Most Microsoft 365 admins know they have a few stale guest accounts. Projects wrap up, vendors move on, and the accounts stay in your Entra directory holding whatever permissions they were granted.
A stale guest account is an external identity in Microsoft Entra ID that’s no longer actively used, either because the guest stopped signing in or because they were invited and never signed in at all. That distinction changes how you prioritize cleanup, and it runs through this whole guide.
Two things make this urgent now. Copilot respects whatever permissions exist in your tenant, so a guest account from 2023 is a live access path whether or not anyone has used it since. And with Microsoft routing all external sharing through Entra B2B by August 31, 2026, every external share now mints a permanent “shadow guest.” We covered that change in SharePoint external sharing changes; this guide is about clearing the backlog it leaves behind, first with the native Entra tools and then with Orchestry when the native path runs out.
When you invite an external user to a Teams channel, a SharePoint site, or directly through Entra B2B, Microsoft creates a guest account in your directory. That account persists unless someone explicitly removes it. There’s no default expiration, no inactivity alert, and no automatic cleanup in a standard Microsoft 365 configuration.
This creates two distinct accumulation patterns.
Mid-market organizations running active external collaboration for two or more years routinely accumulate hundreds to thousands of guest accounts. A guest account visibility in Teams audit often surfaces more than you’d expect if you haven’t run one recently.
The OTP change doesn't just add guests, it adds them faster than manual cleanup clears them. Every external share now creates a standing guest with no expiration and no alert, so if you were already behind, the gap widens by the day. This is the shadow guest backlog: accounts minted by routine sharing that no one decided to create and no one owns.
Orchestry's Guest Dashboard is built for exactly this inflow, flagging inactive and never-redeemed guests so the pile doesn't outrun you.
Copilot answers are scoped to the permissions of the person asking, and guests can't be licensed for Copilot, so the risk isn't a guest querying it. It's that a stale guest is standing access an AI can traverse: the same over-broad permissions surface to an employee's Copilot, and any agent running under that guest's identity inherits whatever the guest can still reach. Microsoft's Copilot oversharing blueprint identifies stale guest access as a prerequisite to clean up before deployment, not a hypothetical edge case.
Sharing links compound the problem. "Anyone with the link" permissions aren't tied to an account identity, but stale guest accounts with those links in their history represent open access vectors that Copilot doesn't filter out.
Guests can widen this themselves: a SharePoint setting, "Allow guests to share items they don't own," governs whether external users can re-share content they were only invited to, and Microsoft recommends keeping it off, because when it's on, a stale guest can generate new sharing links to content nobody internal created or tracks.
If your org is preparing for Copilot deployment or already running it, stale identities belong on your Copilot readiness checklist.
This is the group most inactivity audits miss, because they filter on sign-in activity and a never-redeemed guest has no sign-in record to surface, just a creation date and a blank last-sign-in field. But the access grant is still live: someone invited to a project site three years ago who never logged in still holds those permissions today.
Because they never used the access, the safe cleanup threshold is shorter. Someone inactive at 90 days may have a reason to return; someone who never signed in after 45 days probably never needed it.
Here’s how that never-redeemed group looks when it’s surfaced as its own report rather than buried inside a full guest list.
Orchestry's Not Redeemed view lists every guest that was invited but never accepted, with domain, date added, and last login, and a one-click export.
Orchestry surfaces this group as its own Not Redeemed list, every guest invited but never accepted, separated from your active and inactive guests. Because it's isolated from the rest of your guest population, you can review and clear the highest-risk accounts in one pass instead of scrolling a full export.
Microsoft's built-in tooling has improved. The Entra admin center includes a dedicated inactive guest insights report that gives you a starting point without PowerShell, though the report itself requires a Microsoft Entra ID Governance or Entra Suite license.
That's a separate add-on, not bundled into Microsoft 365 E5, and guest governance is billed per guest on top of it, so cleaning up dormant external accounts natively can carry a real recurring cost.
Step 1: Sign in to the Microsoft Entra admin center and navigate to ID Governance > Dashboard. Locate the Guest access governance card and select View inactive guests. You’re now in the inactive guest insights report.
Step 2: Review the default inactivity threshold, set to 90 days. Adjust it via Edit inactivity threshold based on your organization’s needs. The report shows your total guest count, your inactive guest count, and a breakdown of guests who have never signed in versus those who signed in but not recently. This split is useful: the never-signed-in group is your highest-confidence cleanup target.
Step 3: Export the list via Download all data. The CSV includes guest identity details and activity state. Sort by guests who have never signed in first. These accounts never accessed anything during the active invitation, so removal risk is low.
