Dormant User

LOW
Note: This indicator is in Early Access.

Description

This IoE cannot work without a Microsoft Entra ID P1 or P2 license due to data availability restrictions by Microsoft.

A dormant user is a user account that has remained inactive by not completing any successful sign-in for a specified period (90 days by default, customizable through an option).

Dormant users can introduce the following security risks and operational complications:

  • They are attractive targets for attackers, particularly when they keep weak or unchanged passwords that make a compromise easier.
  • They enlarge the Entra tenant's attack surface by adding accounts that can become vulnerabilities.
  • They may preserve access for individuals who no longer require it, such as former employees or interns.
  • They waste resources such as licenses. Regularly identifying, deactivating, or removing dormant users allows organizations to optimize resource allocation and avoid unnecessary costs.

Also consider the related IoE "Never Used User", which identifies all users that were pre-created but never used.

Note:

  1. This IoE relies on the lastSuccessfulSignInDateTime property within the signInActivity property of User objects. Its advantage is that it reports only successful sign-ins, so failed attempts cannot skew the result, unlike the lastSignInDateTime property. The lastSuccessfulSignInDateTime property became available in December 2023.
  2. To access the signInActivity resource type, you need a Microsoft Entra ID P1 or P2 license for each tenant. Otherwise, this IoE cannot detect dormant users and therefore skips the entire analysis.
  3. Because this property remains empty for users who never signed in or whose last sign-in predates December 2023, the data required to evaluate the inactivity interval is unavailable for them. Consequently, Tenable Identity Exposure cannot properly determine the last sign-in date for these users, which can result in false positives.

Solution

Tenable recommends that you regularly review dormant users and disable or delete them. After identifying them, take the following actions:

  1. Disable them.
  2. Wait a few months.
  3. After this delay, if no issues have been reported and the organization's information security policy allows it, delete them.

Indicator Details

Name: Dormant User

Codename: DORMANT-USER

Severity: Low

MITRE ATT&CK Information: