Inactive User Accounts

Identifies user accounts inactive for 90+ days

Category
Identity
Default severity
Medium
Rule key
CHECK_INACTIVE_USERS

Why this matters

What this means

User accounts were found that have not signed in for over 90 days. These dormant accounts still have active credentials and any previously assigned roles and group memberships.

Why is it a security risk?

  • Inactive accounts are prime targets for credential-stuffing and password-spray attacks — the legitimate owner is unlikely to notice unusual sign-in activity.
  • Former employees or contractors whose accounts were not properly off-boarded may still have access to sensitive resources.
  • Each unused account with a valid password is a dormant entry point into your organisation.

Recommended next steps

  1. Go to Microsoft Entra admin center → Users and sort or filter by last sign-in activity.
  2. Cross-reference with HR records to identify users who have left the organisation.
  3. Disable sign-in for confirmed inactive accounts, then delete after a grace period.
  4. Set up Access Reviews to automatically flag inactive accounts on a recurring basis.
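
The steps above can be scripted against Microsoft Graph instead of sorting by hand in the admin center. The following PowerShell is an added example, not EntraAnalyzer's own code: it assumes the Microsoft.Graph.Users module is installed, that the caller can consent to the User.Read.All and AuditLog.Read.All scopes listed below, and that the tenant holds a Microsoft Entra ID P1 or P2 licence (the signInActivity property is not returned otherwise). It reports enabled accounts with no interactive or non-interactive sign-in in the last 90 days, treats accounts that have never signed in as inactive only when they are older than the window, and writes the result to CSV for the HR cross-check in step 2. The optional -DisableFound switch performs step 3 with -WhatIf so nothing changes until the preview is reviewed; it needs User.ReadWrite.All, which the read-only scan does not request.

```powershell
# Added example (not EntraAnalyzer code): list enabled users with no sign-in in the last N days.
# Assumes Microsoft.Graph.Users is installed and signInActivity is available (Entra ID P1/P2).
param(
    [int]$InactiveDays = 90,
    [switch]$DisableFound   # opt-in remediation; needs User.ReadWrite.All in addition to the read scopes
)

$scopes = @('User.Read.All', 'AuditLog.Read.All')
if ($DisableFound) { $scopes += 'User.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# signInActivity is only returned when requested explicitly via -Property; -All handles paging.
$users = Get-MgUser -All -Property @(
    'id', 'displayName', 'userPrincipalName', 'accountEnabled',
    'userType', 'createdDateTime', 'signInActivity'
)

$inactive = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }   # already disabled accounts are not the finding

    # Consider both interactive and non-interactive sign-ins: an account used only by a
    # background client still authenticates and is not dormant.
    $stamps = @(
        $u.SignInActivity.LastSignInDateTime,
        $u.SignInActivity.LastNonInteractiveSignInDateTime
    ) | Where-Object { $_ }
    $lastSeen = $stamps | Sort-Object -Descending | Select-Object -First 1

    if ($null -eq $lastSeen) {
        # No sign-in recorded at all (or none since Graph began tracking). Treat as inactive
        # only if the account predates the window; a newly created account is not dormant.
        if ($u.CreatedDateTime -and $u.CreatedDateTime -lt $cutoff) {
            [pscustomobject]@{
                Id = $u.Id; UPN = $u.UserPrincipalName; Type = $u.UserType
                LastSeen = 'never'; Reason = 'no sign-in recorded'
            }
        }
    }
    elseif ($lastSeen -lt $cutoff) {
        [pscustomobject]@{
            Id = $u.Id; UPN = $u.UserPrincipalName; Type = $u.UserType
            LastSeen = $lastSeen.ToUniversalTime().ToString('u'); Reason = "no sign-in for $InactiveDays days"
        }
    }
}

$inactive | Sort-Object LastSeen | Format-Table UPN, Type, LastSeen, Reason -AutoSize
$inactive | Export-Csv -Path ".\inactive-users-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

if ($DisableFound) {
    foreach ($row in $inactive) {
        # Block sign-in first; deletion comes later after the grace period. Remove -WhatIf to apply.
        Update-MgUser -UserId $row.Id -AccountEnabled:$false -WhatIf
    }
}
```

Guest accounts (userType Guest) show up in the same list; many organisations apply a shorter window to them, which is a matter of changing -InactiveDays for that subset rather than the detection logic. The CSV is the artefact to reconcile against HR records before anything is disabled.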

How to fix it

Disable or remove inactive user accounts

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All
  • User.Read.All
  • AuditLog.Read.All

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.