Description

This IoE cannot work without a Microsoft Entra ID P1 or P2 license, because Microsoft only makes the required sign-in activity data available to licensed tenants.

A never-used user is a user account created in Entra ID that has never successfully authenticated within a given number of days since its creation (90 days by default, customizable).

Such accounts increase the attack surface for several reasons:

  • A backdoor account that still grants access to individuals who no longer need it, such as former employees or interns.

  • Continued use of the initial (default) password set at creation, which exposes the account to a higher risk of compromise. For example, a CISA alert reported that:

    campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system

    and also that:

    Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.

  • Waste of resources such as licenses. Regularly identifying, deactivating, or removing unnecessary users lets organizations optimize resource allocation and avoid unnecessary costs.

Also consider the related IoE "Dormant User", which identifies previously active users who have since become inactive. The risk is higher for privileged users, which is why this IoE focuses on them; the related IoE "Never Used Non-Privileged User" covers non-privileged users.

Note:

  1. This IoE relies on the lastSuccessfulSignInDateTime property within the signInActivity property of User objects. Unlike lastSignInDateTime, which is also updated by failed sign-in attempts, it records only successful sign-ins, so failed attempts against an account cannot make that account appear used. The lastSuccessfulSignInDateTime property became available in December 2023.
  2. To read the signInActivity resource type, the tenant needs a Microsoft Entra ID P1 or P2 license. Without it, this IoE cannot detect never-used users and skips the entire analysis.
  3. This property stays empty both for users who never signed in and for users whose last successful sign-in predates December 2023, so the two cases cannot be told apart: the data needed to evaluate the interval is unavailable. Consequently, Tenable Identity Exposure cannot determine the last sign-in date for such accounts and may report false positives.
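The definition above (no successful sign-in within the threshold since creation) and notes 1 and 3 (successful sign-ins only; an empty lastSuccessfulSignInDateTime is inconclusive for accounts created before December 2023) translate into a small amount of classification logic. The following is an example written for this page, not Tenable's implementation: it runs over a constructed sample shaped like Microsoft Graph user objects (the domain contoso.example, the user names, and the set of role names treated as privileged are assumptions), with each user's directory-role memberships flattened into a "roles" list for brevity (Graph exposes them separately through memberOf / directoryRoles). Accounts that predate the property are routed to a manual-review list instead of being reported as never used, which is the caveat a practitioner needs to handle.

```python
"""Classify Entra ID users as never-used, using Graph's signInActivity property.
Example added for this page; the sample data below is constructed, not real tenant output."""

from datetime import datetime, timedelta, timezone

# Graph only started populating lastSuccessfulSignInDateTime in December 2023 (note 1),
# so an empty value is only conclusive for accounts created after that date (note 3).
SUCCESSFUL_SIGNIN_TRACKED_SINCE = datetime(2023, 12, 1, tzinfo=timezone.utc)

# Assumption for this example: which directoryRole display names count as privileged.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "User Administrator",
}


def parse_graph_datetime(value):
    """Graph returns ISO 8601 UTC timestamps ending in 'Z'; None or '' means not populated."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_user(user, now, threshold_days=90):
    """Return ACTIVE, TOO_RECENT, NEVER_USED or UNKNOWN for one Graph user object."""
    activity = user.get("signInActivity") or {}
    if parse_graph_datetime(activity.get("lastSuccessfulSignInDateTime")):
        return "ACTIVE"  # succeeded at least once: not never-used (possibly dormant)
    created = parse_graph_datetime(user.get("createdDateTime"))
    if created is None:
        return "UNKNOWN"
    if now - created < timedelta(days=threshold_days):
        return "TOO_RECENT"  # still inside the grace window, do not flag yet
    if created < SUCCESSFUL_SIGNIN_TRACKED_SINCE:
        # A successful sign-in before December 2023 would also leave the property
        # empty, so "never used" cannot be concluded for this account.
        return "UNKNOWN"
    # lastSignInDateTime may still be set here: that only proves failed attempts (note 1).
    return "NEVER_USED"


def is_privileged(user):
    return bool(PRIVILEGED_ROLES & set(user.get("roles", [])))


def find_never_used_privileged(users, now, threshold_days=90):
    """Return (confirmed never-used privileged UPNs, privileged UPNs needing manual review)."""
    confirmed, review = [], []
    for user in users:
        if not is_privileged(user):
            continue  # non-privileged accounts belong to the sibling IoE
        status = classify_user(user, now, threshold_days)
        if status == "NEVER_USED":
            confirmed.append(user["userPrincipalName"])
        elif status == "UNKNOWN":
            review.append(user["userPrincipalName"])
    return confirmed, review


# Constructed sample resembling /users?$select=userPrincipalName,createdDateTime,signInActivity
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-01-10T09:00:00Z",
     "signInActivity": None, "roles": ["Global Administrator"]},            # never signed in
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-04-15T09:00:00Z",
     "signInActivity": None, "roles": ["Global Administrator"]},            # created 47 days ago
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2022-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:00:00Z"},
     "roles": ["Security Administrator"]},                                  # predates the property
    {"userPrincipalName": "dave@contoso.example", "createdDateTime": "2024-01-05T09:00:00Z",
     "signInActivity": {"lastSuccessfulSignInDateTime": "2024-02-01T10:00:00Z"},
     "roles": ["User Administrator"]},                                      # used once, now idle
    {"userPrincipalName": "erin@contoso.example", "createdDateTime": "2024-01-20T09:00:00Z",
     "signInActivity": None, "roles": []},                                  # never used, not privileged
    {"userPrincipalName": "frank@contoso.example", "createdDateTime": "2024-02-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-03-01T08:00:00Z"},
     "roles": ["Privileged Role Administrator"]},                           # failed attempts only
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    confirmed, review = find_never_used_privileged(SAMPLE_USERS, NOW)
    print("never-used privileged:", confirmed)
    print("privileged, needs manual review:", review)
```

Note how frank is still reported: his lastSignInDateTime is populated, so a check based on that property alone would treat the account as in use, whereas only failed attempts were ever recorded against it. Carol is deliberately not reported, because her account existed before the property did and her sign-in history is genuinely unknowable from this data.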

Solution

Tenable recommends that you regularly review never-used users, especially privileged ones, and disable or delete them. After identifying them, take the following actions:

  1. Disable them.
  2. Wait a few months.
  3. After this delay, if no issues have been reported and the organization's information security policy allows it, delete them.

Indicator Details

Name: Never Used Privileged User

Codename: NEVER-USED-PRIVILEGED-USER

Severity: Medium

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: