---
name: Stale and Guest Account Audit
description: Read-only audit that finds inactive, disabled, and orphaned Microsoft Entra guest accounts to reduce identity attack surface and support access reviews.
---

# Stale and Guest Account Audit

> **TL;DR:** This skill inspects your Microsoft Entra directory to find users who have not signed in for over 90 days, accounts that are disabled but never deleted, and guest accounts with no sponsor, then produces a prioritised risk report so you can clean up unused identities.

## What is a stale or orphaned Microsoft Entra account?

A stale account is a Microsoft Entra user or guest identity that is no longer in active use: someone who has not signed in for 90 days or more, an account left in a disabled state, or a guest invited for a project that has since ended. Orphaned or sponsorless guests are external identities with no owning user to vouch for their ongoing access. Each of these inflates the identity attack surface that Conditional Access and Microsoft Entra access reviews are meant to constrain, and such accounts often retain stale permissions to data, including the Microsoft 365 content that Copilot grounds its answers on.

## When should you run this skill?

- "Show me every user who has not signed in for 90 days or more."
- "Which guest accounts have no sponsor or owner assigned?"
- "Find accounts that are disabled but were never deleted."
- "We are preparing for an access review and need a stale identity baseline."
- "Audit our external guests before the next Conditional Access change."
- "Which inactive accounts still hold licences we could reclaim?"
- "Give me a clean-up list of orphaned identities ahead of an audit."

## How this skill works, step by step

1. Connect read-only to Microsoft Entra using delegated Microsoft Graph permissions scoped to directory and sign-in activity reads.
2. Enumerate all member and guest user objects, capturing account enabled state, creation date, and assigned licences.
3. Retrieve each account's `signInActivity` timestamps (last interactive, last non-interactive and last successful sign-in) from sign-in activity data.
4. Flag accounts with no successful sign-in in the trailing 90 days as inactive, and treat accounts with no recorded sign-in activity at all as never signed in.
5. Identify accounts where the enabled state is false to surface disabled-but-not-deleted identities.
6. For each guest, resolve the sponsor or inviting user and mark guests with no resolvable sponsor as orphaned or sponsorless.
7. Derive a risk score per account by weighting inactivity duration, guest status, missing sponsor, retained licences, and privileged role membership.
8. Sort findings by risk score, highest first, and group them by category for review.
9. Compile the results into a structured report with remediation guidance for an administrator to action separately.
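The classification and scoring of steps 2 to 8, as an added Python example that is not this skill's own code. It makes no call to Microsoft Graph: the user records are constructed to match the shape of a `GET /users?$select=...,assignedLicenses,signInActivity` response, the sponsor map stands in for `GET /users/{id}/sponsors`, and the privileged-ID set stands in for a privileged role's `GET /directoryRoles/{id}/members` listing. The weights, thresholds and risk labels are assumptions chosen for the demo, not the skill's actual scoring.

```python
"""Stale/guest classification over Graph-shaped user records (added example).

No Microsoft Graph call is made: USERS, SPONSORS and PRIVILEGED_IDS are
constructed to mirror what these requests return (assumption for the demo):
  GET /users?$select=id,userPrincipalName,userType,accountEnabled,
             createdDateTime,assignedLicenses,signInActivity
  GET /users/{id}/sponsors
  GET /directoryRoles/{id}/members   (for a privileged role)
"""
from datetime import datetime, timezone

INACTIVE_DAYS = 90
# Fixed clock so the example is deterministic (assumption).
NOW = datetime(2025, 4, 12, 18, 0, tzinfo=timezone.utc)

USERS = [  # constructed sample directory
    {"id": "u1", "userPrincipalName": "jdoe@contoso.com", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2021-02-01T09:00:00Z",
     "assignedLicenses": [{"skuId": "sku-e5"}, {"skuId": "sku-p1"}],
     "signInActivity": {"lastSignInDateTime": "2024-09-12T08:15:30Z",
                        "lastSuccessfulSignInDateTime": "2024-09-12T08:15:30Z",
                        "lastNonInteractiveSignInDateTime": "2024-09-12T08:16:02Z"}},
    {"id": "u2", "userPrincipalName": "asmith@contoso.com", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2022-06-15T10:00:00Z",
     "assignedLicenses": [{"skuId": "sku-e5"}],
     "signInActivity": {"lastSignInDateTime": "2025-04-10T07:30:00Z",
                        "lastSuccessfulSignInDateTime": "2025-04-10T07:30:00Z"}},
    {"id": "u3", "userPrincipalName": "temp.svc@contoso.com", "userType": "Member",
     "accountEnabled": False, "createdDateTime": "2023-01-20T12:00:00Z",
     "assignedLicenses": [{"skuId": "sku-p1"}],
     "signInActivity": {"lastSignInDateTime": "2024-11-29T14:05:00Z",
                        "lastSuccessfulSignInDateTime": "2024-11-29T14:05:00Z"}},
    # Guest invited but never redeemed: Graph omits signInActivity entirely.
    {"id": "g1", "userPrincipalName": "partner.user_fabrikam.com#EXT#@contoso.com",
     "userType": "Guest", "accountEnabled": True,
     "createdDateTime": "2024-03-04T08:00:00Z",
     "assignedLicenses": [{"skuId": "sku-p1"}]},
    {"id": "g2", "userPrincipalName": "vendor_tailspin.com#EXT#@contoso.com",
     "userType": "Guest", "accountEnabled": True,
     "createdDateTime": "2024-10-01T08:00:00Z", "assignedLicenses": [],
     "signInActivity": {"lastNonInteractiveSignInDateTime": "2025-04-05T11:20:00Z"}},
]
SPONSORS = {"g2": ["u2"]}   # constructed: g1 has no sponsor object at all
PRIVILEGED_IDS = {"u1"}     # constructed: members of a privileged directory role


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def last_activity(user):
    """Most recent successful sign-in, interactive or not, or None if none.

    lastSignInDateTime is deliberately not used: it is advanced by interactive
    attempts whether or not they succeed, so lastSuccessfulSignInDateTime is
    the right basis for "no successful sign-in in 90 days".
    """
    activity = user.get("signInActivity") or {}
    stamps = [_ts(activity.get("lastSuccessfulSignInDateTime")),
              _ts(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def assess(user, sponsors, privileged_ids, now=NOW):
    """Classify one user and derive a 0-100 risk score (weights are assumptions)."""
    last = last_activity(user)
    days = (now - last).days if last else None
    is_guest = user["userType"] == "Guest"
    licences = len(user.get("assignedLicenses", []))
    categories = []
    if days is None:
        categories.append("never-signed-in")
    elif days >= INACTIVE_DAYS:
        categories.append("inactive")
    if not user["accountEnabled"]:
        categories.append("disabled")
    if is_guest and not sponsors.get(user["id"]):
        categories.append("sponsorless-guest")

    score = 0
    if days is None:
        score += 50                                          # never signed in
    elif days >= INACTIVE_DAYS:
        score += min(50, 30 + (days - INACTIVE_DAYS) // 10)  # grows with age
    score += 15 if is_guest else 0
    score += 20 if "sponsorless-guest" in categories else 0
    score += 15 if "disabled" in categories else 0           # retained permissions
    score += min(15, 5 * licences)                           # reclaimable licences
    score += 25 if user["id"] in privileged_ids else 0
    score = min(score, 100)
    label = ("Critical" if score >= 85 else "High" if score >= 70
             else "Medium" if score >= 50 else "Low")
    return {"upn": user["userPrincipalName"], "type": user["userType"],
            "days_since_sign_in": days, "enabled": user["accountEnabled"],
            "sponsored": bool(sponsors.get(user["id"])) if is_guest else None,
            "licences": licences, "categories": categories,
            "score": score, "label": label}


def run_audit(users, sponsors, privileged_ids, now=NOW):
    """Return flagged findings sorted by score (highest first) plus a summary."""
    findings = [assess(u, sponsors, privileged_ids, now) for u in users]
    flagged = sorted((f for f in findings if f["categories"]),
                     key=lambda f: f["score"], reverse=True)
    summary = {
        "analysed": len(users), "flagged": len(flagged),
        "inactive": sum(("inactive" in f["categories"]) or
                        ("never-signed-in" in f["categories"]) for f in flagged),
        "disabled": sum("disabled" in f["categories"] for f in flagged),
        "sponsorless_guests": sum("sponsorless-guest" in f["categories"] for f in flagged),
        "reclaimable_licences": sum(f["licences"] for f in flagged),
    }
    return flagged, summary


if __name__ == "__main__":
    flagged, summary = run_audit(USERS, SPONSORS, PRIVILEGED_IDS)
    for f in flagged:
        d = f["days_since_sign_in"]
        when = "Never" if d is None else f"{d} days ago"
        print(f"{f['upn']:45} {f['type']:6} {when:14} {f['score']:3} ({f['label']})")
    print(summary)
```

Against a real tenant the `$select=signInActivity` request returns 403 without a Microsoft Entra ID P1 or P2 licence, so the audit should fail loudly rather than silently treating every account as never signed in; also note that `signInActivity` is absent both for accounts that never signed in and for accounts whose last sign-in predates the sign-in activity data, so cross-check `createdDateTime` before acting on a "never" finding.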

## Output format

The skill returns a ranked table of flagged accounts followed by a summary.

| User principal name | Type | Last sign-in | Status | Sponsor | Risk score |
| --- | --- | --- | --- | --- | --- |
| `jdoe@contoso.com` | Member | 212 days ago | Enabled | n/a | 78 (High) |
| `partner.user_fabrikam.com#EXT#@contoso.com` | Guest | Never | Enabled | None | 91 (Critical) |
| `temp.svc@contoso.com` | Member | 134 days ago | Disabled | n/a | 64 (Medium) |

- Total accounts analysed and the count flagged in each category.
- Inactive accounts (no sign-in over 90 days), with those that never signed in highlighted.
- Disabled-but-not-deleted accounts that may still hold permissions or licences.
- Orphaned or sponsorless guest accounts recommended for review.
- Reclaimable licences attached to inactive or disabled accounts.

## Scope and safety

This skill is read-only and makes no changes to your tenant. It reads only directory objects and sign-in activity to build the audit report; all remediation is left to an administrator to perform deliberately.

This skill does NOT:

- Disable, delete, or block any user or guest account.
- Remove, reassign, or reclaim any licence.
- Modify sponsor, group membership, or Conditional Access assignments.
- Send notifications or invitations to any user.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Sign-in activity reports (last sign-in date) | Microsoft Entra ID P1 |
| Directory and guest object reads | Microsoft Entra ID Free |

### Least-privilege roles

Any one of the following read-only roles is sufficient; a Global Administrator assignment is not needed for this audit:

- Global Reader (read-only directory and sign-in data)
- Security Reader (review identity risk and sign-in activity)

### Microsoft Graph permissions (read-only)

- `Directory.Read.All` — reads member and guest user objects, account enabled state, creation dates, and sponsor relationships
- `User.Read.All` — reads user profiles and assigned licences
- `AuditLog.Read.All` — reads interactive and non-interactive sign-in activity to determine last sign-in timestamps

## Sources and compliance

- [How to manage inactive user accounts in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-manage-inactive-user-accounts)
- [Clean up stale guest accounts in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/clean-up-stale-guest-accounts)
- Supports the Restrict administrative privileges intent of the [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model) by surfacing unused and privileged identities for review.
- Aligns with the Australian Government Information Security Manual (ISM) access-management controls covering the disabling and review of inactive and temporary accounts.
- Output in Australian English.
