TJ Hoag

The Guest Account Nobody Remembered

TJ
Timothy J. Hoag
IAM & IT Operations Specialist

A guest account showed up in an access review that nobody could identify.

Not the user. Not the team that invited them. Nobody remembered the project, the vendor, or why the account existed in the first place. The account had been sitting there for months with access it no longer needed, attached to a tenant that had no record of creating it.

That is not unusual. That is what unmanaged guest access looks like when no one is actively watching it.

How Guest Accounts Accumulate

Guest accounts in Microsoft Entra ID are easy to create. An external collaborator needs to see a SharePoint site. A vendor needs to join a Teams channel for a project kickoff. Someone sends an invite, the guest accepts, and the account is live in minutes.

The problem is not the invitation. The problem is what happens after the project ends.

There is no HR offboarding trigger for an external guest. There is no deprovisioning event when a vendor contract closes. The account does not expire unless someone specifically configured it to. Without an expiration policy or an assigned owner, that guest account sits active six months later when nobody in the organization can tell you who it belongs to.

What Makes Guest Accounts Different

Internal user accounts have a lifecycle. HR creates a hire record, IT provisions the account, and when the employee leaves, the offboarding process disables and removes it. That chain is not perfect, but it exists.

Guest accounts have none of that scaffolding. There is no hiring record. There is no manager of record in most cases. The only thing connecting that guest to your organization is the original invitation, and the person who sent it may have moved teams, changed roles, or left the company entirely by the time an access review catches the account.

Guest accounts outlive the projects that created them because there is no automatic signal to remove them. You have to go looking.

What an Access Review Actually Finds

When you run a structured access review that includes guest accounts, a consistent pattern surfaces:

  • Accounts with no recent activity but valid access
  • Accounts with no identifiable owner in the organization
  • Accounts tied to vendors or partners whose contracts have ended
  • Accounts with display names that do not match any active project or relationship

The license cost for a guest account is minimal, which is part of why they accumulate. There is no billing pressure to clean them up. The invite takes ten seconds. The cleanup requires someone to care enough to look.

The Compliance Problem

In healthcare and higher ed, unclaimed access is not just a hygiene issue. It is a HIPAA or FERPA problem waiting for an audit.

If a guest account retains access to a SharePoint site containing patient records, protected student data, or research files, and that account cannot be traced to an active business relationship, you have an unauthorized access exposure. An auditor does not need to find evidence of a breach. They need to find evidence that access was not controlled.

Guest accounts that outlive their purpose are exactly that kind of evidence.

What Good Looks Like

Managing guest account sprawl does not require a major platform investment. It requires policy and follow-through:

  • Set expiration policies. Entra ID allows guest account expiration at the tenant level. A default review period of 90 or 180 days means accounts require active renewal to stay alive.
  • Assign ownership at invite time. The person sending the invite should be the owner of record. Make it part of the invitation workflow, not an afterthought.
  • Include guests in access reviews. Many access reviews default to internal users only. External guests need to be in scope.
  • Tie the account lifecycle to the business relationship. When the vendor contract ends or the project closes, that is the trigger to review and remove associated guest access.

None of these steps eliminate the problem entirely. But they shift the default from "accounts persist until someone notices" to "accounts require active justification to stay active."

This Is Not Just a Guest Account Problem

The guest account nobody remembered is a symptom of a broader identity governance gap: access created for a legitimate reason, with no mechanism to remove it when that reason ends.

Guest accounts are one version of it. Shared mailboxes outlast the teams that used them for the same reason. Service accounts from decommissioned projects stay active years past their useful life for the same reason. The mechanism is different; the failure is the same.

Access reviews surface these accounts, but only when the review scope is wide enough to catch what the directory does not actively manage.

Does your organization have a guest account expiration policy, or do those accounts outlive the projects that created them?


Scenarios in this post are drawn from common patterns observed across enterprise and institutional environments. No specific organization, client, or individual is referenced.

Opportunities
Open to Remote Roles

IAM Analyst, Junior Systems Administrator, or IT Operations Analyst — ideally in healthcare or higher education. Direct hire, W-2.

Discuss opportunities