GOV-02: Automatically Disable Stale Accounts

Frequently asked questions about implementing and managing the GOV-02 security control in Microsoft 365 and Entra ID.

Q
What is GOV-02 (Automatically Disable Stale Accounts)?
A

GOV-02 is a security control that requires accounts inactive for 90+ days to be automatically disabled, with a warning notification sent 14 days before disabling. Emergency access accounts and service accounts are excluded. The control exists because manual reviews miss accounts: automated disabling ensures that former employees, forgotten accounts, and inactive identities cannot be used by attackers, and the 14-day warning prevents disruption for legitimate users.

Related controls: GOV-02
Q
Why is Automatically Disable Stale Accounts important for Microsoft 365 security?
A

Manual reviews miss accounts. Automated disabling ensures that former employees, forgotten accounts, and inactive identities cannot be used by attackers. The 14-day warning prevents disruption for legitimate users.

Related controls: GOV-02
Q
How do I implement GOV-02 in my tenant?
A

TrueConfig can automate stale account disabling with exclusion lists.

Related controls: GOV-02
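
The decision logic GOV-02 describes (90+ days inactive, 14-day warning, exclusion list) can be sketched as follows. This is an added example, not TrueConfig's implementation; it assumes user records shaped like Microsoft Graph user objects, that the warning starts at 76 days of inactivity, and that an account with no recorded sign-in is aged from its creation date. All sample records are constructed.

```python
from datetime import datetime, timezone

INACTIVE_DAYS = 90   # GOV-02: disable after 90+ days of inactivity
WARNING_DAYS = 14    # GOV-02: warn 14 days before disabling

def _parse(ts):
    """Parse an ISO 8601 UTC timestamp such as 2025-01-01T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(user, now, excluded_ids):
    """Return 'excluded', 'already_disabled', 'disable', 'warn' or 'active'."""
    if user["id"] in excluded_ids:
        return "excluded"  # emergency access and service accounts
    if not user.get("accountEnabled", True):
        return "already_disabled"
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    # Assumption: a never-used account is aged from createdDateTime,
    # otherwise forgotten accounts with no sign-in would never go stale.
    idle_days = (now - _parse(last or user["createdDateTime"])).days
    if idle_days >= INACTIVE_DAYS:
        return "disable"
    if idle_days >= INACTIVE_DAYS - WARNING_DAYS:
        return "warn"
    return "active"

def plan(users, now, excluded_ids):
    """Map each user principal name to the action the control calls for."""
    return {u["userPrincipalName"]: classify(u, now, excluded_ids) for u in users}

def _user(uid, created, last=None, enabled=True):
    """Build a constructed sample record (hypothetical helper)."""
    return {"id": uid, "userPrincipalName": uid + "@example.com",
            "accountEnabled": enabled, "createdDateTime": created,
            "signInActivity": {"lastSignInDateTime": last} if last else None}

# Constructed sample data, evaluated at a fixed point in time
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
EXCLUDED = {"breakglass"}
USERS = [
    _user("alice", "2023-01-01T00:00:00Z", "2025-05-20T08:00:00Z"),
    _user("bob", "2023-01-01T00:00:00Z", "2025-03-15T00:00:00Z"),
    _user("carol", "2023-01-01T00:00:00Z", "2025-01-10T00:00:00Z"),
    _user("dave", "2024-11-01T00:00:00Z"),  # never signed in
    _user("erin", "2023-01-01T00:00:00Z", "2024-06-01T00:00:00Z", enabled=False),
    _user("breakglass", "2022-01-01T00:00:00Z", "2024-01-01T00:00:00Z"),
]

if __name__ == "__main__":
    for upn, action in plan(USERS, NOW, EXCLUDED).items():
        print(f"{upn:28} {action}")
```
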
Q
What license do I need for GOV-02?
A

This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.

Related controls: GOV-02
Q
Which security baseline includes GOV-02?
A

GOV-02 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls: GOV-02
