Jackie Ramsey, April 30, 2026

One forgotten account can undo months of security work. In Microsoft Entra ID, stale identities often keep old group memberships, app access, and sometimes admin rights long after a person stops using them.

I treat a dormant account review as routine control hygiene, not audit theater. For IT admins, MSPs, and security teams, it is one of the cleanest ways to support least privilege and produce evidence that stands up under CMMC Level 2 scrutiny.

Why dormant accounts matter for CMMC Level 2

As of April 2026, CMMC Level 2 still aligns to the 110 requirements in NIST SP 800-171 Rev. 2, and identity controls keep drawing attention during assessments. A dormant account review supports account management (3.1.1), least privilege (3.1.5), and the expectation that identifiers are disabled after a defined period of inactivity (3.5.6). It also helps me catch accounts that look harmless but still hold access to CUI, shared mailboxes, line-of-business apps, or privileged groups.

Microsoft’s CMMC Level 2 identification and authentication guidance points to disabling identifiers after a defined period of inactivity. The broader Entra ID for CMMC compliance guidance makes another point I agree with: tenant settings alone are not enough. I still need a written policy, a review cadence, recorded approvals, and proof that I followed through.

A dormant account review does not make anyone “CMMC certified” by itself. What it does is give me a clean, repeatable process that an assessor can trace. If I can show the inactivity threshold, the review record, the decision, and the remediation action, I am in a much stronger position.

When I work with clients, this reaches far beyond defense contracts. The same stale identities turn up in small business IT, cloud infrastructure, Office 365 migration, and data center work, and in restaurant POS and kitchen technology support, where an old account can still reach payment systems and vendor portals. Endpoint security, device hardening, cloud management, and business continuity planning all depend on that identity cleanup being done first.

If I can’t show who reviewed the account, when I approved action, and what I changed, the control is not assessment-ready.

How I run the review in the Entra admin center

I start with a written rule. Most teams pick 90 or 180 days for workforce accounts. I document the threshold, the account types in scope, and the exclusions. I also note that inactivity is not only interactive sign-in. Service and automation identities often sign in only non-interactively (token refresh, background sync), so judging them on the interactive timestamp alone would mark them dormant when they are in daily use.

Then I use the Entra admin center and Microsoft’s inactive user account guidance to pull sign-in activity. The key property is signInActivity, which carries both lastSignInDateTime (interactive) and lastNonInteractiveSignInDateTime. Two caveats: reading signInActivity requires an Entra ID P1 license and the AuditLog.Read.All permission, and both timestamps are empty for an account that has never signed in since Microsoft began tracking the value, so a blank field is not by itself evidence of dormancy. If I need a governed workflow, I use Entra ID Governance access reviews. Microsoft’s post on inactive-user access reviews is useful because it shows how to scope a review to inactive users only and set a recurrence.


My review flow is simple:

  1. I export users with recent sign-in data and flag accounts past the inactivity threshold.
  2. I compare the list against HR status, ticket history, license assignment, and role membership.
  3. I route each account to an owner or reviewer for approval.
  4. After approval, I block sign-in and revoke active sessions first (blocking alone does not invalidate tokens that were already issued), then remove access or delete the account after my retention window.

I don’t stop at the portal action. I keep an evidence set for each review cycle:

  • screenshots of the review settings and reviewer assignments
  • exported user activity data
  • approval records and reviewer comments
  • audit logs for block sign-in, group removal, or deletion
  • exception notes with owner, reason, compensating controls, and next review date

That evidence is what turns a routine cleanup into a control you can defend.

Automating the review and handling exceptions the right way

At small scale, the portal is enough. Once I manage multiple clients or larger tenants, I automate. With Microsoft Graph or the Graph PowerShell SDK, I query users and select signInActivity, sort by last sign-in, and export to CSV. I often use Get-MgUser to gather the data and Update-MgUser to disable approved accounts. I keep the script logic simple so another admin can review it and reproduce the output.
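The query step described above, as an added example rather than the author's own script. It uses the Microsoft Graph PowerShell SDK, assumes Entra ID P1 (signInActivity is not returned without it) and consent for User.Read.All and AuditLog.Read.All, and treats the most recent of the interactive and non-interactive timestamps as "last activity" so that automation identities are not flagged on interactive inactivity alone. The break-glass UPNs in the exclusion list are placeholders.

```powershell
# inactive-users.ps1 (added example; not the author's script)
# Lists Entra ID users whose last activity is older than $InactiveDays and writes
# them to a CSV with empty reviewer columns for the approval step.
param(
    [int]$InactiveDays = 90,
    # Hypothetical break-glass accounts; these must never be auto-flagged.
    [string[]]$ExcludeUpn = @('breakglass1@contoso.com', 'breakglass2@contoso.com'),
    [string]$OutFile = ".\inactive-users-$(Get-Date -Format yyyyMMdd).csv"
)

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

# signInActivity is only returned when requested explicitly via -Property.
# Pull every user and filter client-side; this avoids the server-side
# restrictions on combining a signInActivity filter with other properties.
$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, AccountEnabled,
    UserType, CreatedDateTime, SignInActivity

$report = foreach ($u in $users) {
    if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }

    $interactive    = $u.SignInActivity.LastSignInDateTime
    $nonInteractive = $u.SignInActivity.LastNonInteractiveSignInDateTime

    # Most recent of the two timestamps; null if the account has never signed in.
    $last = @($interactive, $nonInteractive) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    if (-not $last) {
        # No recorded sign-in at all: only a finding if the account is older than the cutoff.
        if ($u.CreatedDateTime -gt $cutoff) { continue }
        $reason = 'never signed in'
    } elseif ($last -lt $cutoff) {
        $reason = 'inactive'
    } else {
        continue
    }

    [pscustomobject]@{
        UserPrincipalName        = $u.UserPrincipalName
        DisplayName              = $u.DisplayName
        UserType                 = $u.UserType          # Member vs Guest
        AccountEnabled           = $u.AccountEnabled
        CreatedDateTime          = $u.CreatedDateTime
        LastInteractiveSignIn    = $interactive
        LastNonInteractiveSignIn = $nonInteractive
        DaysSinceActivity        = if ($last) { [int]($now - $last).TotalDays } else { $null }
        Reason                   = $reason
        ReviewDecision           = ''   # reviewer fills in: keep / disable / exception
        Reviewer                 = ''
        ApprovalTicket           = ''
    }
}

@($report) | Sort-Object DaysSinceActivity -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "$(@($report).Count) account(s) past the $InactiveDays-day threshold written to $OutFile"
```

The exported file is the review record: the reviewer fills in ReviewDecision, Reviewer and ApprovalTicket, and the completed CSV goes into the evidence set unchanged. Keeping the decision columns in the same file as the activity data means an assessor can see the threshold, the timestamps and the approval on one row.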


Automation helps, but blind automation causes outages. Some accounts need exception handling, and that has to be documented before the review closes.

The table below shows the approach I use most often:

| Account type | Typical action | Evidence I keep |
| --- | --- | --- |
| Service account | Review non-interactive use, app dependency, and owner; do not disable on interactive inactivity alone | Owner approval, app mapping, next review date |
| Shared account | Challenge the business need, rotate credentials, reduce scope, plan replacement | Exception record, approval, remediation plan |
| Privileged account | Remove standing admin access, use PIM, review role assignments separately | Role export, approval, audit log |
| Emergency access account | Exclude from auto-disable, test under a controlled process, keep MFA and monitoring plan | Break-glass procedure, test record, exception approval |

I also save proof of remediation. If I disabled sign-in, I export the audit event. If I removed group access, I save the before-and-after membership record. If I keep an exception, I require an owner and an expiry date. Without that, exceptions become permanent holes.
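The remediation and evidence step from the list above and from this paragraph, as an added example that is not the author's script. It reads the reviewed CSV (column names ReviewDecision, Reviewer and ApprovalTicket are assumed), snapshots group and role membership before acting, blocks sign-in, revokes sessions, and writes one JSON evidence file per account. It supports -WhatIf so the run can be rehearsed, and assumes the Graph SDK with User.ReadWrite.All and Directory.Read.All consent.

```powershell
# apply-review.ps1 (added example; not the author's script)
# Applies reviewer-approved "disable" decisions and records before/after evidence.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ReviewCsv,
    [string]$EvidenceDir = ".\evidence\$(Get-Date -Format yyyyMMdd)"
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All' -NoWelcome
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Only rows with an explicit decision and a named reviewer are actionable;
# anything else stays untouched until the review record is complete.
$approved = Import-Csv $ReviewCsv |
    Where-Object { $_.ReviewDecision -eq 'disable' -and $_.Reviewer -and $_.ApprovalTicket }

foreach ($row in $approved) {
    $user = Get-MgUser -UserId $row.UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

    # "Before" record: every group and directory role the account currently holds.
    $memberOf = Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AdditionalProperties['@odata.type']   # #microsoft.graph.group / directoryRole
            Id          = $_.Id
            DisplayName = $_.AdditionalProperties['displayName']
        }
    }

    $after = $null
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in and revoke sessions')) {
        # Block sign-in first; access removal and deletion wait for the retention window.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        # Disabling alone leaves already-issued refresh tokens usable; revoke them.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        $after = Get-MgUser -UserId $user.Id -Property AccountEnabled
    }

    $evidence = [ordered]@{
        UserPrincipalName    = $user.UserPrincipalName
        ObjectId             = $user.Id
        Reviewer             = $row.Reviewer
        ApprovalTicket       = $row.ApprovalTicket
        ActionTimeUtc        = (Get-Date).ToUniversalTime().ToString('o')
        AccountEnabledBefore = $user.AccountEnabled
        AccountEnabledAfter  = if ($after) { $after.AccountEnabled } else { 'not applied (WhatIf)' }
        MembershipsBefore    = @($memberOf)
    }

    $safeName = $user.UserPrincipalName -replace '[^\w.@-]', '_'
    $evidence | ConvertTo-Json -Depth 4 |
        Set-Content -Path (Join-Path $EvidenceDir "$safeName.json")
}
```

Run it once with -WhatIf and keep that output too; it shows the reviewer exactly which accounts would be touched. The directory audit log entry for the change ("Update user" with the AccountEnabled property modified) appears with some delay, so export it from the Entra admin center or Graph as a separate step after the run rather than assuming the script's own JSON is the only record.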

Conclusion

A good dormant account review is not flashy, but it closes one of the most common identity gaps in Entra ID. It supports least privilege, trims old access, and gives me evidence that maps cleanly to CMMC Level 2 expectations.

The strongest move is also the simplest: define inactivity, review on a schedule, document every decision, and treat exceptions with the same discipline as active accounts. That is how I turn account cleanup into a control that holds up when it matters.

