EXT-09: Guest User Lifecycle Review

Overview

This guide walks you through finding stale guest (B2B) accounts, meaning those inactive for 90 or more days and those that were invited but never signed in, and then disabling or removing them. Guest accounts accumulate quietly: a partner leaves, a project ends, an invitation is never redeemed, and the identity lingers with whatever access it had. Regular lifecycle review closes those forgotten doors.

Control ID: EXT-09
Category: Guest & External Access
Baseline Level: Level 1 (Recommended Secure)
Severity: Medium
License Required: None (guest review is possible on all tiers; automated access reviews add richer workflow on Entra ID P2)

Why This Matters

Stale guest accounts are attack targets. Unlike internal accounts, guest accounts may not be subject to your password policies or MFA requirements. Regular lifecycle review prevents unauthorized access through forgotten guest identities.

A guest identity you have forgotten is one you are not monitoring, not re-verifying, and not covered by the same controls as your employees. If that partner's account is compromised on their side, it is a valid way into your resources. Pruning inactive and never-signed-in guests shrinks that external footprint on a schedule.

Expected State

  • Guest accounts inactive for 90+ days are identified
  • Stale guests are disabled or removed
  • Guest accounts that never signed in are reviewed

Prerequisites

Requirement                Details
Role Required              User Administrator to disable/delete guests; Global Administrator or Identity Governance Administrator to configure access reviews
License Required           None for manual review. Automated access reviews require Microsoft Entra ID P2.
Access                     Microsoft Entra admin center (entra.microsoft.com)
Recommended Prerequisite   Sign-in logs available to determine last activity (see LOG-01)

Before You Start

  1. Decide your inactivity threshold (this control uses 90+ days) and how you treat never-signed-in guests (review, and disable/remove if the invitation is stale).
  2. Decide disable vs delete. A safe pattern is disable first (reversible, breaks nothing permanently), then delete after a grace period if still unused.
  3. Identify guests you must keep even if quiet (dormant but legitimate partner contacts) so review does not remove them.

Time Estimate

Task                                                   Duration
Pull the guest inventory and last sign-in data         20-30 minutes
Identify 90+ day inactive and never-signed-in guests   15 minutes
Disable, then later remove, stale guests               15-30 minutes
Set up a recurring review                              20-30 minutes
Total                                                  ~1.5 hours initial, then recurring

TrueConfig Remediation

This control supports one-click enablement / auto-remediation. TrueConfig can automatically disable guest accounts inactive for 90+ days, so stale external identities do not linger between manual reviews. Disable is reversible, so this is a safe automated action; you can then remove confirmed-dead guests on your own schedule. You can also run the review manually with the steps below.


Step-by-Step Instructions

Step 1: Inventory Guest Accounts and Their Last Activity

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Users > All users.
  3. Filter User type = Guest to list every guest.
  4. To find last activity, use one of:
    • Users > Monitoring or the Sign-in logs filtered to the guest.
    • The last sign-in activity property (available via the users list and Microsoft Graph signInActivity), which shows the last successful sign-in date.
  5. Also identify guests in a PendingAcceptance state or with no sign-in activity at all; these are the never-signed-in accounts.

Step 2: Identify Stale Guests

Build two buckets:

  • Inactive 90+ days: guests whose last sign-in is more than 90 days ago.
  • Never signed in: guests with no recorded sign-in, especially those whose invitation was sent long ago and never redeemed.

Cross-check against your keep-list of dormant-but-legitimate contacts before acting.

Step 3: Disable Stale Guests First

Disabling is reversible and immediately stops sign-in.

  1. In Users, open a stale guest.
  2. On the profile, set Account enabled to No (Block sign-in = Yes) so the account is blocked.
  3. Save. Repeat for each stale guest, or handle them in bulk.

Blocking rather than deleting first gives you a safety window in case a guest turns out to be needed.

Step 4: Remove Confirmed-Dead Guests

After a grace period (for example 30 days) with no legitimate need surfacing:

  1. Open the still-disabled guest.
  2. Select Delete user and confirm.
  3. Document the removal for audit purposes.

Never-signed-in guests with long-stale invitations can usually be removed without a long grace period, since they never had access to lose.
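Steps 1 through 4 can be driven from the Microsoft Graph PowerShell SDK, which is useful once the guest list is too long to triage by hand in the portal. The script below is an added example, not TrueConfig's code or a Microsoft sample. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the listed scopes (reading signInActivity needs AuditLog.Read.All and, per Microsoft's documentation, an Entra ID P1 or P2 license on the tenant), and that a keep-list CSV with a UserPrincipalName column exists at the hypothetical path guest-keeplist.csv. It runs report-only by default; the -Disable switch performs Step 3 (block sign-in) and deliberately never deletes, leaving Step 4 as a separate, documented decision after the grace period.

```powershell
# Added example: inventory guests, bucket them by staleness, optionally disable the stale ones.
# Not TrueConfig's or Microsoft's code. Paths, scope choices and the 90-day default are assumptions.
param(
    [int]$InactiveDays = 90,                          # Control threshold (Before You Start, item 1)
    [string]$KeepListPath = ".\guest-keeplist.csv",  # Hypothetical keep-list: one UserPrincipalName per row
    [switch]$Disable                                  # Report-only unless set
)

# Delegated scopes: signInActivity requires AuditLog.Read.All; disabling requires User.ReadWrite.All.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All" -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# Keep-list of dormant-but-legitimate contacts (Before You Start, item 3). Never disabled by this script.
$keep = @{}
if (Test-Path $KeepListPath) {
    Import-Csv $KeepListPath | ForEach-Object { $keep[$_.UserPrincipalName.ToLower()] = $true }
}

# Step 1: every guest with invitation date, invitation state and last sign-in.
# signInActivity is only returned when requested via -Property, and Graph does not allow
# filtering on it together with other properties, so the date comparison happens client-side.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, Mail, AccountEnabled, CreatedDateTime, ExternalUserState, SignInActivity

# Step 2: build the two buckets (plus KeepList and Active so the report covers every guest).
$report = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime   # $null when the guest has never signed in
    $bucket = if ($keep.ContainsKey($g.UserPrincipalName.ToLower())) { 'KeepList' }
              elseif (-not $last) {
                  # Blank last sign-in: never signed in. Stale only when the invitation itself is old.
                  if ($g.CreatedDateTime -lt $cutoff) { 'NeverSignedIn-Stale' } else { 'NeverSignedIn-Recent' }
              }
              elseif ($last -lt $cutoff) { 'Inactive' }
              else { 'Active' }

    [pscustomobject]@{
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        Mail              = $g.Mail
        Invited           = $g.CreatedDateTime
        InvitationState   = $g.ExternalUserState   # PendingAcceptance = invitation never redeemed
        LastSignIn        = $last
        AccountEnabled    = $g.AccountEnabled
        Bucket            = $bucket
        Id                = $g.Id
    }
}

# Evidence for the verification checklist and for the later delete decision.
$report | Export-Csv ".\guest-lifecycle-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Group-Object Bucket | Select-Object Name, Count | Format-Table -AutoSize

# Step 3: disable, never delete, the stale buckets. Skips already-disabled accounts so re-runs are idempotent.
if ($Disable) {
    $targets = @($report | Where-Object {
        ($_.Bucket -in @('Inactive', 'NeverSignedIn-Stale')) -and $_.AccountEnabled
    })
    foreach ($t in $targets) {
        Update-MgUser -UserId $t.Id -AccountEnabled:$false
        Write-Host "Disabled $($t.UserPrincipalName) [$($t.Bucket)]"
    }
    Write-Host "Disabled $($targets.Count) guest(s). Keep the CSV; delete only after the grace period (Step 4)."
}
```

Run it once without -Disable and read the bucket counts and CSV; if the numbers look right and the keep-list is complete, run it again with -Disable. The CSV's Invited and InvitationState columns are what you need later to decide which never-signed-in guests can be removed immediately and which disabled guests have passed the grace period.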

Step 5: Make It Recurring

Manual once is good; recurring is the control. Two options:

Access reviews (recommended, requires Entra ID P2):

  1. Go to Identity governance > Access reviews > + New access review.
  2. Scope it to Guest users (all guests, or guests in specific groups/apps).
  3. Set a recurring schedule (for example quarterly).
  4. Configure reviewers (resource owners, or self-review by the guest's sponsor).
  5. Set the outcome for non-response to remove access (or disable) so unreviewed guests are cleaned automatically.

License-free path:

  1. Schedule a recurring manual review (quarterly) using Steps 1-4.
  2. Or rely on TrueConfig's automated disable of 90+ day inactive guests plus periodic deletion.

Verification Checklist

  • A current guest inventory with last sign-in data exists
  • Guests inactive for 90+ days are identified
  • Never-signed-in guests are identified and reviewed
  • Stale guests are disabled (blocked from sign-in)
  • Confirmed-dead guests are deleted after the grace period
  • Legitimate dormant contacts are preserved via a keep-list
  • A recurring review is in place (access reviews on P2, or scheduled manual / TrueConfig automation)

Troubleshooting

"Last sign-in shows blank for many guests"

A blank last sign-in usually means the guest has never signed in (or predates activity tracking). Treat blank-plus-old-invitation as never-signed-in and review for removal. Ensure you are reading the signInActivity last successful sign-in, which can lag by a short interval.

"I disabled a guest and a project broke"

Disable is reversible: re-enable the guest (set sign-in blocked back to No). This is exactly why the recommended flow disables before deleting.

"We do not have Entra ID P2 for access reviews"

Access reviews need P2. Without it, run the recurring review manually or use TrueConfig's automated disable of 90+ day inactive guests, then delete on a schedule.

"A guest is inactive but we must keep them"

Add them to a documented keep-list and exclude them from disable/delete. Dormant-but-legitimate partner contacts are a valid exception; the point is that it is a deliberate, recorded decision.

"Deleting a guest did not remove their access somewhere"

Removing the guest identity removes their directory access. If they had access granted outside Entra (for example a directly shared external link), review those sharing surfaces separately (see EXT-06 external sharing visibility).


Cost Considerations

Component      Cost Impact
License        None for manual review and for disabling/deleting guests.
Entra ID P2    Required only for automated access reviews (recurring, reviewer workflows, auto-remove on non-response). Included in Microsoft 365 E5, EMS E5, or P2 standalone.
Operational    Low if automated (access reviews or TrueConfig); moderate if done fully by hand each quarter.

Note: Even without P2, you get most of the value by disabling inactive guests on a schedule. Access reviews mainly reduce the manual effort and add an auditable reviewer trail.


Related Controls

Additional Resources