One note on sign-in logs: on Entra ID Free, sign-in logs are retained for only 7 days, extending to 30 days with Entra ID P1 or P2 (P1 is included in Microsoft 365 E3 and above). Guests who have never signed in are identified by account creation date, so log retention doesn’t affect that segment at all.
Orchestry’s Guest Dashboard surfaces the same data from Entra and adds configurable thresholds and recommended actions, so you’re not re-running the export every time you want a current view.
Entra's Access Reviews let you automate periodic reviews of inactive guests: you set who's in scope, who reviews, the inactivity threshold, and what happens when a reviewer doesn't respond. Microsoft Learn covers the full setup, and for a deeper walkthrough see the ultimate guide to guest access reviews in Microsoft 365. They need a Microsoft Entra ID Governance or Entra Suite license; without one, your options are manual admin action or PowerShell.
Even licensed, native tooling has gaps. Access Reviews always require a reviewer, automation only kicks in when a reviewer fails to respond, and there's no way to auto-delete clear-cut cases (long-inactive accounts, unredeemed invitations) on a daily basis without a review step for each. So a quarterly review handles the backlog, but nothing keeps pace with the guests arriving in between.
The inactive guest insights report and Access Reviews both require a Microsoft Entra ID Governance or Entra Suite license. Manually deleting a guest from the Entra admin center needs no license beyond your existing Microsoft 365 plan, but finding stale guests at scale through the insights report, or automating their removal, does. That governance license is a separate add-on, not bundled into Microsoft 365 E5, and it's billed per guest, so the native path to cleaning up stale guests at scale carries a recurring cost many teams don't expect.
No. Removing a guest from a specific Teams channel or SharePoint site only revokes their access to that resource. Their guest account stays in your Entra directory with any other permissions still attached. To fully remove a stale guest from your tenant, you need to delete the account directly from Entra, either through the admin center or through an automated policy.
Run the inactive guest insights report in the Entra admin center and sort by the never-signed-in segment. Those accounts have a blank last sign-in field and are identified by their creation date, and they’re the lowest-risk group to remove because they never accessed anything during the invitation.
Copilot and agents run with the permissions of the identity behind the request, and you can't assign a Copilot license to a guest, so a stale guest won't be prompting Copilot directly. The exposure is different: the broad permissions that leave stale guests with standing access are the same ones an employee's Copilot will surface, and an agent operating under a guest's identity inherits everything that guest can still reach. Removing stale guests shrinks the standing access an AI system can traverse.
Yes. As external sharing in OneDrive and SharePoint moves from one-time passcodes to Microsoft Entra B2B, completing by August 31, 2026, each external share creates a standing Entra guest account instead of a temporary passcode session. Your guest directory grows with routine sharing, so a cleanup process that keeps pace matters more after the transition than before it.
Review guests at least quarterly if you collaborate externally on an ongoing basis, and pair those reviews with continuous automated cleanup for the clear-cut cases (long-inactive accounts and unredeemed invitations) so the backlog doesn’t rebuild between cycles.
When external collaboration is ongoing, the manual cycle compounds faster than it clears. That's the gap Orchestry's guest management is built to close.
Orchestry’s Guest Management module gives admins a centralized dashboard showing inactivity status, redemption status, and recommended actions across the full guest population, synced from Entra. The inactivity threshold is configurable (default: 90 days) and applies across all dashboard views and insight reports.
Orchestry's guest dashboard summarizes the full guest population, with lifecycle-status tiles (active, inactive, not redeemed, recently renewed, recently deleted), redemption status, and a link into Orchestry's recommended actions.
Guest Review Policies assign recurring reviews to workspace owners, with configurable notification cadence and escalation. If an owner doesn’t respond by the end of the review period, Orchestry’s default enforcement automatically removes all non-reviewed guests from that workspace, with no PowerShell required.
Orchestry is building a Guest Delete Policy that automatically retires old, inactive, and unredeemed guests from Entra on configurable thresholds (for example, 90 or 180 days), with no PowerShell or manual cleanup. It closes the lifecycle alongside Guest Request and Guest Review, and logs every deletion to an audit trail and a daily digest. Since deleted guests can be restored for up to 30 days, anything removed in error is recoverable.
Orchestry automates the full cycle: finding stale guests, segmenting inactive accounts from unredeemed invitations, and removing accounts without requiring IT to run the process on a recurring basis. If you’d rather not do this by hand every quarter, request a demo to see how it works across your tenant.