
Ensure Azure Active Directory does not have any stale users (users who did not log in in the last 30 days)

  • September 20, 2021


Azure has the following logic to check Active Directory for stale users:

refreshTokensValidFromDateTime > STS TokenLifetimePolicy MaxInactiveTime (default of 90 days for Azure, may vary per customer) + acceptable number of days past the refresh token lifetime for which an account can be inactive (in this case 30).

Security Posture Management can help with a custom rule for the above use case (90 + 30 = 120 days), as in:

User should not have LastTokenChange isEarlierThan (-120, "days")
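As an added illustration (not code from the post), the same 90 + 30 day check applied to a constructed directory export in Python: the field name refreshTokensValidFromDateTime is the one the post refers to, the sample UPNs and timestamps are constructed, and reporting users whose timestamp is missing as a separate "unknown" group for review is an assumption of this example rather than something the post states.

```python
from datetime import datetime, timedelta, timezone

# Defaults taken from the post: MaxInactiveTime of 90 days plus 30 days of
# acceptable inactivity past the refresh-token lifetime (90 + 30 = 120).
DEFAULT_MAX_INACTIVE_DAYS = 90
DEFAULT_GRACE_DAYS = 30

# Constructed sample export (not real tenant data). The timestamp field is the
# refreshTokensValidFromDateTime attribute named in the post.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com",
     "refreshTokensValidFromDateTime": "2021-09-01T08:00:00Z"},
    {"userPrincipalName": "bob@example.com",
     "refreshTokensValidFromDateTime": "2021-04-15T12:30:00Z"},
    {"userPrincipalName": "carol@example.com",
     "refreshTokensValidFromDateTime": "2021-05-23T00:00:00Z"},  # exactly 120 days before 2021-09-20
    {"userPrincipalName": "svc-legacy@example.com",
     "refreshTokensValidFromDateTime": None},  # attribute missing from the export (assumed case)
]


def parse_utc(value):
    """Parse an ISO-8601 timestamp (trailing 'Z' accepted) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_stale_users(users, now_iso, max_inactive_days=DEFAULT_MAX_INACTIVE_DAYS,
                     grace_days=DEFAULT_GRACE_DAYS):
    """Return (stale, unknown) lists of UPNs.

    A user is stale when refreshTokensValidFromDateTime is strictly earlier than
    now - (max_inactive_days + grace_days), i.e. the post's
    'LastTokenChange isEarlierThan (-120, "days")' rule with the defaults.
    Users with no timestamp cannot demonstrate recent activity, so they are
    returned separately for manual review instead of being silently skipped.
    """
    cutoff = parse_utc(now_iso) - timedelta(days=max_inactive_days + grace_days)
    stale, unknown = [], []
    for user in users:
        ts = user.get("refreshTokensValidFromDateTime")
        if ts is None:
            unknown.append(user["userPrincipalName"])
        elif parse_utc(ts) < cutoff:
            stale.append(user["userPrincipalName"])
    return stale, unknown


if __name__ == "__main__":
    # Evaluate the rule as of the post's date (2021-09-20).
    print(find_stale_users(SAMPLE_USERS, "2021-09-20T00:00:00Z"))
```

Lowering grace_days to 0 reproduces a plain 90-day MaxInactiveTime check, which additionally catches the boundary user in the sample.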
