Review and remove AAD inactive users in Public Preview
Published May 24 2022 12:30 PM 20.6K Views

Howdy folks, 

 

I’m excited to share with you the public preview of access reviews for inactive users, part of Azure Active Directory Identity Governance. We have seen an explosion in collaboration growth over the past two years, both within and between organizations. While this growth has been great for productivity, it has also increased the likelihood that “stale” accounts—accounts that were needed at one time, but not any longer—are lurking in your environment. Examples include former employees who have left the organization, or contractors whose assignments have ended. Access reviews for inactive users are an easy but powerful way to reduce security risk by uncovering these stale accounts and removing them if they truly have no purpose going forward.

 

The public preview of access reviews for inactive users enables administrators to review and remove stale accounts that have not signed in for a certain number of days.  Both interactive and non-interactive sign-in activities are covered under sign-in activity.  As part of the review process, stale accounts can automatically be removed.  This, in turn, improves your organization’s security posture. 

 

Want to help reduce the risk of inactive users? Try the access reviews now. You can specify an inactive duration for up to two years for guest users, or all users.   


For detailed instructions on how to set up inactive user reviews, see our Azure AD access review documentation. To try these reviews out via our MS Graph APIs (beta), review our MS Graph API documentation.

 

Best regards,  

Alex Simons (Twitter: @Alex_A_Simons) 

Corporate Vice President of Program Management 

Microsoft Identity Division 


13 Comments
Occasional Contributor

Great to see more targets coming to AAD Access Reviews!

 

Edit - removed incorrect comment about the inability to review on-premises groups. :flushed:

Contributor

This is great, very useful.

What about inactive devices? That feature coming soon?

New Contributor

@Mike Crowley Sync groups can be targeted in Access Reviews.

Occasional Contributor

@MaximeRastello Apologies, I stand corrected. In my head I combined the inability to include them in a catalog with the recommendation in the documentation to use cloud groups. I see now that I was wrong here.

Occasional Contributor

Is there a way to target all inactive guest users in the tenant, rather than just those that are in M365 groups or teams? We have a lot of guest users in standalone SharePoint sites that are not connected to M365 groups.

Microsoft

@David Cober this feature works for M365 groups, security groups and applications. It does not work with SharePoint sites. 

Hi Alex, what wonderful news! This is a difficult topic for many organizations, and with the help of access reviews, managing stale accounts becomes much easier than sifting through a CSV export.

You mentioned in your post "As part of the review process, stale accounts can automatically be removed". This is not an option yet; I tested it myself. This is an option if you set the scope to 'Guest users only' when creating the access review. With the 'Guest users only' scope you have the option 'block user from sign-in for 30 days, then remove user from tenant'. It would be wonderful if this were implemented for the scope 'All users' too.

 

Regards,

Ricardo

 

Senior Member

Hi! We had an access review run with "inactive guests" and discovered that recently invited guests (still in pending state) are also counted as "inactive". So, we had many cases where guests were just invited (like today or the day before) and received access review requests. This happens because the last sign-in date of pending guests is empty, which can also be the case if the guest hasn't been using the account since 2018. If I could choose, I'd filter out guests with pending state from the access review.

Established Member

How does this work with a Hybrid environment?  Will inactive users be automatically removed from an on-prem AD if they are removed from AAD using this governance tool?

Occasional Contributor

Would be great to offer a search filter in the users section of AAD that allows you to search on last logon time. This information can be grabbed from the signInActivity resource type:

signInActivity resource type - Microsoft Graph beta | Microsoft Docs

 

This way there is also a manual way to remove these stale accounts when tenants do not have a P2 license.

Occasional Visitor

As @helipetr2 already mentioned, the "inactive since X days" feature in access reviews also flags very recently created accounts (in my case member accounts).
It would be a real benefit if we were able to exclude group members newer than Y days directly while configuring the inactive users access review.

Thanks!
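The stale-account check the comments above describe (the signInActivity resource from the earlier comment, plus the pending-guest and newly-created-account cases raised by @helipetr2 and @ludoviclbit), as an added Python example that is not part of the post or of any Microsoft code: it classifies Graph-shaped user records, treating an empty last sign-in as stale only when the account is past a grace period and is not still awaiting invitation acceptance. The user records, the thresholds and the "today" date are constructed for the example.

```python
"""Classify Graph-shaped Azure AD user records as stale, handling the pending-guest
and newly-created-account cases from the comments. Added example, constructed data."""
import json
from datetime import datetime, timedelta, timezone

# Records are shaped like the response to (signInActivity needs AuditLog.Read.All
# and User.Read.All, and an Azure AD Premium licence on the tenant):
#   GET /beta/users?$select=userPrincipalName,userType,createdDateTime,
#                          externalUserState,signInActivity
SAMPLE_USERS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "userType": "Member",
  "createdDateTime": "2019-03-01T10:00:00Z", "externalUserState": null,
  "signInActivity": {"lastSignInDateTime": "2021-11-02T08:15:00Z",
                     "lastNonInteractiveSignInDateTime": "2022-05-20T07:00:00Z"}},
 {"userPrincipalName": "bob@contoso.example", "userType": "Member",
  "createdDateTime": "2019-03-01T10:00:00Z", "externalUserState": null,
  "signInActivity": {"lastSignInDateTime": "2021-09-14T12:00:00Z",
                     "lastNonInteractiveSignInDateTime": null}},
 {"userPrincipalName": "carol_fabrikam.example#EXT#@contoso.example",
  "userType": "Guest", "createdDateTime": "2022-05-23T09:00:00Z",
  "externalUserState": "PendingAcceptance", "signInActivity": null},
 {"userPrincipalName": "dave_fabrikam.example#EXT#@contoso.example",
  "userType": "Guest", "createdDateTime": "2018-06-01T09:00:00Z",
  "externalUserState": "Accepted", "signInActivity": null}
]""")
AS_OF = datetime(2022, 5, 24, tzinfo=timezone.utc)  # constructed "today"

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def last_activity(user):
    """Latest interactive or non-interactive sign-in; None if neither is recorded."""
    act = user.get("signInActivity") or {}
    stamps = [_parse(act.get("lastSignInDateTime")),
              _parse(act.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def classify(user, now=AS_OF, inactive_days=180, grace_days=30):
    """'active', 'stale', 'pending-guest' or 'new-account'. A missing sign-in
    record only counts as stale once the account is past the grace period."""
    if user.get("userType") == "Guest" and user.get("externalUserState") == "PendingAcceptance":
        return "pending-guest"
    if _parse(user["createdDateTime"]) > now - timedelta(days=grace_days):
        return "new-account"
    last = last_activity(user)
    return "stale" if last is None or last < now - timedelta(days=inactive_days) else "active"

def stale_accounts(users, now=AS_OF, **kw):
    return sorted(u["userPrincipalName"] for u in users if classify(u, now, **kw) == "stale")
```

Both the interactive and the non-interactive timestamp are considered, matching the post's statement that both kinds of sign-in count as activity; the two "exclusion" categories are exactly the cases the commenters asked the review itself to filter out.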

Senior Member

good one, but how about archive groups and users to which we may need access after some duration?

Regular Contributor

@ludoviclbit @helipetr2 This is working now. I had another community post open and they fixed it.

So if you set this, the newly created users are not affected.

