EntraAnalyzer
High

Disabled users still assigned to roles

Detects disabled user accounts that are still members of directory roles

Category
Identity
Default severity
High
Rule key
CHECK_DISABLED_USERS_WITH_ROLES
Last updated

How to fix it

Remove disabled users from all directory roles as part of the off-boarding process.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All

Further reading

Search Microsoft Learn for related guidance →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →