Learn about highly authorized disabled accounts and how to mitigate the risk the accounts pose.
A disabled admin account can be re-enabled by an attacker, granting the attacker access
to sensitive data and systems. Re-enabling a disabled account may be easier for an
attacker than granting admin privileges to a newly created user. Therefore, disabled
admin accounts should be monitored and secured to prevent unauthorized access. For
more information, see Microsoft Entra ID's information on privileged account risks, including disabled accounts.
To mitigate this risk, remove any disabled accounts from the following roles or groups:

Microsoft Entra ID roles:

- Global Admin
- Privileged Role Administrator
- SharePoint Admin
- Exchange Admin

Active Directory groups:

- Enterprise Admin
- Domain Admin
- Built-in Admin

Google Workspace roles:

- Super Admin
Note: "Highly Authorized Disabled Accounts" risks cannot be added to the exception list.
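As an added example (not code from this page or from the product it documents), the Python script below runs the check the mitigation above calls for over a constructed directory export: it flags every disabled account that still holds one of the roles or groups listed above and turns the findings into a per-role removal list. The record layout, the directory keys (`entra`, `ad`, `workspace`) and the sample accounts are assumptions; in practice the records would be built from the Entra ID, Active Directory or Google Workspace admin tooling.

```python
"""Find disabled accounts that still hold highly privileged roles.

Added example, not part of the original page. The input is a constructed,
directory-agnostic export: one record per account carrying its enabled flag
and its role/group memberships. Field names and directory keys are assumptions.
"""
from dataclasses import dataclass, field

# Roles and groups named on the page, keyed by directory (constructed mapping).
PRIVILEGED = {
    "entra": {"Global Admin", "Privileged Role Administrator",
              "SharePoint Admin", "Exchange Admin"},
    "ad": {"Enterprise Admin", "Domain Admin", "Built-in Admin"},
    "workspace": {"Super Admin"},
}


@dataclass
class Account:
    name: str
    directory: str                      # "entra", "ad" or "workspace"
    enabled: bool
    memberships: set = field(default_factory=set)


def find_highly_authorized_disabled(accounts):
    """Return (name, directory, sorted privileged roles) for each disabled
    account that is still a member of a privileged role or group."""
    findings = []
    for acct in accounts:
        if acct.enabled:
            continue                    # only disabled accounts are in scope
        held = acct.memberships & PRIVILEGED.get(acct.directory, set())
        if held:
            findings.append((acct.name, acct.directory, sorted(held)))
    return findings


def remediation_plan(findings):
    """One removal action per (account, role): the mitigation the page asks for."""
    return [f"remove {name} from {role} ({directory})"
            for name, directory, roles in findings
            for role in roles]


# Constructed sample export: mixes enabled and disabled accounts, and
# disabled accounts with and without privileged memberships.
SAMPLE = [
    Account("old-admin@contoso.example", "entra", False, {"Global Admin", "User"}),
    Account("jdoe@contoso.example", "entra", True, {"Global Admin"}),
    Account("guest-disabled@contoso.example", "entra", False, {"Guest Inviter"}),
    Account("svc-backup", "ad", False, {"Domain Admin", "Backup Operators"}),
    Account("retired-ws@contoso.example", "workspace", False, {"Super Admin"}),
]

if __name__ == "__main__":
    for line in remediation_plan(find_highly_authorized_disabled(SAMPLE)):
        print(line)
```

An enabled holder of Global Admin is deliberately not reported: the check targets the dormant-but-privileged case this page describes, not privileged access in general. Run the script against a real export on a schedule and treat any output as a finding to action, since the product does not allow this risk type to be excepted.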