DISA STIGS Viewer

Microsoft Entra ID must automatically disable accounts after a 35-day period of account inactivity.

Overview

Finding ID: V-270204
Version: ENTR-ID-000090
Rule ID: SV-270204r1085660_rule
IA Controls: (none listed)
Severity: Medium

Description

STIG: Microsoft Entra ID Security Technical Implementation Guide
Date: 2025-03-17

Details

Check Text (C-74237r1085659_chk)
Verify Entra ID disables accounts after 35 days of inactivity.

Use the following procedure to discover inactive user accounts in Entra ID (35+ days of inactivity) using the Graph PowerShell SDK.

Installation instructions:
https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0

Required roles:
At least Global Reader

Required tenant license:
Entra ID Premium P1

Example PowerShell commands:
# Reading SignInActivity requires AuditLog.Read.All; -Environment USGov targets the US Government cloud
Connect-MgGraph -Scopes AuditLog.Read.All,User.Read.All -Environment USGov

# Sign-ins older than this date count as inactive
$inactiveDate = (Get-Date).AddDays(-35)

# Pull only enabled accounts, with the properties the inactivity test needs
$users = Get-MgUser -All:$true -Property Id, DisplayName, UserPrincipalName, UserType, createdDateTime, SignInActivity, AccountEnabled | Where-Object { $_.AccountEnabled -eq $true }

# Inactive = last sign-in before the cutoff, or never signed in and created before the cutoff
$inactiveUsers = $users | Where-Object {
    ($_.SignInActivity.LastSignInDateTime -lt $inactiveDate) -or ($null -eq $_.SignInActivity.LastSignInDateTime -and $_.CreatedDateTime -lt $inactiveDate)
} | Select-Object DisplayName, UserPrincipalName, UserType, createdDateTime, @{Name = 'LastSignInDateTime'; Expression = {($_.SignInActivity).LastSignInDateTime}}, Id | Sort-Object LastSignInDateTime

$inactiveUsers | Format-Table -AutoSize

If accounts are not disabled after a 35-day period of account inactivity, this is a finding.
Fix Text (F-74138r1085612_fix)
1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
2. Browse to Identity >> Users >> All users.
3. Select a user from the list.
4. Use the following procedure to disable inactive user accounts in Entra ID using the Graph PowerShell SDK.

Installation instructions:
https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0

Required roles:
Global Administrator

Install the Microsoft Graph PowerShell SDK.

Install-Module Microsoft.Graph -Scope CurrentUser

# Reading SignInActivity requires AuditLog.Read.All in addition to the user/directory write permissions
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "AuditLog.Read.All"

# Set the inactivity threshold (in days)
$inactivityThreshold = 35

# Get the current date and the cutoff before which a last sign-in counts as inactive
$currentDate = Get-Date
$cutoff = $currentDate.AddDays(-$inactivityThreshold)

# Get all users with the properties the filter and the disable step need
$users = Get-MgUser -All -Property "Id", "DisplayName", "UserPrincipalName", "AccountEnabled", "CreatedDateTime", "SignInActivity"

# Filter for enabled users whose last sign-in is older than the cutoff. Accounts that have
# never signed in are treated as inactive only if they were created before the cutoff, so
# newly provisioned accounts are not disabled before first use.
$inactiveUsers = $users | Where-Object {
    $_.AccountEnabled -eq $true -and (
        ($null -ne $_.SignInActivity.LastSignInDateTime -and $_.SignInActivity.LastSignInDateTime -lt $cutoff) -or
        ($null -eq $_.SignInActivity.LastSignInDateTime -and $_.CreatedDateTime -lt $cutoff)
    )
}

# Disable inactive users. Update-MgUser is the SDK cmdlet that patches a user object;
# -AccountEnabled is a switch parameter, so it must be passed as -AccountEnabled:$false.
foreach ($user in $inactiveUsers) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Write-Host "Disabled user: $($user.UserPrincipalName)"
}
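The inactivity rule used by both the check and the fix procedures above (enabled account, last interactive sign-in older than 35 days, or never signed in and created more than 35 days ago) as an added, stand-alone example that is not part of the STIG text. It runs over constructed user records shaped like the JSON that GET /users?$select=...,signInActivity returns, so the edge cases (never signed in, newly created, already disabled, exact 35-day boundary) can be exercised offline before any account is touched.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 35  # threshold from the STIG rule


def parse_graph_time(value):
    """Parse a Graph ISO-8601 UTC timestamp such as 2025-01-10T08:15:00Z (None stays None)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_inactive(user, now, days=INACTIVITY_DAYS):
    """Same rule as the check text: enabled, and either the last sign-in is older than the
    cutoff, or the account has never signed in and was created before the cutoff."""
    if not user.get("accountEnabled", False):
        return False  # already disabled: nothing to do
    cutoff = now - timedelta(days=days)
    activity = user.get("signInActivity") or {}
    last = parse_graph_time(activity.get("lastSignInDateTime"))
    if last is not None:
        return last < cutoff  # strict, matching PowerShell's -lt
    created = parse_graph_time(user.get("createdDateTime"))
    return created is not None and created < cutoff


def inactive_upns(users, now):
    """Return the UPNs that the fix procedure would disable, sorted for stable reporting."""
    return sorted(u["userPrincipalName"] for u in users if is_inactive(u, now))


# Constructed sample records (not real tenant data); "now" is the STIG date used here as the run date.
NOW = datetime(2025, 3, 17, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "stale@example.test", "accountEnabled": True, "createdDateTime": "2024-01-05T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-01-20T09:00:00Z"}},   # 56 days idle -> disable
    {"userPrincipalName": "active@example.test", "accountEnabled": True, "createdDateTime": "2024-01-05T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-03-10T09:00:00Z"}},   # 7 days idle -> keep
    {"userPrincipalName": "new.never@example.test", "accountEnabled": True, "createdDateTime": "2025-03-01T00:00:00Z",
     "signInActivity": None},                                            # never signed in, 16 days old -> keep
    {"userPrincipalName": "old.never@example.test", "accountEnabled": True, "createdDateTime": "2024-12-01T00:00:00Z",
     "signInActivity": None},                                            # never signed in, 106 days old -> disable
    {"userPrincipalName": "already.off@example.test", "accountEnabled": False, "createdDateTime": "2024-01-05T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-06-01T09:00:00Z"}},   # already disabled -> skip
]

if __name__ == "__main__":
    for upn in inactive_upns(SAMPLE_USERS, NOW):
        print("would disable:", upn)
```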