Dormant Users: Stale Account Access & Persistence Risk

Why this risk matters

Dormant user accounts are directory identities (Microsoft Entra ID, formerly Azure AD) that have not signed in for an extended period but remain enabled and still hold access to Microsoft 365 resources. These accounts are commonly overlooked during offboarding, role changes, or organisational restructuring, and represent a quiet but persistent risk.

Overe flags accounts that remain enabled but show no sign-in activity for longer than a defined threshold. The risk is not that these accounts are currently being abused; it is that an attacker who acquires the credentials can sign in largely unnoticed. Dormant accounts are rarely monitored, seldom appear in daily operational review, and may not trigger alerts even after compromise, because there is no account owner around to notice unusual behaviour.

Former employees, contractors, or vendors whose accounts were not disabled on departure represent the clearest risk profile. But dormant accounts also include internal staff who changed roles or moved teams and whose access was never reviewed.

What happens if this is abused

  • Former employee or contractor credential used to re-access the organisation months or years after departure
  • Attacker acquires dormant credentials through a breach or credential dump and uses them to access live data
  • Sign-in activity not noticed because there is no active owner to report unusual behaviour
  • Sensitive data, emails, or files accessed without triggering behavioural anomalies
  • Account used as a persistence mechanism after a more visible compromise is discovered and remediated
  • Access to shared resources, Teams channels, SharePoint, or applications maintained long after the person left

When this is expected or acceptable

Some accounts may show low or no sign-in activity for legitimate reasons — extended leave, parental leave, secondment, or seasonal workers. These should be documented with an expected return date.

Break-glass or emergency accounts are intentionally dormant most of the time. These should be clearly identified and monitored through dedicated alerting rather than general dormancy flags, and excluded from routine dormancy remediation.

Service accounts that authenticate non-interactively (for example with a client secret or certificate) never produce an interactive sign-in, so they can look dormant in the interactive sign-in log while being in daily use. Always check the non-interactive sign-in log and confirm how the account authenticates before taking action on a service account.

Checks to perform before taking action

Before disabling or removing a dormant account:

  • Confirm the account's last interactive sign-in date and last non-interactive sign-in date separately; a service account that authenticates with a secret or certificate will only ever appear in the non-interactive log
  • Check whether the account belongs to a current employee, a former employee, a contractor, or a service account
  • Check with HR or the line manager whether the individual is on leave, has changed roles, or has left the organisation
  • Review what groups, licences, and applications the account has access to
  • Check whether the account has any active delegates, shared mailbox access, or forwarding rules that might still be in use
  • Review Overe for any related risk signals or alerts tied to the account
  • Confirm whether disabling the account would affect any shared resources or workflows

Safe remediation steps

  1. Use Overe to review the full list of dormant accounts and sort by last sign-in date and access scope
  2. Separate dormant accounts into categories: confirmed leavers, possible leavers, leave of absence, and service accounts
  3. For confirmed leavers, disable the account rather than deleting it; this blocks sign-in immediately, preserves the mailbox and files, and can be reversed if the account turns out to be needed
  4. For accounts where ownership is unclear, contact the manager or HR before taking action
  5. Where the account has an active mailbox or SharePoint access, consider converting to a shared mailbox before disabling
  6. For service accounts showing no sign-in activity, investigate whether the dependent service is still active before making any changes
  7. Set a review cycle for dormant accounts to prevent the list from growing again over time

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.
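The checks and the categorisation above, written out as an added example in Python over constructed user records (this is not Overe's code or output). The record fields mirror the Microsoft Graph user resource (accountEnabled and signInActivity.lastSignInDateTime / lastNonInteractiveSignInDateTime, which Graph returns as UTC timestamps; reading signInActivity requires the AuditLog.Read.All permission and a Microsoft Entra ID P1 or P2 licence). The service-account, break-glass and HR flags are assumed to come from your own inventory and HR feed, the 90-day threshold is assumed, and all sample accounts and dates are constructed. The point the example makes is that the dormancy decision must take the later of the two sign-in dates, so a service account that is busy every night but never signs in interactively is not disabled by mistake, and that each category maps to a different safe action.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANCY_DAYS = 90  # assumed threshold for this example; Overe's is configured separately


@dataclass
class UserRecord:
    upn: str
    account_enabled: bool                # Graph: accountEnabled
    last_interactive: Optional[str]      # Graph: signInActivity.lastSignInDateTime (ISO 8601, 'Z')
    last_non_interactive: Optional[str]  # Graph: signInActivity.lastNonInteractiveSignInDateTime
    is_service_account: bool = False     # assumed: from your own inventory, not from Graph
    is_break_glass: bool = False         # assumed: from your own inventory, not from Graph
    hr_status: str = "unknown"           # assumed HR feed: "active", "leave", "left" or "unknown"


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Graph timestamps end in 'Z'; datetime.fromisoformat needs '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def last_seen(user: UserRecord) -> Optional[datetime]:
    """Most recent of the interactive and non-interactive sign-ins, or None if neither exists.

    Judging on the interactive date alone would mark a secret- or certificate-based
    service account dormant even when it authenticates every night.
    """
    stamps = [t for t in (parse_ts(user.last_interactive), parse_ts(user.last_non_interactive)) if t]
    return max(stamps) if stamps else None


def classify(user: UserRecord, now: datetime, threshold_days: int = DORMANCY_DAYS) -> str:
    """Place an account into one of the triage categories used on this page."""
    if not user.account_enabled:
        return "already_disabled"
    if user.is_break_glass:
        return "break_glass_excluded"  # monitored by dedicated alerting, never auto-remediated
    seen = last_seen(user)
    if seen is not None and now - seen <= timedelta(days=threshold_days):
        return "active"
    if user.is_service_account:
        return "service_account_investigate"
    if user.hr_status == "leave":
        return "leave_of_absence"
    if user.hr_status == "left":
        return "confirmed_leaver"
    return "possible_leaver"


# Safe action per category: disable, never delete; hold where ownership is unclear.
ACTIONS = {
    "confirmed_leaver": "disable (do not delete); review delegates, forwarding rules and shared access first",
    "possible_leaver": "hold: confirm status with HR or the line manager before any change",
    "leave_of_absence": "document the expected return date and re-check on return",
    "service_account_investigate": "confirm the dependent service is retired before disabling",
    "break_glass_excluded": "exclude from dormancy remediation; covered by dedicated alerting",
    "active": "no action",
    "already_disabled": "no action",
}


def triage(users, now: datetime, threshold_days: int = DORMANCY_DAYS) -> dict:
    """Map each UPN to its category so the result can be sorted and reviewed."""
    return {u.upn: classify(u, now, threshold_days) for u in users}


# Constructed sample data (not a real tenant). A fixed 'now' keeps the results stable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    UserRecord("j.smith@contoso.example", True, "2023-10-02T08:14:00Z", "2023-10-02T09:00:00Z", hr_status="left"),
    UserRecord("svc-backup@contoso.example", True, None, "2024-05-30T02:00:00Z", is_service_account=True),
    UserRecord("svc-legacy@contoso.example", True, None, "2023-01-15T02:00:00Z", is_service_account=True),
    UserRecord("breakglass01@contoso.example", True, None, None, is_break_glass=True),
    UserRecord("a.patel@contoso.example", True, "2024-01-20T17:45:00Z", None, hr_status="leave"),
    UserRecord("m.chen@contoso.example", True, "2023-12-01T10:00:00Z", None),
    UserRecord("k.lee@contoso.example", True, "2024-05-28T10:00:00Z", None, hr_status="active"),
]

if __name__ == "__main__":
    for upn, category in triage(SAMPLE_USERS, NOW).items():
        print(f"{upn:32} {category:28} -> {ACTIONS[category]}")
```

In the sample, svc-backup has no interactive sign-in at all but a non-interactive one two days ago, so it classifies as active; svc-legacy has been silent for over a year and goes to the investigate bucket rather than straight to disable. To feed real data in, pull users from Graph with $select=userPrincipalName,accountEnabled,signInActivity and build UserRecord objects from the JSON, keeping the inventory and HR flags in your own source of truth.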

Supporting documentation

Related risks and follow-on checks

  • Admins with risky MFA settings
  • Users with risky MFA settings
  • Dormant apps
  • Risky forwarding rules
  • Guest users with risky access