Guest Access in Entra ID: The Invisible Security Risk in Most M365 Tenants

Guest accounts in Entra ID accumulate quietly over time (contractors, vendors, project collaborators) and are rarely cleaned up when the engagement ends. In most M365 tenants Hamilton365 reviews, the number of active guest accounts significantly exceeds what anyone in the business is aware of.

What Is a Guest Account?

A guest account is an external identity invited into your Microsoft 365 environment. It is identifiable by the #EXT# notation in the user principal name. Guest accounts are created when someone accepts a Teams invitation, a SharePoint document is shared externally, or a vendor requests tenant access for support.

The Vendor Access Problem

Vendors typically request broad permissions. When you change IT providers, the previous vendor's access is not automatically removed. Hamilton365 has reviewed tenants where two or three previous IT providers still had active guest or delegated access years after those relationships ended.

Governance Controls

Access reviews (Entra ID P2). Guest invitation policies: restrict invitations to IT administrators only. Expiry policies: a 90- or 180-day default expiry with renewal requirements. Documented vendor access management.
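The following Python is an added example, not part of the original article or Hamilton365's tooling: it picks out guests by the #EXT# marker in the user principal name and groups those with no sign-in inside the expiry window by home domain, which is how leftover access from a former provider shows up. The sample records, the domains, and the assumption that lastSignInDateTime has been flattened onto each exported record are constructed for illustration; the field names follow Microsoft Graph user properties.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXPIRY_DAYS = 90  # the policy window discussed above (90 or 180 days)
T = "#EXT#@example-tenant.onmicrosoft.com"  # constructed tenant suffix

# Constructed sample export (assumption: one flat record per user).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example-tenant.onmicrosoft.com",
     "createdDateTime": "2021-03-01T09:00:00Z", "lastSignInDateTime": "2025-01-10T08:00:00Z"},
    {"userPrincipalName": "bob_oldmsp.example" + T,
     "createdDateTime": "2021-06-15T09:00:00Z", "lastSignInDateTime": "2022-02-01T10:00:00Z"},
    {"userPrincipalName": "first_last_oldmsp.example" + T,
     "createdDateTime": "2021-06-20T09:00:00Z", "lastSignInDateTime": None},
    {"userPrincipalName": "dana_partner.example" + T,
     "createdDateTime": "2024-11-01T09:00:00Z", "lastSignInDateTime": "2025-01-05T12:00:00Z"},
]

def parse_ts(value):
    """Parse a Graph-style UTC timestamp; None means no recorded value."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def home_address(upn):
    """Recover the external address from a guest UPN, or None for non-guest UPNs."""
    local, marker, _ = upn.partition("#EXT#")
    if not marker or "_" not in local:
        return None
    # In a guest UPN the last "_" before #EXT# stands in for the original "@".
    alias, _, domain = local.rpartition("_")
    return f"{alias}@{domain}"

def stale_guests_by_domain(users, now, expiry_days=EXPIRY_DAYS):
    """Group guests with no sign-in inside the expiry window by home domain."""
    cutoff = now - timedelta(days=expiry_days)
    stale = defaultdict(list)
    for user in users:
        addr = home_address(user["userPrincipalName"])
        if addr is None:
            continue  # member account, not a guest
        # Guests that never signed in are aged from their creation date.
        last_seen = parse_ts(user.get("lastSignInDateTime")) or parse_ts(user["createdDateTime"])
        if last_seen < cutoff:
            stale[addr.split("@")[1].lower()].append(addr)
    return dict(stale)

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed date so output is stable
    for domain, guests in stale_guests_by_domain(SAMPLE_USERS, now).items():
        print(f"{domain}: {len(guests)} stale guest(s): {', '.join(guests)}")
```

A domain that appears here with several stale guests and no current contract is the first place to look when checking for a previous provider's leftover access.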

Entra ID Guest Access Audit