Dormant Users: Stale Account Access & Persistence Risk

Why this risk matters

Dormant user accounts are active directory identities that have not signed in for an extended period but still hold access to Microsoft 365 resources. These accounts are commonly overlooked during offboarding, role changes, or organisational restructuring, and represent a quiet but persistent risk.

Overe flags accounts that show no sign-in activity above a defined threshold while remaining enabled. The risk is not that these accounts are actively being abused — it is that if an attacker acquires the credentials, they can sign in largely undetected. Dormant accounts are rarely monitored, seldom appear in daily operational review, and may not trigger alerts even after compromise because the account owner is not around to notice unusual behaviour.

Former employees, contractors, or vendors whose accounts were not disabled on departure represent the clearest risk profile. But dormant accounts also include internal staff who changed roles or moved teams and whose access was never reviewed.

What happens if this is abused

  • Former employee or contractor credential used to re-access the organisation months or years after departure
  • Attacker acquires dormant credentials through a breach or credential dump and uses them to access live data without triggering behavioural anomalies
  • Sign-in activity not noticed because there is no active owner to report unusual behaviour or raise an alert
  • Sensitive data, emails, or files accessed without detection because dormant accounts sit outside normal monitoring scope
  • Account used as a persistence mechanism after a more visible compromise is discovered and remediated on the primary account
  • Access to shared resources, Teams channels, SharePoint, or applications maintained long after the person left
  • Former employee's delegate rights or shared mailbox access persist after the primary account appears disabled, providing a continued access path to historical communications
  • Dormant account with an active licence used as a staging environment for lateral movement — attacker blends in by using an identity that exists in your directory

When this is expected or acceptable

Some accounts may show low or no sign-in activity for legitimate reasons — extended leave, parental leave, secondment, or seasonal workers. These should be documented with an expected return date.

Break-glass or emergency accounts are intentionally dormant most of the time. These should be clearly identified and monitored through dedicated alerting rather than general dormancy flags, and excluded from routine dormancy remediation.

Service accounts that operate via non-interactive sign-ins may appear dormant in user sign-in logs but are actively used. Always confirm sign-in method before taking action on a service account.

Checks to perform before taking action

Before disabling or removing a dormant account:

  • Confirm the account's last interactive sign-in date and last non-interactive sign-in date — service account activity can look different
  • Check whether the account belongs to a current employee, a former employee, a contractor, or a service account
  • Check with HR or the line manager whether the individual is on leave, has changed roles, or has left the organisation
  • Review what groups, licences, and applications the account has access to
  • Check whether the account has any active delegates, shared mailbox access, or forwarding rules that might still be in use
  • Review Overe for any related risk signals or alerts tied to the account
  • Confirm whether disabling the account would affect any shared resources or workflows

Safe remediation steps

  1. Use Overe to review the full list of dormant accounts and sort by last sign-in date and access scope
  2. Separate dormant accounts into categories: confirmed leavers, possible leavers, leave of absence, and service accounts
  3. For confirmed leavers, disable the account rather than deleting it — this preserves data and is reversible
  4. For accounts where ownership is unclear, contact the manager or HR before taking action
  5. Where the account has an active mailbox or SharePoint access, consider converting to a shared mailbox before disabling
  6. For service accounts showing no sign-in activity, investigate whether the dependent service is still active before making any changes
  7. Set a review cycle for dormant accounts to prevent the list from growing again over time

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Require MFA for all users — Creates a Conditional Access Policy that grants access only to users who complete MFA.
  • Set passwords to never expire — Enforces the Password Expiration Policy to be set to 'Never Expire' as per Microsoft recommendation.
  • Block High-Risk Users — Creates a Conditional Access Policy that prevents any user categorized as 'High Risk' from signing in.

Supporting documentation

Related risks and follow-on checks

After reviewing dormant user accounts, also check these related risk areas:

  • Admins with Risky MFA Settings — dormant accounts with admin roles are particularly dangerous; confirm no inactive admin accounts remain enabled with weak authentication
  • Users with Risky MFA Settings — dormant accounts often have stale or weak MFA registration; if they are reactivated or compromised, authentication protection may be minimal
  • Dormant Apps — the same staleness problem applies to application credentials; a dormant app with an active client secret is a parallel risk worth reviewing alongside user accounts
  • Risky Inbox Forwarding Rules — a dormant account previously compromised may still have active forwarding rules silently exfiltrating mail; check rules on all accounts being reviewed
  • Guest Users with Risky Access — external identities can also become dormant; check guest users with no recent sign-in as part of the same review cycle
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.