Microsoft recently announced the removal of unmanaged Azure AD accounts. Customers face serious challenges managing access and user lifecycles because of unmanaged accounts, which has increased support costs for many of them.
Self-service sign-up lets people create Azure AD guest accounts "by verifying ownership of their work email address when their domain isn't verified in Azure AD." This is problematic because "users would create accounts in a tenant that wasn't managed by their IT department."
Managed and Unmanaged Tenants
Azure Active Directory comprises many tenant directories. A managed tenant is an instance of a service such as Microsoft 365 or Dynamics 365 that is administered by a global administrator (the manager). A managed Azure AD tenant is part of every Microsoft 365 organization.
Microsoft introduced Azure B2B Collaboration in 2016, which allows external users to sign in to managed tenants as guest members using their e-mail addresses. Guests can access some resources within the tenant's directory, such as documents in SharePoint Online or Teams. In addition, Azure AD attempts to link the guest account with the user's actual account in their home tenant's directory. Some of these guests have email domains that don't use Azure AD, and Microsoft stores their accounts in unmanaged tenants.
Consider the case where an external user's e-mail address is added to a Microsoft 365 group or team membership. Azure AD creates a guest account for the external user and sends them an invitation to redeem, which also verifies their email address. The user accepts the invitation, and as soon as Azure AD confirms that the user is genuine, it marks the guest account as having redeemed the invitation. From then on the external user can participate in the group or team using their guest account, and everything works as expected.
If the business that owns the e-mail domain later decides to adopt Azure AD for a service like Microsoft 365, this process continues to work: the organization takes over the unmanaged tenant together with its unmanaged accounts and assumes their management. Onboarding organizations into services by this route is known and documented, but it interferes with the process of gracefully onboarding them.
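The invitation flow described above, worked through in the Microsoft Graph PowerShell SDK as an added example that is not part of the original article. It sends one B2B invitation and then audits guests whose invitation is still pending, because a guest object exists in the directory from the moment it is invited, not from the moment it is redeemed. The e-mail address and redirect URL are constructed placeholders, and the signed-in account is assumed to hold the User.Invite.All and User.Read.All permissions.

```powershell
# Added example (not from the original article): invite an external user as a
# B2B guest, then list guests whose invitation has not been redeemed.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account has User.Invite.All and User.Read.All. Address and URL are placeholders.

Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# Step 1: send the invitation. Azure AD creates the guest object immediately;
# the account only becomes usable once the external user redeems the invite.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress "guest.user@partner.example" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage:$true

"Guest object id: $($invitation.InvitedUser.Id)  status: $($invitation.Status)"

# Step 2: audit. ExternalUserState is 'PendingAcceptance' until the invitation
# is redeemed and 'Accepted' afterwards. Guests that stay pending for a long
# time usually mean an invitation went to the wrong address or was never acted on.
$pending = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, Mail, UserPrincipalName, ExternalUserState, ExternalUserStateChangeDateTime, CreatedDateTime |
    Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' }

"Guests with unredeemed invitations: $(@($pending).Count)"

$pending |
    Select-Object Mail, UserPrincipalName, CreatedDateTime, ExternalUserStateChangeDateTime |
    Sort-Object CreatedDateTime |
    Format-Table -AutoSize
```

Running the audit part on its own (without step 1) on a schedule gives a simple hygiene report: guests that never redeemed can be removed rather than left as dormant objects that still carry group memberships.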
No new unmanaged accounts
Microsoft is now removing the ability for external users to validate by email address, which is what allowed them to create unmanaged accounts and tenants. Instead, if an external user doesn't originate from:
A directory that federates with Azure AD, like Google.
Consumer Microsoft Services (MSA).
Another Azure AD tenant.
then either a one-time passcode (OTP) is used to verify the email address, or the user is asked to create a consumer (MSA) account with their email address. Microsoft emphasizes that guest accounts already established in customer tenants and backed by unmanaged Azure AD accounts will continue to work. Only new guest accounts are subject to the new redemption procedure.
Azure AD B2B Collaboration invitation redemption flow (source: Microsoft)
Clean up existing unmanaged accounts from your tenant!
According to Microsoft, some tenants have thousands of unmanaged Azure AD accounts. Although these accounts will continue to work, if you'd like to clean them up (essentially forcing unmanaged accounts to revalidate), you can do so using the following steps:
You can now use this sample application or the MSIdentity Tools PowerShell Module to identify the unmanaged Azure AD accounts that exist in your tenant and optionally reset their redemption status. By resetting their redemption status, these guest accounts will maintain all existing access and permissions but will be forced to use a different redemption method. Learn more about cleaning up unmanaged Azure AD accounts.
Tenants may leave unmanaged guest accounts alone if they wish, or organizations may convert them to managed accounts using these tools.
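The cleanup steps above, worked through with the MSIdentity Tools module as an added example (this is not the article's or Microsoft's own sample code). It enumerates guests whose identities live in unmanaged tenants, exports them for review, does a dry run, and only then resets their redemption status. The cmdlet names Get-MsIdUnmanagedExternalUser and Reset-MsIdExternalUser are the ones the MSIdentityTools module ships; that the returned objects expose Id, UserPrincipalName, Mail and CreatedDateTime, and that the reset cmdlet honours -WhatIf, are assumptions. The CSV path is a placeholder.

```powershell
# Added example (not from the original article or from Microsoft's sample):
# find guest accounts backed by unmanaged Azure AD tenants, export them for
# review, dry-run the reset, then reset their redemption status.
# Assumes the MSIdentityTools and Microsoft.Graph modules are installed.
# Assumed: the returned user objects carry Id/UserPrincipalName/Mail/CreatedDateTime
# and Reset-MsIdExternalUser supports -WhatIf. The CSV path is a placeholder.

Install-Module -Name MSIdentityTools -Scope CurrentUser
Install-Module -Name Microsoft.Graph -Scope CurrentUser

# Resetting redemption rewrites the guest object, so User.ReadWrite.All is needed.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Step 1: enumerate. The cmdlet inspects each guest's home domain and returns
# those whose identity sits in an unmanaged tenant rather than a managed
# Azure AD tenant, a consumer (MSA) account, or a federated identity provider.
$unmanaged = Get-MsIdUnmanagedExternalUser

"Unmanaged external guests found: $(@($unmanaged).Count)"

# Step 2: review before acting, and keep the export as the change record.
$unmanaged |
    Select-Object Id, UserPrincipalName, Mail, CreatedDateTime |
    Export-Csv -Path ".\unmanaged-guests.csv" -NoTypeInformation

# Step 3: dry run. -WhatIf reports which objects would change without touching them.
$unmanaged | Reset-MsIdExternalUser -WhatIf

# Step 4: after the list has been reviewed, perform the reset. Group memberships
# and permissions stay in place; on the next sign-in each guest is sent through
# the new redemption flow (OTP or MSA) instead of the removed email-verified path.
# Uncomment to apply:
# $unmanaged | Reset-MsIdExternalUser -Confirm:$false
```

Keeping the reset behind a reviewed export matters because the reset is visible to the guest: their next sign-in fails until they redeem again, so support staff should know which accounts were touched and when.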