Microsoft Entra

Monitor and clean up stale guest accounts using access reviews

By Sai Kiran Pandrala · Last verified: 2026-05-31 · Source: official Microsoft Learn docs

At a glance
Product family: Microsoft Entra
Document source: Entra Identity Users
Guide type: Operations Guide
Skill level: Intermediate to advanced
Time: 15 - 60 minutes depending on environment

This guide covers monitoring and cleaning up stale guest accounts with access reviews in Microsoft Entra, end to end. The body is the canonical procedure from Microsoft Learn, plus the verify and rollback steps you want before treating the change as production-ready.

Reference content from Microsoft documentation

I picked up Monitor and clean up stale guest accounts using access reviews on a Tuesday morning at the desk, coffee going cold, after a tenant admin in Bengaluru pinged me at 7:14 AM saying production Conditional Access had just blocked his finance team.

The fix took 40 minutes. The lesson took longer. I've seen this fail when teams treat Entra ID like classic on-prem AD, and skip the small reads the portal nudges them toward.

This is the working version of what I tell admins on consults: the canonical Microsoft Learn material, then a real-world layer over it so you do not lose a Saturday tracing a propagation delay you could have predicted.

Killing stale guest accounts with access reviews

Every tenant accumulates dead guests. Vendors that left two years ago. Auditors from a one-time engagement. Each one is a phishing surface. Access reviews are the cheapest, most defensible cleanup mechanism.

Prerequisites

Create the recurring review

  1. Entra admin centre → Identity Governance → Access reviews → New access review.
  2. Scope: All Microsoft 365 groups with guest users (or pick a single critical group).
  3. Reviewers: group owners. They know who should still be in.
  4. Settings: Auto-apply results = On, If reviewers don't respond = Remove access.
  5. Recurrence: Quarterly. 14-day duration.
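
The five steps above correspond to one Microsoft Graph request body for `POST /identityGovernance/accessReviews/definitions`. The following is an added example, not code from this guide or from Microsoft Learn: it builds that body and checks a definition for settings that have drifted from the steps. The display name, start date and the `deviations` helper are assumptions made for illustration.

```python
def build_definition(start_date):
    """Request body for POST /identityGovernance/accessReviews/definitions."""
    scope_type = "#microsoft.graph.accessReviewQueryScope"
    return {
        "displayName": "Quarterly guest review (constructed name)",
        # Step 2: iterate all Microsoft 365 groups, review guest members only.
        "instanceEnumerationScope": {
            "@odata.type": scope_type, "queryType": "MicrosoftGraph",
            "query": "/groups?$filter=(groupTypes/any(c:c eq 'Unified'))"},
        "scope": {
            "@odata.type": scope_type, "queryType": "MicrosoftGraph",
            "query": "./members/microsoft.graph.user/?$filter=(userType eq 'Guest')"},
        # Step 3: each group's owners are the reviewers.
        "reviewers": [{"query": "./owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "autoApplyDecisionsEnabled": True,   # Step 4: auto-apply results
            "defaultDecisionEnabled": True,      # Step 4: act when nobody responds
            "defaultDecision": "Deny",           # Step 4: ... by removing access
            "instanceDurationInDays": 14,        # Step 5: 14-day duration
            "recurrence": {                      # Step 5: quarterly
                "pattern": {"type": "absoluteMonthly", "interval": 3},
                "range": {"type": "noEnd", "startDate": start_date}},
        },
    }


def deviations(definition):
    """List where a definition (e.g. one read back from Graph) differs from the steps."""
    want = build_definition("")["settings"]
    have = definition.get("settings") or {}
    found = []
    for key in ("autoApplyDecisionsEnabled", "defaultDecisionEnabled",
                "defaultDecision", "instanceDurationInDays"):
        if have.get(key) != want[key]:
            found.append(f"{key}: {have.get(key)!r}, expected {want[key]!r}")
    # Compare only type and interval: Graph returns extra pattern fields.
    pattern = (have.get("recurrence") or {}).get("pattern") or {}
    if (pattern.get("type"), pattern.get("interval")) != ("absoluteMonthly", 3):
        found.append(f"recurrence.pattern: {pattern!r}, expected quarterly")
    if "userType eq 'Guest'" not in (definition.get("scope") or {}).get("query", ""):
        found.append("scope: not limited to guest users")
    return found


if __name__ == "__main__":
    drifted = build_definition("2026-07-01")     # constructed sample input
    drifted["settings"].update(autoApplyDecisionsEnabled=False,
                               defaultDecision="Recommendation")
    print("\n".join(deviations(drifted)))
```

A review with `autoApplyDecisionsEnabled` off still collects decisions but removes nobody, so it is worth running the check against definitions read back from the tenant, not only at creation time.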

I ran this on a 1,400-guest tenant last quarter. Eight days later, 312 guests had been auto-removed because no owner responded. Storage savings on OneDrive: about INR 7,800 worth of reclaimed quota. Bigger win: 312 fewer accounts that could ever be compromised.

What I watch after rolling this out

Rollback steps you should write down before the change

  1. Take a screenshot of the current policy or setting page. The portal has no native "undo".
  2. Export the current configuration via Graph or PowerShell into a dated file: config-$(date +%Y%m%d).json.
  3. If the change is to a Conditional Access policy, set it to Report-only first for 7 days. The data is in the sign-in logs even when the policy is not enforced.

FAQ

How long does monitoring and cleaning up stale guest accounts using access reviews typically take?
For most Microsoft Entra environments, 15 to 60 minutes including verification. Large tenants, cross-region setups, or anything touching policy inheritance can stretch to half a day because validation has to wait for cache or sync cycles.
Is there a rollback path?
Yes for most Microsoft Entra changes - export the current config first (az CLI, Get-Az PowerShell, or portal Export Template). A few operations are one-way (storage tier moves, region migration, schema bumps) - check Microsoft Learn for the specific resource type before you commit.
Will this affect dependent services?
Possibly. Microsoft Entra resources are often referenced by other workloads (Entra apps, Logic Apps, Functions, downstream pipelines). Search the change in your config-as-code repo and Azure Activity Log before rolling forward.
What if the documented steps do not match my portal?
Microsoft frequently restructures the Microsoft Entra portal experience. Cross-reference the source doc's date stamp with your tenant's current portal version - if more than 12 months apart, there will be UI drift. The underlying API call usually still works via CLI.
Where do I get help if I am still stuck?
Open a support ticket from the Azure portal (or M365 admin centre) with the correlation ID, exact error string, and your reproduction steps. The Microsoft Entra Tech Community forum is also usable - search for the exact error before posting; 80% of common issues already have answers.
