Office 365 applications create lots of Azure Active Directory guest accounts. Here’s how to find old accounts and check their Office 365 group membership. If you know the accounts that are old and stale and aren’t members of any Office 365 group, you can consider removing them from your tenant.
Office 365 makes extensive use of Azure Active Directory guest accounts. Implementing a risky sign-in policy is a good idea, but it can have the unfortunate side-effect of suddenly blocking guest accounts that could previously access tenant resources. If blocks happen, they can only be lifted through administrative intervention in the guest account’s home tenant.
Microsoft makes a strong case that all Azure Active Directory accounts should be protected with multi-factor authentication (MFA). That’s a great aspiration, but the immediate priority is to check accounts holding admin roles. This post explains how to use a PowerShell script to find and report those accounts.
A reader asks if it’s possible to create a dynamic Office 365 group for global administrators. Well, it is and it isn’t. Azure Active Directory doesn’t give us the ability to execute the right kind of query to find global administrators, but with some out-of-the-box thinking, we can find a way to accomplish the task.
The Groups section of the Azure Active Directory portal now includes a preview of a feature to configure the Office 365 Groups naming policy without going near PowerShell. Although those proficient with scripts and GUIDs will lament this sad reduction in standards, the normal administrator will welcome the chance to forget some obscure syntax.