Every time someone shares a Teams channel, a SharePoint folder, or a single document with an outside vendor, Microsoft Entra ID quietly creates a guest account in your tenant. The invite takes one click; the cleanup takes a deliberate process nobody set up, and so the guests accumulate. Years later you have thousands of external identities, most tied to projects that ended, contractors who left, or partners you stopped working with. These are not workload identities or app service principals; those are a separate problem. These are real human accounts with real access, and they are one of the most consistent blind spots we find when we audit an Entra ID tenant.
1. Guests Who Never Get Offboarded
The vendor finished the engagement in 2024, but their guest account still has access today, because nobody told Entra ID the project was over. Guest lifecycle is almost never tied to anything automatic, so the account just sits there with whatever it was granted on day one. Set up Microsoft Entra Access Reviews scoped to guest users, with the reviewer being the inviting sponsor or resource owner, and configure the review to auto-remove access when a reviewer does not respond. That last setting matters, because reviews that only flag accounts and never remove them just generate reports nobody reads.
2. Guests With No MFA and Weak External Authentication
A guest invited last year may be signing in with nothing but a one-time passcode to an email address you do not control, and if that mailbox is compromised, so is your tenant. Guest accounts are frequently left out of the same Conditional Access policies that protect your employees. Build a Conditional Access policy that targets the Guest or external users selection, require multifactor authentication for every guest sign-in, and decide deliberately whether you trust MFA claims from the guest's home tenant through cross-tenant access settings rather than letting the default stand.
3. Guests Holding Privileged Roles or Ownership
A guest should almost never hold a directory role, yet we routinely find external accounts that are owners of security groups, owners of app registrations, or assigned roles like Application Administrator. Group ownership is the quiet one, because owning a group can mean controlling who gets into it and what it grants. Audit role assignments and group and application ownership for any account where the user type is Guest, move any genuinely needed privileged access into Privileged Identity Management with activation and approval, and add guest-held roles to a recurring access review so the assignment has to be justified again on a schedule.
4. Stale Guests Inactive for 90 Days
The fastest way to shrink your guest blast radius is to find the accounts that have not signed in at all. Microsoft Entra ID records last sign-in through the signInActivity property, which you can pull through Microsoft Graph to surface every guest that has been dormant for 90 days or more. Feed that population into an access review or a disable-then-delete workflow, so a guest goes inactive, gets disabled after a grace period, and is removed if nothing changes. An account that nobody has used in three months is pure risk with no offsetting value.
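The dormancy triage described above, as an added example that is not SecValley's code. It assumes the records came from Graph's GET /users with $filter=userType eq 'Guest' and signInActivity included in $select (reading signInActivity needs the AuditLog.Read.All permission), and it treats guests with no sign-in record at all, such as invitations still pending acceptance, as aged from their invitation date rather than skipping them.

```python
# Added example (not SecValley's code); all records below are constructed.
from datetime import datetime, timedelta, timezone

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def last_activity(user):
    """Latest of interactive and non-interactive sign-in, or None if never."""
    act = user.get("signInActivity") or {}
    seen = [_ts(act.get("lastSignInDateTime")),
            _ts(act.get("lastNonInteractiveSignInDateTime"))]
    seen = [s for s in seen if s]
    return max(seen) if seen else None

def classify_guests(users, now, inactive_days=90, grace_days=30):
    """Map each guest UPN to keep / disable / wait / delete."""
    inactive_cutoff = now - timedelta(days=inactive_days)
    delete_cutoff = inactive_cutoff - timedelta(days=grace_days)
    verdicts = {}
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members are out of scope here
        # Never-signed-in guests (e.g. PendingAcceptance) carry no signInActivity;
        # age them from the invitation date rather than silently skipping them.
        seen = last_activity(u) or _ts(u["createdDateTime"])
        if seen > inactive_cutoff:
            verdict = "keep"
        elif u.get("accountEnabled", True):
            verdict = "disable"  # step one: cut access, keep the object
        elif seen <= delete_cutoff:
            verdict = "delete"   # disabled and the grace period has elapsed
        else:
            verdict = "wait"     # disabled, grace period still running
        verdicts[u["userPrincipalName"]] = verdict
    return verdicts

def _guest(upn, created, enabled=True, last=None, nonint=None, **extra):
    act = {"lastSignInDateTime": last, "lastNonInteractiveSignInDateTime": nonint}
    return {"userPrincipalName": upn, "userType": "Guest", "accountEnabled": enabled,
            "createdDateTime": created, "signInActivity": act if (last or nonint) else None, **extra}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [  # constructed sample data, one guest per branch above
    _guest("alice_vendor.example#EXT#@contoso.example", "2024-01-10T09:00:00Z", last="2025-05-20T08:00:00Z"),
    _guest("bob_partner.example#EXT#@contoso.example", "2024-02-01T09:00:00Z", last="2025-01-15T08:00:00Z", nonint="2025-02-10T08:00:00Z"),
    _guest("carol_old.example#EXT#@contoso.example", "2023-06-01T09:00:00Z", enabled=False, last="2024-11-01T08:00:00Z"),
    _guest("dave_new.example#EXT#@contoso.example", "2025-01-05T09:00:00Z", externalUserState="PendingAcceptance"),
    _guest("frank_stale.example#EXT#@contoso.example", "2024-03-01T09:00:00Z", enabled=False, last="2025-02-20T08:00:00Z"),
    {"userPrincipalName": "erin@contoso.example", "userType": "Member", "createdDateTime": "2022-01-01T00:00:00Z"},
]
```

The "disable" and "delete" verdicts are the two stages of the disable-then-delete workflow; feeding the "disable" population into an access review first keeps a human sponsor in the loop before anything is removed.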
5. Over-Permissive External Collaboration Settings
Often the sprawl is downstream of a single permissive switch: any employee can invite any external user, from any domain, into anything. Review your external collaboration settings and restrict who can issue invitations, ideally limiting it to the Guest Inviter role rather than leaving it open to all members. Use cross-tenant access settings to define which partner organizations you actually collaborate with and on what terms, and use allow or block lists for invitation domains so guests can only come from organizations you have chosen to trust.
6. Guests With Access to Sensitive SharePoint and Teams Data
A guest invited to one Teams channel can end up with a path to far more than the file someone meant to share, because SharePoint and Teams permissions inherit and spread in ways that are hard to see from the invite screen. Set the SharePoint and OneDrive external sharing controls to the least permissive level your business can tolerate, and prefer governed access packages in Entitlement Management over ad hoc sharing, so external access to a resource comes with a defined sponsor, an expiration date, and an audit trail instead of a link that lives forever.
7. No Access Reviews Means No Accountability
The pattern underneath all of this is the absence of a recurring checkpoint where a human confirms each guest still needs to be here. Without reviews, access only ever accumulates. Stand up multi-stage Access Reviews where the guest's sponsor reviews first and a resource owner confirms second, run them quarterly for sensitive resources, and keep the records, because the review history is exactly the evidence an auditor or a cyber-insurance underwriter will ask for when they want proof that external access is being governed.
Why It Keeps Happening
Guest accounts are created by the people doing the work, in the flow of getting something shared, and offboarding them is nobody's job by default. The invite is frictionless and the removal requires a process that has to be deliberately built, so the natural state of any busy tenant is more guests this quarter than last. SecValley surfaces stale guests, unprotected external sign-ins, guest-held privilege, and over-permissive collaboration settings across its 500+ controls, so you see the sprawl as it builds instead of discovering it during an incident. A guest account you forgot about is still a door into your tenant.
Frequently Asked Questions
How is guest sprawl different from service principal sprawl?
Guest sprawl is about human external identities created through Entra ID B2B collaboration: the contractors, vendors, and partners you invite into Teams, SharePoint, and apps. Service principal sprawl is about non-human workload identities: the app registrations and enterprise applications that machines authenticate as. Both accumulate and both need governance, but the accounts, the risks, and the cleanup workflows are different.
Can I automatically remove guests that have been inactive for 90 days?
Yes. Microsoft Entra Access Reviews can target inactive guest users and be configured to automatically remove access when a reviewer does not respond, and you can identify dormant accounts through the signInActivity property in Microsoft Graph. Pairing the two gives you a hands-off pipeline that disables and then deletes guests who have stopped signing in.
Who should be allowed to invite guests into our tenant?
Restrict invitations rather than leaving them open to every member. Assigning the Guest Inviter role to a defined set of people, combined with cross-tenant access settings that limit which partner domains are permitted, keeps external accounts from entering your tenant through paths nobody is watching.