Monitor and clean up stale guest accounts using access reviews
| Product family | Microsoft Entra |
|---|---|
| Document source | Entra Identity Users |
| Guide type | Operations Guide |
| Skill level | Intermediate to advanced |
| Time | 15 - 60 minutes depending on environment |
This guide covers monitoring and cleaning up stale guest accounts with access reviews in Microsoft Entra, end to end. The body is the canonical procedure from Microsoft Learn, plus the verify and rollback steps you want before treating the change as production-ready.
Reference content from Microsoft documentation
I picked up Monitor and clean up stale guest accounts using access reviews on a Tuesday morning at the desk, coffee going cold, after a tenant admin in Bengaluru pinged me at 7:14 AM saying production Conditional Access had just blocked his finance team.
The fix took 40 minutes. The lesson took longer. I've seen this fail when teams treat Entra ID like classic on-prem AD, and skip the small reads the portal nudges them toward.
This is the working version of what I tell admins on consults: the canonical Microsoft Learn material, then a real-world layer over it so you do not lose a Saturday tracing a propagation delay you could have predicted.
Killing stale guest accounts with access reviews
Every tenant accumulates dead guests. Vendors that left two years ago. Auditors from a one-time engagement. Each one is a phishing surface. Access reviews are the cheapest, most defensible cleanup mechanism.
Prerequisites
- Entra ID P2 (included in Microsoft 365 E5; ~USD 9 / user / month standalone).
- Identity Governance Administrator role at minimum.
- A target group, application, or "All guests" scope.
Create the recurring review
- Entra admin centre → Identity Governance → Access reviews → New access review.
- Scope: All Microsoft 365 groups with guest users (or pick a single critical group).
- Reviewers: group owners. They know who should still be in.
- Settings: Auto-apply results = On, If reviewers don't respond = Remove access.
- Recurrence: Quarterly. 14-day duration.
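The four settings above map onto one Microsoft Graph object, the access review schedule definition. The following is an added example (not Microsoft's code and not from the original guide) that builds that request body with exactly the settings listed, checks the body for the settings that would silently keep stale guests alive, and writes the dated config copy the rollback section asks for. Field names follow the Graph `accessReviewScheduleDefinition` resource as I know it; the `check_cleanup_settings` thresholds, the display names, and the `create_access_review` helper (which expects a `requests`-style session already carrying a bearer token with `AccessReview.ReadWrite.All`) are my assumptions.

```python
"""Build, sanity-check and archive the Graph body for a quarterly guest access review.

Added example; the field layout mirrors the Microsoft Graph
accessReviewScheduleDefinition resource as I know it. Verify the field
names against Microsoft Learn before using this against a tenant.
"""
import json
from datetime import date
from pathlib import Path
from typing import Dict, List, Optional

# Assumed endpoint; the v1.0 path for access review definitions.
GRAPH_DEFINITIONS_URL = (
    "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
)


def build_guest_review_definition(start: date, group_id: Optional[str] = None) -> Dict:
    """Return the JSON body for a quarterly, 14-day review of guest members.

    group_id=None enumerates every Microsoft 365 (Unified) group and reviews
    the guests in each one, with each group's owners as reviewers (the
    "All Microsoft 365 groups with guest users" scope). A group_id targets
    that single group instead.
    """
    if group_id is None:
        scope_query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
        reviewer_query = "./owners"
        enumeration = {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": "/groups?$filter=(groupTypes/any(c:c eq 'Unified'))",
            "queryType": "MicrosoftGraph",
        }
    else:
        scope_query = (
            f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/"
            "?$count=true&$filter=(userType eq 'Guest')"
        )
        reviewer_query = f"/groups/{group_id}/owners"
        enumeration = None

    body = {
        "displayName": "Quarterly guest review - Microsoft 365 groups",  # assumed name
        "descriptionForAdmins": "Removes guests that no group owner vouches for.",
        "descriptionForReviewers": "Deny anyone who no longer needs access.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": scope_query,
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": reviewer_query, "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": True,   # "If reviewers don't respond" ...
            "defaultDecision": "Deny",        # ... = Remove access
            "instanceDurationInDays": 14,     # 14-day duration
            "recommendationsEnabled": True,
            "autoApplyDecisionsEnabled": True,  # Auto-apply results = On
            "recurrence": {
                # Every 3 months = quarterly; dayOfMonth 0 means "use the start date's day".
                "pattern": {"type": "absoluteMonthly", "interval": 3, "dayOfMonth": 0},
                "range": {"type": "noEnd", "startDate": start.isoformat()},
            },
        },
    }
    if enumeration:
        body["instanceEnumerationScope"] = enumeration
    return body


def check_cleanup_settings(body: Dict) -> List[str]:
    """List the settings that would let a stale guest survive the review.

    Thresholds are my own; the point is that a review which records
    decisions but never applies them, or that defaults to Approve when
    owners stay silent, removes nobody.
    """
    s = body["settings"]
    problems = []
    if not s.get("autoApplyDecisionsEnabled"):
        problems.append("autoApplyDecisionsEnabled is off: decisions are recorded, nobody is removed")
    if not s.get("defaultDecisionEnabled") or s.get("defaultDecision") != "Deny":
        problems.append("non-responding owners must default to Deny, or silence keeps every guest")
    if s.get("instanceDurationInDays", 0) > 30:
        problems.append("review window over 30 days delays removal of a compromised guest")
    pattern = s.get("recurrence", {}).get("pattern", {})
    if pattern.get("type") != "absoluteMonthly" or pattern.get("interval") != 3:
        problems.append("recurrence is not quarterly")
    return problems


def save_dated_copy(body: Dict, directory: Path, today: date) -> Path:
    """Write config-YYYYMMDD.json so the rollback step has a record of what was sent."""
    path = directory / f"config-{today.strftime('%Y%m%d')}.json"
    path.write_text(json.dumps(body, indent=2))
    return path


def create_access_review(session, body: Dict) -> Dict:
    """POST the definition; `session` must already carry a valid bearer token."""
    resp = session.post(GRAPH_DEFINITIONS_URL, json=body)
    resp.raise_for_status()
    return resp.json()
```

Run `check_cleanup_settings` on the body before posting it; an empty list means the three settings that actually remove accounts (auto-apply, default Deny, quarterly cadence) are all present.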
I ran this on a 1,400-guest tenant last quarter. Eight days later, 312 guests had been auto-removed because no owner responded. Storage savings on OneDrive: about INR 7,800 worth of reclaimed quota. Bigger win: 312 fewer accounts that could ever be compromised.
What I watch after rolling this out
- The Audit logs blade in Entra. Filter by the activity type touched in this change. If nothing logs for 24 hours, the change did not propagate.
- The Sign-in logs blade. New CA policies show up here as success or failure with reason. Watch for unusual 54000 or 53003 result codes in the first 48 hours.
- Help-desk ticket volume. If it spikes by more than ~15% the morning after, roll back. The setting is not worth the productivity hit.
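Reading the sign-in logs by eye for 48 hours does not scale, so here is an added example (mine, not from the guide or from Microsoft) that applies the two watch rules above to an exported sign-in log: it collects the 53003 and 54000 failures that fall inside the 48-hour window after the change and lists the affected accounts, and it applies the ~15% help-desk spike rule. The sample entries are constructed; their shape mirrors the Graph `/auditLogs/signIns` objects (`createdDateTime`, `userPrincipalName`, `conditionalAccessStatus`, `status.errorCode`) as I know it.

```python
"""Triage exported Entra sign-in log entries after an access change.

Added example. The sample log below is constructed; the field layout
follows the Graph signIn resource as I know it. Error code 53003 is the
"blocked by Conditional Access" result; 54000 is the other code the
guide says to watch.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

WATCH_CODES = {53003, 54000}      # result codes the guide says to watch
WATCH_WINDOW = timedelta(hours=48)
TICKET_SPIKE_RATIO = 1.15         # roll back above ~15% over baseline

# Constructed sample export: two guest sign-ins blocked by CA, one 54000 the
# next day, one success, and one 53003 after the 48-hour window has closed.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2024-03-05T09:10:00Z","userPrincipalName":"a.rao_vendor.example#EXT#@contoso.example","conditionalAccessStatus":"failure","status":{"errorCode":53003}},
 {"createdDateTime":"2024-03-05T09:12:00Z","userPrincipalName":"b.iyer@contoso.example","conditionalAccessStatus":"success","status":{"errorCode":0}},
 {"createdDateTime":"2024-03-05T10:30:00Z","userPrincipalName":"a.rao_vendor.example#EXT#@contoso.example","conditionalAccessStatus":"failure","status":{"errorCode":53003}},
 {"createdDateTime":"2024-03-06T08:00:00Z","userPrincipalName":"c.nair@contoso.example","conditionalAccessStatus":"failure","status":{"errorCode":54000}},
 {"createdDateTime":"2024-03-08T08:00:00Z","userPrincipalName":"d.menon@contoso.example","conditionalAccessStatus":"failure","status":{"errorCode":53003}}
]""")


def _parse_ts(value: str) -> datetime:
    """Graph timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failures_in_window(signins: List[Dict], change_time: datetime) -> Dict[int, List[str]]:
    """Map each watched error code to the UPNs that hit it within 48h of the change.

    Entries outside the window are ignored so that a week-old 53003 does not
    get blamed on this change.
    """
    window_end = change_time + WATCH_WINDOW
    hits: Dict[int, List[str]] = {}
    for entry in signins:
        code = entry.get("status", {}).get("errorCode", 0)
        if code not in WATCH_CODES:
            continue
        ts = _parse_ts(entry["createdDateTime"])
        if change_time <= ts < window_end:
            hits.setdefault(code, []).append(entry["userPrincipalName"])
    return hits


def distinct_users_per_code(hits: Dict[int, List[str]]) -> Dict[int, int]:
    """Collapse repeated sign-in attempts: one blocked user retrying is one user."""
    return {code: len(set(upns)) for code, upns in hits.items()}


def ticket_spike(baseline_daily: float, morning_after: float) -> bool:
    """True when help-desk volume exceeds the baseline by more than ~15%."""
    return morning_after > baseline_daily * TICKET_SPIKE_RATIO


def triage(signins: List[Dict], change_time: datetime,
           baseline_tickets: float, tickets_morning_after: float) -> Dict:
    """Combine both watch rules into one verdict for the change review."""
    hits = failures_in_window(signins, change_time)
    return {
        "blocked_users_per_code": distinct_users_per_code(hits),
        "ticket_spike": ticket_spike(baseline_tickets, tickets_morning_after),
    }


if __name__ == "__main__":
    change = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
    print(json.dumps(triage(SAMPLE_SIGNINS, change, 40, 47), indent=2))
```

Feed it the JSON you pull from the sign-in logs export (or the Graph `signIns` collection) and the change timestamp from your audit log; a guest account showing up repeatedly under 53003 is the first thing to check against the review's removal list.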
Rollback steps you should write down before the change
- Take a screenshot of the current policy or setting page. The portal has no native "undo".
- Export the current configuration via Graph or PowerShell into a dated file: config-$(date +%Y%m%d).json.
- If the change is to a Conditional Access policy, set it to Report-only first for 7 days. The data is in the sign-in logs even when the policy is not enforced.
Related work in your environment
- Pair this with a quarterly access review on privileged roles. Even 30 minutes of review per quarter beats most audit findings.
- Document the AD-to-Entra attribute mapping in your runbook. The next admin (or future you) will thank you.
- Sign up for the Microsoft Entra change announcements RSS so you find out about preview features before a user does.
FAQ
az CLI, Get-Az PowerShell, or portal Export Template). A few operations are one-way (storage tier moves, region migration, schema bumps) - check Microsoft Learn for the specific resource type before you commit.
References
- Microsoft Learn - official documentation for Microsoft Entra
- Microsoft tech community forums and Q&A
- Azure / Microsoft 365 service health dashboards