Ensure Azure Active Directory does not have any stale users (users who did not log in in the last 30 days)

  • 20 September 2021
  • 0 replies

Azure has the following logic to check Active Directory for stale users:

refreshTokensValidFromDateTime > STS TokenLifetimePolicy MaxInactiveTime (default of 90 days for Azure, may vary per customer) + acceptable number of days past the refresh token for which an account can be inactive (in this case 30).


Security Posture Management can help with a custom rule for the above use case, as in:


User should not have LastTokenChange isEarlierThan ( -120, "days")
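The following is an added example of the same check written as a stand-alone script; it is not the poster's rule nor the Security Posture Management product's code. It assumes the platform's LastTokenChange attribute corresponds to the Azure AD user property refreshTokensValidFromDateTime named above (an assumption), treats a missing value as stale, and runs over a constructed sample export with a fixed reference date so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample directory export (not real tenant data). Only the fields
# needed for the check are kept; "refreshTokensValidFromDateTime" is the
# Azure AD user property the post names. None models a value Graph did not return.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com",
     "refreshTokensValidFromDateTime": "2021-09-01T08:00:00Z"},
    {"userPrincipalName": "bob@example.com",
     "refreshTokensValidFromDateTime": "2021-04-15T12:30:00Z"},
    {"userPrincipalName": "carol@example.com",
     "refreshTokensValidFromDateTime": "2021-05-23T00:00:00Z"},  # exactly on the cutoff
    {"userPrincipalName": "dave@example.com",
     "refreshTokensValidFromDateTime": None},
]

# Fixed reference time (the post's date) so the output is reproducible.
NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)


def parse_graph_datetime(value):
    """Parse the ISO-8601 UTC timestamp format Microsoft Graph returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_cutoff(now, max_inactive_days=90, grace_days=30):
    """Cutoff = STS MaxInactiveTime (90 days by default) + acceptable grace (30 days)."""
    return now - timedelta(days=max_inactive_days + grace_days)


def find_stale_users(users, now=NOW, max_inactive_days=90, grace_days=30):
    """Return UPNs whose refresh-token validity start is earlier than the cutoff.

    A timestamp exactly on the cutoff is not stale (strict comparison, mirroring
    isEarlierThan). Users with no value are reported as stale, because nothing
    shows they have ever signed in (design choice of this example, not the post).
    """
    cutoff = stale_cutoff(now, max_inactive_days, grace_days)
    stale = []
    for user in users:
        raw = user.get("refreshTokensValidFromDateTime")
        if raw is None or parse_graph_datetime(raw) < cutoff:
            stale.append(user["userPrincipalName"])
    return stale


if __name__ == "__main__":
    for upn in find_stale_users(SAMPLE_USERS):
        print("stale:", upn)
```

With the defaults the cutoff is 120 days before the reference date, so bob (last token change in April) and dave (no value) are reported, while carol, sitting exactly on the cutoff, is not. Pass a smaller grace_days to see how the threshold moves.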
