Dormant accounts are one of the most common—and dangerous—identity risks in SMEs. They represent access without accountability, and attackers know it. Eliminating them requires a repeatable process.
Begin by exporting user lists from your core SaaS tools. Sort by last login date. Any account inactive for more than 60 days should be reviewed. For each dormant account, ask three questions: Is this person still with the organisation? Do they still need access? Is there any reason this account should remain active?
Disable accounts that fail any of these checks. Document the decision and notify the relevant manager. Repeat this process monthly. Over time, this simple discipline dramatically reduces your identity attack surface.
AISF automates this process by continuously mapping identities and detecting drift, but SMEs can start manually today.
Why dormant accounts are dangerous
Every dormant account is a potential entry point for attackers. Here's why:
Credentials remain valid: A dormant account still has a valid username and password. If those credentials are ever compromised in a separate breach—and they frequently are—attackers can use them to access your systems.
No monitoring: Dormant accounts don't generate normal usage patterns, and nobody is watching for deviations from them. When an attacker uses a dormant account, the activity stands out less than it would on an active user's account.
Accumulated access: A dormant account from a departed employee may still have access to sensitive systems. The longer it's dormant, the more likely access has accumulated without oversight.
Service accounts are vulnerable: Dormant service accounts often have elevated permissions and API access. These are prime targets for attackers seeking to automate their operations.
The risk compounds over time. A 30-day dormant account is concerning. A 365-day dormant account with admin access is a ticking time bomb.
Building your SaaS inventory
Before you can find dormant accounts, you need to know which SaaS tools your organisation uses.
Common categories:
- Communication: Microsoft 365, Google Workspace, Slack, Zoom, Teams
- Finance: Xero, QuickBooks, Sage, SAP
- CRM: Salesforce, HubSpot, Pipedrive
- Project management: Asana, Jira, Monday.com, Trello
- Development: GitHub, GitLab, Bitbucket
- HR: Workday, BambooHR, HiBob
- Marketing: HubSpot, Mailchimp, Hootsuite
- Storage: Dropbox, Google Drive, OneDrive
For each tool, identify who has admin access. You'll need this to export user lists.
The dormant account review process
Step 1: Export user lists
Log into each SaaS tool as an administrator. Navigate to the user management section and export a full user list.
Most SaaS platforms allow CSV exports. Look for:
- User list / users / team members
- Export / download
- User activity / last login
For tools that don't support exports, screen capture the user list with all columns visible.
What to capture for each user:
- Email address / username
- Display name
- Account status (active, inactive, suspended)
- Role / permission level
- Last login date (if available)
- Date created
Step 2: Identify dormant accounts
Once you have your user lists, sort by last login date.
Define your thresholds:
- 30 days: Review required—is there a reason for inactivity?
- 60 days: Strong concern—is this account still needed?
- 90 days: Presumptive disable—disable unless justification provided
Cross-reference with your HR system. Is the person still employed? If they left the organisation, why is the account still active?
Step 3: Apply the three questions
For each dormant account, ask:
- Is this person still with the organisation?
  - Check HR records
  - Check if they have a current manager
  - Check if they're on the current payroll
- Do they still need access?
  - What systems can this account access?
  - Is that access still required for business operations?
  - Are there other accounts that provide this access?
- Is there any reason this account should remain active?
  - Is it a shared account with legitimate use?
  - Is it a service account for a critical integration?
  - Is it an emergency / break-glass account?
If you can't answer all three questions with confidence, disable the account.
Step 4: Document and notify
For each action taken, document:
- The account being acted on
- The reason for the action
- Who approved (or made) the decision
- The date of the action
Notify relevant managers before disabling accounts where possible. This prevents business disruption and builds cross-functional support for identity governance.
Step 5: Disable (don't delete)
When disabling dormant accounts:
- Disable rather than delete—this preserves the audit trail and allows recovery if needed
- Remove from all groups and roles
- Revoke API tokens and OAuth grants
- Remove from licensed seats (to avoid wasted spend)
Store disabled accounts for at least 30 days before permanent deletion. This provides a safety net for accidental disabling.
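Steps 1 to 4 above can be run as one small script over the CSV exports. The following is an added example written for this article, not code from the original page or from any product it mentions. It assumes an export with email, display_name, status, role, last_login and created columns, an HR roster of currently employed addresses, and an exception register for service, shared and break-glass accounts; the accounts, dates and roster below are constructed sample data, and treating a never-logged-in account as inactive since its creation date is an assumption made here, not a rule from the article.

```python
"""Monthly dormant-account review over an exported SaaS user list.

Example code added as an illustration; not from the original article and
not a product's code. The CSV columns, HR roster, exception register and
every account below are constructed sample data.
"""
import csv
import io
from datetime import date, datetime

# Inactivity thresholds from the article: 30 review, 60 strong concern,
# 90 presumptive disable.
REVIEW_DAYS, CONCERN_DAYS, DISABLE_DAYS = 30, 60, 90

# Constructed user export in the shape many SaaS admin consoles produce.
# An empty last_login means the user never signed in.
USER_EXPORT_CSV = """email,display_name,status,role,last_login,created
alice@example.com,Alice Ng,active,admin,2024-06-28,2022-01-10
bob@example.com,Bob Reyes,active,member,2024-01-15,2021-09-03
carol@example.com,Carol Lim,active,member,2024-05-20,2023-02-14
dave@example.com,Dave Okoro,active,admin,2024-04-10,2020-05-30
erin@example.com,Erin Walsh,active,member,,2024-03-01
frank@example.com,Frank Adeyemi,active,member,2024-04-25,2022-11-08
svc-backup@example.com,Backup integration,active,admin,2023-11-01,2019-07-22
"""

# Constructed HR roster: addresses of people currently employed (question 1).
HR_ACTIVE = {"alice@example.com", "bob@example.com", "carol@example.com",
             "erin@example.com", "frank@example.com"}

# Constructed exception register: accounts allowed to stay active without a
# person behind them (service, shared, break-glass), with the documented reason.
EXCEPTIONS = {"svc-backup@example.com":
              "service account for nightly backup integration; reviewed quarterly"}

SAMPLE_TODAY = date(2024, 6, 30)  # constructed review date


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_user_export(csv_text):
    """Parse a user-list CSV into dicts with parsed dates (None when blank)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["last_login"] = _parse_date(row["last_login"])
        row["created"] = _parse_date(row["created"])
        rows.append(row)
    return rows


def days_inactive(user, today):
    """Days since last login; an account that never logged in counts from its
    creation date (assumption made here, not a rule from the article)."""
    anchor = user["last_login"] or user["created"]
    return (today - anchor).days


def decide(user, today, hr_active=HR_ACTIVE, exceptions=EXCEPTIONS):
    """Apply the three questions and the thresholds to one account and return
    the record step 4 asks for: account, decision, reason and date."""
    email = user["email"]
    days = days_inactive(user, today)
    if email in exceptions:
        decision, reason = "retain", "documented exception: " + exceptions[email]
    elif email not in hr_active:
        decision, reason = "disable", "not on the current HR roster"
    elif days >= DISABLE_DAYS:
        decision, reason = "disable", f"inactive {days} days, no justification recorded"
    elif days >= CONCERN_DAYS:
        decision, reason = "review", f"inactive {days} days: confirm access is still needed"
    elif days >= REVIEW_DAYS:
        decision, reason = "review", f"inactive {days} days: confirm reason for inactivity"
    else:
        decision, reason = "retain", "active within the review threshold"
    return {
        "account": email,
        "role": user["role"],
        "days_inactive": days,
        "decision": decision,
        # A dormant admin account is the worst case, so it is surfaced first.
        "priority": "high" if decision == "disable" and user["role"] == "admin" else "normal",
        "reason": reason,
        "date": today.isoformat(),
    }


def run_review(csv_text, today, hr_active=HR_ACTIVE, exceptions=EXCEPTIONS):
    """Review every exported account; records come back highest priority first."""
    records = [decide(u, today, hr_active, exceptions) for u in parse_user_export(csv_text)]
    return sorted(records, key=lambda r: (r["priority"] != "high",
                                          r["decision"] != "disable",
                                          -r["days_inactive"]))


if __name__ == "__main__":
    for r in run_review(USER_EXPORT_CSV, SAMPLE_TODAY):
        print(f'{r["priority"]:6} {r["decision"]:7} {r["account"]:24} '
              f'{r["days_inactive"]:4}d  {r["reason"]}')
```

The records it returns are the documentation from step 4; writing them out as CSV gives the review log an auditor will ask for, and a disabled-on date in the same log is what drives the 30-day wait before permanent deletion.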
Automating dormant account management
Manual reviews work, but they don't scale. As your SaaS portfolio grows, managing dormant accounts manually becomes unsustainable.
Automated solutions can:
- Continuously monitor all connected SaaS tools for account activity
- Automatically flag accounts exceeding your inactivity thresholds
- Integrate with HR systems to correlate employee status with account activity
- Generate workflows for approval to disable accounts
- Provide reporting on dormant account trends over time
IdentityFirst automates this entire process. It connects to your SaaS tools, continuously monitors activity, and surfaces dormant accounts for review. This transforms dormant account management from a quarterly project into an automated process.
Common challenges and solutions
"We can't tell who owns this account"
Service accounts often lack clear ownership. If you can't identify an owner:
- Check API integrations—does another system use this account?
- Review audit logs—what IP addresses and locations use this account?
- Check with system administrators—do they recognise the account?
If you still can't determine ownership, disable the account. If it's genuinely needed, someone will notice and request reactivation.
"This account is for a contractor who might come back"
If a contractor might return:
- Set a specific reactivation date
- Disable until needed, then re-enable with fresh credentials
- Don't keep active "just in case"
"We need this account for read-only access"
If an account is genuinely needed but not actively used:
- Convert to a service account with limited permissions
- Document the exception in your risk register
- Review quarterly for continued necessity
"Our SaaS tool doesn't show last login date"
Some tools don't expose last login. Options:
- Check for "last activity" in audit logs
- Review accounts that haven't used any features recently
- Look for accounts that haven't generated any activity logs
- Consider disabling all accounts that haven't been logged into within 90 days
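When a tool exposes no last-login column, the same figure can be rebuilt from its audit log, as in this added example (illustration written for this article, not code from the original page or any product). It assumes the log exports one JSON object per line with ts, actor and action fields; the log lines and user list below are constructed, and a user who appears in the user list but never in the log is reported separately, since "no activity at all" is the strongest dormancy signal there is.

```python
"""Derive last-activity dates from an audit log when a SaaS tool exposes no
last-login date.

Example code added as an illustration; not from the original article or any
product. The log format (one JSON object per line with ts/actor/action) and
every line and account below are constructed.
"""
import json
from datetime import date, datetime

# Constructed audit-log export. Sign-ins, file views and API calls all count
# as activity; only the actor and timestamp matter here.
AUDIT_LOG = """\
{"ts": "2024-06-29T08:12:03Z", "actor": "alice@example.com", "action": "login"}
{"ts": "2024-06-02T14:40:11Z", "actor": "carol@example.com", "action": "file.view"}
{"ts": "2024-02-11T09:05:47Z", "actor": "bob@example.com", "action": "api.call"}
{"ts": "2024-06-30T07:00:00Z", "actor": "alice@example.com", "action": "file.edit"}
this line is not JSON and must be skipped rather than abort the review
"""

# Constructed user list for the same tool; erin is listed but never in the log.
USER_LIST = ["alice@example.com", "bob@example.com", "carol@example.com", "erin@example.com"]
SAMPLE_TODAY = date(2024, 6, 30)  # constructed review date
NO_ACTIVITY_DAYS = 90  # the article's "disable unless justified" threshold


def last_activity(log_text):
    """Map each actor to the date of its most recent event, skipping bad lines."""
    latest = {}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
            when = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
            actor = event["actor"]
        except (ValueError, KeyError, TypeError):
            continue  # a malformed line must not hide the accounts on good lines
        if actor not in latest or when > latest[actor]:
            latest[actor] = when
    return latest


def inactive_accounts(user_list, log_text, today, threshold=NO_ACTIVITY_DAYS):
    """Return {email: days_since_activity} for accounts with no event inside the
    window. Accounts absent from the log entirely get None: they have no
    recorded activity at all and belong in the review with the old ones."""
    latest = last_activity(log_text)
    result = {}
    for email in user_list:
        if email not in latest:
            result[email] = None
        elif (today - latest[email]).days >= threshold:
            result[email] = (today - latest[email]).days
    return result


if __name__ == "__main__":
    for email, days in inactive_accounts(USER_LIST, AUDIT_LOG, SAMPLE_TODAY).items():
        print(email, "no activity recorded" if days is None
              else f"{days} days since last activity")
```

Feed the resulting dictionary into the same three-question review as a normal last-login export; the difference is only where the date came from.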
Making it repeatable
The key to eliminating dormant accounts is consistency. One review isn't enough. You need a repeatable process.
Monthly review cadence
Each month:
- Export user lists from all SaaS tools
- Identify accounts exceeding the 60-day inactivity threshold
- Apply the three questions
- Disable accounts that fail review
- Document all actions
- Report findings to security lead
Quarterly deep review
Each quarter:
- Review all disabled accounts
- Identify patterns in why accounts become dormant
- Update onboarding/offboarding processes to prevent recurrence
- Report trends to leadership
Annual cleanup
Each year:
- Review all service accounts
- Validate all admin role assignments
- Verify integration accounts are still needed
- Update documentation
The business case
Eliminating dormant accounts delivers measurable benefits:
Security: Reduced attack surface. Fewer valid credentials for attackers to target.
Compliance: Demonstrable governance. Evidence of access reviews for auditors.
Cost: Reduced SaaS spend. Every dormant account is a wasted license.
Efficiency: Cleaner identity landscape. Easier to manage when you know who has access.
Most organisations are surprised by how many dormant accounts they find. A typical SME with 50 employees and 20 SaaS tools will find 10-20% of accounts are dormant. That's 10-20 potential attack vectors you can eliminate in a single review.
Start today
You don't need special tools to get started. You need a list of your SaaS tools and admin access to each one.
Begin with your most critical tools—the ones that hold sensitive data or connect to core business processes. Expand to all tools over time.
The most important thing is to start. One review today prevents a breach tomorrow.