How to Prevent Stale Account Attacks in Microsoft 365
Inactive and stale accounts are prime targets for attackers. Learn how to identify and remediate dormant accounts in Microsoft 365.
Stale accounts—belonging to former employees, unused service accounts, or abandoned projects—represent significant security risk. Attackers target these accounts because they are often forgotten, lack monitoring, and may have weak or unchanged credentials. This guide covers how to identify, disable, and prevent stale accounts in your Microsoft 365 environment.
Warning Signs
Watch for these indicators that may signal stale accounts in your environment:
- Accounts with no sign-in activity for 90+ days
- Service accounts with unknown purpose
- Former employee accounts still active
- Accounts without assigned licenses
- Test accounts from past projects
What Could Happen
- Account compromise goes undetected
- Attackers use stale accounts for persistence
- Compliance violations for access management
- License costs for unused accounts
- Data accessible via forgotten accounts
The Solution
Implement account lifecycle management, automate stale account detection, and establish regular access reviews to eliminate dormant accounts.
Implementation Steps
1. Run a stale account report (90+ days inactive)
2. Disable accounts for departed employees immediately
3. Review and document all service accounts
4. Implement automated account deprovisioning
5. Set up alerts for accounts inactive 60+ days
6. Remove or archive accounts inactive 90+ days
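A script that carries out steps 1 and 2 above, added here as an example and not part of this guide or the TrueConfig product: it uses the Microsoft Graph PowerShell SDK to list enabled accounts whose most recent interactive or non-interactive sign-in is older than the threshold, skips named break-glass accounts, and disables (never deletes) them only when run with -Disable. It assumes the Microsoft.Graph module is installed and the tenant holds an Entra ID P1/P2 licence, which the signInActivity property requires.

```powershell
# Added example (not TrueConfig code): report, and optionally disable, stale
# Microsoft 365 accounts with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed and Entra ID P1/P2 (needed for signInActivity).
param(
    [int]$StaleDays = 90,
    [string[]]$ExcludeUpn = @(),   # break-glass or intentionally dormant accounts
    [switch]$Disable                # report only unless this switch is given
)

Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','User.ReadWrite.All' -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$StaleDays)
$props  = @('id','displayName','userPrincipalName','accountEnabled',
            'createdDateTime','signInActivity','userType')
$users  = Get-MgUser -All -Property $props

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                      # already disabled
    if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }  # break-glass etc.
    # Use the newest of interactive sign-in, non-interactive sign-in (service
    # principals, token refreshes) and creation date, so an account that has
    # never signed in is measured from creation rather than flagged on day one.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime,
              $u.CreatedDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if ($last -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            UserType          = $u.UserType
            LastActivityUtc   = $last
            DaysInactive      = [int]($now - $last).TotalDays
        }
    }
}

$stale | Sort-Object DaysInactive -Descending |
    Export-Csv -Path ".\stale-accounts-$($now.ToString('yyyyMMdd')).csv" -NoTypeInformation
$stale | Format-Table -AutoSize

if ($Disable) {
    foreach ($s in $stale) {
        # Disable, do not delete (deletion waits for the holding period), and
        # revoke refresh tokens so existing sessions stop working immediately.
        Update-MgUser -UserId $s.UserPrincipalName -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $s.UserPrincipalName | Out-Null
        Write-Host "Disabled $($s.UserPrincipalName) (inactive $($s.DaysInactive) days)"
    }
}
```

Rows whose LastActivityUtc equals the account's creation date are the never-used accounts; review those against the service account inventory from step 3 before disabling.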
Ongoing Prevention
- Integrate HR system with identity management
- Monthly stale account review process
- Service account ownership requirements
- Automated access recertification
Frequently Asked Questions
What is considered a stale account?
A stale account is typically one with no sign-in activity for 90 days or more. However, service accounts and break-glass accounts may be intentionally inactive. Each account type should have appropriate activity expectations.
Should I delete or disable stale accounts?
Initially disable stale accounts rather than deleting them. Deletion is permanent and removes associated data. After a holding period (typically 30 days), accounts can be deleted if no business need is identified. Always retain audit logs.
Ready to protect your Microsoft 365 environment?
TrueConfig continuously monitors for this and other security risks, alerting you to issues before attackers can exploit them.