Teams Creates Many Guest Accounts
Propelled by the success of Teams, guest accounts are becoming more popular across the Microsoft 365 ecosystem. There’s goodness and badness here. The good comes from being able to share and collaborate through the Microsoft 365 group membership model and Azure B2B collaboration. The bad is that it’s easy to accumulate a large set of guest accounts from different tenants (organizations) over time. For instance, Teams is used by many conferences to deliver online events, so I now have guest accounts in five organizations used for just that purpose.
Because Teams makes users switch focus to a different tenant to access resources there, guest accounts are more obvious in Teams than in any other Office 365 application. It can become distracting when you have a long list of tenants to choose from when the time comes to switch. Should I just dip into that tenant to see what’s going on there? Or which tenant has that information I’m looking for?
By comparison, guests access SharePoint Online and OneDrive for Business documents and folders via URLs and sharing invitations which look like those used for content stored in the tenant. And guests participating in Outlook group conversations do so via email, just like they’d send messages to any other distribution list.
Tenant administrators have their own challenges in managing guest accounts in the tenant’s Azure AD instance. Last July, I wrote about the lack of visibility tenant administrators have into the other Microsoft 365 tenants where people have guest accounts. And it can be hard to figure out when guest accounts are past their best-by date and should be removed because they are unused (but here’s one approach).
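One way an administrator could flag the unused guest accounts mentioned above, as an added example (not the approach linked from this article, and not Microsoft's code). It classifies guest objects from a constructed sample shaped like a Microsoft Graph users response; the 180-day threshold, the tenant and guest names, and the function name review_guests are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph /users response that selects
# userPrincipalName, userType, externalUserState, createdDateTime, signInActivity.
SAMPLE = json.loads("""
{"value": [
  {"userPrincipalName": "ann_contoso.com#EXT#@example.onmicrosoft.com", "userType": "Guest",
   "externalUserState": "Accepted", "createdDateTime": "2019-03-01T09:00:00Z",
   "signInActivity": {"lastSignInDateTime": "2021-01-10T08:30:00Z"}},
  {"userPrincipalName": "bob_fabrikam.com#EXT#@example.onmicrosoft.com", "userType": "Guest",
   "externalUserState": "Accepted", "createdDateTime": "2018-06-15T12:00:00Z",
   "signInActivity": {"lastSignInDateTime": "2019-11-02T17:45:00Z"}},
  {"userPrincipalName": "cat_northwind.com#EXT#@example.onmicrosoft.com", "userType": "Guest",
   "externalUserState": "PendingAcceptance", "createdDateTime": "2020-02-20T10:00:00Z"},
  {"userPrincipalName": "dan_tailspin.com#EXT#@example.onmicrosoft.com", "userType": "Guest",
   "externalUserState": "Accepted", "createdDateTime": "2021-01-05T10:00:00Z", "signInActivity": null},
  {"userPrincipalName": "eve@example.onmicrosoft.com", "userType": "Member", "createdDateTime": "2017-01-01T00:00:00Z"}
]}
""")

def _ts(value):
    # Graph returns ISO 8601 UTC timestamps with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_guests(users, now, stale_days=180):
    """Return {upn: reason} for guest accounts that look unused as of `now`."""
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for u in users:
        if u.get("userType") != "Guest":
            continue  # tenant members are out of scope for this review
        upn = u["userPrincipalName"]
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        created = _ts(u["createdDateTime"])
        if u.get("externalUserState") == "PendingAcceptance":
            if created < cutoff:
                findings[upn] = "invitation never redeemed"
        elif last is None:
            # No recorded sign-in: judge by account age so new guests are not flagged
            if created < cutoff:
                findings[upn] = "no sign-in recorded"
        elif _ts(last) < cutoff:
            findings[upn] = "last sign-in " + last[:10]
    return findings

if __name__ == "__main__":
    as_of = datetime(2021, 2, 1, tzinfo=timezone.utc)  # constructed review date
    for upn, reason in review_guests(SAMPLE["value"], as_of).items():
        print(f"{upn}: {reason}")
```

Reading signInActivity from Microsoft Graph requires the AuditLog.Read.All permission and an Azure AD Premium license, so treat a missing value as "unknown" rather than "never signed in" if the tenant lacks either.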
Removing Your Guest Account from a Tenant
The simple fact is that tenant administrators are busy people and tend to leave guest accounts alone, even those which aren’t in active use. If you want to clean up the list of organizations you belong to, you can do so as follows. The first step is to open the Organizations section in your My account page to view the set of Azure AD tenants where you have a guest account (Figure 1). Microsoft has done a lot of work to improve the My account page recently to add features like the ability to see your account sign-in activity (My sign-ins). Overall, the page is easier to use and more informative, which is a good reason to check it out and highlight the page’s existence within your organization.
Select the organization you want to remove your account from and click Leave organization. If you are not already signed into that tenant, you’ll be asked to do so to authenticate your ownership of the account and right to remove it. I use a private browser session when cleaning up guest accounts because I have encountered some problems with the sign-in process in the past. Once connected to the target organization, you’ll be asked to confirm the decision to leave (Figure 2).
Clicking Leave starts the process of removing the guest account from the target organization. Once Azure AD has removed the account, you’ll receive an email confirmation that the deed is done (Figure 3). Removing the account has the effect of removing membership to all groups and teams and nullifying any sharing links to documents or folders in the tenant. In short, you’re now a nobody in the eyes of that tenant.
Caching means that it takes a little longer before all traces of your membership of a now-left tenant disappear. For instance, the list of organizations you belong to won’t update immediately and it can take up to a day or so before Teams desktop and mobile clients refresh their local cache and pick up the new organization list. Because it works online, the Teams browser client is much faster at detecting changes in the set of organizations (Figure 4).
If You Need to Rejoin
If you leave a tenant and then find that you need to rejoin to access some resource, someone (an administrator or team/group owner) must extend another invitation to join. This will create a new guest account. After you accept the invitation, you’ll be able to access any resource in the tenant available to the account – but not resources you previously could access until that access is regranted.
For this reason, it’s unwise to leave a tenant until you know that you don’t need anything stored there.