
Lost and found: How to discover Microsoft 365 orphaned users

Drew Madelung and Vlad Catrinescu share best practices for handling orphaned users in Microsoft 365 environments, especially in SharePoint.

We learned about orphaned workspaces in the first episode. The second episode covers how to identify orphaned users, what risks they carry, and how to manage them in a Microsoft 365 environment, with practical recommendations.

Orphaned Users in SharePoint

Orphaned users in this sense are specific to SharePoint. The situation arises in SharePoint Online when an account is deleted from Entra ID but its entry still exists in a site's User Information List (UIL), and potentially in one or more SharePoint groups. Entra ID user objects are synced to the SharePoint Online profile store, but the per-site UIL entries and group memberships are not removed when the account disappears. Access granted through Microsoft 365 group membership is not affected (the membership goes away with the account); orphaned users appear wherever SharePoint-specific permissions were granted to the user directly.

Risks and issues with Orphaned Users

The main concern is that permissions still appear to be assigned to orphaned users, which confuses anyone reviewing access. Because the account has been deleted and can no longer sign in, there is no direct technical risk; the impact is visual and operational. For example, when a user checks who has access to their content, orphaned entries cause unnecessary confusion and waste time on cleanup. The caveat is that this only holds for accounts that are actually deleted: a merely disabled account keeps its permissions and regains access the moment it is re-enabled, which is why disabled users are treated separately below.

The red herring in SharePoint

Orphaned users can also produce unnecessary errors during migrations, especially from older versions of SharePoint. Error messages about non-existent users clutter migration reports and can divert attention from genuine errors. This noise is a good reason to proactively clean up orphaned users before embarking on a migration project.

Identifying and managing orphaned users

There is no built-in report or cleanup for orphaned users in Microsoft 365. One approach is scripting with SharePoint Online PowerShell and Microsoft Graph PowerShell: loop through the site collections, pull each site's user list, check every login against Entra ID to see whether the account still exists or has been disabled, and then remove the entries that no longer resolve.

Third-party solutions like Syskit Point can help you efficiently discover and manage orphaned users.
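The following is an added example of the loop described above, written for this article rather than taken from the episode. It uses the SharePoint Online Management Shell (`Get-SPOSite`, `Get-SPOUser`, `Remove-SPOUser`) and the Microsoft Graph PowerShell SDK (`Get-MgUser`), and assumes the caller is a SharePoint administrator with the `User.Read.All` Graph scope. The admin URL, CSV path, and the `-Remove` switch are placeholders chosen for the example. It reports by default and only deletes when asked, and it never removes disabled accounts, only ones Entra ID no longer knows about.

```powershell
# Added example (not the episode's script): report, and optionally remove,
# SharePoint Online users whose account no longer exists in Entra ID, and
# report accounts that still exist but are disabled.
# Assumes Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Users
# are installed. Tenant URL and output path are placeholders.
param(
    [string]$AdminUrl   = 'https://contoso-admin.sharepoint.com',  # assumption
    [string]$ReportPath = '.\orphaned-users.csv',
    [switch]$Remove     # only delete orphaned entries when explicitly asked
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Import-Module Microsoft.Graph.Users -ErrorAction Stop

Connect-SPOService -Url $AdminUrl
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# The same person shows up in many site collections; look each UPN up once.
$lookupCache = @{}
function Get-EntraStatus {
    param([string]$Upn)
    if ($lookupCache.ContainsKey($Upn)) { return $lookupCache[$Upn] }
    # Single quotes inside an OData string literal are doubled. Guest UPNs
    # (user_domain.com#EXT#@tenant.onmicrosoft.com) are passed through as-is.
    $escaped = $Upn.Replace("'", "''")
    $user = Get-MgUser -Filter "userPrincipalName eq '$escaped'" `
                       -Property Id,AccountEnabled -ErrorAction Stop
    $status = if (-not $user)                    { 'NotFound' }  # deleted or soft-deleted
              elseif (-not $user.AccountEnabled) { 'Disabled' }
              else                               { 'Active' }
    $lookupCache[$Upn] = $status
    return $status
}

# Only real user principals are checked. SharePoint/Entra groups, apps and the
# built-in accounts (SHAREPOINT\system, app@sharepoint, '|' claims) are skipped.
function Test-IsUserPrincipal {
    param($SpoUser)
    return (-not $SpoUser.IsGroup) -and
           ($SpoUser.LoginName -like '*@*') -and
           ($SpoUser.LoginName -notlike '*|*') -and
           ($SpoUser.LoginName -ne 'app@sharepoint')
}

$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        $users = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop
    } catch {
        # Locked or read-only sites raise here; skip rather than abort the run.
        Write-Warning "Skipping $($site.Url): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users | Where-Object { Test-IsUserPrincipal $_ }) {
        $status = Get-EntraStatus -Upn $u.LoginName
        if ($status -eq 'Active') { continue }
        [pscustomobject]@{
            SiteUrl     = $site.Url
            LoginName   = $u.LoginName
            DisplayName = $u.DisplayName
            IsSiteAdmin = $u.IsSiteAdmin
            Groups      = ($u.Groups -join ';')
            EntraStatus = $status
        }
    }
}

if ($findings) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Host ("{0} orphaned/disabled entries written to {1}" -f @($findings).Count, $ReportPath)

# Removal is limited to accounts Entra ID no longer returns. Disabled accounts
# are reported but kept; decide your thresholds for those before touching them.
if ($Remove) {
    foreach ($f in $findings | Where-Object EntraStatus -eq 'NotFound') {
        Remove-SPOUser -Site $f.SiteUrl -LoginName $f.LoginName -ErrorAction Continue
    }
}
```

Run it once without `-Remove` and review the CSV first: `Get-SPOSite -Limit All` does not include OneDrive sites unless you add `-IncludePersonalSite $true` with a filter, a user deleted in the last 30 days is still recoverable in Entra ID but already shows as `NotFound`, and removing a UIL entry also changes how that person appears in Created By / Modified By fields on existing items. Those are the reasons the example separates reporting from deletion.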

Considerations for inactive and disabled users

Inactive or disabled users can be treated as a type of orphaned user, and this includes inactive guests. Unlike a deleted account, a disabled or dormant one still holds its permissions, so organizations need to define thresholds (how long inactive, disabled for how long) for when access is removed, both to avoid leaving stale access in place and to avoid removing access that is still needed.

Tenant management and cleanup

Expiration policies for workspaces and sites help limit orphaned user scenarios, because a site that is retired takes its stale permission entries with it. It is recommended to clean up the environment before migrations, especially in on-premises to cloud scenarios.

In the next episode

Up next, Drew and Vlad cover the topic of reclaiming unused Microsoft 365 licenses to ensure efficient usage and cost savings.
