Excluding 'Non-User' Accounts

Modified on Tue, 01 Aug 2023 at 09:04 PM

Indexing Your Azure AD

When you first connect your Torsion system to your Microsoft 365 tenant, Torsion builds an index of all the data (files, folders, SharePoint Sites, Teams, etc), users and groups, and all of the access and permissions between them.


Torsion gets its knowledge of your users and groups by integrating with the instance of Azure Active Directory ('AD') which is associated with your Microsoft 365 tenant. Microsoft recently rebranded Azure AD to 'Microsoft Entra ID'.


You might not have known that there is always an instance of Azure AD with every Microsoft 365 tenant, but we assure you, it's there! If you have the right permissions, you can usually access your AD Admin Console in the Microsoft Entra admin center.




Torsion Sees All The User Accounts

We've never seen an AD which is perfectly neat and tidy. Ever. (And we've been doing this a long time!) 'Cleaning up AD' is one of those tasks which never quite seems to make it to the top of an IT team's priority list. It is what it is.


Most ADs will contain a lot of user accounts which don't belong to actual users. They accumulate from a lot of different places over the years. Service accounts, group accounts, meeting room accounts, test accounts, etc.


These accounts can all receive permissions to access data in Microsoft 365. This is why Torsion indexes all the accounts in AD, even these 'non-user' accounts. Torsion can provide visibility and control over the permissions to access data in Microsoft 365 which are assigned to these accounts, just like it does for regular users.


'Non-User' Accounts Aren't Always Wanted

In practice, there is a balance to be struck between being aware of what permissions these 'non-user' accounts have, and practical factors, such as the fact that it isn't always possible for anyone to actually log in using these accounts.


When your AD contains lots of 'non-user' accounts, Torsion's access visibility features such as 'See Who Has Access' and Security Reports can get a bit cluttered. This can be a turnoff for your business users, and reduce the value you get from these features.


So, Torsion includes the ability to easily exclude certain accounts from the index. Excluded accounts won't be included in Torsion's visibility features and reports, and won't count towards displays of 'n people have access to this file'.


Obviously you'll need to be very careful not to exclude accounts which someone might actually use to access data, or you'll be creating blind spots in your own Data Access Governance. It's a balance to be found using careful thought and common sense.


It is also worth keeping in mind that you need a Torsion license for every non-external user account which hasn't been excluded. So if you have a lot of 'non-user' accounts, you can keep your costs down by excluding them.


Excluding 'Non-User' Accounts From Torsion, One-At-A-Time

You can exclude accounts from Torsion either one-at-a-time, or in bulk.


In your Torsion Admin Console, click Users > User Sources > Manage Excluded Accounts.


Under 'Add User', search for the account to exclude, and select it.



It is recommended to add as many accounts to the list as practical before you click OK, as saving updated Excluded Accounts configurations can take a few minutes.


Excluding 'Non-User' Accounts From Torsion, In Bulk

This process will let you quickly exclude many accounts at once, using PowerShell scripts to create an AD group with all the accounts to be excluded.


To perform this process, you must be able to authenticate to your AD with an account that has Read/Write permissions to the Users and Groups sections of your AD. For this part, we'll assume you have a working knowledge of using PowerShell for basic system administrative tasks.


Step 1: Download the PowerShell scripts attached to this article (scroll to the bottom of the page), 'Step 1 - ExportAllUserAccounts.ps1' and 'Step 3 - CreateExcludedUserGroup.ps1', and save them to a temporary working folder.

Run the first script, 'Step 1 - ExportAllUserAccounts.ps1'. It will export a list of all the accounts in your AD to a CSV file, 'Step 2 - AllUserAccounts.csv'.


Step 2: Open the CSV file with Excel. You'll see it contains a range of columns describing the accounts in your AD: UserPrincipalName, Id, DisplayName, AccountEnabled, IsExternal, CreatedDateTime, JobTitle, and Department. These columns should be enough for you to be able to pinpoint each account. You can edit the PowerShell script to include more columns if you need them.


You'll also see one additional column: ExcludeAccount. You need to put an 'X' in this column, for each account you want to exclude. You should be able to use Excel's sorting, filtering and searching capabilities with the other data columns to quickly mark every account to be excluded. Save the CSV file when you're done.


Step 3: Run the second script, 'Step 3 - CreateExcludedUserGroup.ps1'. It will create a new AD group called 'TIS_ExcludedAccounts', and add every account with an 'X' against it in the CSV.


If you need to make changes to the CSV, you can simply run 'Step 3 - CreateExcludedUserGroup.ps1' again, and it will re-sync your changes with the exclusion group. And if you lose the CSV, you can generate it again using the first script. The accounts in the exclusion group will still have their 'X' against them, so you won't have to start over.


Step 4: In your Torsion Admin Console, click Users > User Sources > Manage Excluded Accounts. 


Click Add Security Group. Search for the 'TIS_ExcludedAccounts' group, and click to add it.



Please note that it can take up to 20 minutes for new AD groups to become available for selection. If the group doesn't show up immediately, please try again after a short while.


Going forward, any user accounts added to this AD group will automatically be excluded from Torsion.
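A pre-flight check for the marked CSV from Step 2, to run before the Step 3 script. This is an added example, not one of the scripts attached to this article. It assumes the columns listed in Step 2 and that AccountEnabled and IsExternal are exported as True/False; the function name Get-ExclusionReview and the review rules are hypothetical.

```powershell
# Added example: review the marked CSV before running the Step 3 script.
# Column names are the ones listed in Step 2; the True/False text values
# and the review rules below are assumptions, not Torsion's own logic.
function Get-ExclusionReview {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        # Only rows marked with an 'X' are candidates for the exclusion group.
        if ("$($row.ExcludeAccount)".Trim() -ne 'X') { continue }

        $reasons = @()
        $enabled = "$($row.AccountEnabled)".Trim() -eq 'True'
        if ($enabled -and ($row.JobTitle -or $row.Department)) {
            # Enabled and carrying HR-style attributes: may be a real person.
            $reasons += 'enabled account with JobTitle/Department set'
        }
        if ("$($row.IsExternal)".Trim() -eq 'True') {
            # The article ties licensing to non-external accounts, so
            # excluding an external account only removes visibility.
            $reasons += 'external account'
        }
        [pscustomobject]@{
            UserPrincipalName = $row.UserPrincipalName
            NeedsReview       = $reasons.Count -gt 0
            Reasons           = $reasons -join '; '
        }
    }
}

# Constructed sample rows (not real accounts), in the Step 2 column layout.
$sample = @'
UserPrincipalName,Id,DisplayName,AccountEnabled,IsExternal,CreatedDateTime,JobTitle,Department,ExcludeAccount
svc-backup@contoso.example,00000000-0000-0000-0000-000000000001,Backup Service,True,False,2019-03-04T10:00:00Z,,,X
room-4a@contoso.example,00000000-0000-0000-0000-000000000002,Meeting Room 4A,False,False,2018-06-01T09:00:00Z,,,X
j.doe@contoso.example,00000000-0000-0000-0000-000000000003,Jane Doe,True,False,2021-01-11T08:30:00Z,Analyst,Finance,X
vendor_fabrikam.example#EXT#@contoso.example,00000000-0000-0000-0000-000000000004,Vendor User,True,True,2022-02-02T14:00:00Z,,,X
a.lee@contoso.example,00000000-0000-0000-0000-000000000005,Alex Lee,True,False,2022-05-02T12:00:00Z,Engineer,IT,
'@ | ConvertFrom-Csv

# For the real file: $rows = Import-Csv '.\Step 2 - AllUserAccounts.csv'
$review = Get-ExclusionReview -Rows $sample
$review | Format-Table -AutoSize
```

Rows with NeedsReview set to True are the ones most likely to create a blind spot if excluded, so confirm each of them by hand before running the Step 3 script.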
