Forum Discussion
underQualifried
Feb 14, 2025, Brass Contributor
What is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to its full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple year...
Chandrasekhar_Arya
Feb 19, 2025, Steel Contributor
This is a great process, but I am not sure how you are looking for old risky sign-ins. Are you saving them in some storage? I guess Microsoft keeps them for 90 days. I would suggest using access reviews and performing a quarterly assessment, which shows the user's access activity, whether he has logged into the system or not. If the user is a privileged user, you can directly send an email asking if they still need it, or else remove the privileged access.
Most importantly, if you find a user who is highly privileged and has not logged in for more than 60-90 days, better remove his privileges and make him a normal user, and then force him to reset the password. If he still doesn't do it, then better disable it.
- underQualifried, Feb 27, 2025, Brass Contributor
For our tenants, MS only keeps actual sign-in logs for 30 days. But we've inherited tenants before that had user risk from years ago (presumably because no one understood Entra, which I can't blame them for). Can't validate what caused the risk. But we have a third-party service that scans various dark web forums and DBs and alerts us (sort of like haveibeenpwned, but for full domains)... I've been checking this, and often that risk lines up with a posting on the dark web. In either case, I'll check the most recent password change and validate it's not lingering. If I have dark web info, I can usually get some of the password schema and get the user to completely redo it.
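The two checks discussed in this thread (was the password changed after the risk was raised, and is a privileged account stale), as an added example that is not part of any forum post. It assumes records exported from Microsoft Graph with the `riskyUser` and `user` properties shown; the sample users, the 90-day threshold, the `privileged` flag and the action names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # assumption: upper end of the 60-90 day window from the thread

def _ts(value):
    """Parse a Graph-style ISO 8601 timestamp; a missing value stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def triage(risky_user, user, privileged, now):
    """Classify one old risky-user entry and list the follow-up actions."""
    risk_at = _ts(risky_user["riskLastUpdatedDateTime"])
    pwd_at = _ts(user.get("lastPasswordChangeDateTime"))
    last_signin = _ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
    # Password not changed since the risk was raised: the credential is lingering.
    lingering = pwd_at is None or pwd_at <= risk_at
    # No recorded sign-in, or none inside the window, counts as stale.
    stale = last_signin is None or now - last_signin > timedelta(days=STALE_DAYS)
    actions = []
    if stale and privileged:
        actions += ["remove-privileged-roles", "force-password-reset",
                    "disable-if-reset-ignored"]
    elif lingering:
        actions.append("force-password-reset")
    return {"lingering": lingering, "stale": stale, "actions": actions}

# Constructed sample data (not real accounts); `privileged` would come from
# a separate role-assignment lookup.
NOW = datetime(2025, 2, 27, tzinfo=timezone.utc)
SAMPLES = {
    "alice@example.com": (
        {"riskLastUpdatedDateTime": "2022-03-10T08:00:00Z"},
        {"lastPasswordChangeDateTime": "2021-01-05T09:30:00Z",
         "signInActivity": {"lastSignInDateTime": "2025-02-20T07:15:00Z"}},
        False),
    "bob@example.com": (
        {"riskLastUpdatedDateTime": "2022-03-10T08:00:00Z"},
        {"lastPasswordChangeDateTime": "2023-08-01T12:00:00Z",
         "signInActivity": {"lastSignInDateTime": "2025-02-25T16:40:00Z"}},
        False),
    "carol-admin@example.com": (
        {"riskLastUpdatedDateTime": "2021-06-03T11:20:00Z"},
        {"lastPasswordChangeDateTime": "2020-01-01T00:00:00Z",
         "signInActivity": {"lastSignInDateTime": "2024-09-01T10:00:00Z"}},
        True),
}

def run_samples():
    return {upn: triage(r, u, p, NOW) for upn, (r, u, p) in SAMPLES.items()}

if __name__ == "__main__":
    for upn, result in run_samples().items():
        print(upn, result)
```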