Stale Microsoft 365 accounts are a security risk: Remove them now

Stale accounts in any environment are an IT administrator’s nightmare. Cleaning them up has always been a problem, especially for large organizations or universities that turn over many accounts regularly. Some admins assume the account is disabled, so why the big concern? Well, sometimes you think accounts are disabled, but they are not: they still exist in Active Directory and in Exchange Online with an active mailbox. If you are running hybrid, you may also have stale on-premises accounts synchronized to Microsoft 365 that should be removed. The number of stale and old accounts was exacerbated by the rush to Microsoft 365 during the pandemic.

Stale Microsoft 365 accounts: An invitation to attackers

Let’s say that User A, who was high up in the HR department, left the company, but her account, mailbox, and permissions remained intact. If that account is compromised, the attacker can move a long way into the environment on the strength of its elevated permissions. Another example is an IT staff member with an administrative account: if it is compromised, the attacker has full domain privileges to do whatever they want. Many attacks don’t happen immediately; the attacker collects information first and launches the attack later, and an account that nobody is watching is exactly the foothold they want.

You could also look at it from a different angle: User A has Full Access to User B’s mailbox because she had to look after it during a transition phase. After a while the delegation is no longer used, but it remains in place. If User A’s account or computer is compromised, the attacker has access not only to User A’s mailbox but to User B’s as well.

In Microsoft 365, you do not want accounts lying around with licenses assigned. Free up those licenses and allocate them elsewhere, or to new staff members when they join. So the question arises: how do you manage accounts that have not been accessed in a while, and what do you do with the data? The HR department should have a leaver form on which each section must be signed off. If the user’s data is saved to a file share or SharePoint, the IT department can reformat the machine. The mailbox can be exported to PST, and if a manager or colleague needs it, they can be given access to the PST file. Once the data has been exported and that part of the form signed off, the account can be removed.

Coming back to stale Microsoft 365 accounts: attackers are always looking for ways into a company. They scour places like LinkedIn for information on how to launch an attack. People often post, “Today is my last day with company X,” and that is an easy lead for attackers, especially if the person leaving is high-profile. This is where automation in the HR process comes in handy: the same leaver form that needs sign-off for other things also needs sign-off from HR. Once HR flags the account in the system, the process should automatically remove all of the user’s access, mailbox, and accounts. Depending on how Active Directory is set up, the deleted account goes to the Active Directory Recycle Bin and is purged after the configured deleted-object lifetime.
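The detection and clean-up steps described above (finding accounts nobody has signed in with, the licenses they still hold, the Full Access they still have on other people’s mailboxes, and the automated removal once HR flags the leaver) look like this in PowerShell. This is an added example, not code from the original article. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the signed-in admin can read sign-in activity (the signInActivity property needs a Microsoft Entra ID P1 or P2 license) and manage users and mailboxes, and that 90 days without any sign-in is your organization’s “stale” threshold; the function names are mine.

```powershell
# Added example, not the article's own code. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules, an admin able to read sign-in activity
# (Entra ID P1/P2) and manage users, and a 90-day inactivity threshold.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

function Get-StaleM365User {
    param([int]$InactiveDays = 90)          # assumed policy threshold
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # signInActivity is only returned when asked for explicitly via -Property.
    Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled,
        CreatedDateTime, SignInActivity, AssignedLicenses |
    ForEach-Object {
        # Most recent of interactive / non-interactive sign-in; an account that has
        # never signed in has neither, so fall back to its creation date.
        $last = @($_.SignInActivity.LastSignInDateTime,
                  $_.SignInActivity.LastNonInteractiveSignInDateTime,
                  $_.CreatedDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                Enabled           = $_.AccountEnabled   # "disabled" accounts still show up here
                LastActivity      = $last
                LicenseCount      = $_.AssignedLicenses.Count
                Id                = $_.Id
            }
        }
    }
}

function Get-DelegatedMailboxAccess {
    # Explicit Full Access grants this user holds on OTHER mailboxes (the User A -> User B case).
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object {
        Get-EXOMailboxPermission -Identity $_.Identity -User $UserPrincipalName -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited }
}

function Disable-StaleM365User {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $action = 'disable, revoke sessions, remove licenses and delegated mailbox access'
        if (-not $PSCmdlet.ShouldProcess($User.UserPrincipalName, $action)) { return }

        # 1. Disable the account and invalidate refresh tokens so no cached session lingers.
        Update-MgUser -UserId $User.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $User.Id | Out-Null

        # 2. Free every assigned license for re-allocation. Do this only AFTER the
        #    mailbox export your leaver form requires: once the Exchange license is
        #    gone the mailbox is deleted after a 30-day grace period.
        $skus = (Get-MgUser -UserId $User.Id -Property AssignedLicenses).AssignedLicenses.SkuId
        if ($skus) { Set-MgUserLicense -UserId $User.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null }

        # 3. Remove Full Access this user still holds on other people's mailboxes.
        Get-DelegatedMailboxAccess -UserPrincipalName $User.UserPrincipalName | ForEach-Object {
            Remove-MailboxPermission -Identity $_.Identity -User $User.UserPrincipalName `
                -AccessRights FullAccess -Confirm:$false
        }
    }
}

# Usage: report first, then act. -WhatIf lists what would be done without changing anything.
Get-StaleM365User -InactiveDays 90 | Format-Table UserPrincipalName, Enabled, LastActivity, LicenseCount
Get-StaleM365User -InactiveDays 90 | Where-Object Enabled | Disable-StaleM365User -WhatIf
```

Run the report as a scheduled job and feed the HR leaver flag into the disable step; an account that HR has signed off does not need to wait out the 90 days. Note that the report deliberately includes accounts that are already disabled, because a disabled account with a license and a live mailbox is exactly the case the article warns about.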

Increasing the odds of ransomware

The big danger of having dormant accounts lying around is that you are opening yourself to a ransomware attack. Ransomware not only causes downtime but also damages a company’s reputation, especially when information is stolen and published on the Internet or used for extortion. Cleaning up old employee accounts may be an annoying chore, but it saves the company from a potential attack.

If other employees need access to files that a previous employee had access to, grant them access to the files directly, not to the stale/dormant account. Another thing IT admins tend to do is reset the dormant account’s password to a default value so other employees don’t have to remember a complex one. All this does is make it easy for attackers to get into your network, where they can elevate privileges relatively easily.

And don’t reset passwords to default

To sum it all up: put measures in place so that either an automated HR system handles access and account removal for you, or work with the HR department on a leaver form so that when an employee leaves, the process is straightforward and you can clean everything up. That way the account is no longer around to be attacked. And do not reset account passwords to defaults like Pass@123 or Password123; that is an open invitation to cybercriminals.
