This blog is part of a series on Teams. For more articles, check back often.
Written: 09/02/2020 | Updated: N/A
Guest access is an amazing feature of Teams. Why? Because it gives members of the Team access to other organisations’ Teams, resources and assets. It allows them to collaborate seamlessly with others outside of the organisation. However, for many reasons, collaboration comes to an end. This may be because the project has ended and collaboration was only ever short-term. It may be because we now do things in a different way, i.e. via private channels in our own tenant as opposed to collaborating in another. Whilst Azure AD access reviews and entitlement management can remove guests from Teams and from other organisations’ tenants, it is often the case that the other organisation hasn’t implemented them or doesn’t have the licensing (currently Azure AD P2). Therefore, as guests, we can have access to tenants we don’t need or don’t want. It creates complexity and clutter. In the same way we now recognise Teams sprawl, tenant sprawl can also be an issue. We need to know how we can remove ourselves, or how the other organisation can remove us.
Note: Some may be of the opinion that organisations ought to periodically review guests and be proactive in terms of their management. I absolutely agree. However, I find from personal experience that a great many do not. I only have access to the half a dozen tenants I need now, but I previously had access to over 30 – and many of these I had zero interaction with for many months. For a long time I had no idea of the options which were open to me to remove myself.
WHY WOULD WE DO IT?
- We have finished collaborating with another organisation
- To reduce the number of tenants one has access to as a guest
- To reduce tenant sprawl
PREREQUISITES
Users need Teams licences, usually via Office/Microsoft 365. The other organisation doing the removal needs administrative access to Azure AD if it is manually removing the guest via Method 1.
HOW – METHOD 1 – ADMIN LED REMOVAL
1.) I have been added to a Team within another organisation’s tenant for collaboration. It has sent me an invitation to join that Team, and that organisation, as a guest.
2.) After accepting the invitation, I can access the tenant of the other organisation through the client (top right, next to the menu). As shown below, the other organisation’s tenant is marked out in red, and once selected, my client switches into the other tenant and the new Team which I am a part of.
3.) After some time that project ends. I no longer need to access either the team or the tenant. I can leave the team easily by selecting the ellipsis and then Leave the team, but there is no option in the client to leave the tenant itself – it simply remains part of my list of accessible tenants in the Teams client, which clutters everything up.
4.) Through Teams (you still have access to private chat in the other tenant unless this is switched off via a messaging policy) or by email, request that the other organisation removes you as a guest through Azure AD.
5.) The admin of the other organisation should now log into the Microsoft 365 panel at https://login.microsoftonline.com
6.) Select Admin
7.) Select Azure Active Directory in the left navigation under admin centres
8.) Select Users
9.) Select the guest to be deleted and then select Delete user. The guest is marked out by a world/globe icon, a user type of Guest and a source of External Azure Active Directory.
10.) Azure AD will ask for confirmation. Select Yes
11.) Azure will confirm the deletion
12.) Now go to Deleted Users and select Delete Permanently. It will again ask for confirmation and confirm the action has been completed
13.) Once this has been completed, the tenant should disappear from the Teams client within 24 hours. Attempting to access the tenant during this period, while it is still visible in the tenants list, may endlessly cycle whilst attempting to switch (which may need a restart of Teams), or an “invitation redemption failed” window will appear.
This has shown the steps for a manual removal. Guest users can also be removed via PowerShell and Microsoft Graph. For PowerShell, the command is as follows (it requires the AzureAD module and a prior Connect-AzureAD):
PS C:\> Remove-AzureADUser -ObjectId "TestUser@example.com"
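The one-liner above soft-deletes the account; the manual steps 9 to 13 also purge it from Deleted Users. The following script is an added example (not code from the original post) that performs the whole sequence with the AzureAD module: it looks the guest up by mail address rather than UPN (a guest's UPN is rewritten to the user_domain#EXT# form on invitation), refuses to touch anything that is not a Guest, soft-deletes it, and then removes it permanently. The $GuestMail value and the role held by the admin are assumptions.

```powershell
# Added example, not from the original post. Removes one guest from the tenant
# and purges it from Deleted Users, mirroring manual steps 9-13.
# Assumes: AzureAD module installed, caller holds a role allowed to delete users.
param(
    [Parameter(Mandatory = $true)]
    [string]$GuestMail   # e.g. 'TestUser@example.com' (placeholder value)
)

Connect-AzureAD | Out-Null

# Guest UPNs are rewritten on invitation (user_example.com#EXT#@tenant...),
# so match on the Mail attribute and insist on UserType = Guest so that a
# member account with a similar address is never deleted by mistake.
$guest = Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$GuestMail'"
if (-not $guest) {
    throw "No guest user with mail '$GuestMail' found in this tenant."
}
if (@($guest).Count -ne 1) {
    throw "More than one guest matches '$GuestMail'; refusing to guess."
}

Write-Host "Removing guest $($guest.DisplayName) ($($guest.UserPrincipalName))"

# Soft delete: the object moves to Deleted Users (manual steps 9-11).
Remove-AzureADUser -ObjectId $guest.ObjectId

# Permanent delete: equivalent of Deleted Users > Delete Permanently (step 12).
$deleted = Get-AzureADMSDeletedDirectoryObject -Id $guest.ObjectId
if ($deleted) {
    Remove-AzureADMSDeletedDirectoryObject -Id $guest.ObjectId
    Write-Host "Guest purged; the tenant should drop from their Teams client within 24 hours."
} else {
    Write-Warning "Guest was soft-deleted but not found in Deleted Users; purge it manually."
}
```

Run it as an administrator of the tenant that invited the guest, not from the guest's own tenant.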
HOW – METHOD 2 – SELF REMOVAL
1.) Sign into https://myapps.microsoft.com. Select the profile picture, then the cog next to the list of other organisations you have access to.
2.) Under organisations, select sign in to leave organisation
3.) This will take you to the organisation’s myapps page. Select Profile Picture and Cog again then Leave Organisation
4.) Select Leave
5.) This is then confirmed
6.) Alternatively, you can also remove yourself via http://myprofile.microsoft.com/organisations. Select Manage Organisations.
7.) Select Leave Organisation
Like the previous method, once this has been completed the tenant should disappear from the Teams client within 24 hours. Attempting to access the tenant during this period, while it is still visible in the tenants list, will either endlessly cycle whilst attempting to switch (which may need a restart of Teams), or an “invitation redemption failed” window will appear.
————————————-
Our job here is done.
Tenant sprawl, like Teams sprawl, is important to be mindful of. It may already be an issue for someone who actively works in a few tenants, but over time has built up access to dozens or hundreds. It increases the complexity of Teams and the clutter. However, simply knowing that you can, and how you can, be removed as a guest or leave by your own account, is important as this isn’t something you have to live with. I personally felt better when I had been removed from over two dozen tenants and no longer had access. Raising this with other organisations does make them ask what they are doing to manage guests, and creating that kind of awareness is good from both a productivity and security perspective.