Inactive Guest Users: Forgotten External Access Risk

Why this risk matters

Inactive guest users are external identities that were invited into the tenant — often for a specific project, vendor engagement, or file share — and have not signed in for an extended period but still retain active access to tenant resources.

Unlike dormant employee accounts, inactive guest users carry a different risk profile. The credential lives in the external organisation's identity provider (or a consumer Microsoft account), while the guest object and its permissions live in your tenant, and neither party is actively managing the pairing. The guest has no reason to notice their access is still active, and the host organisation has no workflow prompting a review. The result is access that quietly persists, often indefinitely.

Overe flags guest users with no recent sign-in activity who still hold active resource access. These accounts receive little scrutiny from the host tenant, which controls neither the guest's credentials nor their MFA. If the guest's home account is compromised, the attacker inherits your tenant's resources as an additional prize, and because nobody expects activity from that account, the misuse may not be quickly detected.

What happens if this is abused

  • Guest's home account compromised — attacker discovers the guest has access to a partner organisation's SharePoint or Teams and uses it to access sensitive files
  • Former vendor retains read access to a SharePoint site containing financial, technical, or client data long after the engagement ended
  • Inactive guest account used as a stepping stone by an attacker who wants to appear as a legitimate external user rather than an unknown threat
  • Guest who left a contractor organisation still has access to internal Teams channels used for sensitive discussions
  • A still-valid refresh token or browser session for an inactive guest allows access without a fresh interactive sign-in, so "no recent sign-in" does not always mean "no recent access"

When this is expected or acceptable

Some guests are legitimately inactive for periods of time — a seasonal contractor who will return, a partner who accesses resources infrequently, or an auditor whose annual review has passed but is expected to return.

The key distinction is documentation and expectation. An inactive guest with a defined re-engagement date and a named internal sponsor is different from an orphaned account that nobody remembers inviting. Any guest without a clear ongoing purpose should be reviewed before their inactive status is treated as acceptable.

Checks to perform before taking action

Before removing or modifying an inactive guest account:

  • Check the guest's last sign-in date (interactive and non-interactive) and the resources they currently have access to
  • Identify whether there is a named internal sponsor who is aware of and accountable for the guest's access
  • Confirm whether the guest's original purpose — project, vendor engagement, shared file — is still active
  • Check whether the guest holds any group memberships or permissions beyond basic resource access
  • Review Overe for any unusual sign-in activity associated with the account before assuming it is safely inactive
  • Confirm with the internal sponsor whether the access should be retained, reduced, or removed

Safe remediation steps

  1. Use Overe to review inactive guest users sorted by last sign-in date and access scope
  2. For guests with no active sponsor and no clear ongoing purpose, remove their access
  3. For guests with a named sponsor, contact the sponsor to confirm whether access is still required
  4. Where access is confirmed unnecessary, remove the guest from groups and revoke resource access, revoke active sessions, and only then remove the account
  5. Set up access reviews in Entra ID Governance, scoped to guest users and filtered on inactivity, so that inactive guests are reviewed on a regular cycle
  6. Consider time-bound guest access, for example access package expiry in Entra ID Governance entitlement management, so that guest access lapses and prompts review after a defined period
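The checks and remediation steps above, as one Microsoft Graph PowerShell script. This is an added example, not Overe's or Microsoft's own tooling. It assumes the Microsoft.Graph PowerShell SDK is installed, that the operator holds the User.ReadWrite.All, AuditLog.Read.All and GroupMember.ReadWrite.All permissions, and that 90 days is the organisation's chosen inactivity threshold (an assumption; choose your own). It builds the review list sorted by last sign-in with each guest's group memberships, and provides a function that removes a sponsor-confirmed guest in the safe order: groups first, then sessions, then the account.

```powershell
# Added example, not Overe's or Microsoft's own tooling. Assumes the Microsoft.Graph
# PowerShell SDK is installed, the operator holds User.ReadWrite.All, AuditLog.Read.All
# and GroupMember.ReadWrite.All, and that 90 days is the organisation's chosen
# inactivity threshold (an assumption; pick your own).
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","GroupMember.ReadWrite.All"

$InactiveDays = 90
$Cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# Pull every guest with its sign-in activity. SignInActivity needs AuditLog.Read.All
# and is null for guests who have never signed in (or never redeemed the invitation).
$Guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,Mail,CreatedDateTime,ExternalUserState,SignInActivity

$Inactive = foreach ($g in $Guests) {
    # Token refreshes show up as non-interactive sign-ins, so take the later of the two
    # timestamps; otherwise a guest with a long-lived session looks inactive when it is not.
    $last = @($g.SignInActivity.LastSignInDateTime,
              $g.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    if (-not $last -or $last -lt $Cutoff) {
        # Group membership is where most SharePoint and Teams access is granted.
        $groups = @(Get-MgUserMemberOf -UserId $g.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
        [pscustomobject]@{
            Id          = $g.Id
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Invited     = $g.CreatedDateTime
            InviteState = $g.ExternalUserState   # PendingAcceptance = never redeemed
            LastSignIn  = $last
            GroupCount  = $groups.Count
            Groups      = ($groups | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join '; '
        }
    }
}

# Review list: oldest sign-in first, never-signed-in guests at the top.
$Inactive | Sort-Object LastSignIn | Format-Table DisplayName,Mail,InviteState,LastSignIn,GroupCount -AutoSize

# For a guest whose sponsor has confirmed the access is no longer needed: strip group
# access, invalidate tokens, then delete. Run with -WhatIf first to see the plan.
function Remove-ConfirmedGuest {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $UserId)

    $memberships = Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    foreach ($grp in $memberships) {
        if ($PSCmdlet.ShouldProcess($grp.Id, "Remove guest $UserId from group")) {
            Remove-MgGroupMemberByRef -GroupId $grp.Id -DirectoryObjectId $UserId
        }
    }
    if ($PSCmdlet.ShouldProcess($UserId, "Revoke refresh tokens and delete guest")) {
        # Invalidates refresh tokens and session cookies so cached sessions stop working now
        Revoke-MgUserSignInSession -UserId $UserId | Out-Null
        # Soft delete: the object is recoverable from Deleted users for 30 days
        Remove-MgUser -UserId $UserId
    }
}

# Dry run against the first guest on the review list; drop -WhatIf once the sponsor's
# confirmation has been recorded.
# Remove-ConfirmedGuest -UserId $Inactive[0].Id -WhatIf
```

Two caveats when using this. Remove-MgGroupMemberByRef fails on dynamic groups and on groups synced from on-premises AD, so those memberships have to be handled by changing the rule or the source. Direct SharePoint or OneDrive sharing links and app role assignments do not appear as group memberships; they are cut off when the guest object is deleted, which is why the account removal is the last step rather than an optional one.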

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Supporting documentation

Related risks and follow-on checks

  • Guest users with risky access
  • Dormant users
  • Conditional Access exclusions creating risk