How can we improve Azure Active Directory?

remove b2b user when host account is removed

We use Azure B2B extensively. However, where B2B users have been invited into our directory and the user has since left the third-party organisation and had their account removed, this does not clean up the guest account records in our directory.

Over time this leaves thousands of 'orphaned' guest accounts in our directory, with no ability for our administrators to identify which accounts are orphaned, and thus the number of guest users in our directory expands over time to infinity.

Azure AD should automatically, in the event of a user object being removed from the third-party directory, remove the guest pointer record from any directories where the object has been invited as a guest.
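Since the home tenant's account state is not visible to the inviting directory, an administrator can only approximate "orphaned" with proxies. The script below is an added example (not part of the original idea or of Azure AD itself) that triages guest records using two Microsoft Graph user properties, `externalUserState` and `signInActivity.lastSignInDateTime`; the guest records and the thresholds are constructed assumptions.

```python
"""Triage B2B guest accounts that may be orphaned at their home tenant.

Added example, not part of the original idea. Azure AD exposes no home-tenant
account state, so two proxies from the Graph user resource are used instead:
externalUserState (invite never redeemed) and signInActivity.lastSignInDateTime
(Graph only returns sign-in activity with an Entra ID P1/P2 licence)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
UNREDEEMED_DAYS = 30  # invitation still pending after this many days (assumed threshold)
INACTIVE_DAYS = 90    # redeemed guest with no sign-in for this many days (assumed threshold)

SAMPLE_GUESTS = [  # constructed sample data in the shape of a Graph /users export
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2024-01-10T09:00:00Z", "signInActivity": None},
    {"userPrincipalName": "bob_partner.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-02-01T09:00:00Z", "signInActivity": {"lastSignInDateTime": "2023-12-15T08:00:00Z"}},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2024-03-01T09:00:00Z", "signInActivity": {"lastSignInDateTime": "2024-05-28T08:00:00Z"}},
    {"userPrincipalName": "dave@contoso.example", "userType": "Member",
     "externalUserState": None, "createdDateTime": "2020-01-01T00:00:00Z", "signInActivity": {"lastSignInDateTime": "2024-05-30T08:00:00Z"}},
]

def _parse(ts):
    """Parse the ISO-8601 'Z' timestamps Graph returns into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify_guest(user, now=NOW):
    """Return 'unredeemed', 'inactive' or 'active' for a guest; None for members."""
    if user.get("userType") != "Guest":
        return None
    if user.get("externalUserState") == "PendingAcceptance":
        pending = now - _parse(user["createdDateTime"])
        return "unredeemed" if pending > timedelta(days=UNREDEEMED_DAYS) else "active"
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    # A redeemed guest with no recorded sign-in counts as silent since creation.
    reference = _parse(last or user["createdDateTime"])
    return "inactive" if now - reference > timedelta(days=INACTIVE_DAYS) else "active"

def triage(users, now=NOW):
    """Group guest UPNs by state so each bucket can feed an access review or cleanup."""
    buckets = {"unredeemed": [], "inactive": [], "active": []}
    for u in users:
        label = classify_guest(u, now)
        if label:
            buckets[label].append(u["userPrincipalName"])
    return buckets
```

The "unredeemed" and "inactive" buckets are the candidates an administrator would review before disabling or deleting, rather than removing them blindly.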

30 votes

Anonymous shared this idea  ·  Admin →

This is in our backlog, but votes and comments about how you would expect this to work are very helpful to our planning/designing the feature so please keep them coming.

Also, for some scenarios in this space Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) can be a good way of removing users who no longer need access, including those who don’t have accounts anymore. (Thanks Shawn for pointing that out for everyone!)

/Elisabeth

4 comments

  • Shawn Reagan commented

    You could set up Access Reviews https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews to poll the users periodically to see if they are still using an app/group. If the user has been removed in the 3rd party they won't get the email and can't respond. The policy would assume opt-out until the user responds otherwise. This would allow you to remove them and reclaim licenses for users no longer using your Azure AD.

  • Ypersiel Jean-pol commented

    This is definitely the way that it should be performed (automatically removed). First, it's better to have the guest reference isolated from our main directory; then it should be extremely linked to the company user lifecycle: if the user changes department we should be warned too.

  • Addie commented

    I would like to propose a slightly different approach. I do not want to see a guest user disappear because the actual user in the third-party organization got deleted. I would rather see an attribute on the guest user showing the status of the user in the third-party organization. This allows us to make a choice between keeping, disabling or removing the guest account.
