
Dormant Office 365 users: what IAM teams need to clean up now


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: Dormant Office 365 accounts remain common, with Varonis finding 34% of internal accounts inactive but still enabled and 88% of companies admitting they still have stale accounts in 2025, creating low-noise entry points for attackers, according to Unosecur. Periodic audits are no longer enough; continuous discovery and closed-loop remediation are now the practical baseline for identity governance.

NHIMG editorial — based on content published by Unosecur: Why dormant Office 365 users are an attacker’s dream, and how to clean them up

By the numbers:

Questions worth separating out

Q: How should security teams handle dormant Office 365 accounts safely?

A: Start by identifying inactivity with sign-in and token telemetry, then validate business exceptions with HR or managers.

Q: Why do stale Office 365 users increase lateral movement risk?

A: Because they often retain valid access, inherited permissions, and mailbox or file sharing paths that were never re-evaluated.

Q: What do IAM teams get wrong about dormant user cleanup?

A: They focus on inactivity instead of access residue.

Practitioner guidance

  • Build continuous dormant-account discovery: track interactive sign-in activity, token activity, and directory state together so inactive identities surface before attackers use them.
  • Remediate stale access as one workflow: disable the account, revoke refresh tokens, remove group memberships, strip licences, and write evidence to your audit trail in the same runbook.
  • Review privilege residue before reactivation: validate whether a dormant account still carries nested admin rights, shared mailbox access, or delegated collaboration permissions.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact cleanup workflow for dormant Office 365 identities, including disablement, token revocation, licence removal, and group membership stripping.
  • The practical threshold logic for flagging inactivity, including how teams decide when 90 days is appropriate and when exceptions apply.
  • The Office 365 Connector workflow mechanics that automate identity cleanup across tenant-scale directories.
  • The article's own framing of how stale users contribute to ransomware exposure and insider threat risk.

👉 Read Unosecur's analysis of dormant Office 365 users and identity cleanup →


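The three guidance items above (continuous discovery, one-pass remediation, residue review) can be run as a single runbook against Microsoft Entra ID / Office 365. The script below is an added example from the NHIMG editor, not Unosecur's Office 365 Connector code and not part of the original post. It uses Microsoft Graph PowerShell SDK cmdlets; the 90-day threshold, the exception list, the evidence file path and the dry-run default are assumptions to be replaced by your own policy.

```powershell
# Added example for this thread (NHIMG editor), not Unosecur's Office 365 Connector code.
# Requires the Microsoft Graph PowerShell SDK. signInActivity needs an Entra ID P1/P2
# licence and the AuditLog.Read.All scope. Runs as a dry run unless -Commit is passed.
param(
    [int]$InactiveDays = 90,                            # assumed threshold; tune per policy
    [string[]]$ExceptionUpns = @(),                     # assumed: HR/manager-validated exceptions
    [string]$EvidencePath = ".\dormant-cleanup.jsonl",  # assumed evidence file, one JSON record per user
    [switch]$Commit
)

Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","Directory.Read.All","Group.ReadWrite.All" | Out-Null
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# 1. Discovery: read interactive and non-interactive (token) sign-in activity together with
#    directory state. An account whose only activity is refresh-token use is NOT dormant.
$users = Get-MgUser -All -Property @(
    "id","userPrincipalName","accountEnabled","userType","createdDateTime",
    "onPremisesSyncEnabled","signInActivity")

$dormant = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                     # already disabled
    if ($u.UserType -eq 'Guest') { continue }                    # guests need a separate policy
    if ($ExceptionUpns -contains $u.UserPrincipalName) { continue }

    # Most recent of: interactive sign-in, non-interactive sign-in, account creation.
    # Including createdDateTime keeps never-used but newly created accounts from being flagged.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime,
              $u.CreatedDateTime) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if ($last -lt $cutoff) {
        [pscustomobject]@{ Id = $u.Id; Upn = $u.UserPrincipalName; LastActivity = $last
                           Synced = [bool]$u.OnPremisesSyncEnabled }
    }
}

# 2 + 3. Per account: enumerate access residue, then remediate and write evidence in one pass.
foreach ($d in $dormant) {
    $memberOf = Get-MgUserMemberOf -UserId $d.Id -All
    $groups = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    $roles  = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' })
    $skus   = @((Get-MgUserLicenseDetail -UserId $d.Id).SkuId)

    $record = [ordered]@{
        timestamp      = (Get-Date).ToUniversalTime().ToString('o')
        upn            = $d.Upn
        lastActivity   = $d.LastActivity
        groups         = @($groups | ForEach-Object { $_.AdditionalProperties['displayName'] })
        directoryRoles = @($roles  | ForEach-Object { $_.AdditionalProperties['displayName'] })
        licences       = $skus
        groupErrors    = @()
        action         = 'dry-run'
    }

    if ($Commit) {
        # Directory roles are reported, never auto-removed: a dormant admin is a decision, not a script step.
        if ($d.Synced) {
            # accountEnabled on a synced user is owned by on-prem AD: revoke tokens here, disable there.
            Revoke-MgUserSignInSession -UserId $d.Id | Out-Null
            $record.action = 'tokens-revoked; disable in on-prem AD'
        } else {
            Update-MgUser -UserId $d.Id -AccountEnabled:$false
            # Disabling alone leaves already-issued access tokens valid until they expire; revoking
            # sessions invalidates refresh tokens so no new access tokens can be minted.
            Revoke-MgUserSignInSession -UserId $d.Id | Out-Null
            foreach ($g in $groups) {
                try   { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $d.Id }
                catch { $record.groupErrors += "$($g.AdditionalProperties['displayName']): $($_.Exception.Message)" }  # dynamic/synced groups refuse
            }
            # Licences last: removing the Exchange licence starts mailbox deletion after the grace period.
            # Put the mailbox on hold or convert it to a shared mailbox first if retention matters.
            if ($skus.Count -gt 0) { Set-MgUserLicense -UserId $d.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null }
            $record.action = 'disabled; tokens revoked; groups removed; licences stripped'
        }
    }
    ($record | ConvertTo-Json -Compress -Depth 4) | Add-Content -Path $EvidencePath
}
"{0} dormant account(s) processed ({1})" -f @($dormant).Count, $(if ($Commit) { 'commit' } else { 'dry run' })
```

Run it once without -Commit and review the evidence file: the `directoryRoles` and `groupErrors` fields are where privilege residue shows up, and an account carrying a directory role should go to a human before anything is disabled. Mailbox delegation and shared-mailbox access are Exchange Online objects, not Graph directory state, so a complete residue review also needs the Exchange Online module (for example Get-EXOMailboxPermission) before licences are stripped.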



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6446
 

Dormant human identities now function like unmanaged machine access unless lifecycle controls are continuous. A stale Office 365 account is still a live identity object, and attackers treat it that way. The governance mistake is assuming inactivity equals irrelevance, when the real risk is retained validity, inherited access, and missing ownership. Practitioners should treat dormant users as an identity lifecycle failure, not an admin backlog.

A few things that frame the scale:

A question worth separating out:

Q: Who should own stale-account remediation in an enterprise?

A: IAM or IGA should own the workflow, with HR and business managers supplying validation and security defining the control standard. If ownership is split too widely, accounts survive longer than they should, and attackers get more time to exploit the leftover access.

👉 Read our full editorial: Dormant Office 365 users create hidden access paths for attackers


