Review and remove all inactive or unwanted accounts
Reduce both security risk and license spend
Problem description:
Reports state that 85% of all attacks start with a compromised identity, and we've learned that companies have a 10-30% cost-saving potential on their total license cost for Microsoft Online Services.
Most organizations will find many inactive or unwanted user accounts in their Entra ID. Test, administrator, guest and member accounts can be created by anyone with permissions to do so. In most organizations, between 30-50% of the identities in Entra ID are not in use. A common finding is that many user accounts were created years ago and have not been used for years, if ever. Many of these accounts have not registered MFA, and in most cases we see that organizations allow new users to register MFA from anywhere. The first person who guesses the correct username and password combination will then register MFA.
These users also represent a significant cost, since in many cases they have licenses assigned.
Removing these users based on sign-in activity is one of the most beneficial activities you can do. You reduce both security risk and license cost at the same time.
Responsibility for the existence of user accounts is unclear in most organizations. Leveraging cloud software and services puts pressure on your existing processes, both to avoid successful attacks and to contain software license cost. The IT department might be responsible for some of the accounts, but it cannot be responsible for all of these users.
Considerations:
To free up licenses and save cost, you will have to remove licenses from the inactive users. To reduce security risk, you will have to disable or delete the user object. This seems scary, but with good planning and by following these guidelines you will succeed.
Deleted users are easily recoverable, with all content, within 30 days.
If you want to explore the options to keep the user data without licensing an inactive user account, Microsoft has written a great article covering this topic: Delete a user, stop paying for their license, and choose what to do with their email and OneDrive content
"You need to break some eggs to make an omelette"
Bsure recommendations:
The IT department should lead a clean-up project removing these users, but feedback is needed from both the HR department and each manager within the organization. Gartner has been saying for years that IT is a part of every department and function within an organization, and this applies to the ownership of and responsibility for the identities within Microsoft Entra ID as well. Review your processes and ensure that governance of all identities is included.
All identities should have an owner, and the best way of doing that is to use the Manager field for all member accounts, even for service accounts and resources such as meeting rooms and shared mailboxes. Someone needs to be responsible for their existence and review whether they are still needed, in order to optimize cost and reduce security risk.
Clean-up project:
The project is ordered so as to remove the most users as quickly as possible to reduce security risk; it is not optimized for quick cost reduction.
1. Remove member accounts never used
2. Remove inactive or unwanted guest accounts
    Remove unmanaged guests
    Remove inactive guests
    Remove guests from unwanted organizations/companies
3. Review and remove inactive member accounts
Remove member accounts never used:
To identify these users in your current environment, use the report Bsure Insights - Users - Drilldown.
Set the latest Created Date 6 months back in time and tick the Never signed in slicer.
Export the list to Excel by clicking the three dots in the top right corner of the User Details Table and selecting Export data.
Delete the users in on-premises Active Directory or in the cloud/Entra ID, depending on where each user originates.
Remove inactive or unwanted guest accounts:
A guest account is created to give an external party access to some data in your environment. We find that many of these guest accounts are inactive and should be removed.
Unwanted guests:
Private mail accounts such as Hotmail and Gmail are considered unmanaged and not to be trusted. Decide whether such users are acceptable within your environment.
To review these users, go to the Bsure Insights - Users - Guests report and select Domain Type UnManaged.
Review the guest users in the User Details Table. You can filter further to identify users that are inactive as well, using the Created Date and Last Sign-in slicers, or just use the preconfigured User State slicer to filter between Inactive (not signed in during the last 90 days) and Active users.
Export the list and bulk delete them from Entra ID.
Inactive guests:
Set Domain Type to Managed, User State to Inactive and Created Date 3 months back in time to identify guest users not in use.
Export the list and bulk delete the guest users.
Unwanted companies/organizations:
Clear all filters in the top right corner of the report. Now it's time to do a quick review of the different companies having access to your environment by reviewing the mail domains in the Breakdown Table. If you find organizations/companies that shouldn't be present in your environment, just click on that entry in the Breakdown Table, export the result in the User Details Table and bulk delete these users.
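The three guest reviews above (unmanaged domains, inactive managed guests, and the per-domain breakdown) expressed as code, as an added example that is not part of this article or of Bsure Insights. It runs the same filters over a constructed list of guest records shaped like Microsoft Graph user objects (mail, userType, createdDateTime, signInActivity); the sample guests, the starting list of consumer domains and the 90-day thresholds are assumptions for the example. One caveat a practitioner should keep in mind is built in: both interactive and non-interactive sign-ins count as activity, and a guest that was only just invited is not flagged as inactive merely because it has no sign-in yet.

```python
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

# Consumer/private mail domains treated as "unmanaged". Illustrative starting list, extend to taste.
UNMANAGED_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "live.com", "yahoo.com"}

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample data (invented values, shaped like Graph user objects).
GUESTS = [
    {"mail": "alice@contoso.com", "userType": "Guest", "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:00:00Z"}},                # active, managed
    {"mail": "bob@contoso.com", "userType": "Guest", "createdDateTime": "2023-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-11-01T08:00:00Z"}},                # inactive, managed
    {"mail": "carol.private@gmail.com", "userType": "Guest", "createdDateTime": "2024-05-15T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:00:00Z"}},                # active, unmanaged
    {"mail": "dave@hotmail.com", "userType": "Guest", "createdDateTime": "2022-06-01T09:00:00Z",
     "signInActivity": {}},                                                             # never signed in, unmanaged
    {"mail": "erin@fabrikam.com", "userType": "Guest", "createdDateTime": "2024-05-01T09:00:00Z",
     "signInActivity": {}},                                                             # invited recently, keep for now
    {"mail": "frank@fabrikam.com", "userType": "Guest", "createdDateTime": "2023-08-01T09:00:00Z",
     "signInActivity": {"lastNonInteractiveSignInDateTime": "2024-05-25T08:00:00Z"}},  # used only non-interactively
]


def parse_ts(value: str | None) -> datetime | None:
    """Graph timestamps are ISO 8601 with a trailing Z; fromisoformat needs +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def domain_of(user: dict) -> str:
    return user["mail"].rsplit("@", 1)[-1].lower()


def last_activity(user: dict) -> datetime | None:
    """Most recent of interactive and non-interactive sign-in; both count as use."""
    act = user.get("signInActivity") or {}
    stamps = [parse_ts(act.get(k)) for k in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def is_inactive(user: dict, now: datetime = NOW, days: int = 90) -> bool:
    """Inactive = no activity at all, or last activity older than `days` (the report's 90-day User State)."""
    last = last_activity(user)
    return last is None or (now - last) > timedelta(days=days)


def is_unmanaged(user: dict) -> bool:
    return domain_of(user) in UNMANAGED_DOMAINS


def review_guests(users: list[dict], now: datetime = NOW, min_age_days: int = 90, inactive_days: int = 90) -> dict:
    """Mirror the three report views: unmanaged guests, inactive managed guests, and the domain breakdown."""
    guests = [u for u in users if u.get("userType") == "Guest"]
    unmanaged = [u["mail"] for u in guests if is_unmanaged(u)]
    # Only guests older than min_age_days are judged on inactivity, so a fresh invitation is not flagged.
    stale = [u["mail"] for u in guests
             if not is_unmanaged(u)
             and (now - parse_ts(u["createdDateTime"])) > timedelta(days=min_age_days)
             and is_inactive(u, now, inactive_days)]
    breakdown = Counter(domain_of(u) for u in guests)
    return {"unmanaged": unmanaged, "inactive_managed": stale, "domains": dict(breakdown)}


def guests_from_domains(users: list[dict], blocked_domains: list[str]) -> list[str]:
    """The 'click a domain in the Breakdown Table' step: every guest from the named organizations."""
    blocked = {d.lower() for d in blocked_domains}
    return [u["mail"] for u in users if u.get("userType") == "Guest" and domain_of(u) in blocked]


if __name__ == "__main__":
    result = review_guests(GUESTS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("from fabrikam.com:", guests_from_domains(GUESTS, ["fabrikam.com"]))
```

The lists this returns are the equivalent of the exported User Details Table: review them, then bulk delete. Deletion itself is deliberately left out of the example so that the filter can be run and checked first.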
Review and remove enabled inactive member accounts:
In step one you removed user accounts that had never been used. Deleting user accounts that have been used, and that most likely have data in their mailbox and OneDrive, is often a bit scary, but planning and involving the organization should reduce the risk of mistakes. And you will always have the option to recover the users with all content within 30 days of deletion. Microsoft has written a great article covering this topic: Delete a user, stop paying for their license, and choose what to do with their email and OneDrive content
Review inactive member accounts:
Go to the Bsure Insights - Users - Drilldown report, select User Type Member, Account Enabled, latest Created Date to e.g. 3 months back and Last Sign-in to e.g. one year back. Set Breakdown Filter to Manager.
Export the list as summarized data to Excel to get a spreadsheet with a live connection to the dataset.
Create new columns to collect feedback from HR and/or the manager, then share and distribute the spreadsheet.
Some organizations chose to put junior staff in charge of collecting this information from the organization.
Delete the users based on the feedback from the organization.
You will most likely find many accounts with Missing Data as Manager. Someone needs to find and set the responsible person for these accounts.
Some of these accounts are most likely being used as shared mailboxes. If you migrated from an on-premises Exchange environment to Exchange Online, shared mailboxes would appear as normal users and would not have been converted to shared mailboxes with a corresponding disabled user account. If the mailbox is smaller than 50 GB, you can remove the license from the disabled user account.
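Step one (member accounts never used, created more than 6 months ago) and step three above (enabled members created more than 3 months ago with no sign-in for a year, broken down by manager, with Missing Data flagged) as code, added here as an example that is not part of this article or of Bsure Insights. It works over a constructed list of member records shaped like Microsoft Graph user objects; the assumption is that they were fetched with the manager relationship expanded and signInActivity selected, and the sample users, thresholds and tenant domain are invented for the example. The last function produces the review spreadsheet as CSV, with empty Decision and Comment columns for HR and managers to fill in, and a Licensed column so the cost side is visible in the same review.

```python
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample data (invented values, shaped like Graph user objects with manager expanded).
MEMBERS = [
    {"userPrincipalName": "grace@tenant.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2021-02-01T09:00:00Z", "assignedLicenses": [{"skuId": "sku-e3"}],
     "signInActivity": {}, "manager": {"userPrincipalName": "mgr.one@tenant.example"}},     # old, never used
    {"userPrincipalName": "heidi@tenant.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2024-04-15T09:00:00Z", "assignedLicenses": [{"skuId": "sku-e3"}],
     "signInActivity": {}, "manager": None},                                                # new hire, keep
    {"userPrincipalName": "ivan@tenant.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2019-09-01T09:00:00Z", "assignedLicenses": [{"skuId": "sku-e3"}],
     "signInActivity": {"lastSignInDateTime": "2023-01-10T08:00:00Z"}, "manager": None},    # inactive, no owner
    {"userPrincipalName": "judy@tenant.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2020-05-01T09:00:00Z", "assignedLicenses": [],
     "signInActivity": {"lastSignInDateTime": "2024-05-28T08:00:00Z"},
     "manager": {"userPrincipalName": "mgr.one@tenant.example"}},                           # active
    {"userPrincipalName": "mallory@tenant.example", "userType": "Member", "accountEnabled": False,
     "createdDateTime": "2020-05-01T09:00:00Z", "assignedLicenses": [{"skuId": "sku-e3"}],
     "signInActivity": {"lastSignInDateTime": "2022-02-01T08:00:00Z"},
     "manager": {"userPrincipalName": "mgr.two@tenant.example"}},                           # disabled: other step
    {"userPrincipalName": "meetingroom1@tenant.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2018-01-01T09:00:00Z", "assignedLicenses": [],
     "signInActivity": {"lastNonInteractiveSignInDateTime": "2023-03-01T08:00:00Z"},
     "manager": {"userPrincipalName": "mgr.two@tenant.example"}},                           # inactive resource
]


def parse_ts(value: str | None) -> datetime | None:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def last_activity(user: dict) -> datetime | None:
    """Most recent of interactive and non-interactive sign-in; both count as use."""
    act = user.get("signInActivity") or {}
    stamps = [parse_ts(act.get(k)) for k in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def manager_upn(user: dict) -> str:
    """The report's 'Missing Data' label for accounts without a manager set."""
    return (user.get("manager") or {}).get("userPrincipalName") or "Missing Data"


def never_used_members(users: list[dict], now: datetime = NOW, min_age_days: int = 180) -> list[str]:
    """Step one: member accounts older than min_age_days (6 months) with no sign-in at all."""
    return [u["userPrincipalName"] for u in users
            if u.get("userType") == "Member"
            and now - parse_ts(u["createdDateTime"]) > timedelta(days=min_age_days)
            and last_activity(u) is None]


def inactive_enabled_members(users: list[dict], now: datetime = NOW,
                             min_age_days: int = 90, inactive_days: int = 365) -> list[dict]:
    """Step three: enabled members older than min_age_days with no activity for inactive_days.
    Never-used accounts are included too, in case step one has not been run yet."""
    out = []
    for u in users:
        if u.get("userType") != "Member" or not u.get("accountEnabled"):
            continue
        if now - parse_ts(u["createdDateTime"]) <= timedelta(days=min_age_days):
            continue
        last = last_activity(u)
        if last is None or now - last > timedelta(days=inactive_days):
            out.append(u)
    return out


def by_manager(users: list[dict]) -> dict[str, list[str]]:
    """Breakdown Filter = Manager: who has to answer for which accounts."""
    groups: dict[str, list[str]] = {}
    for u in users:
        groups.setdefault(manager_upn(u), []).append(u["userPrincipalName"])
    return groups


def review_sheet(users: list[dict], now: datetime = NOW) -> str:
    """CSV for the organization to fill in: one row per inactive enabled member, blank Decision/Comment."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["UserPrincipalName", "Manager", "Created", "LastActivity", "Licensed", "Decision", "Comment"])
    for u in inactive_enabled_members(users, now):
        last = last_activity(u)
        w.writerow([u["userPrincipalName"], manager_upn(u), u["createdDateTime"][:10],
                    last.date().isoformat() if last else "never",
                    "yes" if u.get("assignedLicenses") else "no", "", ""])
    return buf.getvalue()


if __name__ == "__main__":
    print("step one, never used:", never_used_members(MEMBERS))
    print("step three, by manager:", by_manager(inactive_enabled_members(MEMBERS)))
    print(review_sheet(MEMBERS))
```

Rows whose Manager column reads Missing Data have nobody to answer for them, so they are the ones to route to whoever is assigned to find an owner; the meeting-room style resource shows why the article recommends a manager even for non-person accounts.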
How to: convert a user mailbox to a shared mailbox
Finished? If so, pat yourself on the back and say well done :)