Guest Access Reviews

TL;DR – A super simple way to review all guests with access to a tenant.

In certain scenarios guests from other tenants have to be invited to the enterprise tenant, i.e. B2B. However, good security practices dictate that guests should be reviewed to ensure users do not keep access when no longer needed. The documentation offers a few great options, including the ability to review all Microsoft 365 groups, which allows admins to manage guest access to those groups. However, I’ve worked with organizations that needed to review generic guest access to the tenant, that might have not been particularly associated with a specific group, and they also needed ability to automatically remove those guests from the tenant.

In this scenario, I just had to create a new dynamic group, which I creatively called “All Guests”, using the dynamic membership rule ‘(user.userType -eq “Guest”)‘.

Then I created an Access Review for the new ‘All Guests’ dynamic group. The key here is to ensure the scope is “Guest users only”, this is because the next option will not be available if that is not selected.

Then under “Upon completion settings” I chose the option to “Block user from signing-in for 30 days, then remove user from the tenant“.

Note: This option is only available when the scope is “Guest users only”.

When this option is selected, any users that are denied during the review processes are updated with ‘Block sign in’ set to ‘Yes’ and that remains in place for 30 days. At the end of the 30 days, any users which administrators have not updated the value of ‘Block sign in‘, i.e. those that still have blocked sign-in, are then removed from the tenant.

Reviewers still follow the standard procedure to provide feedback, by accessing the MyAccess URL and approving or denying the access.

Once the access review period is over or the review is manually stopped, the system automatically applies the changes as shown below:

Since the access review included the options above, at the end of the review period we can then see those denied users have been disabled, with ‘Block sign in’ set to ‘Yes’.

After 30 days those users are then automatically removed from the tenant, unless the value of this setting is manually updated by the administrators.

This is a very easy and efficient way to remove those guest users that no longer require access to a tenant.