Dormant Device

LOW
Note: This indicator is in Early Access.

Description

A dormant or stale device is a device account that has not completed any sign-in for a specified period (90 days by default, customizable through an option).

Dormant devices could introduce the following security risks and operational complications:

  • Increased attack surface: Obsolete configuration and unpatched vulnerabilities make dormant devices vulnerable to exploits that recent updates have addressed.
  • Easier compromise: Threat actors can use dormant devices to facilitate a full tenant compromise and gain unauthorized access to sensitive information.
  • Audits: Issues raised during compliance audits.
  • Resource consumption: Licenses that create unnecessary costs.
  • Performance degradation: Unnecessary device writebacks that prolong the time required for Microsoft Entra Connect syncs.

Also, consider the related IoE "Never Used Device" which identifies all devices that were pre-created but never used.

Note:

  1. This IoE relies on the approximateLastSignInDateTime property, which does not update in real time. The stored value is replaced only if it differs from the current time stamp by more than 14 days (+/-5 days).
  2. For this reason, Microsoft acknowledges that "some active devices may have a blank time stamp". In such instances, further investigation with sign-in audit logs is necessary to identify more frequent updates on the device.

Solution

Tenable recommends that you regularly review and disable or delete dormant devices. After identifying them, take the following actions:

  1. Disable them.
  2. Wait a few months.
  3. After this delay, if there are no reported issues, and if the organization's information security policy allows, proceed to delete them.

Microsoft published a guide on How To: Manage stale devices in Microsoft Entra ID, which provides insights into managing stale devices based on their join type (e.g., Microsoft Entra registered, Microsoft Entra joined, etc.). We recommend reviewing it before deleting any devices.
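
The triage described above can be sketched as follows. This is an added example, not Tenable's or Microsoft's code; the device records are constructed, and the "borderline" band (threshold plus up to 19 days of update lag) and the status and step names are assumptions derived from the note on approximateLastSignInDateTime.

```python
import json
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)    # the indicator's default threshold
UPDATE_LAG = timedelta(days=14 + 5)   # assumption: worst-case lag of the property

# Constructed sample, shaped like a Microsoft Graph "GET /devices" response.
SAMPLE = json.loads("""{"value": [
 {"id": "dev-1", "accountEnabled": true,  "approximateLastSignInDateTime": "2024-08-20T09:00:00Z"},
 {"id": "dev-2", "accountEnabled": true,  "approximateLastSignInDateTime": "2024-05-25T00:00:00Z"},
 {"id": "dev-3", "accountEnabled": true,  "approximateLastSignInDateTime": "2024-01-10T00:00:00Z"},
 {"id": "dev-4", "accountEnabled": false, "approximateLastSignInDateTime": "2023-11-02T00:00:00Z"},
 {"id": "dev-5", "accountEnabled": true,  "approximateLastSignInDateTime": null}
]}""")

def classify(device, now):
    """Return a status for one device based on approximateLastSignInDateTime."""
    raw = device.get("approximateLastSignInDateTime")
    if not raw:
        # Blank time stamp: may be an active device, so check sign-in logs.
        return "no-timestamp"
    last = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    age = now - last
    if age <= DORMANT_AFTER:
        return "active"
    if age <= DORMANT_AFTER + UPDATE_LAG:
        # Past the threshold, but the stored value may lag real activity.
        return "borderline"
    return "dormant"

def review_plan(devices, now):
    """Map device id -> (status, next step) following the steps above."""
    steps = {"active": "none", "borderline": "verify-in-sign-in-logs",
             "no-timestamp": "verify-in-sign-in-logs"}
    plan = {}
    for dev in devices:
        status = classify(dev, now)
        if status == "dormant":
            # Step 1 is disabling; deletion only follows the waiting period.
            step = "disable" if dev.get("accountEnabled") else "await-deletion-review"
        else:
            step = steps[status]
        plan[dev["id"]] = (status, step)
    return plan

if __name__ == "__main__":
    now = datetime(2024, 9, 1, tzinfo=timezone.utc)
    for dev_id, (status, step) in review_plan(SAMPLE["value"], now).items():
        print(f"{dev_id}: {status:12} -> {step}")
```

Devices that land in "borderline" or "no-timestamp" are the ones to confirm against sign-in logs before disabling anything.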

Indicator Details

Name: Dormant Device

Codename: DORMANT-DEVICE

Severity: Low

MITRE ATT&CK Information: