Friday, April 20, 2018

SharePoint Online: Completely removing an external user

Problem

You are a Global Administrator for your organization's Office 365 subscription, employing both cloud and federated identities. Various site collection administrators look after day-to-day administration of user content site collections.  One site collection administrator manages a site having hundreds of internal (federated) and external (cloud) users.  The site collection is configured to allow both internal and external users to access the site.

The site collection administrator sends an invite to an external user, and the external responds and a cloud account is created for her.  The site collection administrator deletes the account for some reason and sends out another invite, which the external user responds to but experiences an error:
Sorry, something went wrong
We're sorry, sign-in isn't working right now. But we're on it! Please try again later.
In order to recover from the problem, the external user's account must be completely removed from both SharePoint Online and O365.

Solution

  1. Remove user account from all user groups: request the site collection administrator remove the user account from all SharePoint user groups he or she may have added the external user's account to.
  2. Remove the user account from the site collection: request the site collection administrator use this user listing to remove the user completely from the site collection:
    _layouts/15/people.aspx?MembershipGroupId=0
  3. Remove the user profile from SharePoint Online: request the SharePoint Online Admin to remove the user's profile:
    Navigate to: SharePoint Admin Center > user profiles > People > Manage User Profiles
  4. Remove the user's cloud account: as Global Administrator, remove the cloud account:
    Navigate to: Admin Center > Users > Guest users > [click Delete a user button] 

References

Notes

  • Cloud Identity: the identity exists in the cloud in Microsoft Azure Active Directory (MS AAD) and not in your organization's on-premises Active Directory. Also referred to as an external user.
  • Federated Identity: the identity exists in your organization's on-premises Active Directory, which is synchronized with AAD.  Also referred to as an internal user.
  • Global Administrator: has access to all administrative features in the Office 365 suite of services in your organization's Office 365 subscription.  They are the only admins who can assign other admin roles (e.g., SharePoint Admin, Exchange Admin, etc).
  • SharePoint Administrator: effectively the farm administrator, has access to all site collections in the O365 subscription.