Forum Discussion
Clarification over "dormant" account status
I was looking today at our list of "Remove dormant accounts from sensitive groups" within Microsoft Defender for Identity, and one service account has caused a bit of discussion. The account would only be used on-premises and would never be carrying out authentications outside of our estate. In this case, would Defender for Identity still see the account as being "dormant", or is it flagged because it hasn't carried out any of those off-estate authentications?
Apologies if this is a simple question, but it would be very helpful to know the answer.
1 Reply
jasonbourne5379 - Microsoft Defender for Identity sensors look at the authentication activity within a certain time frame before the account is flagged with a dormant account status.
In your case the service account is on-prem only and is expected not to authenticate outside of the estate. Since your service account does not have any authentication activity outside of your estate, MDI will flag this as a dormant account.
Even though the account is technically valid, the lack of authentication, infrequent usage and no logins outside of the estate position it as a dormant account. Because it's a privileged account and a prime target for attackers, it's considered a risk, thus MDI intentionally flags it as dormant.
It's best to accept this finding and log it as an accepted risk, which will help during any security audit or incident review.
If you find the answer useful and you appreciate my time, please do not forget to like and mark it as a solution 🙂
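A way to check the service account's actual on-prem logon history yourself, as an added example that is not part of this thread: this PowerShell snippet lists members of sensitive AD groups whose replicated lastLogonTimestamp is older than a threshold. The group names and the 180-day threshold are assumptions, and the ActiveDirectory RSAT module is required.

```powershell
# Added example, not from the thread: find enabled members of sensitive AD groups
# with no recent on-prem logon. Group names and the 180-day threshold are assumptions.
Import-Module ActiveDirectory

$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$ThresholdDays   = 180
$Cutoff          = (Get-Date).AddDays(-$ThresholdDays)

$Findings = foreach ($Group in $SensitiveGroups) {
    # -Recursive resolves nested group membership; keep only user objects
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties lastLogonTimestamp, PasswordLastSet

            # lastLogonTimestamp replicates domain-wide but can lag by up to ~14 days;
            # a null value means no logon has been recorded in the attribute at all
            $LastLogon = if ($u.lastLogonTimestamp) {
                [DateTime]::FromFileTime($u.lastLogonTimestamp)
            } else { $null }

            [PSCustomObject]@{
                Group           = $Group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogon       = $LastLogon
                DaysSinceLogon  = if ($LastLogon) { [int]((Get-Date) - $LastLogon).TotalDays } else { $null }
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}

# Dormant here means: still enabled, and either never logged on or last logon before the cutoff
$Dormant = $Findings |
    Where-Object { $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt $Cutoff) } |
    Sort-Object Group, SamAccountName

$Dormant | Format-Table Group, SamAccountName, LastLogon, DaysSinceLogon, PasswordLastSet -AutoSize
```

If the account in question shows a recent LastLogon here, it has on-prem authentication activity that can be compared against what the MDI assessment reports.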