Why dormant Office 365 users are an attacker’s dream, and how to clean them up

Here is the bird’s-eye view of the issue at hand.
One in three internal users in a typical enterprise tenant is a “ghost.” Those idle accounts rarely have MFA enforced, often carry admin-level rights nobody remembers granting, and make ideal launch pads for ransomware crews. The fix is continuous discovery plus automatic remediation, ideally with the whole workflow built into your identity-security platform.
Unosecur has launched a feature that can help you out with it. Read about it here.
How big is the ghost-user problem?
- One-third of internal user accounts are “ghost users,” according to a long-running Varonis assessment of more than 130 enterprises: 34% of internal accounts were inactive but still enabled, and nearly half of the organisations hosted 1,000+ such stale users in their directories.
- 88% of companies admit they still have stale accounts in 2025, according to the Varonis State of Data Security Report.
- Even Microsoft had housekeeping to do: its Secure Future Initiative has purged 6.3 million dormant Microsoft Entra tenants this year alone.
If the company that hosts the O365 suite can accumulate that much identity debris, every other large tenant almost certainly does too.
Why do dormant Office 365 users pile up so quickly?

Why attackers love orphaned identities
- They’re invisible. Without real-time, continuous identity and access monitoring, no one notices a long-idle sales intern account suddenly signing in from another country at 3 a.m.
- They pre-date MFA. Stale accounts were often created before MFA was enforced and can still authenticate over password-only legacy protocols (IMAP/POP, SMTP AUTH) that cannot prompt for MFA.
- Privilege drift is real. The longer an account sits around, the more nested group memberships and shared links it accumulates, and nobody reviews the rights of an account nobody uses.
- Great for lateral movement. Once inside, adversaries harvest mail, OneDrive data and Teams chats, then pivot to on-prem systems.
Put simply, forgotten users give bad actors a low-noise, high-impact beachhead.
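The “dormant account wakes up over a legacy protocol from a new country” pattern above is easy to spot if you keep per-user state while walking the sign-in log. The following is an added example (not code from the original post or from Unosecur): a PowerShell function run over a constructed sample of sign-in events using the field names Entra ID sign-in logs expose (`userPrincipalName`, `createdDateTime`, `clientAppUsed`, `location.countryOrRegion` flattened to `country`, `status.errorCode` flattened to `errorCode`). The function name, the 90-day threshold and the sample data are assumptions.

```powershell
# Added example, not from the original post. Flags "ghost" accounts that wake up:
# a sign-in after >= $DormantDays of silence, a legacy (password-only) protocol,
# or a country change relative to the account's previous successful sign-in.

function Find-GhostWakeUp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $DormantDays = 90,
        # Client types that authenticate with a password only and cannot prompt for MFA.
        [string[]] $LegacyClients = @('IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
                                      'Exchange ActiveSync', 'Other clients')
    )
    foreach ($perUser in ($SignIns | Group-Object -Property userPrincipalName)) {
        $events      = $perUser.Group | Sort-Object { [datetimeoffset]$_.createdDateTime }
        $lastSuccess = $null   # time of the previous successful sign-in for this user
        $lastCountry = $null   # country of that sign-in
        foreach ($e in $events) {
            $when    = [datetimeoffset]$e.createdDateTime
            $reasons = @()

            if ($e.clientAppUsed -in $LegacyClients) { $reasons += 'legacy-auth' }
            if ($lastSuccess) {
                $gap = [int]($when - $lastSuccess).TotalDays
                if ($gap -ge $DormantDays)       { $reasons += "dormant-${gap}d" }
                if ($e.country -ne $lastCountry) { $reasons += "new-country-$($e.country)" }
            }
            if ($e.errorCode -ne 0) { $reasons += "failed-$($e.errorCode)" }

            # Report only when the account was dormant or a legacy protocol was used;
            # a plain country change on an active account is left to other rules.
            if ($reasons -match '^(dormant|legacy)') {
                [pscustomobject]@{
                    User    = $perUser.Name
                    When    = $when.ToString('u')
                    Client  = $e.clientAppUsed
                    Reasons = ($reasons -join ',')
                }
            }
            # Only successful sign-ins move the "last seen" marker.
            if ($e.errorCode -eq 0) { $lastSuccess = $when; $lastCountry = $e.country }
        }
    }
}

# Constructed sample sign-in log (not a real export), one object per event.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'intern.sales@contoso.example'; createdDateTime = '2025-01-10T09:12:00Z'; clientAppUsed = 'Browser'; country = 'GB'; errorCode = 0 }
    [pscustomobject]@{ userPrincipalName = 'intern.sales@contoso.example'; createdDateTime = '2025-06-02T03:04:00Z'; clientAppUsed = 'IMAP4';   country = 'NG'; errorCode = 0 }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example';        createdDateTime = '2025-05-30T08:00:00Z'; clientAppUsed = 'Browser'; country = 'GB'; errorCode = 0 }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example';        createdDateTime = '2025-06-02T08:05:00Z'; clientAppUsed = 'Browser'; country = 'GB'; errorCode = 0 }
    [pscustomobject]@{ userPrincipalName = 'svc-backup@contoso.example';   createdDateTime = '2025-06-02T02:00:00Z'; clientAppUsed = 'IMAP4';   country = 'GB'; errorCode = 50126 }
)

Find-GhostWakeUp -SignIns $sample -DormantDays 90 | Format-Table -AutoSize
```

On the sample, Alice’s routine browser sign-ins produce nothing, the intern’s IMAP sign-in is reported with the dormancy gap, the legacy protocol and the country change, and the failed IMAP attempt against the service account is reported as a legacy-auth failure (a typical password-spray signature). To run it over real data, feed the function the objects returned by `Get-MgAuditLogSignIn` after mapping `Location.CountryOrRegion` and `Status.ErrorCode` onto the `country` and `errorCode` properties.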
The three-step clean-up strategy
Continuous discovery, not annual audits
Flag any human or service account with no interactive or non-interactive sign-in (including token refreshes) for 90 days or more, or whatever threshold your auditors prefer.
Validate before you obliterate
Cross-check with HR and line managers: is the identity tied to a legal hold, a returning contractor, or a break-glass admin?
Automate the full remediation loop
Disable the account, revoke refresh tokens, strip licences and group memberships, and log every action as SOX/GDPR/HIPAA evidence.
Manual scripts get you part of the way, but the sheer volume in a Fortune 500 tenant makes automation essential.
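The three steps above, as one closed loop in the Microsoft Graph PowerShell SDK. This is an added example, not Unosecur’s connector or Microsoft’s own tooling. It assumes `Connect-MgGraph` has already been run with the `User.ReadWrite.All`, `AuditLog.Read.All` and `Directory.ReadWrite.All` scopes, that the tenant has an Entra ID P1/P2 licence (required for `signInActivity` to be populated), and that the break-glass UPNs, the log path and the function name are placeholders you replace.

```powershell
# Added example, not from the original post or from Unosecur.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups

function Invoke-GhostUserCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]      $DormantDays = 90,
        # Assumed placeholders: the tenant's break-glass accounts, never touched here.
        [string[]] $ExcludeUpn  = @('breakglass1@contoso.example', 'breakglass2@contoso.example'),
        [string]   $LogPath     = '.\ghost-cleanup.jsonl'
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$DormantDays)

    # Step 1: discovery. signInActivity is only returned when explicitly selected
    # and needs AuditLog.Read.All; it covers both interactive and token (non-interactive) activity.
    $users = Get-MgUser -All -Filter "accountEnabled eq true" `
        -Property Id,UserPrincipalName,UserType,CreatedDateTime,SignInActivity,OnPremisesSyncEnabled

    foreach ($u in $users) {
        if ($u.UserType -ne 'Member') { continue }   # guests are a separate review

        $last = @($u.SignInActivity.LastSignInDateTime,
                  $u.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        # Never signed in: use the creation date so brand-new accounts are not flagged early.
        if (-not $last) { $last = $u.CreatedDateTime }
        if ($last -gt $cutoff) { continue }

        # Step 2: validation gates. HR / line-manager confirmation happens outside this
        # script; here only the hard exclusions are enforced, plus -WhatIf for a dry run.
        if ($u.UserPrincipalName -in $ExcludeUpn) { Write-Verbose "skipping break-glass $($u.UserPrincipalName)"; continue }
        if ($u.OnPremisesSyncEnabled) { Write-Warning "$($u.UserPrincipalName) is synced from AD; disable it on-prem"; continue }
        if (-not $PSCmdlet.ShouldProcess($u.UserPrincipalName, 'disable, revoke tokens, strip licences and groups')) { continue }

        # Step 3: remediation.
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null   # invalidates refresh tokens

        $skus = @((Get-MgUserLicenseDetail -UserId $u.Id).SkuId)
        if ($skus.Count -gt 0) {
            try   { Set-MgUserLicense -UserId $u.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null }
            catch { Write-Warning "licence removal failed for $($u.UserPrincipalName) (group-based licensing?): $_" }
        }

        $groups = @(Get-MgUserMemberOf -UserId $u.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
        foreach ($g in $groups) {
            try   { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $u.Id }
            catch { Write-Warning "could not remove $($u.UserPrincipalName) from group $($g.Id) (dynamic or synced?): $_" }
        }

        # Audit trail: one JSON line per account, kept as compliance evidence.
        [pscustomobject]@{
            timestamp = (Get-Date).ToUniversalTime().ToString('o')
            actor     = (Get-MgContext).Account
            user      = $u.UserPrincipalName
            lastSeen  = $last.ToString('o')
            licences  = $skus
            groups    = @($groups.Id)
            actions   = @('disabled', 'sessions-revoked', 'licences-removed', 'groups-removed')
        } | ConvertTo-Json -Compress | Add-Content -Path $LogPath
    }
}

# Dry run first (prints what would be changed), then the real run:
Invoke-GhostUserCleanup -DormantDays 90 -WhatIf -Verbose
# Invoke-GhostUserCleanup -DormantDays 90
```

Three caveats a practitioner should keep in mind: revoking sessions invalidates refresh tokens but already-issued access tokens stay valid until they expire (up to about an hour), so disabling the account first matters; licences assigned through group-based licensing and memberships in dynamic or on-prem-synced groups cannot be removed per user and show up as the warnings above; and accounts synced from on-prem Active Directory must be disabled there, or the next sync will re-enable them.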
How Unosecur’s Office 365 Connector does the heavy lifting

Security teams go from “We’ll run an audit script next quarter” to “We eliminated three dormant admins before lunch.”
Dormant Office 365 accounts aren’t trivial housekeeping; they’re a standing invitation for ransomware crews and insider threats. Moving from periodic clean-ups to real-time, closed-loop remediation closes that gap and keeps regulators satisfied.
Ready to see how many ghosts are haunting your tenant? Book a 15-minute demo of the Unosecur O365 Connector and watch them disappear.
Protect what matters most
Secure human and non-human identities (NHIs) at scale powered by AI. Don't wait for a security breach to happen. Get a free assessment today and secure your business.