Disable Inactive User Credentials

Learn how to detect and disable inactive user accounts across AWS, GitHub, Google Workspace, Office365, and Okta using Sprinto’s automated monitors and access management workflows.

Inactive user accounts pose a significant security risk. They are often overlooked during access reviews and can be exploited by malicious actors if not properly deactivated. Sprinto monitors inactivity across integrated services and flags accounts that appear unused over a defined time window.

This article explains how Sprinto detects inactivity, how to interpret failing monitors, and how to disable stale credentials on supported platforms.


What is Checked

Sprinto checks for user accounts that meet the following conditions:

  • Have not logged in or authenticated in the past 30/60/90 days (depending on the platform)

  • Still retain access to cloud services, source control tools, or identity providers

  • Are not marked as service accounts or intentionally excluded


How Sprinto Detects Inactivity

Sprinto uses integration data (via APIs or logs) to analyse:

  • Last login timestamp

  • Token usage (for platforms like AWS, GitHub)

  • Activity logs (for platforms like GCP, Azure, Office365)

The monitor will show as Failing if:

  • An enabled user account has not logged in within the specified inactivity window

  • Login records are not available and evidence is not uploaded

  • A user account is provisioned on the platform but the user was never properly onboarded


Platforms Covered

  1. AWS IAM

    • Checks last used time for user access keys and console login

    • Recommends disabling or deleting keys for inactive IAM users

  2. GitHub

    • Checks contribution and login activity for organisation members

    • Highlights users who haven’t interacted with any repositories recently

  3. Google Workspace

    • Detects users with no email, calendar, or Drive activity

    • Suggests suspension of dormant accounts

  4. Office365 / Microsoft Entra

    • Uses sign-in logs and account activity data

    • Flags accounts with no recent sign-in or resource access

  5. Okta

    • Evaluates user sign-in data and SSO application access

    • Highlights users with no app activity
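The following Python script is an added example, not Sprinto's code and not part of this article. It implements the AWS IAM variant of the inactivity check described under "How Sprinto Detects Inactivity" and "Platforms Covered": it reads an IAM credential report (the CSV that `aws iam get-credential-report` returns), flags every enabled console password or access key whose last-used time is older than the window, treats a never-used credential on an account older than the window as the "provisioned but never onboarded" case, skips accounts that follow a service-account naming convention, and turns the findings into the suspend-rather-than-delete actions from the AWS steps below. The report column names and the AWS CLI commands are real; the sample rows, the 90-day window, the `svc-` prefix and the fixed "now" are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90                    # assumed window; the article says 30/60/90 by platform
SERVICE_ACCOUNT_PREFIX = "svc-"         # assumed naming convention for excluded accounts
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible

# Constructed sample credential report: real AWS column names, fake account data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-28T08:15:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-30T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T00:00:00+00:00,true,2023-11-02T14:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,2024-01-15T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-01-20T00:00:00+00:00,true,no_information,2024-01-20T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2022-05-05T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-05-05T00:00:00+00:00,2023-09-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_timestamp(value):
    """Return an aware datetime, or None for the placeholders AWS uses
    when no timestamp exists ("N/A", "no_information", "not_supported")."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def credential_findings(row, now=NOW, window_days=INACTIVITY_DAYS):
    """Return [(credential_name, last_used_or_None)] for every enabled
    credential on one report row that is stale relative to the window."""
    cutoff = now - timedelta(days=window_days)
    created = parse_timestamp(row["user_creation_time"])
    creds = [
        ("console_password", row["password_enabled"], row["password_last_used"]),
        ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
        ("access_key_2", row["access_key_2_active"], row["access_key_2_last_used_date"]),
    ]
    stale = []
    for name, enabled, last_used_raw in creds:
        if enabled != "true":
            continue  # disabled or absent credentials cannot be used, so they are not flagged
        last_used = parse_timestamp(last_used_raw)
        if last_used is None:
            # Never used: stale once the account itself is older than the window
            # (the "provisioned but never onboarded" condition).
            if created is not None and created < cutoff:
                stale.append((name, None))
        elif last_used < cutoff:
            stale.append((name, last_used))
    return stale


def find_inactive_users(report_csv, now=NOW, window_days=INACTIVITY_DAYS,
                        service_prefix=SERVICE_ACCOUNT_PREFIX):
    """Evaluate a whole credential report.

    A user is "inactive" when it has at least one enabled credential and none
    of them was used inside the window; individual stale credentials are also
    reported for users who are otherwise active."""
    stale_credentials, inactive_users, excluded = {}, [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root is not an IAM user; it cannot be suspended via IAM > Users
        if user.startswith(service_prefix):
            excluded.append(user)  # service accounts are reviewed separately
            continue
        enabled = sum(row[c] == "true" for c in
                      ("password_enabled", "access_key_1_active", "access_key_2_active"))
        stale = credential_findings(row, now, window_days)
        if stale:
            stale_credentials[user] = stale
        if enabled and len(stale) == enabled:
            inactive_users.append(user)
    return {"stale_credentials": stale_credentials,
            "inactive_users": inactive_users, "excluded": excluded}


def remediation_plan(findings):
    """Map findings to suspend-style actions as AWS CLI commands: remove the
    console login profile and set access keys to Inactive rather than deleting
    the user. <KEY_ID> is a placeholder because the credential report does not
    carry access key IDs; list-access-keys reveals them."""
    plan = []
    for user, creds in findings["stale_credentials"].items():
        for name, _ in creds:
            if name == "console_password":
                cmds = [f"aws iam delete-login-profile --user-name {user}"]
            else:
                cmds = [f"aws iam list-access-keys --user-name {user}",
                        f"aws iam update-access-key --user-name {user} "
                        f"--access-key-id <KEY_ID> --status Inactive"]
            plan.extend(c for c in cmds if c not in plan)
    return plan


if __name__ == "__main__":
    result = find_inactive_users(SAMPLE_REPORT)
    for user, creds in result["stale_credentials"].items():
        print(user, [(n, t.date().isoformat() if t else "never used") for n, t in creds])
    print("inactive users:", result["inactive_users"], "excluded:", result["excluded"])
    print("\n".join(remediation_plan(result)))
```

On the sample data the script reports `bob` (console password and access key both unused for over 90 days) and `carol` (console password enabled since January but never used) as inactive, leaves `alice` alone, and lists `svc-backup` as excluded so it can be reviewed under the service-account process rather than silently dropped. The plan it prints deliberately stops at deactivation, matching the recommendation below to suspend rather than delete.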


How to Disable Inactive Users

The recommended approach is to suspend or deactivate the user account instead of deleting it outright. This preserves logs and avoids breaking access dependencies.

AWS

  1. Go to IAM > Users

  2. Select user → Security Credentials

  3. Deactivate access keys or delete user

  4. Optionally remove group/role assignments

GitHub

  1. Go to Organisation Settings > People

  2. Select inactive user and click Remove from organisation

  3. Reassign repo access if needed

Google Workspace

  1. Go to Admin Console > Users

  2. Select user → Click Suspend User

  3. Confirm suspension

Office365

  1. Open Microsoft Entra Admin Center

  2. Go to Users > All users

  3. Select user → Click Block sign-in

  4. Optionally remove license

Okta

  1. Navigate to Directory > People

  2. Select user → Click Deactivate

  3. Confirm and review app assignments


Remediating the Monitor in Sprinto

  • After disabling the inactive user, Sprinto will reflect the updated status during the next sync

  • For platforms where integration is not available:

    • Upload a screenshot or export of the deactivated user status

  • Use Mark as Resolved after evidence is added


Best Practices

  • Run monthly access reviews to identify unused accounts

  • Use provisioning rules or SCIM to auto-deactivate stale users

  • Maintain a naming convention for service accounts

  • Log reasons for deactivation for future audits
