How can we improve Azure Active Directory?

B2B Guest User Expiration

Looking for the functionality where you can schedule Azure B2B users to exist in your tenant for a predetermined period of time. This would operate similarly to the O365 Groups expiration functionality that exists today. Additionally, managers would be allowed to extend these periods of time, and automated reminders would be sent to the manager of these users.

118 votes

Thomas shared this idea  ·  Admin response:

We do have some capabilities in this space by using either Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) or the newly-released-to-preview Entitlement Management feature (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview).

If neither of those fulfills your requirements, please add a comment with your scenario for the feature to help us prioritize and design it better.

/Elisabeth

15 comments

  • Mike commented

    Access reviews and entitlements are poorly planned and require too much operational overhead for on-demand access for external guests for SPO, Teams, etc.
    You need to scale it back to basic account expiry and attestation.

  • Anonymous commented

    Hi Elisabeth,

    Access Review requires a Premium P2 edition of Azure AD or a Microsoft Enterprise Mobility + Security E5 license, and additionally a process needs to be set up to initiate an access review.

    As with AD on-prem, it would be great if an expiration date could be set for a new Guest user. If not extended (e.g. via the Access Review process), the user account EXPIRES and has no access anymore unless the user (or the owner of the site) can prove the access is still required.

    Guest user handling is horrible right now.

    Thanks!

  • Anonymous commented

    The feature we are looking for is guest invite expiry. If a user hasn’t accepted the invite in a set amount of time, it should expire.

  • Nitin commented

    Both of those capabilities mentioned above do help, but both require the AAD Premium P2 or EMS E5 license. A majority of organizations don't have those licenses.

    If the guest account is a capability in the base Azure AD, then ideally some capability to manage them should be part of it too.

    Currently there's not enough value in the additional capabilities of AAD Premium P2 license to justify the additional spend on it. Microsoft should consider making one of the above capabilities available at a lower licensing level (AAD Premium P1) or even the base Office365/AAD license.

  • Nitin commented

    I think it's time for the AAD team to make a concerted effort to put some governance/structure around this. It's a huge security risk to have external users within our enterprise directory, yet it's something that's needed due to apps that promote external collaboration (i.e. Teams).

  • Damien commented

    Hi, this feature is a must for B2B collaboration in Teams. We need a full guest user lifecycle. The current review process is entirely manual, which isn't good enough.

  • Anonymous commented

    I know something similar is part of the Azure AD Premium P2 license, but that’s too much cost for a very limited increase in functionality. This has to be part of the core product.

  • Anonymous commented

    This is a definite MUST-have feature, given how guests are mushrooming within Azure AD with the proliferation of Guest access in O365 workloads.
