They Came, They Logged In, They Never Left
In most organizations, bringing in guest users is quick and easy, just a few clicks and they’re in. Whether it’s consultants, suppliers, or project-based collaborators, guest access is often set up to meet an immediate need.
But while onboarding is simple, offboarding is where things often fall short.
Once the project wraps up or the collaboration ends, these accounts often stay active in Entra ID. They might no longer be needed, but without a proper process in place, no one remembers to remove them. Over time, this leads to a growing number of inactive accounts, unused, unmanaged, and potentially risky.
A Quick Fix for Stale Guest Accounts: Clean Up in a Few Clicks
There are many ways to handle guest account management, and ideally, if you regularly collaborate with external companies, I’d recommend setting up proper lifecycle workflows. But in this post, I want to show you a quick and simple way to clean up stale guest accounts with just a few clicks and minimal cost.
The easiest way to manage and remove inactive guest accounts is by using Entra ID Governance with an Access Review. If you have fewer than 50,000 guest users, they are included in your Microsoft Governance licenses. For larger numbers, Microsoft uses a Monthly Active User (MAU) model, which you can read more about here.
To run an Access Review, each person doing the review needs a Governance license. Note that an Entra ID P2 license doesn’t give access to all the features needed for this process.
Ensure that you have a user with at least the Identity Governance Administrator role to enable the Access Reviews.
Target Your Guest Accounts
By default, Microsoft lets you choose what to review in your access reviews. You can select either Teams and Groups or Applications. These options give you enough flexibility to focus on the resources that matter most.
In my case, I want to review all guest users. The easiest way to do this is by creating a dynamic security group that automatically includes every guest account. I find this approach really useful: I can target all guests and then apply more restrictive policies to sensitive teams, groups, or apps without missing anything.
To get started, create a new group with a dynamic membership rule. In my example, I want to target all active guest accounts, so I use the following rule.
(user.userType eq "Guest") and (user.accountEnabled eq true)
Create a New Access Review
After you’ve made a dynamic group that includes all active guest users, the next step is to set up an access review to help you manage them.
Go to the Entra admin center, open Identity Governance, and click on Access Reviews. Then choose New Access Review to get started.
First, choose to review Teams + Groups, and pick the security group you just created. This makes sure the review only checks your enabled guest users.
Turn on the option to include inactive users only, and set how many days a user can be inactive before they should be reviewed. In my case, I want to look at guests who haven’t signed in for 90 days.

When it’s time to decide who should review the guest users, I choose a few specific people who are in charge of checking access. But you can also let group owners or sponsors do it if that works better for you.
Next, define the frequency and duration of the review. I set the duration to three to seven days, giving reviewers a few days to complete their task.
For recurrence, I prefer to run this weekly. Running reviews more frequently helps keep the number of accounts per review manageable and prevents backlogs.
I also choose to have the review run indefinitely, so I don’t have to recreate it each time.

I also choose to follow the system’s recommendations if a reviewer doesn’t respond. This means that if no one takes action, the system will automatically remove inactive users instead of leaving them active by default.

Lastly, I enable the decision helper that shows when a user hasn’t signed in for 30 days, giving reviewers helpful context when making decisions.

This setup lets me stay on top of guest account access with minimal effort, and ensures that users who no longer need access are automatically removed.
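Because unanswered reviews are applied automatically, it helps to preview who the review would surface before the first cycle runs. The following is an added example, not part of the original post: it applies the dynamic membership rule and the 90-day threshold to guest records that use Microsoft Graph user property names. The sample records, the `guest` helper, and the treatment of guests who never signed in (judged by creation date) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse a Graph-style ISO 8601 UTC timestamp; None if absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def last_activity(user):
    """Latest interactive or non-interactive sign-in, or None if never seen."""
    act = user.get("signInActivity") or {}
    stamps = [parse_ts(act.get(k)) for k in
              ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    return max((s for s in stamps if s), default=None)

def preview_review_scope(users, now, inactive_days=90):
    """Map UPN -> reason for each guest the inactivity review would surface."""
    cutoff = now - timedelta(days=inactive_days)
    flagged = {}
    for u in users:
        # Same condition as the dynamic membership rule in the post.
        if u.get("userType") != "Guest" or u.get("accountEnabled") is not True:
            continue
        seen = last_activity(u)
        if seen is None:
            # Assumption: a guest with no sign-in is judged by creation date,
            # so a freshly invited account is not flagged.
            created = parse_ts(u.get("createdDateTime"))
            if created is None or created < cutoff:
                flagged[u["userPrincipalName"]] = "never signed in"
        elif seen < cutoff:
            flagged[u["userPrincipalName"]] = f"inactive {(now - seen).days} days"
    return flagged

def guest(upn, created, interactive=None, background=None, enabled=True, kind="Guest"):
    """Build a constructed record using Graph user property names."""
    return {"userPrincipalName": upn, "userType": kind, "accountEnabled": enabled,
            "createdDateTime": created,
            "signInActivity": {"lastSignInDateTime": interactive,
                               "lastNonInteractiveSignInDateTime": background}}

# Constructed sample data, not taken from any tenant.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    guest("anna@partner.example", "2024-09-01T00:00:00Z", "2025-01-10T00:00:00Z"),
    guest("ben@partner.example", "2024-09-01T00:00:00Z", "2024-12-01T00:00:00Z", "2025-05-20T00:00:00Z"),
    guest("cara@partner.example", "2024-11-01T00:00:00Z"),
    guest("dan@partner.example", "2025-05-25T00:00:00Z"),
    guest("eve@partner.example", "2024-01-01T00:00:00Z", "2024-02-01T00:00:00Z", enabled=False),
    guest("fay@contoso.example", "2023-01-01T00:00:00Z", "2024-02-01T00:00:00Z", kind="Member"),
]
```

Calling `preview_review_scope(SAMPLE_USERS, NOW)` flags only the guest who last signed in months ago and the long-standing invitation that was never redeemed; the guest with recent non-interactive activity, the fresh invitation, the disabled guest, and the member account stay out of scope.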
Why I Believe Access Reviews Are a Game Changer
Guest users often stick around long after they’ve stopped needing access, which can create risk and confusion. In this post, I showed how to set up a quick and simple access review in Entra ID to help keep things clean. By using a dynamic group and setting the review to run regularly, it becomes much easier to stay on top of inactive accounts without extra work. I also chose to apply recommendations automatically, so if someone forgets to respond, the system helps clean things up anyway.
Setting up access reviews like this helps make sure the right people are checking who should still have access. It also makes it easier to follow rules and internal policies. This is a good starting point for guest accounts, but I’d recommend setting up more strict reviews for apps and areas that are extra sensitive.