Detects users who are enabled (Active status) and who have not successfully authenticated for more than 30 days.

Dormant accounts carry unnecessary financial and information security risk for your organization. These users might consume application licenses without using them. By leaving standing entitlements in place that are not needed or not used on a regular basis, attackers may be able to use a dormant account to gain access to sensitive systems and data.

Recommended Actions

Trigger an access review with the user’s manager to verify that the dormant account still needs access. If not needed, suspend the account immediately. Otherwise, continue monitoring the account for activity and suspend after a grace period. By reducing the number of accounts and adopting a least privilege model, organizations can reduce their attack surface.

Default Check Settings

Number of days:30

Compatibility

Microsoft Entra ID

Okta

Workday

Salesforce

GitHub