Channel: Microsoft Entra ID – Office 365 for IT Pros

How to Report the Sponsors of Entra ID Guest Accounts


Sponsors Are The People Who Invite Guests to Join a Tenant

Nearly two years ago, Entra ID added the ability to assign sponsors to guest accounts. A sponsor is someone in the tenant who can attest to the need to give an external person a guest account (or so the theory goes). Since then, Entra ID changed its processing so that the person who invites someone to join a tenant as a guest automatically becomes their sponsor unless another person is explicitly selected during the invitation process. In most cases, no one will bother changing the sponsor (or know that they can), so the person who issues the invitation is the sponsor.

Assessing whether old guest accounts should remain in a tenant is a good practice to perform periodically. It’s easy to create a report about guest accounts that includes details like the date created, last sign in date, days since the last sign in, any groups a guest belongs to, and so on. If you then decide to remove some guest accounts, you might like to flag the decision to the sponsors for those accounts.

Finding Guest Accounts

The Microsoft Graph PowerShell SDK has changed a lot since I originally wrote about sponsors, so here’s some new code to report guests and their sponsors (you can download the script from GitHub).

The first task is to find guest accounts and retrieve their sponsors. This is easily done by running the Get-MgUser cmdlet with a suitable filter and making sure to retrieve and expand the Sponsors property:

Write-Host "Finding guest accounts to analyze..." -ForegroundColor Green
# Request the Sponsors property explicitly and expand it so that the sponsor objects come back with the guest
[array]$Guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, DisplayName, Sponsors, CreatedDateTime, SignInActivity, Mail -ExpandProperty Sponsors | Sort-Object DisplayName
If (!($Guests)) { 
    Write-Host "No guest accounts found." -ForegroundColor Red
    Break
}

Reporting Guest Accounts and Their Sponsors

After that, it’s a matter of looping through the guest accounts to extract and report the relevant information. Here’s the code:

Write-Host ("Checking {0} guest accounts..." -f $Guests.Count) -ForegroundColor Green
$Report = [System.Collections.Generic.List[Object]]::new()

ForEach ($Guest in $Guests) {
    $SponsorNames = $null
    If ($Null -eq $Guest.Sponsors.Id) {
        $SponsorNames = "No sponsor assigned"
    } Else {
        $SponsorNames = $Guest.Sponsors.additionalProperties.displayName -join ", "
    }

    $SignInDate = $null
    If ([string]::IsNullOrEmpty($Guest.SignInActivity.LastSuccessfulSignInDateTime)) {
        # No successful sign-in recorded, so measure the age of the account from its creation date instead
        $SignInDate = "No sign-in activity"
        [int]$DaysSinceSignIn = (New-TimeSpan -Start $Guest.CreatedDateTime).Days
    } Else {
        $SignInDate = Get-Date($Guest.SignInActivity.LastSuccessfulSignInDateTime) -format 'dd-MMM-yyyy HH:mm'  
        # Calculate from the original DateTime value rather than the formatted display string
        [int]$DaysSinceSignIn = (New-TimeSpan -Start $Guest.SignInActivity.LastSuccessfulSignInDateTime).Days
    }

    $ReportLine = [PSCustomObject] @{
        Name                 = $Guest.DisplayName
        Email                = $Guest.Mail
        'Sponsor Names'      = $SponsorNames
        Created              = Get-Date($Guest.CreatedDateTime) -format 'dd-MMM-yyyy HH:mm'
        'Last Sign In'       = $SignInDate
        'Days Since Sign In' = $DaysSinceSignIn.ToString()
    }
    $Report.Add($ReportLine)
}

$Report | Out-GridView -Title "Entra ID Guest Account Sponsors"

The number of days since sign in is calculated from the last successful sign-in date recorded by Entra ID for the account. If this information isn’t available (because the sign-in occurred before Entra introduced the last successful sign-in date property in late 2023), the creation date for the account is used. Figure 1 is an example of the output report.

Figure 1: Reporting guest accounts and their sponsors

Some guest accounts don’t have sponsors because they were added to the tenant before Entra ID updated its processes to make the person who invites a guest their sponsor.

Figuring Out Old Guests

Because we compute the number of days since the last sign-in, it’s easy to list the set of guests that haven’t signed in since a set threshold. After that, it’s up to you how to contact the sponsors to ask them what to do with their old guests.

# Number of days without a successful sign-in after which a guest is considered old (sample value; adjust to suit your tenant)
[int]$Threshold = 365
# List all the guest accounts (and their sponsors) that haven't signed in for more than the threshold number of days
$OldGuests = $Report | Where-Object {($_.'Days Since Sign In' -as [int]) -gt $Threshold}
Write-Host ""
Write-Host ("The following guest accounts have not signed in for more than {0} days:" -f $Threshold) -ForegroundColor Red
Write-Host ""
$OldGuests | Format-Table Name, 'Sponsor Names', 'Days Since Sign In', 'Last Sign In' -AutoSize
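The report above joins sponsor names into one string, which is fine for reading but awkward when you want to tell each sponsor about their own stale guests. The following added example (not part of the original article or its GitHub script) regroups the old guests by sponsor and separates out guests that have nobody to ask. It assumes $Guests and $Threshold are already set as shown earlier, and that the expanded sponsor objects expose mail and userPrincipalName through AdditionalProperties alongside displayName.

```powershell
# Added example: group stale guests by sponsor so each sponsor gets their own list.
# Assumes $Guests came from Get-MgUser -ExpandProperty Sponsors and $Threshold is defined.
$SponsorMap  = @{}   # sponsor key (mail, UPN or object id) -> list of stale guest summaries
$Unsponsored = [System.Collections.Generic.List[Object]]::new()

ForEach ($Guest in $Guests) {
    $LastSignIn = $Guest.SignInActivity.LastSuccessfulSignInDateTime
    # Fall back to the creation date when no successful sign-in has been recorded
    If ([string]::IsNullOrEmpty($LastSignIn)) { $LastSignIn = $Guest.CreatedDateTime }
    $Days = (New-TimeSpan -Start $LastSignIn).Days
    If ($Days -le $Threshold) { Continue }

    $Summary = [PSCustomObject]@{
        Guest           = $Guest.DisplayName
        Mail            = $Guest.Mail
        DaysSinceSignIn = $Days
    }
    If ($Null -eq $Guest.Sponsors.Id) {
        $Unsponsored.Add($Summary)
        Continue
    }
    ForEach ($Sponsor in $Guest.Sponsors) {
        # Assumption: expanded sponsor objects carry mail/userPrincipalName in AdditionalProperties.
        # Prefer the mail address as the key, then the UPN, then the object id.
        $Key = $Sponsor.AdditionalProperties.mail
        If (-not $Key) { $Key = $Sponsor.AdditionalProperties.userPrincipalName }
        If (-not $Key) { $Key = $Sponsor.Id }
        If (-not $SponsorMap.ContainsKey($Key)) {
            $SponsorMap[$Key] = [System.Collections.Generic.List[Object]]::new()
        }
        $SponsorMap[$Key].Add($Summary)
    }
}

# One block of output per sponsor; Out-Host keeps the table next to its heading in the console
ForEach ($Key in ($SponsorMap.Keys | Sort-Object)) {
    Write-Host ("Sponsor {0}: {1} guest(s) with no sign-in for more than {2} days" -f $Key, $SponsorMap[$Key].Count, $Threshold) -ForegroundColor Yellow
    $SponsorMap[$Key] | Sort-Object DaysSinceSignIn -Descending | Format-Table Guest, Mail, DaysSinceSignIn -AutoSize | Out-Host
}
# Guests with no sponsor need an administrator's decision because there is nobody to ask
If ($Unsponsored.Count -gt 0) {
    Write-Host ("{0} stale guest(s) have no sponsor assigned:" -f $Unsponsored.Count) -ForegroundColor Red
    $Unsponsored | Sort-Object DaysSinceSignIn -Descending | Format-Table Guest, Mail, DaysSinceSignIn -AutoSize | Out-Host
}
```

Each entry in $SponsorMap is keyed by a sponsor address, so the same structure can feed whatever notification method you choose, such as a mail merge or a ticket per sponsor.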

Tenants don’t have to use the sponsor information if they don’t want to. However, given that Entra ID now populates the sponsor data for new guest accounts, it seems like a pity not to use it.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

