remove b2b user when host account is removed
We use Azure B2B extensively. However, where B2B users have been invited into our directory and the user has later left the third-party organisation (and thus had their account removed), this does not clean up the guest account records in our directory.
Over time this leaves thousands of 'orphaned' guest accounts in our directory, with no ability for our administrators to identify which accounts are orphaned, and thus the number of guest users in our directory expands indefinitely over time.
Azure AD should automatically, in the event of a user object being removed from the third-party directory, remove the guest pointer record from any directories where the object has been invited as a guest.
This is in our backlog, but votes and comments about how you would expect this to work are very helpful to our planning/designing the feature so please keep them coming.
Also, for some scenarios in this space Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) can be a good way of removing users who no longer need access, including those who don’t have accounts anymore. (Thanks Shawn for pointing that out for everyone!)
Pete Butler commented
Agree with the general sentiment. At a minimum I'd like to see these users placed in a separate group. A more ambitious approach might be to indicate the upstream status of users during an access review.
As it is I wind up relying on time-consuming steps like checking the corporate directory to see if these users still exist when I'm doing access reviews.
Access reviews using Identity Governance won't remove the orphaned user from Azure AD.
Any progress on this request? Definitely this is a limitation.
Yaroslav Solovyov commented
Ideally the behaviour should be configurable to align with an individual organisation's needs or policies. Upon detection of an account termination in the external AAD, the guest AAD can:
1. Automatically terminate the account in the guest AAD,
2. Automatically deactivate the B2B user account in the guest AAD (set "Block sign in" to "Yes") and initiate a review by a responsible person.
3. Make no change to the account and instigate a revision by a responsible person (central function or Manager field).
The current user account revision process lacks completeness, and if a user account is neither a member of a group nor assigned to an application (e.g. directly invited to a SharePoint site, or removed from groups), such an account will not be reviewed. So, organisations wanting 360-degree control over Azure AD accounts, including B2B, need to augment Azure AD with either a manual process or a 3rd-party tool such as an Identity Governance and Administration tool.
Shawn Reagan commented
You could set up Access Reviews https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews to poll the users periodically to see if they are still using an app/group. If the user has been removed in the 3rd party they won't get the email and can't respond. The policy would assume opt-out until the user responds otherwise. This would allow you to remove them and reclaim licenses for users no longer using your Azure AD.
Ypersiel Jean-pol commented
This is definitely the way it should be performed (automatically removed). First, it's better to have the guest reference isolated from our main directory; then it should be tightly linked to the company user lifecycle: if the user changes department, we should be warned too.
James Mayhair commented
Any direction from the product group would be greatly appreciated.
I would like to propose a slightly different approach. I do not want to see a guest user disappear because the actual user in the third party organization got deleted. I rather would like to see an attribute with the guest user showing the status of the user in the third party organization. This allows us to make a choice in keeping, disabling or removing the guest account.
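Since Azure AD exposes no attribute for a guest's status in their home tenant, the signals an administrator can actually act on are the ones the resource tenant records: an invitation that was never accepted (externalUserState = PendingAcceptance) and the absence of any sign-in for a long period (signInActivity). The following script is an added example, not code from this thread or from Microsoft; it triages guests on those two signals and then applies one of the three policies Yaroslav lists above (report only, block sign-in and queue for review, or remove), and for the "block" case it also drops the account into a dedicated group as Pete suggests, so a recurring Access Review can be scoped to that group. It uses the Microsoft Graph PowerShell SDK cmdlets Get-MgUser, Update-MgUser, Remove-MgUser, Get-MgGroup and New-MgGroupMember. The group name Guest-Review-Stale and the 90-day threshold are assumptions; reading signInActivity requires the AuditLog.Read.All scope and an Azure AD Premium licence in the tenant.

```powershell
<#
  Added example (not from the thread): triage possibly-orphaned B2B guests.
  Signals available in the resource tenant (home-tenant status is NOT exposed):
    - invitation never accepted (ExternalUserState = PendingAcceptance)
    - no sign-in recorded for $StaleDays (SignInActivity; needs AuditLog.Read.All
      and an Azure AD P1/P2 licence)
  -Action Report : list candidates only (Yaroslav's option 3, hand to a reviewer)
  -Action Block  : set "Block sign in" = Yes and add to $ReviewGroupName (option 2)
  -Action Remove : delete the guest (option 1; soft-deleted for 30 days)
  Requires the Microsoft.Graph PowerShell SDK. Group name is an assumption.
#>
param(
    [int]    $StaleDays       = 90,
    [ValidateSet('Report', 'Block', 'Remove')]
    [string] $Action          = 'Report',
    [string] $ReviewGroupName = 'Guest-Review-Stale',   # assumed; create it beforehand
    [switch] $DryRun
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'GroupMember.ReadWrite.All' -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# Fetch every guest once with the properties needed. signInActivity cannot be
# combined with other $filter clauses, so the classification is done client-side.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property `
    Id, DisplayName, UserPrincipalName, Mail, AccountEnabled, CreatedDateTime, `
    ExternalUserState, ExternalUserStateChangeDateTime, SignInActivity

$candidates = @(foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $reason = $null
    if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff) {
        $reason = "invitation never accepted (created $($g.CreatedDateTime.ToString('u')))"
    }
    elseif ($null -eq $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
        $reason = "no sign-in recorded since creation on $($g.CreatedDateTime.ToString('u'))"
    }
    elseif ($null -ne $lastSignIn -and $lastSignIn -lt $cutoff) {
        $reason = "last sign-in $($lastSignIn.ToString('u'))"
    }
    if ($reason) {
        [pscustomobject]@{
            Id      = $g.Id
            UPN     = $g.UserPrincipalName
            Mail    = $g.Mail
            Enabled = $g.AccountEnabled
            Reason  = $reason
        }
    }
})

Write-Host "$($guests.Count) guests, $($candidates.Count) candidates older than $StaleDays days"
$candidates | Format-Table -AutoSize

if ($Action -eq 'Report' -or $candidates.Count -eq 0) { return }

$reviewGroup = $null
if ($Action -eq 'Block') {
    $reviewGroup = Get-MgGroup -Filter "displayName eq '$ReviewGroupName'"
    if (-not $reviewGroup) { throw "Review group '$ReviewGroupName' not found" }
}

foreach ($c in $candidates) {
    if ($DryRun) {
        Write-Host "[DryRun] would $($Action.ToLower()) $($c.UPN): $($c.Reason)"
        continue
    }
    if ($Action -eq 'Block') {
        # "Block sign in" = Yes keeps the object (and its group/app assignments)
        # for a reviewer to decide; the group is what an Access Review is scoped to.
        Update-MgUser -UserId $c.Id -AccountEnabled:$false
        New-MgGroupMember -GroupId $reviewGroup.Id -DirectoryObjectId $c.Id -ErrorAction SilentlyContinue
        Write-Host "Blocked sign-in and queued for review: $($c.UPN)"
    }
    else {
        Remove-MgUser -UserId $c.Id
        Write-Host "Removed guest: $($c.UPN)"
    }
}
```

Run it first with the default -Action Report (or -DryRun with Block/Remove) and check the candidate list against your own records: a guest who signs in only through a rarely used app will look stale by this heuristic even though their home account still exists, which is exactly the limitation the thread's last comment is about.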