Inactive Guest Users: Forgotten External Access Risk

Why this risk matters

Inactive guest users are external identities that were invited into the tenant — often for a specific project, vendor engagement, or file share — and have not signed in for an extended period but still retain active access to tenant resources.

Unlike dormant employee accounts, inactive guest users represent a different risk profile. The account exists in an external organisation's identity provider, and neither party is actively managing it. The guest has no reason to notice their access is still active, and the host organisation has no workflow prompting a review. The result is access that quietly persists, often indefinitely.

Overe flags guest users with no recent sign-in activity while still holding active resource access. These accounts are low-visibility from an attacker's perspective — if credentials for the guest's home account are compromised, access to your tenant's resources is an additional prize that may not be quickly detected.

What happens if this is abused

  • Guest's home account compromised — attacker discovers the guest has access to a partner organisation's SharePoint or Teams and uses it to access sensitive files without triggering internal alerts
  • Former vendor retains read access to a SharePoint site containing financial, technical, or client data long after the engagement ended, and their employer shares that access with a new employee
  • Inactive guest account used as a stepping stone by an attacker who wants to appear as a legitimate external collaborator rather than an unknown threat actor
  • Guest who left a contractor organisation still has access to internal Teams channels used for sensitive discussions; their successor at the same contractor inherits the access informally
  • Access token or session for an inactive guest used from a new device or location without triggering MFA because the guest account is excluded from the relevant Conditional Access policy
  • A compromised guest account used to explore internal Teams channels, SharePoint sites, and shared files without triggering alerts because no unusual sign-in pattern exists for a previously legitimate identity
  • Guest retained in a high-trust project group after the project closes, providing residual access to sensitive materials with no active oversight or review cycle

When this is expected or acceptable

Some guests are legitimately inactive for periods of time — a seasonal contractor who will return, a partner who accesses resources infrequently, or an auditor whose annual review has passed but is expected to return.

The key distinction is documentation and expectation. An inactive guest with a defined re-engagement date and a named internal sponsor is different from an orphaned account that nobody remembers inviting. Any guest without a clear ongoing purpose should be reviewed before their inactive status is treated as acceptable.

Checks to perform before taking action

Before removing or modifying an inactive guest account:

  • Check the guest's last sign-in date and the resources they currently have access to
  • Identify whether there is a named internal sponsor who is aware of and accountable for the guest's access
  • Confirm whether the guest's original purpose — project, vendor engagement, shared file — is still active
  • Check whether the guest holds any group memberships or permissions beyond basic resource access
  • Review Overe for any unusual sign-in activity associated with the account before assuming it is safely inactive
  • Confirm with the internal sponsor whether the access should be retained, reduced, or removed

Safe remediation steps

  1. Use Overe to review inactive guest users sorted by last sign-in date and access scope
  2. For guests with no active sponsor and no clear ongoing purpose, remove their access
  3. For guests with a named sponsor, contact the sponsor to confirm whether access is still required
  4. Where access is confirmed unnecessary, remove the guest from groups and revoke resource access before removing the account
  5. Set up access reviews in Entra ID Governance to ensure inactive guests are reviewed on a regular cycle
  6. Consider setting guest account expiry policies in Entra External Identities to automatically prompt review after a defined period

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Require MFA for guests and external users — Creates a Conditional Access Policy that requires MFA for guests and external users accessing tenant resources.
  • Block access from unknown device platforms — Creates a Conditional Access Policy that blocks sign-ins from devices not in the allowed platforms list.
  • Allow guest user for Teams — Determines whether guest users can access your Teams environment.

Supporting documentation

Related risks and follow-on checks

After investigating inactive guest users, review these related risk areas:

  • Guest Users with Risky Access — inactive guests and actively risky guests represent two ends of the same problem; review both categories together as part of the same guest access hygiene cycle
  • Conditional Access Exclusions — guest accounts are frequently excluded from CA policies that only target member accounts; confirm whether inactive guests benefit from any exclusions that should be removed alongside the access cleanup
  • Dormant Users — inactive guests and dormant internal users represent parallel access hygiene risks; apply the same review cycle and remediation approach to both
  • Apps with Risky Permissions — guests may have granted OAuth permissions to applications that persist even after the guest becomes inactive; review any app consents associated with guest identities before removing the account
  • External Email Forwarding Rules — if the guest's access was associated with a shared mailbox or Teams integration, check for forwarding rules or delegation changes made by or for that guest identity
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.