Hidden Gems in Entra ID: The Cost and Complexity of Cleaning Stale Guest Accounts
I spend a considerable amount of time deep-diving into documentation. It’s part of the job here at Reclaim Security. We are constantly mapping out the intricate settings of the tools you already use to find the most effective ways to reduce your attack surface.
Recently, I was looking into a common headache for almost every organization: stale guest accounts.
We all have them. Vendors who finished a project six months ago; partners who moved on; contractors who switched agencies. These dormant accounts are a favorite entry point for attackers because they often fly under the radar.

While digging through Microsoft’s documentation, I found that Entra ID (formerly Azure AD) actually has some robust native features to handle this. But there is a catch.
The Native Solution: Access Reviews
Microsoft offers a feature called Access Reviews. It’s a solid mechanism that shifts the burden of verification away from the IT team and onto the people who actually know what’s going on.
Instead of an admin guessing if “John Doe from Vendor X” still needs access, Access Reviews allows you to require specific users, usually managers or group owners, to verify continued usage. They get a notification, they review the access, and they provide an explanation if the account needs to stay active.
This solves the discovery problem. It helps clean up the directory. It reduces the attack surface.
The “Gotcha”: The Price of Governance
Here is the nuance that often gets missed. To actually use these features effectively, you generally need a premium paid add-on called Microsoft Entra ID Governance.
This creates a dilemma for many security leaders. You know the risk of stale accounts is real. You know the tool to fix it exists within your platform. But unlocking that capability requires an additional licensing cost that might not fit the budget, especially if you are only using a fraction of the governance suite.
The Reclaim Perspective: Fix It Safely, Without the Tax
This finding reinforces what we focus on every day at Reclaim Security. There are often two ways to solve a configuration drift problem:
- The Manual/Expensive Way: Buy the premium governance module, set up the campaigns, chase down managers who ignore the “please verify” emails, and hope they don’t rubber-stamp approvals just to make the notification go away.
- The Automated/Safe Way: Leverage an intelligent layer that sits on top of your existing stack.
This is where our AI Security Engineer and PIPE™ (Productivity Impact Prediction Engine) come into play.
While Entra’s Access Reviews rely on human input to verify usage, Reclaim looks at the data. Our platform can identify stale guest accounts based on actual behavior and inactivity logs. But we don’t just flag them; that would just be another finding.
We move to remediation.
Before we disable a guest account, PIPE™ analyzes the potential business impact. It predicts if disabling that account will break a critical workflow or lock out a vendor who only logs in once a quarter for quarterly business reviews.
If the risk is low, Reclaim can automate the cleanup. If the risk is moderate, the AI Security Engineer can tee up a simplified decision for your team.
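To make the inactivity-based triage described above concrete, here is an added example (not Reclaim's or Microsoft's own code) that classifies guest accounts from the shape of a Microsoft Graph /users response with the signInActivity property selected. The 90-day threshold and the sample records are assumptions constructed for the example; the business-impact step remains a human decision and is not modelled here.

```python
"""Triage Entra ID guest accounts by sign-in inactivity (added example)."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed threshold; tune per tenant
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed "today" for the sample

# Constructed records mimicking GET /v1.0/users with
# $select=id,displayName,userType,externalUserState,createdDateTime,signInActivity
# (reading signInActivity needs AuditLog.Read.All and a P1/P2-licensed tenant).
SAMPLE_GUESTS = [
    {"id": "g1", "displayName": "Vendor X (John Doe)", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-06-01T08:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-06-02T03:00:00Z"}},
    {"id": "g2", "displayName": "Partner integration", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-06-01T08:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-04-20T03:00:00Z"}},
    {"id": "g3", "displayName": "Never-redeemed invite", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2023-11-01T09:00:00Z"},
    {"id": "g4", "displayName": "New contractor", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2024-04-25T09:00:00Z"},
]

def _parse(ts):
    """Graph timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def classify_guest(user, now):
    """Return active, stale, unredeemed-invite, never-signed-in or new."""
    if user.get("userType") != "Guest":
        raise ValueError("expected a guest user")
    if user.get("externalUserState") == "PendingAcceptance":
        return "unredeemed-invite"  # invited but never accepted: no reason to keep
    activity = user.get("signInActivity") or {}
    # Take the most recent of interactive and non-interactive sign-ins so a
    # guest that only authenticates through an automated integration is not
    # misread as dormant (the "vendor who logs in once a quarter" problem).
    seen = [t for t in (_parse(activity.get("lastSignInDateTime")),
                        _parse(activity.get("lastNonInteractiveSignInDateTime"))) if t]
    if not seen:  # signInActivity is absent for accounts that never signed in
        created = _parse(user.get("createdDateTime"))
        return "new" if created and now - created < STALE_AFTER else "never-signed-in"
    return "stale" if now - max(seen) > STALE_AFTER else "active"

def stale_guest_report(users, now=None):
    """Group guest ids by class; anything other than active/new merits review."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for u in users:
        report.setdefault(classify_guest(u, now), []).append(u["id"])
    return report
```

Run against a live tenant by replacing SAMPLE_GUESTS with the paged results of the same Graph query; the output is a review queue, not a disable list.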
The Takeaway
If you are already paying for Entra ID Governance, you should absolutely be using Access Reviews. It is a powerful feature that is likely sitting dormant in your tenant. Turn it on; configure it for your guest users; start cleaning house.
However, if you are looking to avoid the “governance tax” and want a solution that focuses on fixing the problem rather than just reviewing it, you need a different approach. You need remediation that is aware of your business context.
Stale accounts are a liability. Whether you use Microsoft’s native governance tools or Reclaim’s automated remediation, the goal is the same: eliminate the exposure before it becomes an incident.
Next Step: Curious if you have stale guest accounts sitting open in your environment?
Request a free assessment and let our AI Security Engineer show you exactly what needs fixing.