
Guest Users in Entra ID Are a Bigger Problem Than You Think

A few months ago I was doing a demo for a company in Västerås. About 80 employees. Standard Nordic mid-market setup: Microsoft 365, Entra ID, a handful of SaaS tools.

November 7, 2025 | Updated: April 5, 2026 | 4 min read


Before the demo, I asked if I could take a quick look at their Entra ID tenant to understand their current state. They said sure.

80 employees. 1,200 guest users.

The IT manager went quiet for a second. "That can't be right," he said.

It was right.

How guests pile up

Guest users in Entra ID get created when you invite someone external to collaborate. A partner company, a consultant, a vendor, someone at a client who needs access to a shared Teams channel or a SharePoint site.

Each invitation creates a guest user object in your directory. Simple enough.

The problem is that nobody thinks about these guest accounts after the collaboration ends. The project wraps up. The consultant's contract expires. The partner relationship changes. But the guest user object stays.

Most companies have no process for reviewing guest users. There is no offboarding workflow for people who were never onboarded in the first place. They are not in your HR system. They are not in your employee directory. They exist in a blind spot.

And they accumulate fast.

Teams makes it especially easy. Anyone with the right permissions can invite external people to a channel, which creates a guest user in your directory automatically. One active Teams environment can generate dozens of guest accounts per month. Multiply that over a few years and 1,200 stops sounding so surprising.

Default permissions are more generous than you think

Here is what makes this a security issue, not just a tidiness issue.

By default, guest users in Entra ID can see quite a lot. They can enumerate other users in your directory. They can see group memberships. Depending on your configuration, they might have more visibility than you expect.

Microsoft has settings to restrict guest permissions (look for "External collaboration settings" in Entra ID), but many organisations never touch the defaults. Those 1,200 guest accounts — many belonging to people who have no current relationship with your company — can browse your directory.

Most of them will never do anything with that access. But "most" is not "all." And if a guest account's credentials get compromised (which happens, because you have no control over their password hygiene or MFA setup), that account has a foothold in your tenant.

The compliance gap

If you are going through ISO 27001, SOC 2, or preparing for NIS2, guest users are something auditors pick up on quickly.

They will ask: who are these external users? When were they invited? Do they still need access? Who approved their access? When was it last reviewed?

For your own employees, you might have decent answers. For guest users, the answer is usually a variation of "we are not entirely sure."

That is an uncomfortable position during an audit.

What to actually do about it

First, just go look. Open Entra ID, navigate to Users, filter by user type: Guest. See the number. If it surprises you, that is useful information.

Then sort through them:

Active and needed. Guests who are currently involved in active projects or ongoing partnerships. Keep them, but put a quarterly review in the calendar.

Unknown or stale. Guests who have not signed in for 90+ days, or whose purpose nobody can explain. Remove them. If they need access again later, you can reinvite them in two minutes.

Service accounts dressed as guests. Sometimes I find guest accounts that are actually being used for integrations or automated processes. These should be converted to proper service principals or managed identities, not guest user objects.

For the ongoing problem, you need a recurring review process. Something that periodically asks: do these external accounts still need to be here? Entra ID P2 has access reviews that can cover guest users, or you can use a dedicated tool. The specific method matters less than actually doing it regularly.

Go filter by Guest right now. Sort by last sign-in date. Count the ones that have not signed in for six months or more. Remove the stale ones. Ten minutes well spent.
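The triage described above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from any product it mentions; it assumes the Microsoft.Graph.Users module and an admin who can consent to User.Read.All and AuditLog.Read.All (User.ReadWrite.All only if -Remove is used), and it uses the post's 90-day threshold. Without -Remove it only writes a CSV and prints counts per bucket.

```powershell
# Added example: report (and optionally remove) stale Entra ID guest users.
# Assumes Microsoft.Graph.Users is installed. Read-only unless -Remove is given.
param(
    [int]$StaleDays = 90,                     # threshold from the post
    [string]$ReportPath = ".\guest-review.csv",
    [switch]$Remove
)

$scopes = @("User.Read.All", "AuditLog.Read.All")
if ($Remove) { $scopes += "User.ReadWrite.All" }   # only ask for write when needed
Connect-MgGraph -Scopes $scopes -NoWelcome

$cutoff = (Get-Date).AddDays(-$StaleDays)

# signInActivity needs AuditLog.Read.All and an Entra ID P1/P2 licence;
# on tenants without it the property comes back empty for every user.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property id,displayName,mail,createdDateTime,externalUserState,signInActivity

$review = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    # Sort into the buckets the post describes, plus invitations never accepted.
    $bucket = if ($g.ExternalUserState -eq 'PendingAcceptance') { 'never-accepted' }
              elseif ((-not $last) -and $g.CreatedDateTime -lt $cutoff) { 'no-sign-in' }
              elseif ($last -and $last -lt $cutoff) { 'stale' }
              else { 'active' }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Created     = $g.CreatedDateTime
        LastSignIn  = $last
        Invitation  = $g.ExternalUserState
        Bucket      = $bucket
        Id          = $g.Id
    }
}

# Oldest sign-in first, so the top of the CSV is the review queue.
$review | Sort-Object LastSignIn | Export-Csv -Path $ReportPath -NoTypeInformation
$review | Group-Object Bucket | Select-Object Name, Count | Format-Table -AutoSize

if ($Remove) {
    # 'no-sign-in' is ambiguous when sign-in data is missing, so it is left for
    # a human; deleted users stay restorable in Entra ID for 30 days.
    $review | Where-Object { $_.Bucket -in @('stale', 'never-accepted') } |
        ForEach-Object { Remove-MgUser -UserId $_.Id -Confirm:$true }
}
```

Run it once without -Remove, hand the CSV to the people who own the partnerships, and only then run it again with -Remove for the rows nobody claims.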
