GOV-01 | Medium | Recommended | Secure

Review Stale User Accounts

Governance & Hygiene control for Microsoft 365 and Entra ID

Why This Control Matters

Unused accounts are a common attacker foothold. Accounts belonging to former employees or contractors, and forgotten test or service accounts, keep valid credentials, group memberships, and licences, and because nobody is using them, a compromise can go unnoticed for a long time. Regular review ensures that only active users retain access.

Expected State

When this control is compliant, your tenant should meet these criteria:

  1. User accounts inactive for 90+ days are identified and reviewed
  2. Stale accounts are either disabled, deleted, or documented as exceptions
  3. Sign-in activity is reviewed at least quarterly

Enforcement

Default Mode
Advisory

Alerts on deviations but does not make changes

Auto-Remediation
Manual Only

Manual review required at Level 1; auto-disable available at Level 2
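As an added example (not TrueConfig's code or part of this page), the following Microsoft Graph PowerShell script carries out the review described under Expected State: it lists enabled users whose most recent interactive or non-interactive sign-in is older than the window, treats never-signed-in accounts as stale only once the account itself is older than the window, skips a documented exception list, and writes a CSV for the quarterly review. Without the -Disable switch it is report-only, matching Advisory mode; with -Disable it disables the remaining accounts, which corresponds to the Level 2 auto-disable behaviour. It assumes the Microsoft.Graph PowerShell SDK, an administrator granted User.Read.All and AuditLog.Read.All, and an Entra ID P1 or P2 licence (signInActivity is not returned otherwise); the parameter names, the example exception UPN, and the report path are assumptions.

```powershell
# Added example, not TrueConfig's code: find Entra ID accounts with no sign-in for
# 90+ days via Microsoft Graph PowerShell, report them, and optionally disable them.
# Assumptions: Microsoft.Graph SDK installed; signed-in admin has User.Read.All and
# AuditLog.Read.All; tenant is licensed for Entra ID P1/P2 (signInActivity needs it).
# Parameter names, the example exception UPN and the report path are illustrative.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,
    # UPNs documented as approved exceptions (e.g. emergency-access accounts)
    [string[]]$Exceptions = @('breakglass-1@contoso.com'),
    [string]$ReportPath = ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv",
    # Level 2 behaviour: disable stale accounts instead of only reporting them
    [switch]$Disable
)

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$props  = @('Id', 'UserPrincipalName', 'DisplayName', 'AccountEnabled',
            'UserType', 'CreatedDateTime', 'SignInActivity')

$users = Get-MgUser -All -Property $props

$stale = @(foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                  # already disabled
    if ($Exceptions -contains $u.UserPrincipalName) { continue }

    # Use whichever of interactive / non-interactive sign-in is most recent.
    # Non-interactive covers token refreshes by desktop and mobile apps, so
    # ignoring it would flag accounts that are in daily use.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    if ($null -eq $last) {
        # Never signed in: only a finding once the account is older than the
        # window. A new hire's account created last week is not stale.
        if ($u.CreatedDateTime -gt $cutoff) { continue }
        $reason = 'never signed in'
    }
    elseif ($last -gt $cutoff) { continue }
    else { $reason = "last sign-in $($last.ToString('u'))" }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        UserType          = $u.UserType          # Member or Guest
        Created           = $u.CreatedDateTime
        LastSignIn        = $last
        Reason            = $reason
    }
})

if ($stale.Count -gt 0) {
    $stale | Sort-Object LastSignIn | Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Host "$($stale.Count) stale account(s); report: $ReportPath"

if ($Disable) {
    foreach ($s in $stale) {
        # Running the script with -WhatIf previews this step without changing anything
        if ($PSCmdlet.ShouldProcess($s.UserPrincipalName, 'Disable account')) {
            Update-MgUser -UserId $s.UserPrincipalName -AccountEnabled:$false
        }
    }
}
```

Run the script without switches for the quarterly report, then with `-Disable -WhatIf` to preview exactly which accounts would be disabled before committing. Disabling rather than deleting keeps the user's mailbox and OneDrive content intact and the action reversible, which is why it is the safer first step for any account not yet documented as an exception.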

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.