This blog is part of a series on Teams. For more articles, check back often.

Written: 09/02/2020 | Updated: N/A

Guest access is an amazing feature of Teams. Why? Because it gives members of the Team access to other organisations’ Teams, resources and assets. It allows them to collaborate seamlessly with others outside of the organisation. However, for many reasons, collaboration comes to an end. This may be because the project has ended and collaboration was only ever short-term. This may be because we now do things in a different way, i.e. via private channels in our own tenant as opposed to collaborating in another. Whilst Azure AD access reviews and entitlement management can remove guests from Teams and from other organisations’ tenants, it is often the case that the other organisations haven’t implemented them or don’t have the licensing (currently Azure AD P2). Therefore, as guests, we can have access to tenants we don’t need or don’t want. It creates complexity and clutter. In the same way we now recognise Teams sprawl, tenant sprawl can also be an issue. We need to know how we can remove ourselves or how the other organisation can remove us.

Note: Some may be of the opinion that organisations ought to periodically review guests and be proactive in terms of their management. I absolutely agree. However, I find from personal experience that a great many do not. I only have access to the half a dozen tenants I need now, but I previously had access to over 30 – and many of these I had zero interaction with for many months. For a long time I had no idea of the options which were open to me to remove myself.

WHY WOULD WE DO IT?

  • We have finished collaborating with another organisation
  • To reduce the number of tenants one has access to as a guest
  • To reduce tenant sprawl

PREREQUISITES

Users need Teams licences – usually via Office/Microsoft 365. The other organisation, which is doing the removal, needs administrative access to Azure AD if it is removing the guest manually via method 1.

HOW – METHOD 1

1.) I have been added to a Team within another organisation’s tenant for collaboration. It has sent me an invitation to join that Team, and that organisation, as a guest

2.) After accepting the invitation, I can access the tenant of the other organisation through the client (top right next to the menu). The other organisation’s tenant appears in the tenant list there, and once it is selected the client switches into that tenant and the new Team which I am a part of

3.) After some time that project ends. I no longer need to access either the team or the tenant. I can leave the team easily by selecting the ellipsis and then leave the team, but there is no option in the client to leave the tenant itself. It simply remains part of my list of accessible tenants in the Teams client, which clutters everything up

4.) Through Teams (you still have access to private chat through the other tenant unless this is switched off via a messaging policy) or through email, request that the other organisation removes you as a guest through Azure AD

5.) The admin of the other organisation should now log into the Microsoft 365 panel at https://login.microsoftonline.com

6.) Select Admin 

7.) Select Azure Active Directory in the left navigation under admin centres

8.) Select Users

9.) Select the guest to be deleted and then select Delete user. The guest should be marked out by a world/globe icon, a user type of Guest and a source of External Azure Active Directory

10.) Azure AD will ask for confirmation. Select Yes

11.) Azure will confirm the deletion

12.) Now go to Deleted Users and select Delete Permanently. It will again ask for confirmation and confirm the action has been completed

13.) Once this has been completed, the tenant should disappear from the Teams client within 24 hours. Attempting to access the tenant during this period, while it is still visible in the tenants list, will either cycle endlessly whilst attempting to switch (which may need a restart of Teams) or show an invitation redemption failed window

This has shown the steps for a manual removal. Guest users can also be removed via PowerShell and Microsoft Graph. For PowerShell, the command is as follows:

PS C:\> Remove-AzureADUser -ObjectId "TestUser@example.com"
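
Steps 9 to 12 of method 1, scripted with the same AzureAD module, as an added example that is not part of the original post. TestUser@example.com is the sample address from the command above; looking the guest up by mail address, the guest-only check and the retry count are assumptions of this example.

```powershell
# Added example (not from the original post): remove one guest, then purge it.
# Run by an admin of the tenant the guest is being removed from.
param(
    [string]$GuestMail = 'TestUser@example.com'   # sample value from the post
)

Import-Module AzureAD
Connect-AzureAD | Out-Null

# A guest's UPN in the host tenant normally looks like
# user_example.com#EXT#@tenant.onmicrosoft.com, so match on mail instead and
# require UserType Guest so a member account is never picked up by mistake.
$safeMail = $GuestMail.Replace("'", "''")        # escape quotes for the OData filter
$guests = @(Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$safeMail'")

if ($guests.Count -ne 1) {
    throw "Expected exactly one guest with mail '$GuestMail', found $($guests.Count). Nothing was deleted."
}
$guest = $guests[0]
Write-Host ("Removing {0} ({1}), UserType={2}" -f $guest.DisplayName, $guest.UserPrincipalName, $guest.UserType)

# Steps 9-11: soft delete. The account moves to Deleted users.
Remove-AzureADUser -ObjectId $guest.ObjectId

# Step 12: delete permanently. The deleted object may not be visible
# immediately, so retry a few times (retry count and delay are assumptions).
$purged = $false
foreach ($attempt in 1..5) {
    try {
        Remove-AzureADMSDeletedDirectoryObject -Id $guest.ObjectId -ErrorAction Stop
        $purged = $true
        break
    } catch {
        Start-Sleep -Seconds 5
    }
}

if ($purged) {
    Write-Host "Guest $GuestMail permanently deleted."
} else {
    Write-Warning "Guest $GuestMail is soft-deleted but not purged; finish step 12 in Deleted users."
}
```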

HOW – METHOD 2

1.) Sign into https://myapps.microsoft.com. Select the profile picture, then the cog next to the list of other organisations you have access to

2.) Under organisations, select sign in to leave organisation

3.) This will take you to the organisation’s myapps page. Select Profile Picture and Cog again then Leave Organisation

4.) Select Leave

5.) This is then confirmed

Like the previous method, once this has been completed the tenant should disappear from the Teams client within 24 hours. Attempting to access the tenant during this period, while it is still visible in the tenants list, will either cycle endlessly whilst attempting to switch (which may need a restart of Teams) or show an invitation redemption failed window.

————————————-

Our job here is done.

Tenant sprawl, like Teams sprawl, is important to be mindful of. It may already be an issue for someone who actively works in a few tenants, but over time has built up access to dozens or hundreds. It increases the complexity of Teams and the clutter. However, simply knowing that you can, and how you can, be removed as a guest or leave by your own account, is important as this isn’t something you have to live with. I personally felt better when I had been removed from over two dozen tenants and no longer had access. Raising this with other organisations does make them ask what they are doing to manage guests, and creating that kind of awareness is good from both a productivity and security perspective.
