the edit button above the syntax box and paste the following query:
(user.userType -eq “Guest”) and (user.accountEnabled -eq true)
Click ‘Create’ to finish making your group.
Step 2: Create an Access Review for Guest Users
In Azure AD, go to Identity Governance, Access Reviews, and click New Access Review.
Select Teams and Groups, then select the group you made in step 1. Leave the rest of the settings and click next.
Select the users (or groups) you want to act as the reviewers, and set the review recurrence to monthly. Click next.
Check the box to auto apply actions, and change the action to ‘Block user signing in for 30 days, then remove access from the tenant.’ Click Review + Create
Give your review a name, and click Create.
And that’s it! Bear in mind that to act as a reviewer, a user must have the P2 license assigned. Once it’s created, the reviewer will receive an email every 30 days asking them to review the guest users, with recommendations on the action to apply. The first review removed over 2,000 guest users, but now I’m down to between 20 and 30, and most importantly, know that my guest users population is being automatically pruned.
SysAdmin Tales 
Leave a Reply