Learn about highly-authorized disabled accounts and how to mitigate this risk.

A disabled admin account poses a security risk as it can be re-enabled by an attacker, granting them access to sensitive data and systems. Re-enabling a disabled account may be easier than granting admin privileges to a new user, making it vulnerable to attack. Therefore, disabled admin accounts should be closely monitored and secured to prevent unauthorized access.
To mitigate this risk, remove any disabled accounts from the following roles or groups.
Microsoft Entra ID roles:
  • Global Admin
  • Privileged Role Administrator
  • Share Point Admin
  • Exchange Admin
Active Directory groups:
  • Enterprise Admin
  • Domain Admin
  • Built-in Admin
"Highly-Authorized Disabled Accounts" risks cannot be added to the exception list.