GOV-01: Reviewing and Disabling Stale Accounts

Overview

Stale accounts are user accounts that have not been actively used for an extended period (typically 90+ days). These accounts represent a significant security risk as they may:

  • Be compromised without detection due to lack of monitoring
  • Retain access to sensitive resources despite the user no longer needing them
  • Violate compliance requirements for access management

This guide walks you through the process of identifying, reviewing, and disabling stale accounts in Microsoft 365.

Prerequisites

Required Roles

  • Global Administrator or User Administrator - Required to disable/delete accounts
  • Security Reader - Minimum for viewing sign-in activity reports

Required Licenses

  • Microsoft 365 Business Basic or higher (for basic sign-in logs)
  • Microsoft Entra ID P1 or higher (recommended for advanced filtering and 30-day sign-in log retention)
  • Microsoft Entra ID P2 (recommended for 90-day sign-in log retention)

Required Permissions

  • Access to Microsoft Entra admin center
  • Access to Microsoft 365 admin center

Time Estimate

Task                         Duration
Initial review and export    30-45 minutes
Stakeholder coordination     1-2 hours
Account disabling            15-30 minutes
Verification                 15 minutes
Total                        2-4 hours

Step-by-Step Instructions

Step 1: Access the Inactive Users Report

  1. Navigate to Microsoft Entra admin center: https://entra.microsoft.com
  2. Go to Identity > Users > All users
  3. Click Sign-in logs in the left navigation
  4. Set the date range filter to show the last 90 days

Alternative Method - Using User List:

  1. Navigate to Identity > Users > All users
  2. Click Add filter
  3. Select Last sign-in (non-interactive) as the filter
  4. Set the date to 90 days ago or earlier

Step 2: Export the Stale Accounts List

  1. From the filtered view, click Download > Download CSV
  2. Select the columns to include:
    • Display name
    • User principal name
    • Last sign-in date
    • Account enabled status
    • Department
    • Manager
  3. Save the CSV file for review

Step 3: Review and Validate Accounts

Before disabling accounts, validate each one:

  1. Check for service accounts: Some accounts may be used for automated processes
  2. Verify with managers: Contact the listed manager to confirm the user's status
  3. Check leave status: Users on extended leave should not be disabled
  4. Review group memberships: Document critical group memberships before disabling

Create a spreadsheet with the following columns:

  • User principal name
  • Last sign-in date
  • Manager contacted (Yes/No)
  • Action (Disable/Keep/Delete)
  • Notes
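
The following script is an added example, not part of the original guide: it builds the Step 3 review spreadsheet straight from Microsoft Graph, applying the same 90-day threshold as Step 1 and pre-marking accounts that match the svc-* convention for manual review. It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1 or higher tenant (signInActivity is otherwise empty), and the constructed output file name stale-accounts-review.csv.

```powershell
# Added example (not from the original guide): build the Step 3 review sheet from
# Microsoft Graph instead of filtering in the portal. Assumes the Microsoft.Graph
# PowerShell SDK; signInActivity is only populated on Entra ID P1 or higher.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$threshold = (Get-Date).ToUniversalTime().AddDays(-90)   # staleness cutoff used in this guide
$outFile   = "stale-accounts-review.csv"                 # assumed output path

# signInActivity is only returned when selected explicitly, so list every property
$props = "id,displayName,userPrincipalName,accountEnabled,department,createdDateTime,signInActivity"
$users = Get-MgUser -All -Property $props

$review = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }   # already disabled: nothing to review

    # Use the most recent of interactive and non-interactive sign-ins; an account
    # used only by a background job shows up under the non-interactive value.
    $act  = $u.SignInActivity
    $last = @($act.LastSignInDateTime, $act.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # Never-used accounts count as stale only once they are older than the threshold
    if (-not $last -and $u.CreatedDateTime -gt $threshold) { continue }
    if ($last -and $last -gt $threshold) { continue }

    # Manager UPN from the directory object (assumed to be present in AdditionalProperties)
    $mgr    = Get-MgUserManager -UserId $u.Id -ErrorAction SilentlyContinue
    $mgrUpn = if ($mgr) { $mgr.AdditionalProperties['userPrincipalName'] } else { "" }

    # Pre-fill the Action column: svc-* accounts get a human decision (Step 3, item 1)
    $action = if ($u.UserPrincipalName -like "svc-*") { "Review" } else { "Disable" }

    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        LastSignInDate    = if ($last) { $last.ToString("yyyy-MM-dd") } else { "never" }
        AccountEnabled    = $u.AccountEnabled
        Department        = $u.Department
        Manager           = $mgrUpn
        ManagerContacted  = "No"
        Action            = $action
        Notes             = ""
    }
}

$review | Sort-Object LastSignInDate | Export-Csv $outFile -NoTypeInformation
Write-Host "Wrote $(@($review).Count) candidate stale accounts to $outFile"
```

The resulting CSV already carries the Manager contacted, Action and Notes columns, so reviewers fill in their decisions in place before anything is disabled.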

Step 4: Disable Stale Accounts

For Individual Accounts:

  1. Navigate to Identity > Users > All users
  2. Search for and select the user account
  3. Click Edit properties
  4. Under Settings, toggle Account enabled to No
  5. Click Save

For Bulk Disabling (PowerShell):

# Connect to Microsoft Graph (User.ReadWrite.All also covers the session revocation in Step 5)
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Import the list of accounts to disable; the CSV needs a UserPrincipalName column
$usersToDisable = Import-Csv "stale-accounts.csv"

foreach ($user in $usersToDisable) {
    try {
        # -AccountEnabled:$false blocks new sign-ins without deleting the account
        Update-MgUser -UserId $user.UserPrincipalName -AccountEnabled:$false -ErrorAction Stop
        Write-Host "Disabled: $($user.UserPrincipalName)"
    } catch {
        Write-Warning "Failed to disable $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}

Step 5: Revoke Active Sessions

After disabling accounts, revoke any active sessions:

  1. Navigate to the user's profile in Entra admin center
  2. Click Revoke sessions
  3. Confirm the action

For Bulk Session Revocation (PowerShell):

foreach ($user in $usersToDisable) {   # list imported in the Step 4 script
    try {
        Revoke-MgUserSignInSession -UserId $user.UserPrincipalName -ErrorAction Stop | Out-Null
        Write-Host "Sessions revoked: $($user.UserPrincipalName)"
    } catch {
        Write-Warning "Failed to revoke sessions for $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}

Step 6: Document Actions

  1. Update your tracking spreadsheet with:
    • Date of action
    • Action taken (disabled/deleted)
    • Administrator who performed the action
  2. Save the documentation for compliance audits
  3. Set a calendar reminder for 30 days to review for deletion
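
To carry out Steps 4 to 6 from the reviewed spreadsheet in one pass, here is an added example script (not from the original guide) that only touches rows whose Action column is Disable, removes directly assigned licenses as recommended under Cost Considerations, and writes the audit record Step 6 asks for. The file names, the column layout and the svc-* naming convention are assumptions.

```powershell
# Added example (not from the original guide): act on the reviewed sheet from Step 3.
# Rows marked Disable are disabled, have sessions revoked and direct licenses removed,
# and every row gets a Step 6 audit record. Assumes UserPrincipalName and Action columns.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$reviewed = Import-Csv "stale-accounts-review.csv"   # assumed input path
$auditLog = "stale-account-actions.csv"              # assumed audit trail path
$admin    = (Get-MgContext).Account                  # administrator performing the action

function New-AuditRecord($Upn, $Action, $Result) {
    [pscustomobject]@{ Date = (Get-Date -Format s); UserPrincipalName = $Upn; Action = $Action
                       Administrator = $admin; Result = $Result }
}

$records = foreach ($row in $reviewed) {
    $upn = $row.UserPrincipalName
    if ($row.Action -ne "Disable") {
        New-AuditRecord $upn "Skipped ($($row.Action))" "reviewer decision"
        continue
    }
    # Guard for Step 3 item 1: never disable a svc-* account from a bulk run
    if ($upn -like "svc-*") {
        New-AuditRecord $upn "Skipped" "service account naming convention"
        continue
    }
    try {
        $user = Get-MgUser -UserId $upn -Property "id,assignedLicenses" -ErrorAction Stop
        Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
        Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
    } catch {
        New-AuditRecord $upn "Disable attempted" "FAILED: $($_.Exception.Message)"
        continue
    }
    # Remove directly assigned licenses right away (Cost Savings section); licenses inherited
    # from a group cannot be removed per user, so that failure is logged rather than fatal.
    $skus = @($user.AssignedLicenses | ForEach-Object { $_.SkuId })
    $licNote = "no licenses"
    if ($skus.Count -gt 0) {
        try {
            Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus -ErrorAction Stop | Out-Null
            $licNote = "$($skus.Count) license(s) removed"
        } catch { $licNote = "license removal failed: $($_.Exception.Message)" }
    }
    New-AuditRecord $upn "Disabled" "sessions revoked; $licNote"
}

$records | Export-Csv $auditLog -NoTypeInformation -Append
```

Because the audit file is appended to on every run, it doubles as the compliance record Step 6 and the Verification Checklist refer to.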

Verification Checklist

After completing the remediation, verify the following:

  • All identified stale accounts have been disabled
  • Active sessions have been revoked for disabled accounts
  • Manager notifications have been sent
  • Documentation has been saved for audit purposes
  • Disabled accounts no longer appear in active user counts
  • Sign-in attempts for disabled accounts are blocked (test if possible)
  • Calendar reminder set for permanent deletion review

Troubleshooting

Issue: Cannot Disable a Synced Account

Cause: The account is synchronized from on-premises Active Directory.

Solution:

  1. Disable the account in on-premises Active Directory
  2. Run a delta sync: Start-ADSyncSyncCycle -PolicyType Delta
  3. Wait for synchronization to complete (typically 30 minutes)

Issue: User Still Has Access After Disabling

Cause: Active tokens may persist for up to 1 hour after session revocation.

Solution:

  1. Revoke sessions again
  2. Wait for token expiration (up to 1 hour)
  3. For immediate revocation, use Conditional Access to block the user specifically

Issue: Cannot Find Sign-in Activity

Cause: Sign-in logs have limited retention based on license.

Solution:

  • Microsoft Entra ID Free: 7 days retention
  • Microsoft Entra ID P1: 30 days retention
  • Microsoft Entra ID P2: 90 days retention

Consider exporting logs to Azure Log Analytics for longer retention.

Issue: Accidentally Disabled a Service Account

Solution:

  1. Immediately re-enable the account
  2. Document the incident
  3. Add a note to the account description indicating it's a service account
  4. Consider using a naming convention for service accounts (e.g., svc-*)

Cost Considerations

License Requirements

Feature                          License Required          Monthly Cost (approx.)
Basic sign-in logs (7 days)      Microsoft Entra ID Free   Included
Extended sign-in logs (30 days)  Microsoft Entra ID P1     $6/user/month
Extended sign-in logs (90 days)  Microsoft Entra ID P2     $9/user/month
Log Analytics export             Azure subscription        ~$2.30/GB ingested

Cost Savings from Cleanup

Disabling and eventually deleting stale accounts can result in significant license savings:

  • Example: 50 unused Microsoft 365 Business Premium licenses at $22/user/month = $1,100/month savings
  • Remove licenses from disabled accounts immediately
  • Set a 30-day retention period before permanent deletion

Automation Options

  • Microsoft Entra ID Governance (P2): Automated access reviews can identify stale accounts automatically
  • Azure Automation: Schedule PowerShell scripts to run weekly reports
  • Third-party tools: Consider SIEM integration for continuous monitoring

Best Practices

  1. Establish a regular review cadence: Monthly or quarterly stale account reviews
  2. Define clear thresholds: Document what constitutes a "stale" account (e.g., 90 days)
  3. Implement a warning process: Notify managers before disabling accounts
  4. Maintain documentation: Keep records for compliance and auditing
  5. Automate where possible: Use access reviews or scheduled scripts

Related Controls

  • GOV-02: Bulk cleanup of inactive users (permanent deletion)
  • GOV-03: Access reviews for automated stale account detection
  • EXT-04: Configure Guest Access Expiration

Revision History

Date        Version  Author      Changes
2025-01-07  1.0      TrueConfig  Initial release