Stale guest accounts are a liability and security risk for every organisation utilizing guest accounts. This script was designed to remove guest accounts in the following two scenario’s: (1) when invitation has not been accepted and has expired (90 days) and (2) when an account has become inactive after a user defined period of time.
17/04/3023 Important Update: Due to MS changing the paging sizes guest might be removed incorrectly. Please update the script ASAP and report any further issues.
27/02/2023 Access Reviews now support custom days inactive values which could be used instead of this script.
## Remove-StaleGuests.ps1 [-InactiveTimeSpan <Integer>] [-ForceRemoval <Boolean>]
[-RemoveExpiredGuests <Boolean>] [-RemoveInactiveGuests <Boolean>] [-DifferentialScope <Integer>]
[-AppID <String>] [-TenantID <String>] [-CertificatePath <String>] [-ClientSecret <String>]
[-AutomationPSConnection <String>] [-AutomationPSCertificate <String>] [-ExportCSVPath <String>]
.PARAMETER InactiveTimeSpan
The InactiveTimeSpan parameter defines the number of days that a guest user has not logged
using the guest account.
.PARAMETER RemoveExpiredGuests
The RemoveExpiredGuests parameter allows the removable of guests who have not accepted
the invitation for 90 days at which time it expires and needs to be resent. This removal
would require the guest account to be recreated. Must be used with the InactiveTimeSpan parameter.
.PARAMETER RemoveInactiveGuests
The RemoveInactiveGuests parameter allows the removable of guests as defined in the
InactiveTimeSpan. Must be used with the InactiveTimeSpan parameter.
.PARAMETER ForceRemoval
The ForceRemoval parameter allows the removable of guests with default logon information
older than Apr-2020 or for accounts that have not yet had a signin. The DateTime value
might be displayed as 01-01-0001. As exact logon details cannot be provided these accounts
are excluded from remove by default.
The ExportCSVPath parameter specifies that all results will be exported to a CSV file.
Insert the full path such as a string 'c:\temp\guest.csv' or just the file name to output
the data to current location.
.PARAMETER DifferentialScope
The DifferentialScope parameter defines how many guests can be removed in a single
operation of the script. The goal of this setting is throttle bulk changes to limit
the impact of misconfiguration by an administrator. What value you choose here will
be dictated by your userbase and your script schedule. The default value is set to
10 Objects.
The AppID parameter is used in manual mode and defines Azure AD Application ID.
The TenantID parameter is the GUID for the Tenant.
.PARAMETER CertificatePath
The CertificatePath parameter is the path for the Cert for example:
'Cert:\CurrentUser\My\<ThumbPrint>' or 'cert:\LocalMachine\my\<ThumbPrint>' Must
be used with parameters AppID and TenantID.
.PARAMETER ClientSecret
The ClientSecret parameter is the plain text authenication string. This should be used
only for test purposes. Not recommeneded for use in production. Must be used with
parameters AppID and TenantID.
.PARAMETER AutomationPSConnection
The AutomationPSConnection parameter defines the connection details such as AppID,
Tenant ID. Parameter must be used with -AutomationPSCertificate
.PARAMETER AutomationPSCertificate
The AutomationPSCertificate parameter defines the name of the automation certificate
that has been loaded in Azure Automation.
Remove-StaleGuests.ps1 -ExportCSVPath guest.csv
In this example the script will provide detailed report information on your guest accounts.
Remove-StaleGuests.ps1 -InactiveTimeSpan 365 -RemoveExpiredGuests:$true -AppID "7af89f06-f1cc-4ff7-aee8-b6a43f6a0ae2"
-TenantID "557febb4-aa10-4520-80d1-280058cb8353" -CertificatePath "cert:\LocalMachine\my\303A498735t987876245kjlnsfv3495784"
In this example the script will remove expired guests that have not accepted the invite after 90 days.
Remove-StaleGuests.ps1 -InactiveTimeSpan 720 -RemoveExpiredGuests:$true -RemoveInactiveGuests:$true -AppID "7af89f06-f1cc-4ff7-aee8-b6a43f6a0ae2"
-TenantID "557febb4-aa10-4520-80d1-280058cb8353" -ClientSecret '2pT\H8{u28y^fhG,'
In this example the script will remove guests that have not accepted the invitation after 90 days
and have been inactive for 2 years.
Remove-StaleGuests.ps1 -InactiveTimeSpan 365 -RemoveInactiveGuests:$true -AutomationPSConnection AzureAuto-Connect -AutomationPSCertificate AzureAuto-Cert
In this example the script will remove guests that have been inactive for 1 year. Running this script in Azure Automation
requires that you enable the use of
NOTE! Script Requires the MSAL.PS Module. Run - Install-Module -Name MSAL.PS -
IMPORTANT! Hey! Graph API Beta is used. You must use user creds or an Azure Application which is
granted the following permissions.
AuditLog.Read.All - Access LastLogon information
Directory.Read.All - Fix auditlog bug
User.ReadWrite.All - Needed for guest removal (Allow only after extensive testing)
IMPORTANT! The use of client serect is not recommended in production. It is highly recommended that you use
Certifcate based authenication. Graph API Beta is also not recommended in production.
ANOTHER NOTE! MSAL.PS Module: was bombing with the Az Module. You may receive the error:
"The property 'Authority' cannot be found on this object."
AND... ANOTHER NOTE! - Guests changed from the default setting of hidden in the GAL will not be removed.
You will need to amend the script to allow this if needed.
Joshua Bines, Consultant
Tony Redmond (Tony let's say I took inspiration from your blog post and script! :) )
Nicolas Honsberger -
0.0.1 20200421 - JBINES - Created the bare bones
0.0.2 20200423 - JBines - [BUGFIX] Exclude from removal guests if they are enabled in the address book
- [Feature] Added RemoveInactiveGuests and ExportCSVPath Switch
1.0.0 20200427 - JBines - [MAJOR RELEASE] Works like a dream as long as you read the notes...
1.0.1 20200617 - JBines - [Feature] Improved default reporting mode, examples and some extra error checking.
1.0.2 20200915 - JBines - [Info] Azure Signin Logs are kept for 7-30 days depending on the user Licence.
2.0.0 20200915 - JBines - [MAJOR RELEASE] Complete script rewrite.
- Added support for App Only Connections with Graph API. Also Started Graph API for the Last Login Date which is vaild back to Apr-2020.
2.0.1 20220210 - JBines - [BUGFIX] Small issue found with VAR client secret. Line 305 -
2.0.2 20220404 - JBines - [BUGFIX] PowerShell v7 has has strict header parsing added switchto bypass -SkipHeaderValidation
Add Email Notication Prior to Guest Removal / MED