The organisation loses the signal that the leaver workflow is complete, but the identity can still retain administrative power through standing roles, eligible PIM assignments, or stale devices. That means the account is offboarded on paper, not in practice. The control failure is unfinished lifecycle removal, not failed authentication.
Why This Matters for Security Teams
Disabling a Microsoft 365 account often stops interactive sign-in, but it does not automatically remove every privileged pathway attached to that identity. In practice, standing admin roles, eligible Privileged Identity Management assignments, stale refresh tokens, and trusted devices can preserve effective access after the user is gone. That creates a governance gap where offboarding looks complete in the directory but not in the control plane. This is the same class of issue highlighted in the OWASP Non-Human Identity Top 10: credentials and entitlements outlive the intended lifecycle unless they are explicitly removed.
The risk is not just unauthorized access. A disabled account with residual privilege can still be used for mailbox access, SharePoint, Entra-connected application paths, or administrative actions if the session, device trust, or role eligibility remains intact. NHIMG’s research on the 52 NHI Breaches Analysis shows the same pattern across identities that were assumed inactive but still held actionable access. In practice, many security teams discover this only after an audit finding, a separation-of-duties exception, or an incident review, rather than through intentional lifecycle validation.
How It Works in Practice
The Microsoft 365 offboarding problem is usually a sequence problem, not a single control failure. Disabling the account removes one authentication path, but privilege often exists in parallel through Entra ID roles, group membership, app assignments, mailbox delegation, or privileged session context. If the account had eligible PIM access, the entitlement may still be present even if it is not currently active. If refresh tokens or trusted endpoints remain valid, the user can sometimes continue operating until those artifacts expire or are revoked.
Security teams should treat offboarding as a full identity teardown with explicit checks across authentication, authorization, and device trust. At minimum, that means:
- revoking active sessions and refresh tokens after account disablement
- removing standing privileged roles and reviewing eligible PIM assignments
- checking mailbox, SharePoint, and application delegation paths
- validating device compliance and removing trust from stale endpoints
- confirming that administrative access is not inherited through groups or nested role assignments
This is where the guidance in Ultimate Guide to NHIs is useful: lifecycle management must cover the identity, the secret, and every attached privilege, not only the user object. The practical goal is to make disablement irreversible from an access perspective, not merely from a login perspective. Where teams want stronger assurance, current guidance suggests using periodic entitlement reconciliation and automated post-disable checks against role, token, and device state. These controls tend to break down in hybrid Microsoft environments because Azure AD, Exchange, Intune, and legacy app permissions can each preserve a different fragment of access.
Common Variations and Edge Cases
Tighter offboarding controls often increase operational overhead, requiring organisations to balance faster deprovisioning against the risk of breaking legitimate business continuity. That tradeoff becomes especially visible when executives, shared mailboxes, service desks, or emergency admin accounts are involved. In those cases, access removal may need a staged process, but the staging must be time-bound and monitored rather than left open-ended.
Best practice is evolving for accounts that held privileged access through JIT or PIM. A disabled user may still have an eligibility record, so the security team must distinguish between standing privilege, eligible privilege, and active privilege. The account can also remain indirectly powerful if it owns resources, manages automation, or has delegated administrative consent on applications. That is why current guidance suggests treating offboarding as a full entitlement review, not a user status change.
If the account was used for automation or shared operational tasks, the safer pattern is to migrate privileges to a dedicated workload identity and then disable the human account only after the replacement is verified. For Microsoft 365 environments, the question is not whether sign-in is blocked, but whether any residual path still authorises action. NHIMG’s analysis of the Microsoft Midnight Blizzard breach shows why identity remnants matter: once privilege persists, attackers only need one surviving path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Residual privilege after disablement is a non-human identity lifecycle failure. |
| NIST CSF 2.0 | PR.AA-5 | Identity lifecycle and authorization state must be reconciled after offboarding. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous authorization, not trust from prior account state. |
Re-evaluate access at runtime and remove trust from stale sessions and devices.
Related resources from NHI Mgmt Group
- What breaks when a contractor account still has privileged access after termination?
- What is the difference between rotating a secret and revoking access?
- What is the difference between a disabled app and a deleted app in Microsoft 365?
- What breaks when privileged access is not continuously governed?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org