NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION
3.5.6 — Disable Identifier After a Defined Period of Inactivity
Disable identifiers after a defined period of inactivity.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
If an account sits unused for a long time, it becomes a risk — a former employee's credentials could be compromised, or a forgotten service account could be exploited. This practice says: set a timer, and if an account is inactive past that threshold, disable it automatically.
Example 1: In Active Directory, use a PowerShell script with Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 to find accounts inactive for 90 days. Schedule this as a weekly task via Task Scheduler that automatically disables matching accounts and logs the action. Review the output with your security team monthly.
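The scheduled task described in Example 1, written out as a complete script. This is an added example, not code from the page or from NIST; the 90-day threshold, the OU under SearchBase, the exclusion list and the log path are assumptions shown as placeholders. It adds two checks the one-liner does not make: it re-reads LastLogonDate for each candidate (lastLogonTimestamp replicates lazily, so the first pass is only a coarse filter), and it judges never-logged-on accounts by creation date so a freshly provisioned account is not disabled before its owner's first sign-in.

```powershell
# Added example: find, disable and log AD user accounts inactive past a defined period (3.5.6).
# Assumptions (placeholders): 90-day threshold, OU path, exempt account names, log file path.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays  = 90,                               # assumption: policy threshold
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',      # assumption: placeholder OU
    [string[]]$Exclude  = @('breakglass-admin'),             # assumption: exempt, reviewed by hand
    [string]$LogPath    = 'C:\Logs\InactiveAccounts.csv'     # assumption: log location
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)
$span   = New-TimeSpan -Days $InactiveDays

# Coarse pass: Search-ADAccount evaluates lastLogonTimestamp, which replicates with a lag
# of up to about two weeks, so each hit is re-checked below before anything is disabled.
$candidates = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled -and ($Exclude -notcontains $_.SamAccountName) }

$results = foreach ($acct in $candidates) {
    $user = Get-ADUser -Identity $acct.DistinguishedName -Properties LastLogonDate, whenCreated

    # Accounts that have never logged on have no LastLogonDate; fall back to creation date
    # so a new account gets the full inactivity window before it is disabled.
    $lastActivity = if ($user.LastLogonDate) { $user.LastLogonDate } else { $user.whenCreated }
    if ($lastActivity -gt $cutoff) { continue }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable (inactive since $lastActivity)")) {
        Disable-ADAccount -Identity $user
        # Stamp the reason on the object so a reviewer can tell a 3.5.6 disable from a manual one.
        Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format s) for inactivity (3.5.6)"
        $action = 'Disabled'
    } else {
        $action = 'WhatIf'
    }

    [pscustomobject]@{
        Timestamp      = Get-Date -Format s
        SamAccountName = $user.SamAccountName
        LastActivity   = $lastActivity
        Action         = $action
    }
}

# Append to the audit log reviewed at the monthly meeting, and echo for the task history.
$results | Export-Csv -Path $LogPath -Append -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once with -WhatIf to review the candidate list before registering it as a weekly task; the account running the task needs rights to disable users in the target OU and to write the log file, and nothing more.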
Example 2: In the Entra Admin Center, go to Identity Governance > Access Reviews and create a review for all users. Set the review to auto-apply results and remove access for users who have not signed in within your defined inactivity period. You can also check sign-in activity under Users > Sign-in Logs and filter by "Last sign-in" to identify stale accounts.
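The "identify stale accounts" step of Example 2, done as a report through Microsoft Graph PowerShell instead of the portal filter. This is an added example, not code from the page or from Microsoft; it assumes the Microsoft.Graph modules are installed, that the tenant holds an Entra ID P1 or P2 licence (the signInActivity property is not returned otherwise), and uses a placeholder threshold and exemption list. It only reports; removal of access stays with the Access Review configured in the portal as the page describes.

```powershell
# Added example: report Entra ID users with no sign-in within a defined period (3.5.6).
# Assumptions (placeholders): 90-day threshold, exempt UPNs, output path, P1/P2 licensing.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
[CmdletBinding()]
param(
    [int]$InactiveDays = 90,                                 # assumption: policy threshold
    [string[]]$Exclude = @('breakglass@example.com'),        # assumption: exempt, reviewed by hand
    [string]$ReportPath = '.\EntraStaleAccounts.csv'         # assumption: report location
)

# Read-only scopes are enough for a report; AuditLog.Read.All is what exposes signInActivity.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

$users = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,createdDateTime,signInActivity' |
    Where-Object { $_.AccountEnabled -and ($Exclude -notcontains $_.UserPrincipalName) }

$stale = foreach ($u in $users) {
    # The portal's "Last sign-in" column is the interactive timestamp. A service-style identity
    # may only ever sign in non-interactively, so consult that before calling it inactive,
    # and treat a user who has never signed in as active since creation.
    $last = $u.SignInActivity.LastSignInDateTime
    $basis = 'interactive'
    if (-not $last) { $last = $u.SignInActivity.LastNonInteractiveSignInDateTime; $basis = 'non-interactive' }
    if (-not $last) { $last = $u.CreatedDateTime; $basis = 'never signed in (created)' }
    if ($last -gt $cutoff) { continue }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        LastActivityUtc   = $last
        Basis             = $basis
        DaysInactive      = [int]((Get-Date).ToUniversalTime() - $last).TotalDays
    }
}

$stale | Sort-Object DaysInactive -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$stale | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
```

Feed the CSV into the Access Review as the list to confirm, and keep it with the review results as evidence that the defined inactivity period was actually applied.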