| 1 | +--- |
| 2 | +title: Clean up unmanaged Azure AD accounts - Azure Active Directory | Microsoft Docs |
| 3 | +description: Clean up unmanaged accounts using email OTP and PowerShell modules in Azure Active Directory |
| 4 | +services: active-directory |
| 5 | +author: gargi-sinha |
| 6 | +ms.author: gasinh |
| 7 | +manager: martinco |
| 8 | +ms.date: 06/28/2022 |
| 9 | +ms.topic: how-to |
| 10 | +ms.service: active-directory |
| 11 | +ms.subservice: enterprise-users |
| 12 | +ms.workload: identity |
| 13 | +ms.custom: it-pro |
| 14 | +ms.collection: M365-identity-device-management |
| 15 | +--- |
| 16 | + |
| 17 | +# Clean up unmanaged Azure Active Directory accounts |
| 18 | + |
| 19 | +Azure Active Directory (Azure AD) supports self-service sign-up for |
| 20 | +email-verified users. Users can create Azure AD accounts if they can |
| 21 | +verify email ownership. To learn more, see, [What is self-service |
| 22 | +sign-up for Azure Active |
| 23 | +Directory?](https://docs.microsoft.com/azure/active-directory/enterprise-users/directory-self-service-signup) |
| 24 | + |
| 25 | +However, if a user creates an account, and the domain isn't verified in |
| 26 | +an Azure AD tenant, the user is created in an unmanaged, or viral |
| 27 | +tenant. The user can create an account with an organization's domain, |
| 28 | +not under the lifecycle management of the organization's IT. Access can |
| 29 | +persist after the user leaves the organization. |
| 30 | + |
| 31 | +## Remove unmanaged Azure AD accounts |
| 32 | + |
| 33 | +You can remove unmanaged Azure AD accounts from your Azure AD tenants |
| 34 | +and prevent these types of accounts from redeeming future invitations. |
| 35 | + |
| 36 | +1. Read how to enable [one-time |
| 37 | + passcodes](https://docs.microsoft.com/azure/active-directory/external-identities/one-time-passcode#enable-email-one-time-passcode) |
| 38 | + (OTP) |
| 39 | + |
| 40 | +2. Use the sample application in [Azure-samples/Remove-unmanaged-guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests) or |
| 41 | + go to |
| 42 | + [AzureAD/MSIdentityTools](https://github.com/AzureAD/MSIdentityTools/wiki/) |
| 43 | + PowerShell module to identify viral users in an Azure AD tenant and |
| 44 | + reset user redemption status. |
| 45 | + |
| 46 | +Once the above steps are complete, when users with unmanaged Azure AD accounts try to access your tenant, they'll re-redeem their invitations. However, because Email OTP is enabled, Azure AD will prevent users from redeeming with an existing unmanaged Azure AD account and they’ll redeem with another account type. Google Federation and SAML/WS-Fed aren't enabled by default. So by default, these users will redeem with either an MSA or Email OTP, with MSA taking precedence. For a full explanation on the B2B redemption precedence, refer to the [redemption precedence flow chart](https://docs.microsoft.com/azure/active-directory/external-identities/redemption-experience#invitation-redemption-flow). |
| 47 | + |
| 48 | +## Overtaken tenants and domains |
| 49 | + |
| 50 | +Some tenants created as unmanaged tenants can be taken over and |
| 51 | +converted to a managed tenant. See, [take over an unmanaged directory as |
| 52 | +administrator in Azure AD](https://docs.microsoft.com/azure/active-directory/enterprise-users/domains-admin-takeover). |
| 53 | + |
| 54 | +In some cases, overtaken domains might not be updated, for example, missing a DNS TXT record and therefore become flagged as unmanaged. Implications are: |
| 55 | + |
| 56 | +- For guest users who belong to formerly unmanaged tenants, redemption status is reset and one consent prompt appears. Redemption occurs with same account as before. |
| 57 | + |
| 58 | +- After unmanaged user redemption status is reset, the tool might identify unmanaged users that are false positives. |
| 59 | + |
| 60 | +## Reset redemption using a sample application |
| 61 | + |
| 62 | +Before you begin, to identify and reset unmanaged Azure AD account redemption: |
| 63 | + |
| 64 | +1. Ensure email OTP is enabled. |
| 65 | + |
| 66 | +2. Use the sample application on |
| 67 | + [Azure-Samples/Remove-Unmanaged-Guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests). |
| 68 | + |
| 69 | +## Reset redemption using MSIdentityTools PowerShell Module |
| 70 | + |
| 71 | +MSIdentityTools PowerShell Module is a collection of cmdlets and |
| 72 | +scripts. They are for use in the Microsoft identity platform and Azure |
| 73 | +AD; they augment capabilities in the PowerShell SDK. See, [Microsoft |
| 74 | +Graph PowerShell |
| 75 | +SDK](https://github.com/microsoftgraph/msgraph-sdk-powershell). |
| 76 | + |
| 77 | +Run the following cmdlets: |
| 78 | + |
| 79 | +- `Install-Module Microsoft.Graph -Scope CurrentUser` |
| 80 | + |
| 81 | +- `Install-Module MSIdentityTools` |
| 82 | + |
| 83 | +- `Import-Module msidentitytools,microsoft.graph` |
| 84 | + |
| 85 | +To identify unmanaged Azure AD accounts, run: |
| 86 | + |
| 87 | +- `Connect-MgGraph --Scope User.Read.All` |
| 88 | + |
| 89 | +- `Get-MsIdUnmanagedExternalUser` |
| 90 | + |
| 91 | +To reset unmanaged Azure AD account redemption status, run: |
| 92 | + |
| 93 | +- `Connect-MgGraph --Scope User.Readwrite.All` |
| 94 | + |
| 95 | +- `Get-MsIdUnmanagedExternalUser | Reset-MsIdExternalUser` |
| 96 | + |
| 97 | +To delete unmanaged Azure AD accounts, run: |
| 98 | + |
| 99 | +- `Connect-MgGraph --Scope User.Readwrite.All` |
| 100 | + |
| 101 | +- `Get-MsIdUnmanagedExternalUser | Remove-MgUser` |
| 102 | + |
| 103 | +## Next steps |
| 104 | + |
| 105 | +Examples of using |
| 106 | +[Get-MSIdUnmanagedExternalUser](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MsIdUnmanagedExternalUser) |
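Review bot: The `Connect-MgGraph` invocations in the "Reset redemption using MSIdentityTools PowerShell Module" section use a double-dash parameter (`Connect-MgGraph --Scope User.Read.All`, `Connect-MgGraph --Scope User.Readwrite.All`), which PowerShell will not parse as a named parameter; the Microsoft Graph PowerShell SDK parameter is `-Scopes` (single dash, plural), so these lines should read `Connect-MgGraph -Scopes User.Read.All` and `Connect-MgGraph -Scopes User.ReadWrite.All` (the scope's canonical casing is `User.ReadWrite.All`). Since the "Overtaken tenants and domains" section already warns that the tool can return false positives after a redemption reset, the delete step `Get-MsIdUnmanagedExternalUser | Remove-MgUser` would benefit from a sentence telling the reader to review the output of `Get-MsIdUnmanagedExternalUser` first, or to dry-run the pipeline with `-WhatIf`, before removing accounts.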