Microsoft Entra Blog

Step-by-step guide to identify inactive users by using Microsoft Entra ID Governance Access Reviews

dishanfrancis
Oct 10, 2023

Within an organization, inactive user accounts can persist for various reasons, including former employees, service providers, and service accounts associated with products or services. These accounts may remain inactive temporarily or for extended periods. If an account remains inactive for 90 days or more, it is more likely to remain inactive. It’s crucial to periodically review these inactive accounts and eliminate any that are unnecessary. Microsoft Entra ID Governance Access Reviews now offers the capability to detect inactive accounts effectively. 

Using the Entra ID Governance Access Review feature, it’s possible to identify accounts that have not been actively used to sign into Entra ID, either interactively or non-interactively, for up to 720 days.  

Accounts that are left inactive are susceptible to being targeted by cybercriminals for several reasons: 

  1. Inactive accounts may still use well-known passwords or credentials that have been compromised. 
  2. Inactive accounts are less likely to have multifactor authentication (MFA) enabled. 
  3. Due to their inactivity, these accounts may go unnoticed by advanced security controls in place. 

While organizations with a formal JML (Joiners, Movers, and Leavers) process in place can mitigate some of these risks, regular reviews are still essential to ensure that security measures are effective.  

Understanding the standards for monitoring accounts 

According to CIS Controls v8 Safeguard 5.3, it is recommended to delete or disable any dormant accounts after 45 days of inactivity, where supported. This also aligns with Azure Security Benchmark v3 control PA-4, Review and reconcile user access regularly.

NIST SP 800-53 Revision 5, Moderate Baseline, control AC-2(3) (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) states:

Account Management | Disable Accounts - Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].

These standards serve as additional confirmation of the importance of monitoring inactive or dormant accounts. Let's proceed to explore how Microsoft Entra ID Governance Access Reviews can assist in identifying these inactive accounts. 

Setting up Entra ID Governance Access Reviews 

Please note that it's essential to review the licensing requirements for Microsoft Entra ID Governance before proceeding. Check out this blog about Microsoft Entra ID Governance to learn more.  

To set up an access review for inactive accounts, follow these steps: 

1. Log in to Entra as the Identity Governance administrator at https://entra.microsoft.com/.

2. Navigate to Identity Governance and select Access Reviews.

Ar1 – Microsoft Entra ID Governance Access Reviews pane.

3. Select '+ New access review' to proceed.

Ar2 – Initiate configuration of a new access review.

4. On the next page, choose 'Teams + Groups' as the review type.

Ar3 – Defining review scope.

5. For the review scope, choose 'Select Teams + groups.'

Ar4 – Targeting teams and groups.

6. Then, visit the link under '+ Select group(s)' and choose the desired group from the list. In this demo, we are using a group that includes all standard users.

Ar5 – Choosing the security group.

7. Select the option 'Inactive users (on tenant level) only' and specify the number of days an account should be inactive; this can range up to 720 days. Once the settings are configured, choose 'Next: Reviews.'

Ar6 – Choosing inactive users as the review type.

8. On the Reviews page, select the reviewers for the task. You can also configure a multi-stage review process to align with your organization's requirements. Once the review settings are defined, use 'Next: Settings.'

Ar7 – Defining reviewers and schedule.

9. On the Settings page, specify what actions should occur upon completion of the review. You can choose to auto-apply results or leave them for manual review. Additionally, you can use 'No sign-in within 30 days' data as a decision-making aid. After configuring the settings, use 'Next: Review + Create.'

Ar8 – Post-review settings and other advanced settings.

10. On the last page, define a name for the review task and then choose 'Create' to finalize the setup process.

Ar9 – Configuration summary.

This completes the setup process for an Access Review targeting inactive accounts. The next step is to review the results of the access review. 
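To cross-check what a review configured this way will flag, the same inactivity test (no interactive or non-interactive sign-in within the chosen window) can be applied to Microsoft Graph signInActivity data. This added example is not from the post; it assumes the Graph signInActivity field names, uses constructed sample records, and defaults the reference date to the post's publication day.

```python
"""Inactive-user check over Microsoft Graph signInActivity records (added
example, not from the original post). Same test as the access review: no
interactive and no non-interactive sign-in within the window. Records mirror
GET /users?$select=userPrincipalName,accountEnabled,signInActivity
(needs AuditLog.Read.All); the sample records below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed reference date: the post's publication day.
REFERENCE_NOW = datetime(2023, 10, 10, tzinfo=timezone.utc)

# Constructed sample records in the Graph user-object shape (values invented).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-10-01T08:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-10-09T03:00:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-06-01T12:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": None,
                        "lastNonInteractiveSignInDateTime": "2023-08-20T00:00:00Z"}},
    {"userPrincipalName": "former-employee@contoso.example", "accountEnabled": False,
     "signInActivity": None},  # never signed in and already sign-in blocked
]

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def last_activity(user):
    """Most recent sign-in of either kind, or None if none is on record."""
    activity = user.get("signInActivity") or {}
    stamps = [_parse(activity.get(k))
              for k in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def inactive_users(users, days, now=REFERENCE_NOW, include_disabled=False):
    """UPNs with no sign-in of either kind in the `days` before `now`; users with
    no recorded sign-in count as inactive; disabled accounts are skipped unless
    include_disabled is set (they are already sign-in blocked)."""
    cutoff = now - timedelta(days=days)
    hits = []
    for user in users:
        if not user.get("accountEnabled", True) and not include_disabled:
            continue
        last = last_activity(user)
        if last is None or last < cutoff:
            hits.append(user["userPrincipalName"])
    return hits
```

Against real tenant data, replace SAMPLE_USERS with the paged result of the Graph request named in the docstring; a 45-day window reflects the CIS safeguard quoted above, while the review itself accepts anything up to 720 days.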

After the review is complete, the assigned reviewers will receive an email notification: 

Ar10 – Access review notification.

In the review results, reviewers can access details about the users and recommended actions: 

Ar11 – Access review results.

By using the link for the details, reviewers can access additional information: 

Ar12 – Additional information about task.

Based on the findings, reviewers can choose to approve or deny access for the identified accounts.  

Microsoft Entra ID Governance Access Reviews provide a valuable tool for identifying and managing inactive accounts within the organization. This can be seamlessly integrated into the JML (Joiners, Movers, and Leavers) process, ensuring regular reviews that identify and address inactive accounts.

To learn more about managing inactive user accounts, check out the documentation.

To learn more about Privileged Access, see the Azure Security Benchmark v3 Controls documentation.

Dishan Francis  

Updated Apr 17, 2024
Version 3.0
  • Mbezuneh
    Copper Contributor

    This is excellent! I've successfully configured the Access Review. However, despite denying dormant accounts, I'm still encountering instances where the account status appears as active or enabled in Microsoft Entra. Could you help me identify what I might be overlooking?

  • Daniel_T2
    Copper Contributor

    So this will identify accounts that are inactive, might remove some group memberships, but will still leave the accounts enabled requiring manual remediation?

  • jedi_z
    Copper Contributor

    This is no longer the case; it requires a license, I believe.

  • Lastsight2018
    Copper Contributor

    Does this review exclude accounts that are sign-in blocked? Hopefully it does as I think it would not make sense if accounts that are sign-in blocked also appear in the review. 

  • TheGift73
    Iron Contributor

    Need to remove the '.' period, at the end of the link for the blog link that leads to, 'Microsoft Entra ID Governance is generally available'.

  • belaie
    Brass Contributor

    Can we have this same access review enabled for access packages? Currently it's enabled and configured at each access package policy level.

    Normally the governance team wants to set this up globally for groups, apps, and access packages from one place.

    Another input: we are managing group membership from access packages only, as resource type group in the access package. Can we somehow disable "management of those groups" from the Entra ID Portal so that they are only managed by Entitlement Management?

  • Your link to the licence blog does not work.

    Can you confirm the *exact* licence requirement for this feature? I believe it was previously AADP2 but has now been moved behind the Entra ID Governance licence.