AlekSystem Workflow Detail

Clean up stale Entra B2B guest accounts with Microsoft Graph, Teams, and SharePoint

Workflow overview

Why this workflow matters

Relevant for managed-service and support teams that administer external access: a guest account left behind after a project ends keeps every sharing link and group membership it was granted until someone removes it, so inactive guests are standing access that nobody is watching.

Quick overview

This workflow runs weekly to find inactive Entra ID (Azure AD) B2B guest accounts using Microsoft Graph sign-in activity, notifies each guest's sponsor via Microsoft Teams, waits 72 hours, deletes the accounts, and logs successful deletions to a SharePoint list.

How it works

1. Runs every Monday at 08:00 on a scheduled trigger. The hour is interpreted in the workflow's configured timezone, not the tenant's, so confirm the two agree before activating.
2. Fetches all Entra ID guest users from Microsoft Graph, following @odata.nextLink pages, with signInActivity named explicitly in $select (Graph omits it unless asked, and returning it requires the AuditLog.Read.All permission and a Microsoft Entra ID P1 or P2 licence).
3. Filters guests whose last sign-in, or creation date if they have never signed in, is older than the configured inactivity threshold. Note that lastSignInDateTime records interactive sign-ins only; a guest who only reaches shared content through token refreshes shows up under lastNonInteractiveSignInDateTime, so compare against the more recent of the two before treating an account as stale.
4. If no stale guests are found, posts a completion message to a Microsoft Teams channel and stops.
5. For each stale guest, looks up the guest's manager in Microsoft Graph (the workflow treats the manager as the sponsor) and posts a deletion notice to the Microsoft Teams channel tagging the sponsor.
6. Waits 72 hours, then deletes the stale guest account via Microsoft Graph. This is a soft delete: the object stays in the directory's deleted items for 30 days and can be restored from there if a sponsor objects after the window has closed.
7. If deletion succeeds, writes an audit record to a SharePoint list; if deletion fails, posts an error alert to Microsoft Teams and continues with the next guest.
8. Posts a final "run complete" summary to Microsoft Teams after all stale guests are processed.

Setup

1. Create a Microsoft Graph OAuth2 credential in AlekSystem with permissions to read users and sign-in activity, read user managers, delete users, and write to the target SharePoint list.
2. Create or choose a SharePoint site and list for audit logging, ensure the list has the fields GuestEmail, DisplayName, LastSignIn, SponsorNotified, DeletedAt, and DeletedBy, then set the SharePoint site ID and list ID in the Config values.
3. Add Microsoft Teams credentials (or ensure Graph-backed Teams access) and set the Team ID and Channel ID in the Config values for where notifications and summaries are posted.
4. Adjust the inactivity threshold (days) and response window (hours) in the Config values to match your governance policy, and confirm the workflow timezone matches your intended schedule.
Requirements

- A Microsoft Entra ID app registration with the following application permissions granted and admin consent applied: User.Read.All, AuditLog.Read.All, User.ReadWrite.All, Directory.Read.All, Sites.ReadWrite.All. AuditLog.Read.All is what unlocks signInActivity. Sites.ReadWrite.All grants write access to every site in the tenant; if your tenant allows it, Sites.Selected with an access grant scoped to the audit-log site is the least-privilege alternative. User.ReadWrite.All is the permission that makes deletion possible, so protect the client secret or certificate accordingly.
- Two credentials configured in AlekSystem: a Generic OAuth2 credential using the Client Credentials flow for Microsoft Graph API calls, and a Microsoft Teams OAuth2 credential for Teams notifications.
- A SharePoint list named GuestAccountAuditLog with the columns GuestEmail, DisplayName, LastSignIn, SponsorNotified, DeletedAt, and DeletedBy.

Customization

- Update the Config node with your SharePoint site ID, SharePoint list ID, Teams team ID, and Teams channel ID before activating.
- Edit the Teams notification message in the Send Notification to Sponsor node to match your organization's tone and include any required policy references.
- Replace the static channel destination with a dynamic lookup if your organization routes notifications to different channels per department or business unit.
- To add human approval instead of time-based deletion, configure the Wait node to resume via webhook and build a companion workflow that calls the AlekSystem resume endpoint when a sponsor responds. Treat the resume URL as a secret and have the companion workflow check that the responder is the notified sponsor before resuming, because anyone who can reach that URL can release the deletion.
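The fetch-and-filter logic behind steps 2 and 3 of "How it works", written out as an added example rather than code from the workflow itself. It follows Graph pagination, takes the later of the interactive and non-interactive sign-in timestamps, falls back to createdDateTime for guests who never signed in, and refuses to flag an account for which no timestamp exists at all. The fetch_page callable, the exempt-domain list, and the sample directory pages are assumptions constructed for the example, not real tenant data.

```python
"""Stale-guest selection for the Graph-driven clean-up described above.

Added example, not the workflow's own code. fetch_page stands in for the
Graph HTTP call; the sample pages below are constructed, not real data.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator, Optional

# What the fetch step asks Graph for. signInActivity must be listed in $select
# or Graph leaves it out; reading it needs AuditLog.Read.All and a P1/P2 licence.
GUEST_QUERY = (
    "https://graph.microsoft.com/v1.0/users"
    "?$filter=userType eq 'Guest'"
    "&$select=id,displayName,mail,userPrincipalName,createdDateTime,signInActivity"
    "&$top=999"
)


def parse_graph_time(value: Optional[str]) -> Optional[datetime]:
    """Graph returns ISO-8601 UTC timestamps with a trailing 'Z'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user: dict) -> Optional[datetime]:
    """Most recent evidence that the guest used the tenant.

    lastSignInDateTime covers interactive sign-ins only; a guest who reaches
    shared files through token refreshes appears under
    lastNonInteractiveSignInDateTime, so take the later of the two. With no
    sign-in at all, fall back to createdDateTime.
    """
    activity = user.get("signInActivity") or {}
    stamps = [
        parse_graph_time(activity.get("lastSignInDateTime")),
        parse_graph_time(activity.get("lastNonInteractiveSignInDateTime")),
    ]
    stamps = [s for s in stamps if s is not None]
    if stamps:
        return max(stamps)
    return parse_graph_time(user.get("createdDateTime"))


def iter_guests(fetch_page: Callable[[str], dict], url: str = GUEST_QUERY) -> Iterator[dict]:
    """Follow @odata.nextLink until Graph stops returning one."""
    while url:
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def select_stale(users: Iterable[dict], now: datetime, inactivity_days: int,
                 exempt_domains: frozenset = frozenset()) -> list:
    """Return guests inactive for longer than the threshold, with the evidence used."""
    cutoff = now - timedelta(days=inactivity_days)
    stale = []
    for user in users:
        address = user.get("mail") or user.get("userPrincipalName") or ""
        domain = address.rsplit("@", 1)[-1].lower()
        if domain in exempt_domains:
            continue  # partner tenants excluded by policy (assumed config)
        last = last_activity(user)
        if last is None:
            continue  # no timestamps at all: never delete on missing evidence
        if last <= cutoff:
            stale.append({"id": user["id"], "mail": address,
                          "displayName": user.get("displayName", ""),
                          "lastActivity": last.isoformat()})
    return stale


NOW = datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc)  # a Monday 08:00 UTC run


def _ago(days: int) -> str:
    return (NOW - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed two-page Graph response (not real directory data).
SAMPLE_PAGES = {
    GUEST_QUERY: {
        "value": [
            {"id": "u1", "displayName": "Alice", "mail": "alice@partner.example",
             "createdDateTime": _ago(400),
             "signInActivity": {"lastSignInDateTime": _ago(200),
                                "lastNonInteractiveSignInDateTime": _ago(10)}},
            {"id": "u2", "displayName": "Bob", "mail": "bob@vendor.example",
             "createdDateTime": _ago(120), "signInActivity": None},
        ],
        "@odata.nextLink": GUEST_QUERY + "&$skiptoken=page2",
    },
    GUEST_QUERY + "&$skiptoken=page2": {
        "value": [
            {"id": "u3", "displayName": "Carol", "mail": "carol@vendor.example",
             "createdDateTime": _ago(5)},
            {"id": "u4", "displayName": "Dave", "mail": "dave@partner.example",
             "createdDateTime": _ago(300),
             "signInActivity": {"lastSignInDateTime": _ago(100)}},
            {"id": "u5", "displayName": "Erin", "mail": "erin@msp.example",
             "createdDateTime": _ago(300),
             "signInActivity": {"lastSignInDateTime": _ago(150)}},
        ],
    },
}


def fake_fetch_page(url: str) -> dict:
    """Stand-in for an authenticated GET against Graph."""
    return SAMPLE_PAGES[url]


def run(inactivity_days: int = 90, exempt: frozenset = frozenset({"msp.example"})) -> list:
    return select_stale(iter_guests(fake_fetch_page), NOW, inactivity_days, exempt)


if __name__ == "__main__":
    for guest in run():
        print(f"stale: {guest['mail']} last activity {guest['lastActivity']}")
```

With a 90-day threshold, Alice survives because her non-interactive sign-in ten days ago is newer than her interactive one, Carol survives because she was created five days ago, Erin is skipped by the exemption, and only Bob (never signed in, created 120 days ago) and Dave (last interactive sign-in 100 days ago) are selected for the sponsor notice.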

Best fit

Categories

AI/ML, Communication

Services

Microsoft Teams

Use cases

email workflow automation