Azure Guest access is a great concept primarily wrapped in the Microsoft Teams, SharePoint and Onedrive experience, however reporting and keeping a lid on Azure Guest access accounts can be a daunting task. Luckily there's a few ways to poll Azure Guest accounts, with PowerShell providing the best experience so far.
Accessing https://portal.azure.com and selecting Azure Active Directory | All Users | and then selecting 'Show: Guest Users Only' will give you a list of the current Azure AD Guest Users in your directory. Unfortunately however, the UI is very limited in being able to get more information than what is presently shown.
Luckily the new Azure AD PowerShell Preview module can provide better insight to guest users for your Directory and we can utilise the shell to create a report for administrative purposes.
Let's take a look; once you have the module installed, utilise Connect-AzureAD, the module supports modern authentication by default so if you're looking to pre-enter credentials utilise the -credential parameter and $Credential = Get-Credential for scripting purposes.
We can simply list all users with Get-AzureADUser
We can get more information on a user by utilising -ObjectID and utilising the Azure AD User objects ObjectID GUID. For example Get-AzureADUser -ObjectID "object guid" |FL
What we see here is the parameter UserType - this is how we can differenciate a normal user to a Guest.
With a simple where statement we can specify all Guest users.
Get-AzureADUser |where {$_.UserType -eq 'Guest'}
The 'CreationType' attribute will also list if the account was created from an invitation from a user.
With a fairly simply PowerShell one liner we can retrieve all Azure Guest Users and format their most appropriate attributes easily.
Get-AzureADUser |where {$_.UserType -eq 'Guest'} |Select DisplayName, UserPrincipalName, AccountEnabled, mail |FT
We can utilise https://portal.azure.com | Azure Active Directory | Users | Audit Logs to see who has invited the external users and also when an external user accepted the invite. Just filter on the activity and specify 'Invite external user' and 'Redeem esxtgernal user invite'.
Selecting the audit log will show you more information including the time and date of the activities.
If I check Azure Active Directory | Users | Sign-ins I can see audit logs for user sign-in. I can specify user search terms to get more detailed information on an Azure Guest User accessing my Office 365 tenant. Note I can get immediate access to Sign-in Info, Device Info and whether they had to have any 2nd factor authentication or conditional access rules apply.
And whilst both the Audit Log and Sign-ins allow me to download reports, Sign-ins provides richer integration with Power BI once you've configured it (which i'll detail in a future blog post).
So, getting back to creating a nice list of Azure Guest Users, we can utilise the Azure AD Preview PowerShell module to get this data and wrap it up in an email to send to us as and when needed. I've written a script and uploaded it to the TechNet Gallery here.
You can use it to get a list of Azure Guest users in the session window
Or use the -email switch where you'll be able to use it as a scheduled task - be aware the password needs to be in the script, however a standard user will work as all they need is read access which they have by default.
Have fun!
@OliverMoazzezi
1 comment:
Hi, for some reason I get just a limited number (22) of values. Script didn't provide a whole list of people. Can I raise that number? Can you advise?
Post a Comment