
Never Logged In

Detects accounts that were created but never successfully used to log in. Attackers may exploit these unused accounts to register their own MFA factors, potentially bypassing authentication controls and gaining unauthorized access.

A user fails this check if they have not logged in within 7 days (configurable) of the account being created. If needed, adjust the new account grace period in Custom Detection Settings to align with your organization's procedures.
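The logic of this check, sketched in Python over constructed account records. This is an added example, not the product's own implementation; the `Account` fields and the boundary handling (an account fails only once its age exceeds the grace period) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD_DAYS = 7  # default from this page; configurable per organization


@dataclass
class Account:
    # Hypothetical normalized record; each identity provider names these differently.
    username: str
    created: datetime
    last_successful_login: Optional[datetime]  # None = never logged in successfully


def never_logged_in(accounts, now, grace_days=GRACE_PERIOD_DAYS):
    """Return (username, age_in_days) for failing accounts, oldest first."""
    grace = timedelta(days=grace_days)
    findings = []
    for acct in accounts:
        if acct.last_successful_login is not None:
            continue  # account has been used; failed attempts do not count as use
        age = now - acct.created
        if age <= grace:
            continue  # assumption: still inside the grace period up to and including day N
        findings.append((acct.username, age.days))
    return sorted(findings, key=lambda f: f[1], reverse=True)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data, evaluated at a fixed "now" so the result is reproducible.
NOW = _utc(2024, 6, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", _utc(2024, 5, 1), _utc(2024, 5, 2)),   # used: passes
    Account("bob", _utc(2024, 6, 1), None),                 # 14 days old, unused: fails
    Account("carol", _utc(2024, 6, 10), None),              # 5 days old: in grace period
    Account("svc-old", _utc(2024, 1, 15), None),            # 152 days old, unused: fails
]

if __name__ == "__main__":
    for username, age_days in never_logged_in(SAMPLE_ACCOUNTS, NOW):
        print(f"{username}: created {age_days} days ago, never logged in")
```

Sorting oldest first puts the longest-dormant accounts at the top of the access review queue.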

Recommended Actions

Trigger an access review with the user’s manager to verify that the unused account is still necessary. If not needed, suspend the account immediately. Otherwise, reset the account and direct the manager to onboard the user correctly.

Default Check Settings

Number of days: 7

Compatibility

Duo

Google Workspace

Microsoft Entra ID

Okta

Salesforce

Snowflake

OpenAI
