A Proliferation of Guest User Accounts Within Office 365 Tenants
Azure Active Directory Guest User Accounts are terrifically useful in terms of allowing people outside your Office 365 tenant to access resources inside the tenant. Applications like Teams, SharePoint Online, Planner, and Outlook Groups use the Azure B2B Collaboration framework to create new guest accounts to share information, whether it’s the membership of a team or access to a shared document or folder.
All is good, except for the proliferation of guest accounts that can quickly accumulate inside a tenant. In short, a regular spring cleaning is needed to ensure that unwanted guests are ejected.
The Problem of Deciding When to Leave
As always, the problem is to decide when a guest account should be removed. Left by themselves, guest accounts will remain in the tenant directory because neither Office 365 nor Azure Active Directory include an automated method to clean up guests past their best-by date. One approach is to review guest accounts that are older than a certain age and look for evidence to indicate if they should be removed.
For example, you might decide that membership of multiple Office 365 groups is sufficient reason to keep guest accounts. The logic here is that these memberships give people access to Teams (conversations), Outlook Groups (conversations delivered via email), and Planner (group tasks). Therefore, if we write a script to scan for guest accounts older than x days and then check if these accounts are members of groups, we should have some evidence upon which to base a decision to remove or keep.
PowerShell Script to Highlight Stale Guest Users and their Group Membership
The script below does the following:
- Finds all guest accounts in the tenant.
- Checks each guest to discover its age based on the RefreshTokensValidFromDateTime attribute, which is updated when the guest account is created. The New-TimeSpan cmdlet calculates how many days have elapsed since Azure B2B Collaboration created the guest account in the tenant directory.
- If the guest account is older than 365 days, we look for its group membership by running the Get-Recipient cmdlet to check the account’s distinguished name (an old but still useful X.500 construct) against the membership of Office 365 groups.
- Writes the discovered information out to an array.
- After all guest accounts are processed, writes the contents of the array to a CSV file.
Here’s the code. Remember that you might want to update the code to add error handling and do whatever testing is necessary before you run the script against your production tenant. You need to connect your PowerShell session to Exchange Online and Azure Active Directory before running the script.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# Script to find Guest User Accounts in an Office 365 Tenant that are older than 365 days and the groups they belong to # Find guest accounts $GuestUsers = Get-AzureADUser -All $true -Filter "UserType eq 'Guest'" $Today = (Get-Date); $StaleGuests = 0 $Report = [System.Collections.Generic.List[Object]]::new() # Check each account and find those over 365 days old ForEach ($Guest in $GuestUsers) { $AADAccountAge = ($Guest.RefreshTokensValidFromDateTime | New-TimeSpan).Days If ($AADAccountAge -gt 365) { $StaleGuests++ Write-Host "Processing" $Guest.DisplayName $i = 0; $GroupNames = $Null # Find what Office 365 Groups the guest belongs to... if any $DN = (Get-Recipient -Identity $Guest.UserPrincipalName).DistinguishedName $GuestGroups = (Get-Recipient -Filter "Members -eq '$Dn'" -RecipientTypeDetails GroupMailbox | Select DisplayName, ExternalDirectoryObjectId) If ($GuestGroups -ne $Null) { ForEach ($G in $GuestGroups) { If ($i -eq 0) { $GroupNames = $G.DisplayName; $i++ } Else {$GroupNames = $GroupNames + "; " + $G.DisplayName } }} $ReportLine = [PSCustomObject]@{ UPN = $Guest.UserPrincipalName Name = $Guest.DisplayName Age = $AADAccountAge Created = $Guest.RefreshTokensValidFromDateTime Groups = $GroupNames DN = $DN} $Report.Add($ReportLine) } } $Report | Sort Name | Export-CSV -NoTypeInformation c:\Temp\OldGuestAccounts.csv |
The output CSV file is shown (somewhat obscured to protect the names of the guilty) in Figure 1. Any guest that isn’t a member of at least one Office 365 group is a potential delete target. As you can see from the created column, it’s easy for old and stale guest accounts to linger on unless you clean them up from time to time.
We have lots of other PowerShell examples of how to manage Azure Active Directory guest users and other Office 365 objects in the Office 365 for IT Pros eBook.
Another approach is to use the Azure AD Access Review process which delegates this responsibility to the Group Owners, see https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Access reviews are indeed a good way to push responsibility down to group owners. However, they require Azure AD Premium licenses and don’t give tenants an overview of what’s happening with guests across all groups.
I must be missing some simple step. Powershell is dumping this error message for each user found. Can someone help?
Get-Recipient : The term ‘Get-Recipient’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At line:13 char:14
+ $DN = (Get-Recipient -Identity $Guest.UserPrincipalName).Distin …
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-Recipient:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PowerShell is telling you that it can’t find the Get-Recipient cmdlet. This is most likely because you haven’t connected to Exchange Online.