I've been working on a project to clean up our user accounts in Entra ID. While looking through the accounts, I found a ton of guest accounts with invitations that are never accepted, guest users who haven't logged in for 2-3 months, and even disabled users still hanging around. I'm planning to tackle this cleanup, but I'd love to hear how others prevent this issue from arising in the first place. Do you block users from inviting guests? Have you set up access reviews for group monitoring? I want to implement a solid process to keep our directory tidy. I'm also creating a dynamic group to easily see guest users as a starting point. Any tips would be appreciated! Thanks!
2 Answers
In my company, we deal with more guests than full-time employees, so blocking guest invitations isn’t an option. I wrote a quick Graph script to check user activity, and if they haven't signed in for over 90 days, I just remove them.
Yeah, blocking guest invitations and setting up access reviews are both solid strategies if those are causing your issues. Another useful tip is to disable normal users from creating groups — I find that often creates chaos in larger companies. Just be careful about the licensing needed for access reviews; it can get pretty tricky!
Exactly! We had to disable group creation for regular users when one group was made for a printer and another had a pretty inappropriate name.
About the access review licensing, do both the person who starts the review and the reviewers need the P2 license?
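The 90-day sign-in check from the first answer, combined with the three categories named in the question, as an added example (not the answerer's script). It uses property names from the Microsoft Graph user resource; the sample records, the `make_user` helper, and the 90-day grace period applied to pending invitations are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # threshold mentioned in the first answer

def parse_ts(value):
    """Parse a Graph ISO 8601 timestamp such as 2024-01-15T08:30:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def classify_guest(user, now):
    """Return a cleanup category for one user object, or None to keep it."""
    if user.get("userType") != "Guest":
        return None  # members are out of scope for this report
    created = parse_ts(user.get("createdDateTime"))
    if user.get("externalUserState") == "PendingAcceptance":
        # Assumption: a fresh invitation gets the same 90-day grace period.
        return "pending_invite" if created and now - created > STALE_AFTER else None
    if user.get("accountEnabled") is False:
        return "disabled"
    last = parse_ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
    # A guest with no recorded sign-in is aged from account creation instead.
    reference = last or created
    if reference and now - reference > STALE_AFTER:
        return "stale_signin"
    return None

def cleanup_report(users, now=None):
    """Group guest UPNs by category; this only reports, it deletes nothing."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for user in users:
        category = classify_guest(user, now)
        if category:
            report.setdefault(category, []).append(user["userPrincipalName"])
    return report

def make_user(upn, created, last=None, state="Accepted", enabled=True, kind="Guest"):
    """Hypothetical helper: build a record shaped like a Graph user object."""
    return {"userPrincipalName": upn, "userType": kind, "accountEnabled": enabled,
            "externalUserState": state, "createdDateTime": created,
            "signInActivity": {"lastSignInDateTime": last} if last else None}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_USERS = [  # constructed records, not real accounts
    make_user("alice_ext", "2023-09-01T00:00:00Z", "2024-05-20T09:00:00Z"),
    make_user("bob_ext", "2023-09-01T00:00:00Z", "2024-01-10T09:00:00Z"),
    make_user("carol_ext", "2023-11-01T00:00:00Z", state="PendingAcceptance"),
    make_user("dave_ext", "2024-05-25T00:00:00Z", state="PendingAcceptance"),
    make_user("erin_ext", "2023-09-01T00:00:00Z", "2024-05-30T09:00:00Z", enabled=False),
    make_user("frank", "2022-01-01T00:00:00Z", "2023-01-01T09:00:00Z", kind="Member"),
    make_user("grace_ext", "2023-12-01T00:00:00Z"),
]
```

Feeding the report into a review step before any removal leaves room to catch guests whose sign-in data was simply not returned by the query.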