This IoE cannot work without a Microsoft Entra ID P1 or P2 license due to data availability restrictions by Microsoft.
A dormant user is a user account that has remained inactive by not completing any successful sign-in for a specified period (90 days by default, customizable through an option).
Dormant users could introduce the following security risks and operational complications:
- Potential targets for attackers if these accounts have weak or unchanged passwords, facilitating a compromise. For example, a CISA alert reported that "campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system".
- An increase in the Entra tenant's attack surface by creating potential vulnerabilities. For example, the same CISA alert reported that "Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities."
- Access for individuals who no longer require it, such as former employees or interns.
- Waste of resources such as licenses. Regularly identifying, deactivating, or removing dormant users allows organizations to optimize resource allocation and avoid unnecessary costs.
Also, consider the related IoE "Never Used Privileged User", which identifies all users that were pre-created but never used. The risk is higher for privileged users. See also the related IoE "Non-Privileged" for non-privileged users.
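As an added example (not Tenable's code), the detection logic described above applied to a constructed sample of Microsoft Graph user records: it reads signInActivity.lastSuccessfulSignInDateTime, uses the 90-day default threshold, sets aside accounts that never signed in (the scope of the Never Used IoE), and reports records with no signInActivity data at all (for instance when the tenant lacks the required P1/P2 license) as unknown rather than as clean. All user names and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample resembling the result of
# GET /users?$select=id,userPrincipalName,signInActivity (values are made up).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.com",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:00:00Z",
                        "lastSuccessfulSignInDateTime": "2024-05-01T08:00:00Z"}},
    # Failed attempts keep lastSignInDateTime fresh, but the last success is old:
    # this is exactly the case lastSuccessfulSignInDateTime is meant to catch.
    {"id": "u2", "userPrincipalName": "bob@example.com",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T09:00:00Z",
                        "lastSuccessfulSignInDateTime": "2023-12-15T10:00:00Z"}},
    # Pre-created, never signed in: belongs to the "Never Used" IoE, not this one.
    {"id": "u3", "userPrincipalName": "svc-backup@example.com",
     "signInActivity": {"lastSignInDateTime": None,
                        "lastSuccessfulSignInDateTime": None}},
    # No signInActivity data at all (e.g. licensing): cannot be judged.
    {"id": "u4", "userPrincipalName": "carol@example.com"},
]

# Reference "now" for the sample data (constructed).
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Parse a Graph ISO-8601 UTC timestamp such as 2024-05-01T08:00:00Z."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_dormant_users(users, now, threshold_days=90):
    """Return (dormant, unknown): UPNs whose last *successful* sign-in is older
    than threshold_days, and UPNs that carry no signInActivity data at all.
    Accounts that never signed in are skipped (covered by the Never Used IoE)."""
    cutoff = now - timedelta(days=threshold_days)
    dormant, unknown = [], []
    for user in users:
        activity = user.get("signInActivity")
        if activity is None:
            unknown.append(user["userPrincipalName"])
            continue
        last_ok = parse_graph_time(activity.get("lastSuccessfulSignInDateTime"))
        if last_ok is not None and last_ok < cutoff:
            dormant.append(user["userPrincipalName"])
    return dormant, unknown


if __name__ == "__main__":
    dormant, unknown = find_dormant_users(SAMPLE_USERS, REFERENCE_NOW)
    print("dormant:", dormant, "| unknown:", unknown)
```

Lowering threshold_days mirrors the customizable option mentioned above; a 20-day threshold would also flag the first sample user.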
Note: This IoE relies on the lastSuccessfulSignInDateTime property within the signInActivity property of User objects. Its advantage lies in reporting only successful sign-ins, which avoids the disruption caused by failed attempts, unlike the lastSignInDateTime property. The lastSuccessfulSignInDateTime property became available in December 2023. To access the signInActivity resource type, you need a Microsoft Entra ID P1 or P2 license for each tenant. Otherwise, this IoE cannot detect dormant users and therefore skips the entire analysis.
Tenable recommends that you regularly review and disable or delete dormant users, especially privileged ones. After identifying them, take the following actions:
Name: Dormant Privileged User
Codename: DORMANT-PRIVILEGED-USER
Severity: Medium
Type: Microsoft Entra ID Indicator of Exposure