Cleaning Office 365 of Disabled and Empty Users/Groups
It’s a big nuisance to have a lot of inactive and disabled users and empty groups. It’s always a wise decision to keep your Office 365 tenant clean for more efficient management and productivity. Clutter – data and users no longer in use, or other unnecessary information – takes up space and your attention. These objects add to the total object count in your tenant and can increase the total time for synchronization.
It becomes even more important to clean up such inactive/stale users before synchronizing them to Azure.
This article will shed some more light on these issues inside Office 365 admin center.
Stale users:
‘Stale’ is an umbrella term for users who have been inactive for a long time, with no recent login attempts under their IDs, even though their accounts might still be enabled in Active Directory.
What to do with these accounts depends on each organization’s policy. Not all inactive accounts are meant for deletion, but it is generally considered a good idea to delete the ones that have been inactive for more than 90 days.
Keep in mind that these accounts do not consume licenses before syncing; however, they still pose a security risk. Based on those concerns, we highly recommend checking the privileges of these stale users and removing any higher-level access from them. You can also move them to a dedicated organizational unit; Office 365 itself has no OUs, but there are workarounds, such as third-party products that help with user-object management.
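As an added example (not code from the original article), the following PowerShell produces the review list described above: enabled users whose last logon is older than 90 days, with a flag for any that still sit in a privileged group. It assumes the ActiveDirectory module (RSAT) against an on-premises domain; the list of privileged groups and the CSV output path are assumptions.

```powershell
# Added example, not from the article: report enabled users inactive for more
# than 90 days and flag any that still hold privileged group membership.
# Assumes the ActiveDirectory module (RSAT) and an on-premises domain.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# Privileged groups to check (assumed list; extend it for your environment).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Account Operators', 'Administrators')

# Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to
# 14 days of lag, so the 90-day cutoff is approximate. Accounts that never
# logged on are returned too, so freshly created ones are excluded by whenCreated.
$Stale = Search-ADAccount -AccountInactive -DateTime $Cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, MemberOf, whenCreated |
    Where-Object { $_.whenCreated -lt $Cutoff }

$Report = foreach ($User in $Stale) {
    # MemberOf holds distinguished names of direct memberships only;
    # resolve them to group names so they can be matched against the list.
    $GroupNames = foreach ($Dn in $User.MemberOf) { (Get-ADGroup -Identity $Dn).Name }
    $Privileged = @($GroupNames | Where-Object { $PrivilegedGroups -contains $_ })

    [PSCustomObject]@{
        SamAccountName = $User.SamAccountName
        LastLogonDate  = $User.LastLogonDate   # empty when the account never logged on
        Created        = $User.whenCreated
        PrivilegedIn   = ($Privileged -join ';')
        NeedsReview    = ($Privileged.Count -gt 0)
    }
}

# Privileged stale accounts first: those are the ones to strip of elevated access now.
$Report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path .\stale-users.csv -NoTypeInformation   # assumed output path

# Removing the elevated access once the CSV has been reviewed (dry run shown):
# Remove-ADGroupMember -Identity 'Domain Admins' -Members $User -WhatIf
```

The report deliberately stops at listing; stripping group membership is left as a commented dry run so that the 90-day rule can be applied according to your own policy rather than automatically.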
Disabled users:
Disabled users are not inactive users but ones that have been disabled entirely, including their login access. Their licenses can still exist, however, which is something that must be cleaned up as well before you plan to sync them to either Office 365 or Azure. Note that even if you delete an account, there is still a 30-day period during which you can recover it.
There is an important point to make here regarding security. Even after a user account is disabled, some client protocols can still cache the user’s authentication and might allow access after the disabling. This is a reality for both Office 365 and on-premises systems. In fact, some AD accounts can remain connected to Exchange (mainly Outlook or MAPI connections) after being disabled. It’s crucial to immediately work through the following list of actions to protect an organization from such “untrusted” accounts:
- Disable ActiveSync
- Move the mailbox to end active logons to it
- Set a quota to block the still-connected account from sending any emails
These are very basic security steps that must be taken immediately; however, there is a lot of other in-depth information that is relevant if you don’t want to take any risks. That will be covered in another article.
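As an added example (not code from the original article), here is how the three steps above can be applied in one pass to every disabled AD account that still owns a mailbox. It is written for an on-premises Exchange Management Shell with the ActiveDirectory module loaded; the target database name is a placeholder, and the function supports -WhatIf so the list can be checked before anything changes.

```powershell
# Added example, not from the article: lock down mailboxes of disabled AD
# accounts (disable client protocols, set a zero send quota, move the mailbox
# to drop cached sessions). Assumes an on-premises Exchange Management Shell
# plus the ActiveDirectory module. 'DB-PLACEHOLDER' must be replaced.
Import-Module ActiveDirectory

function Invoke-DisabledMailboxLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder: a real mailbox database name is required for the move.
        [string]$TargetDatabase = 'DB-PLACEHOLDER'
    )

    # Disabled accounts that still own a mailbox (msExchMailboxGuid is set).
    $Disabled = Search-ADAccount -AccountDisabled -UsersOnly |
        Get-ADUser -Properties msExchMailboxGuid |
        Where-Object { $_.msExchMailboxGuid }

    foreach ($User in $Disabled) {
        $Id = $User.SamAccountName
        if (-not $PSCmdlet.ShouldProcess($Id, 'lock down mailbox')) { continue }

        # 1. Cut off the client protocols that can keep cached credentials alive:
        #    ActiveSync, and alongside it MAPI (Outlook), OWA, EWS, IMAP and POP.
        Set-CASMailbox -Identity $Id -ActiveSyncEnabled $false -MAPIEnabled $false `
            -OWAEnabled $false -EwsEnabled $false -ImapEnabled $false -PopEnabled $false

        # 2. A send quota of zero stops a still-connected client from sending mail.
        Set-Mailbox -Identity $Id -UseDatabaseQuotaDefaults $false `
            -IssueWarningQuota 0 -ProhibitSendQuota 0

        # 3. Moving the mailbox terminates existing sessions, ending active logons.
        New-MoveRequest -Identity $Id -TargetDatabase $TargetDatabase `
            -BatchName 'DisabledLockdown' | Out-Null

        Write-Verbose "Locked down mailbox for $Id"
    }
}

# Dry run first; the second line (commented) performs the changes.
Invoke-DisabledMailboxLockdown -WhatIf
# Invoke-DisabledMailboxLockdown -TargetDatabase 'MBX-DB02' -Verbose
```

Because the cmdlets honour the inherited -WhatIf preference, the dry run prints each mailbox that would be touched without changing protocol settings, quotas or starting any move request.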
Unused or Empty Groups:
Groups without any active users in them might not carry the same security concerns as disabled users, but they still add to the object count and therefore to the total time required for synchronization. You can delete them before synchronization to save time. It will also save server database space and help clean things up.
Go through the distribution groups and check if things are up to date and still active.
There are often two kinds of groups:
- Distribution groups
- Security groups
Security groups become inactive/invalid when the resource to which they were given access no longer exists or is no longer valid. It often happens when a project is finished but the groups that were created for that particular project were never deleted or cleaned up.
Deleting these inactive groups, disabled users, and empty security and distribution groups is not too difficult. However, when it needs to be done in bulk, such as during a large clean-up effort, things can get time-consuming and frustrating. Therefore, we will deal with that in an upcoming article, including the security clearance in case you do not want to delete the groups and the users.
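As an added example (not code from the original article), the following PowerShell builds the review list for both kinds of group discussed above: security groups with no members and distribution groups with no members. It assumes the ActiveDirectory module and, for the distribution-group part, an Exchange Management Shell session; the 30-day minimum age and the CSV path are assumptions.

```powershell
# Added example, not from the article: report security and distribution groups
# that have no members so they can be reviewed before synchronization.
# Assumes the ActiveDirectory module and an Exchange Management Shell session.
Import-Module ActiveDirectory

function Get-EmptyGroupReport {
    param([int]$MinAgeDays = 30)   # assumed: skip groups so new they may not be populated yet
    $Cutoff = (Get-Date).AddDays(-$MinAgeDays)

    # Security groups: groupType bit 0x80000000 set and no 'member' values.
    # Built-in groups such as Domain Users look empty because primary-group
    # membership is not stored in 'member', so isCriticalSystemObject skips them.
    $Ldap = '(&(groupType:1.2.840.113556.1.4.803:=2147483648)(!(member=*)))'
    $Security = Get-ADGroup -LDAPFilter $Ldap -Properties whenCreated, Description, isCriticalSystemObject |
        Where-Object { -not $_.isCriticalSystemObject -and $_.whenCreated -lt $Cutoff } |
        ForEach-Object {
            [PSCustomObject]@{
                Name        = $_.Name
                Type        = 'Security'
                Scope       = [string]$_.GroupScope
                Created     = $_.whenCreated
                Description = $_.Description
                Identity    = $_.DistinguishedName
            }
        }

    # Distribution groups: ask Exchange, since membership may include recipients
    # (contacts, other groups) that a plain AD attribute read would miss.
    $Distribution = Get-DistributionGroup -ResultSize Unlimited |
        Where-Object {
            $_.WhenCreated -lt $Cutoff -and
            @(Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited).Count -eq 0
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Name        = $_.Name
                Type        = 'Distribution'
                Scope       = [string]$_.GroupType
                Created     = $_.WhenCreated
                Description = $_.Notes
                Identity    = $_.DistinguishedName
            }
        }

    @($Security) + @($Distribution)
}

$Empty = Get-EmptyGroupReport
$Empty | Sort-Object Type, Created | Format-Table Name, Type, Scope, Created -AutoSize
$Empty | Export-Csv -Path .\empty-groups.csv -NoTypeInformation   # assumed output path

# Removal as a dry run; drop -WhatIf only after the list has been reviewed.
foreach ($Group in $Empty) {
    if ($Group.Type -eq 'Security') { Remove-ADGroup -Identity $Group.Identity -WhatIf }
    else { Remove-DistributionGroup -Identity $Group.Identity -WhatIf }
}
```

The report carries the creation date and description so that a group left over from a finished project can be told apart from one that is simply waiting to be populated; the minimum-age filter exists for the same reason.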