Stale Guest Users

Identifies guest users who have not signed in for 90+ days

Category
Identity
Default severity
Medium
Rule key
CHECK_STALE_GUEST_USERS
Why this matters

What this means

Guest users (external identities) were found that have not signed in for over 90 days. These stale accounts represent unnecessary access paths into your tenant.

Why is it a security risk?

  • Inactive guest accounts may still have access to Teams channels, SharePoint sites, and other resources.
  • The external user's home organisation may have been compromised without your knowledge — their credentials could be used to access your data.
  • Compliance frameworks (ISO 27001, SOC 2) require regular review and removal of unused external access.

Recommended next steps

  1. Go to Microsoft Entra admin center → Users → Guest users and sort by last sign-in date.
  2. For each stale guest, verify with the inviting team whether the collaboration is still active.
  3. Remove guests that are no longer needed or disable their sign-in.
  4. Set up Access Reviews to automatically review guest access on a recurring schedule.
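The detection behind step 1, written out as an added Python example so the edge cases are visible; this is not EntraAnalyzer's own code. The guest records are constructed for the example and only mirror the shape of the Microsoft Graph `user` resource with its `signInActivity` property (the Graph query in the comment is the standard way to obtain such records and needs AuditLog.Read.All); the tenant and user names are made up.

```python
from datetime import datetime, timezone

STALE_AFTER_DAYS = 90  # the rule's threshold: "over 90 days" means strictly more than 90

# Constructed sample rows for this example, shaped like the Microsoft Graph
# `user` resource with the `signInActivity` property. They are NOT real tenant
# data. A live run would fetch the equivalent with
#   GET https://graph.microsoft.com/v1.0/users
#       ?$filter=userType eq 'Guest'
#       &$select=id,displayName,userPrincipalName,userType,createdDateTime,signInActivity
# (reading signInActivity requires the AuditLog.Read.All permission).
SAMPLE_GUESTS = [
    {   # active: signed in a few days ago
        "displayName": "Alice (Partner)", "userType": "Guest",
        "userPrincipalName": "alice_partner.example#EXT#@contoso.example",
        "createdDateTime": "2023-02-01T08:00:00Z",
        "signInActivity": {"lastSignInDateTime": "2024-05-20T08:00:00Z",
                           "lastNonInteractiveSignInDateTime": "2024-05-28T08:00:00Z"}},
    {   # stale: last sign-in of any kind was in January
        "displayName": "Bob (Partner)", "userType": "Guest",
        "userPrincipalName": "bob_partner.example#EXT#@contoso.example",
        "createdDateTime": "2023-02-01T08:00:00Z",
        "signInActivity": {"lastSignInDateTime": "2024-01-10T08:00:00Z",
                           "lastNonInteractiveSignInDateTime": None}},
    {   # edge case: old interactive sign-in, but Teams/Office token refreshes are
        # non-interactive sign-ins, so this guest is still in use (not stale)
        "displayName": "Carol (Partner)", "userType": "Guest",
        "userPrincipalName": "carol_partner.example#EXT#@contoso.example",
        "createdDateTime": "2023-02-01T08:00:00Z",
        "signInActivity": {"lastSignInDateTime": "2023-12-01T08:00:00Z",
                           "lastNonInteractiveSignInDateTime": "2024-05-15T08:00:00Z"}},
    {   # edge case: invited long ago, never signed in (Graph omits signInActivity)
        "displayName": "Dave (Partner)", "userType": "Guest",
        "userPrincipalName": "dave_partner.example#EXT#@contoso.example",
        "createdDateTime": "2023-09-01T08:00:00Z"},
    {   # edge case: invited last week, invitation still pending, not stale yet
        "displayName": "Eve (Partner)", "userType": "Guest",
        "userPrincipalName": "eve_partner.example#EXT#@contoso.example",
        "createdDateTime": "2024-05-25T08:00:00Z"},
    {   # a member that slipped into the input; the rule ignores non-guests
        "displayName": "Frank", "userType": "Member",
        "userPrincipalName": "frank@contoso.example",
        "createdDateTime": "2020-01-01T08:00:00Z",
        "signInActivity": {"lastSignInDateTime": "2023-01-01T08:00:00Z",
                           "lastNonInteractiveSignInDateTime": None}},
]

# Fixed evaluation time so the example is reproducible; live, use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _parse(ts):
    """Parse a Graph ISO-8601 timestamp such as '2024-01-10T08:00:00Z'; None passes through."""
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def last_activity(user):
    """Most recent sign-in of either kind, or None if the guest has never signed in."""
    activity = user.get("signInActivity") or {}
    stamps = [_parse(activity.get("lastSignInDateTime")),
              _parse(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def evaluate_guest(user, now, threshold_days=STALE_AFTER_DAYS):
    """Return a finding dict if this guest is stale, otherwise None."""
    if user.get("userType") != "Guest":
        return None
    last = last_activity(user)
    if last is None:
        # Never signed in: measure staleness from the invitation (creation) date,
        # otherwise a pending invitation from last week would be flagged too.
        reference, reason = _parse(user["createdDateTime"]), "never signed in since invitation"
    else:
        reference, reason = last, "no interactive or non-interactive sign-in"
    days = (now - reference).days
    if days <= threshold_days:
        return None
    return {"userPrincipalName": user["userPrincipalName"],
            "displayName": user.get("displayName", ""),
            "daysInactive": days, "reason": reason}


def find_stale_guests(users, now=None, threshold_days=STALE_AFTER_DAYS):
    """Evaluate every record and return stale guests, longest inactive first."""
    now = now or datetime.now(timezone.utc)
    findings = [f for f in (evaluate_guest(u, now, threshold_days) for u in users) if f]
    return sorted(findings, key=lambda f: f["daysInactive"], reverse=True)


if __name__ == "__main__":
    for f in find_stale_guests(SAMPLE_GUESTS, now=NOW):
        print(f"{f['daysInactive']:>4} days  {f['userPrincipalName']}  ({f['reason']})")
```

Two choices in the check are worth noting. Sorting only by the interactive `lastSignInDateTime`, as the admin center column does, would flag Carol even though her Teams client refreshes tokens every week; taking the later of both timestamps avoids that false positive. Guests with no `signInActivity` at all are measured from `createdDateTime`, which separates a long-ignored invitation (Dave, a clean-up candidate) from one sent a few days ago (Eve).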

How to fix it

Review and remove inactive guest accounts

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All
  • User.Read.All
  • AuditLog.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →