Remove B2B user when host account is removed
We use Azure B2B extensively. However, where B2B users have been invited into our directory and the user has since left the third-party organisation and thus had their account removed, the guest account records in our directory are not cleaned up.
Over time this leaves thousands of 'orphaned' guest accounts in our directory, with no ability for our administrators to identify which accounts are orphaned, and thus the number of guest users in our directory grows over time indefinitely.
Azure AD should automatically, in the event of a user object being removed from the third-party directory, remove the guest pointer record from any directories where the object has been invited as a guest.
This is in our backlog, but votes and comments about how you would expect this to work are very helpful to our planning/designing the feature so please keep them coming.
Also, for some scenarios in this space Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) can be a good way of removing users who no longer need access, including those who don’t have accounts anymore. (Thanks Shawn for pointing that out for everyone!)
Shawn Reagan commented
You could set up Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) to poll the users periodically to see if they are still using an app/group. If the user has been removed in the third party they won't get the email and can't respond. The policy would assume opt-out until the user responds otherwise. This would allow you to remove them and reclaim licenses for users no longer using your Azure AD.
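Until the home tenant signals a deletion, the only thing an administrator can see is what the guest has done in the host directory. The following is an added example, not code from this thread or from Microsoft: it triages guest records by invitation state and last sign-in, the same evidence an access review relies on, so a pending review can be seeded with the most likely orphans. Field names follow the Microsoft Graph `user` resource (`externalUserState`, `createdDateTime`, `signInActivity`); the records themselves are constructed, and reading `signInActivity` in a real tenant needs the relevant audit-log permission. The labels are a heuristic: a long-inactive guest may still exist at the partner, so the output is a candidate list for review, not a deletion list.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of guest user records in the shape Graph returns for
# GET /users?$filter=userType eq 'Guest' with signInActivity selected.
# Values are invented for illustration; they are not real accounts.
SAMPLE_GUESTS = [
    {"userPrincipalName": "alice_partner.example#EXT#@host.example",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-05T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:30:00Z"}},
    {"userPrincipalName": "bob_partner.example#EXT#@host.example",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2023-06-01T09:00:00Z",
     "signInActivity": None},
    {"userPrincipalName": "carol_partner.example#EXT#@host.example",
     "externalUserState": "Accepted", "createdDateTime": "2022-11-20T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-02-01T10:00:00Z"}},
    {"userPrincipalName": "dave_partner.example#EXT#@host.example",
     "externalUserState": "Accepted", "createdDateTime": "2023-09-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": None}},
    {"userPrincipalName": "erin_partner.example#EXT#@host.example",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2024-05-20T09:00:00Z",
     "signInActivity": None},
]


def _parse(ts):
    """Parse a Graph ISO-8601 timestamp (trailing 'Z') into an aware datetime, or None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def classify_guest(user, now, stale_days=90):
    """Label one guest record: 'pending-invite' (invitation never redeemed and older than
    stale_days), 'never-signed-in' (accepted, no sign-in ever, account older than
    stale_days), 'inactive' (last sign-in older than stale_days), 'active', or 'ok'
    (too new to judge)."""
    cutoff = now - timedelta(days=stale_days)
    created = _parse(user.get("createdDateTime"))
    last = _parse((user.get("signInActivity") or {}).get("lastSignInDateTime"))
    old_enough = created is not None and created < cutoff
    if user.get("externalUserState") == "PendingAcceptance":
        return "pending-invite" if old_enough else "ok"
    if last is None:
        return "never-signed-in" if old_enough else "ok"
    return "inactive" if last < cutoff else "active"


def review_candidates(guests, now=None, stale_days=90):
    """Map each guest UPN to its label; everything except 'active'/'ok' deserves a review."""
    now = now or datetime.now(timezone.utc)
    return {g["userPrincipalName"]: classify_guest(g, now, stale_days) for g in guests}
```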
Ypersiel Jean-pol commented
This is definitely the way that it should be performed (automatically removed). First, it's better to have the guest reference isolated from our main directory; then it should be tightly linked to the company user lifecycle: if the user changes department we should be warned too.
James Mayhair commented
Any direction from the product group would be greatly appreciated.
I would like to propose a slightly different approach. I do not want to see a guest user disappear because the actual user in the third-party organization got deleted. I would rather see an attribute on the guest user showing the status of the user in the third-party organization. This allows us to make a choice between keeping, disabling or removing the guest account.