GOV-01: Reviewing and Disabling Stale Accounts
Overview
Stale accounts are user accounts that have not been actively used for an extended period (typically 90+ days). These accounts represent a significant security risk as they may:
- Be compromised without detection due to lack of monitoring
- Retain access to sensitive resources despite the user no longer needing them
- Violate compliance requirements for access management
This guide walks you through the process of identifying, reviewing, and disabling stale accounts in Microsoft 365.
Prerequisites
Required Roles
- Global Administrator or User Administrator - Required to disable/delete accounts
- Security Reader - Minimum for viewing sign-in activity reports
Required Licenses
- Microsoft 365 Business Basic or higher (for basic sign-in logs)
- Microsoft Entra ID P1 or higher (recommended for advanced filtering and 30-day sign-in log retention)
- Microsoft Entra ID P2 (recommended for 90-day sign-in log retention)
Required Permissions
- Access to Microsoft Entra admin center
- Access to Microsoft 365 admin center
Time Estimate
| Task | Duration |
|---|---|
| Initial review and export | 30-45 minutes |
| Stakeholder coordination | 1-2 hours |
| Account disabling | 15-30 minutes |
| Verification | 15 minutes |
| Total | 2-4 hours |
Step-by-Step Instructions
Step 1: Access the Inactive Users Report
- Navigate to Microsoft Entra admin center: https://entra.microsoft.com
- Go to Identity > Users > All users
- Click Sign-in logs in the left navigation
- Set the date range filter to show the last 90 days
Alternative Method - Using User List:
- Navigate to Identity > Users > All users
- Click Add filter
- Select Last sign-in (non-interactive) as the filter
- Set the date to 90 days ago or earlier
Step 2: Export the Stale Accounts List
- From the filtered view, click Download > Download CSV
- Select the columns to include:
  - Display name
  - User principal name
  - Last sign-in date
  - Account enabled status
  - Department
  - Manager
- Save the CSV file for review
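If you would rather build the review list from Microsoft Graph than from the portal export, the following script does the equivalent of Steps 1 to 3 in one pass. It is an added example, not part of the original guide or of any Microsoft tooling; it assumes the Microsoft.Graph PowerShell SDK is installed, that the tenant is licensed for the `signInActivity` property (Entra ID P1 or P2), and the output path is a placeholder. It goes a little beyond the portal filter: it takes the most recent of interactive and non-interactive sign-ins, treats never-signed-in accounts as stale only when they are older than the threshold, and pre-fills the columns the Step 3 spreadsheet needs.

```powershell
# Added example (not from the original guide): build the Step 3 review
# spreadsheet from Microsoft Graph. Assumes the Microsoft.Graph SDK,
# Entra ID P1/P2 for signInActivity, and AuditLog.Read.All consent.

$StaleDays  = 90
$OutputPath = ".\stale-accounts-review.csv"   # placeholder path

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# signInActivity cannot be combined with other $filter clauses in Graph, so
# pull the properties for every account and apply the threshold client-side.
$props = @("id", "displayName", "userPrincipalName", "accountEnabled", "department",
           "userType", "onPremisesSyncEnabled", "createdDateTime", "signInActivity")
$users = Get-MgUser -All -Property $props | Where-Object { $_.UserType -eq "Member" }

$review = foreach ($u in $users) {
    # Most recent of the interactive and non-interactive sign-in timestamps.
    $timestamps = @($u.SignInActivity.LastSignInDateTime,
                    $u.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    $lastSignIn = if ($timestamps) { ($timestamps | Sort-Object -Descending)[0] } else { $null }

    if ($lastSignIn) {
        $isStale = $lastSignIn -lt $cutoff
    } else {
        # Never signed in: only stale if the account itself is older than the
        # threshold, so freshly provisioned accounts are not swept up.
        $isStale = $u.CreatedDateTime -and ($u.CreatedDateTime -lt $cutoff)
    }
    if (-not $isStale) { continue }

    # Accounts without a manager make this call fail; suppress and leave blank.
    $mgr = Get-MgUserManager -UserId $u.Id -ErrorAction SilentlyContinue
    $managerUpn = if ($mgr) { $mgr.AdditionalProperties["userPrincipalName"] } else { "" }

    [pscustomobject]@{
        UserPrincipalName   = $u.UserPrincipalName
        DisplayName         = $u.DisplayName
        Department          = $u.Department
        Manager             = $managerUpn
        AccountEnabled      = $u.AccountEnabled
        SyncedFromOnPrem    = [bool]$u.OnPremisesSyncEnabled
        LastSignIn          = if ($lastSignIn) { $lastSignIn.ToString("u") } else { "never" }
        # Flag likely service accounts using the svc-* convention the guide suggests.
        PossibleServiceAcct = ($u.UserPrincipalName -like "svc-*")
        ManagerContacted    = ""   # filled in during Step 3
        Action              = ""   # Disable / Keep / Delete, decided in Step 3
        Notes               = ""
    }
}

$review | Sort-Object UserPrincipalName | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "$(@($review).Count) candidate accounts written to $OutputPath"
```

The `SyncedFromOnPrem` and `PossibleServiceAcct` columns exist so the reviewer can route synced accounts to the on-premises process (see Troubleshooting) and look harder at service accounts before anything is disabled.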
Step 3: Review and Validate Accounts
Before disabling accounts, validate each one:
- Check for service accounts: Some accounts may be used for automated processes
- Verify with managers: Contact the listed manager to confirm the user's status
- Check leave status: Users on extended leave should not be disabled
- Review group memberships: Document critical group memberships before disabling
Create a spreadsheet with the following columns:
- User principal name
- Last sign-in date
- Manager contacted (Yes/No)
- Action (Disable/Keep/Delete)
- Notes
Step 4: Disable Stale Accounts
For Individual Accounts:
- Navigate to Identity > Users > All users
- Search for and select the user account
- Click Edit properties
- Under Settings, toggle Account enabled to No
- Click Save
For Bulk Disabling (PowerShell):
```powershell
# Connect to Microsoft Graph with the scope needed to change account state
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Import the list of accounts to disable (CSV with a UserPrincipalName column)
$usersToDisable = Import-Csv "stale-accounts.csv"

foreach ($user in $usersToDisable) {
    Update-MgUser -UserId $user.UserPrincipalName -AccountEnabled:$false
    Write-Host "Disabled: $($user.UserPrincipalName)"
}
```
Step 5: Revoke Active Sessions
After disabling accounts, revoke any active sessions:
- Navigate to the user's profile in Entra admin center
- Click Revoke sessions
- Confirm the action
For Bulk Session Revocation (PowerShell):
```powershell
# Reuses the same CSV as the Step 4 script; repeat these two lines if running separately
Connect-MgGraph -Scopes "User.ReadWrite.All"
$usersToDisable = Import-Csv "stale-accounts.csv"

foreach ($user in $usersToDisable) {
    # Invalidates refresh tokens and browser session cookies for the account
    Revoke-MgUserSignInSession -UserId $user.UserPrincipalName
    Write-Host "Sessions revoked: $($user.UserPrincipalName)"
}
```
Step 6: Document Actions
- Update your tracking spreadsheet with:
  - Date of action
  - Action taken (disabled/deleted)
  - Administrator who performed the action
- Save the documentation for compliance audits
- Set a calendar reminder for 30 days to review for deletion
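Steps 3 to 6 fit together as one guarded workflow: act only on rows the review marked `Disable`, snapshot what the account had before touching it, then disable, revoke sessions, strip licenses and write the audit record. The script below is an added example, not from the original guide or from Microsoft; it assumes the Microsoft.Graph SDK, the review CSV produced in Step 3 (with `UserPrincipalName` and `Action` columns), and placeholder file paths. It also skips accounts synced from on-premises AD, since a cloud-side disable on those is reverted by the next sync cycle (see Troubleshooting).

```powershell
# Added example (not from the original guide): apply the Step 3 decisions with
# a pre-change snapshot and an audit trail. File paths are placeholders.

$ReviewPath   = ".\stale-accounts-review.csv"    # output of the Step 3 review
$SnapshotDir  = ".\snapshots"                    # one JSON file per account
$AuditLogPath = ".\stale-account-actions.csv"    # appended to on every run
$DryRun       = $true                             # set to $false to apply changes

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.Read.All"
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$admin = (Get-MgContext).Account

function New-AuditRow($Upn, $Action) {
    [pscustomobject]@{
        Date              = (Get-Date).ToString("u")
        UserPrincipalName = $Upn
        Action            = $Action
        Administrator     = $admin
    }
}

# Only rows the reviewer explicitly marked for disabling are processed.
$rows = Import-Csv $ReviewPath | Where-Object { $_.Action -eq "Disable" }

$audit = foreach ($row in $rows) {
    $upn = $row.UserPrincipalName
    $u = Get-MgUser -UserId $upn -Property "id,userPrincipalName,onPremisesSyncEnabled,assignedLicenses"

    if ($u.OnPremisesSyncEnabled) {
        # Must be disabled in on-premises AD and synced; a cloud change is overwritten.
        New-AuditRow $upn "Skipped: synced from on-premises AD, disable on-prem instead"
        continue
    }

    # Snapshot group memberships and licenses first so they can be restored
    # if the review was wrong (e.g. a service account, see Troubleshooting).
    $groups = @(Get-MgUserMemberOf -UserId $u.Id -All |
                ForEach-Object { $_.AdditionalProperties["displayName"] })
    $skus   = @($u.AssignedLicenses | ForEach-Object { $_.SkuId })
    [pscustomobject]@{
        UserPrincipalName = $upn
        Groups            = $groups
        LicenseSkuIds     = $skus
        CapturedAt        = (Get-Date).ToString("u")
    } | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $SnapshotDir "$($u.Id).json")

    if ($DryRun) {
        New-AuditRow $upn "Dry run: would disable, revoke sessions, remove $($skus.Count) license(s)"
        continue
    }

    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    if ($skus.Count -gt 0) {
        # Directly assigned licenses only; group-based licenses are removed by
        # removing the group membership, not per user.
        Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
    }
    New-AuditRow $upn "Disabled; sessions revoked; $($skus.Count) license(s) removed"
}

$audit | Export-Csv -Path $AuditLogPath -NoTypeInformation -Append
$audit | Format-Table -AutoSize
```

Run it once with `$DryRun = $true` and check the audit output and snapshot files against the review spreadsheet before flipping it to `$false`; the audit CSV then already has the date, action and administrator columns the Step 6 documentation asks for.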
Verification Checklist
After completing the remediation, verify the following:
- All identified stale accounts have been disabled
- Active sessions have been revoked for disabled accounts
- Manager notifications have been sent
- Documentation has been saved for audit purposes
- Disabled accounts no longer appear in active user counts
- Sign-in attempts for disabled accounts are blocked (test if possible)
- Calendar reminder set for permanent deletion review
Troubleshooting
Issue: Cannot Disable a Synced Account
Cause: The account is synchronized from on-premises Active Directory.
Solution:
- Disable the account in on-premises Active Directory
- Run a delta sync:
```powershell
Start-ADSyncSyncCycle -PolicyType Delta
```
- Wait for synchronization to complete (typically 30 minutes)
Issue: User Still Has Access After Disabling
Cause: Active tokens may persist for up to 1 hour after session revocation.
Solution:
- Revoke sessions again
- Wait for token expiration (up to 1 hour)
- For immediate revocation, use Conditional Access to block the user specifically
Issue: Cannot Find Sign-in Activity
Cause: Sign-in logs have limited retention based on license.
Solution:
- Microsoft Entra ID Free: 7 days retention
- Microsoft Entra ID P1: 30 days retention
- Microsoft Entra ID P2: 90 days retention
Consider exporting logs to Azure Log Analytics for longer retention.
Issue: Accidentally Disabled a Service Account
Solution:
- Immediately re-enable the account
- Document the incident
- Add a note to the account description indicating it's a service account
- Consider using a naming convention for service accounts (e.g., svc-*)
Cost Considerations
License Requirements
| Feature | License Required | Monthly Cost (approx.) |
|---|---|---|
| Basic sign-in logs (7 days) | Microsoft Entra ID Free | Included |
| Extended sign-in logs (30 days) | Microsoft Entra ID P1 | $6/user/month |
| Extended sign-in logs (90 days) | Microsoft Entra ID P2 | $9/user/month |
| Log Analytics export | Azure subscription | ~$2.30/GB ingested |
Cost Savings from Cleanup
Disabling and eventually deleting stale accounts can result in significant license savings:
- Example: 50 unused Microsoft 365 Business Premium licenses at $22/user/month = $1,100/month savings
- Remove licenses from disabled accounts immediately
- Set a 30-day retention period before permanent deletion
Automation Options
- Microsoft Entra ID Governance (P2): Automated access reviews can identify stale accounts automatically
- Azure Automation: Schedule PowerShell scripts to run weekly reports
- Third-party tools: Consider SIEM integration for continuous monitoring
Best Practices
- Establish a regular review cadence: Monthly or quarterly stale account reviews
- Define clear thresholds: Document what constitutes a "stale" account (e.g., 90 days)
- Implement a warning process: Notify managers before disabling accounts
- Maintain documentation: Keep records for compliance and auditing
- Automate where possible: Use access reviews or scheduled scripts
Related Controls
- GOV-02: Bulk cleanup of inactive users (permanent deletion)
- GOV-03: Access reviews for automated stale account detection
- EXT-04: Configure Guest Access Expiration
Revision History
| Date | Version | Author | Changes |
|---|---|---|---|
| 2025-01-07 | 1.0 | TrueConfig | Initial release |