How do I detect orphaned accounts in Microsoft 365 and SaaS apps?

You can detect orphaned accounts in Microsoft 365 and SaaS apps by comparing SaaS user lists against active Entra ID users, reviewing OAuth and application permissions tied to disabled accounts, and identifying accounts inside SaaS platforms that no longer map to an active identity. Orphaned accounts persist because most SaaS tools do not remove users automatically when Entra accounts are suspended or deleted.

Teams often use platforms like FrontierZero to correlate identity data across Microsoft 365 and SaaS applications, highlighting orphaned users, inactive accounts, and long-lived tokens that still grant access.


Why Orphaned Accounts Exist in Microsoft 365 and SaaS

Microsoft 365 acts as the identity provider, but each SaaS tool maintains its own identity store. When a user is removed or disabled in Entra ID, SaaS accounts usually remain active unless someone manually removes them.

1. Disabling a user in Entra ID does not remove SaaS accounts

Suspending or deleting a user in Entra ID does not propagate to the downstream SaaS tools that were provisioned from that identity.

This affects:

  • collaboration platforms
  • project management tools
  • AI productivity tools
  • document editors
  • CRM/marketing tools
  • engineering platforms

SaaS apps simply keep the identity alive.

2. OAuth tokens continue to work after account deprovisioning

OAuth tokens remain valid unless revoked, even if:

  • the user is deleted
  • the account is disabled
  • the password changes
  • MFA resets

Attackers frequently exploit these “zombie tokens.”

FrontierZero surfaces tokens tied to disabled identities.

3. Enterprise apps and service principals maintain access independently

Entra ID contains:

  • user accounts
  • enterprise apps
  • app registrations
  • service principals
  • service accounts

Many SaaS tools authenticate through these paths, so user removal doesn’t affect app-level access.

4. Guest users and external collaborators accumulate over time

External accounts (B2B guests) often remain active for:

  • old projects
  • vendor access
  • past contractors
  • cross-tenant collaboration

And these accounts are not tied to your HR system.


How to Detect Orphaned Accounts in Microsoft 365 & SaaS (Step-by-Step)

1. Compare SaaS user lists against active Entra ID users

Export or review:

  • SaaS user directories
  • active Entra ID users
  • disabled users
  • deleted users
  • service accounts

Red flags:

  • SaaS users that no longer exist in Entra
  • renamed or migrated accounts
  • former employees still appearing in SaaS platforms
  • mismatched email domains

FrontierZero automates this correlation across all tools.

2. Identify accounts with stale or no recent activity

Most SaaS platforms show:

  • last login
  • login frequency
  • token usage

Flag:

  • accounts inactive for 30/60/90 days
  • identities created but never used
  • accounts that have no activity but still hold permissions

An account that is inactive and has no corresponding active Entra identity is an orphaned account.

3. Review OAuth permissions tied to disabled or removed users

Navigate to:
Entra ID → Users → (Select user) → Applications → App Permissions

Check:

  • OAuth apps still allowed for disabled users
  • tokens that remain active
  • apps with high-risk delegated permissions
  • legacy integrations no longer in use

FrontierZero detects tokens linked to disabled or missing identities.

4. Audit application-level and service-account identities

Many orphaned identities originate from:

  • legacy app registrations
  • abandoned service principals
  • API keys tied to removed users
  • admin-approved apps that never get cleaned up

These often retain powerful access for years.

5. Review External Identities (Guest Accounts)

Navigate to:
Entra ID → Users → External users

Look for guests who:

  • no longer work with your company
  • were invited by employees who have since left
  • have broad permissions
  • have not logged in recently

FrontierZero groups all external identities across your SaaS stack.
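The five steps above run as one offline correlation over exported data, shown here as an added example that is not FrontierZero's or Microsoft's code. It consumes constructed sample records rather than live Graph output, uses Microsoft Graph field names where they exist (userPrincipalName, accountEnabled, userType, and principalId/clientId/scope on oauth2PermissionGrants), uses "lastSignIn" as a stand-in for signInActivity.lastSignInDateTime, and assumes the SaaS export provides an email address and a last-login timestamp. It covers steps 1, 2, 3 and 5; step 4 needs app-credential data this sample does not model.

```python
"""Correlate identity exports to flag orphaned, inactive and guest accounts.

Added example, not FrontierZero's or Microsoft's code. All records below are
constructed sample data; the SaaS export shape is an assumption.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
STALE_DAYS = 90
HOME_DOMAINS = {"contoso.example"}                 # assumed tenant domains
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}

ENTRA_USERS = [  # constructed subset of Graph /users fields
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "userType": "Member", "lastSignIn": "2024-05-28T09:00:00Z"},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": False,
     "userType": "Member", "lastSignIn": "2024-01-10T09:00:00Z"},
    {"id": "u3", "userPrincipalName": "vendor_partner.example#EXT#@contoso.example",
     "mail": "vendor@partner.example", "accountEnabled": True,
     "userType": "Guest", "lastSignIn": "2023-11-01T09:00:00Z"},
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "userType": "Member", "lastSignIn": None},
]

SAAS_USERS = [  # constructed admin export from one SaaS tool
    {"email": "alice@contoso.example", "last_login": "2024-05-30T10:00:00Z"},
    {"email": "bob@contoso.example", "last_login": "2024-02-01T10:00:00Z"},     # disabled in Entra
    {"email": "carol@contoso.example", "last_login": "2023-12-15T10:00:00Z"},   # no Entra identity
    {"email": "dave@contoso.example", "last_login": None},                      # created, never used
    {"email": "eve@oldvendor.example", "last_login": "2024-05-20T10:00:00Z"},   # foreign domain
]

OAUTH_GRANTS = [  # constructed delegated grants (Graph oauth2PermissionGrants)
    {"clientId": "sp-mailreader", "principalId": "u2", "scope": "Mail.Read Files.ReadWrite.All"},
    {"clientId": "sp-calendar", "principalId": "u1", "scope": "Calendars.Read"},
    {"clientId": "sp-legacy", "principalId": "u9", "scope": "Directory.ReadWrite.All"},  # user gone
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp in Graph's trailing-Z form; None for empty/unknown."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_stale(ts, now=NOW, days=STALE_DAYS):
    """True when the last activity is older than the staleness window."""
    return (now - ts) > timedelta(days=days)


def index_entra(users):
    """Map every lower-cased UPN and mail address to its Entra user record."""
    idx = {}
    for u in users:
        for key in (u.get("userPrincipalName"), u.get("mail")):
            if key:
                idx[key.lower()] = u
    return idx


def classify_saas_users(saas_users, entra_users, home_domains=HOME_DOMAINS, now=NOW):
    """Steps 1 and 2: per SaaS account, list the red flags named in the article."""
    idx = index_entra(entra_users)
    findings = {}
    for acct in saas_users:
        email = acct["email"].lower()
        flags = []
        entra = idx.get(email)
        if entra is None:                       # identity never existed or was deleted
            flags.append("orphaned:no-entra-identity")
        elif not entra["accountEnabled"]:       # identity exists but is disabled
            flags.append("orphaned:entra-disabled")
        last = parse_ts(acct.get("last_login"))
        if last is None:
            flags.append("never-used")
        elif is_stale(last, now):
            flags.append(f"inactive>{STALE_DAYS}d")
        if email.split("@")[-1] not in home_domains:
            flags.append("foreign-domain")
        findings[email] = flags
    return findings


def flag_oauth_grants(grants, entra_users, high_risk=HIGH_RISK_SCOPES):
    """Step 3: delegated grants whose principal is disabled or gone, or that carry high-risk scopes."""
    by_id = {u["id"]: u for u in entra_users}
    findings = []
    for g in grants:
        reasons = []
        principal = by_id.get(g["principalId"])
        if principal is None:
            reasons.append("principal-missing")
        elif not principal["accountEnabled"]:
            reasons.append("principal-disabled")
        risky = sorted(set(g["scope"].split()) & high_risk)
        if risky:
            reasons.append("high-risk-scope:" + ",".join(risky))
        if reasons:
            findings.append((g["clientId"], g["principalId"], reasons))
    return findings


def flag_stale_guests(entra_users, now=NOW):
    """Step 5: enabled B2B guests with no sign-in inside the staleness window."""
    stale = []
    for u in entra_users:
        if u["userType"] != "Guest" or not u["accountEnabled"]:
            continue
        last = parse_ts(u.get("lastSignIn"))
        if last is None or is_stale(last, now):
            stale.append(u["userPrincipalName"])
    return stale


if __name__ == "__main__":
    for email, flags in classify_saas_users(SAAS_USERS, ENTRA_USERS).items():
        print(f"{email:28} {' '.join(flags) or 'ok'}")
    for client, principal, reasons in flag_oauth_grants(OAUTH_GRANTS, ENTRA_USERS):
        print(f"grant {client} -> {principal}: {', '.join(reasons)}")
    print("stale guests:", flag_stale_guests(ENTRA_USERS))
```

In a real run the three input lists would be replaced by a Graph export of users (signInActivity is only populated on tenants licensed for Entra ID P1 or P2) and oauth2PermissionGrants, plus each SaaS tool's admin export; matching on both UPN and mail matters because guest UPNs carry the #EXT# form and never match the address the SaaS tool knows.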


How do orphaned accounts turn into real security risks?

Risks include:

  • access to mail, files, or SharePoint
  • persistent OAuth tokens
  • admin roles inherited from old projects
  • access from unknown or external domains

These accounts often go unnoticed.

Why doesn’t Microsoft automatically clean up SaaS identities?

Because SaaS platforms maintain their own user directories. Entra ID is not authoritative inside those apps.

Which apps are most likely to accumulate orphaned users?

High-risk examples:

  • SharePoint external collaborators
  • Teams guest users
  • Slack, Asana, Jira, Miro
  • GitHub and DevOps tools
  • Marketing tools like HubSpot/Marketo
  • AI tools using OAuth

FAQ

Does disabling a user remove their access in SaaS apps?

No. It only affects Microsoft 365.

Are orphaned accounts and inactive accounts the same?

No. Inactive = unused. Orphaned = not tied to any active Entra identity.

Can OAuth tokens from orphaned accounts still access M365 data?

Yes, until manually revoked.