Skip to main content

Clean up unused groups (cloud and on-prem) based on inventory

Implementation Effort: High – IT and identity teams must analyze group usage, validate it is no longer in use, and execute a phased cleanup strategy across both cloud and on-premises environments.

User Impact: Low – If a group is marked for cleanup incorrectly, some users may experience access issues until group membership is restored

Overview

Cleaning up unused groups in both Microsoft Entra ID and on-premises Active Directory (AD) is essential for maintaining a secure and efficient identity infrastructure. This process involves identifying groups that are no longer in use, validating their inactivity, and systematically removing them to reduce clutter and potential security risks.

The cleanup process should begin with a comprehensive inventory of all groups, analyzing their usage patterns, membership, and access assignments. Groups with no recent activity or those not linked to any resources can be marked for review. It's crucial to coordinate with application and resource owners to confirm that these groups are indeed obsolete.

For Microsoft 365 groups, implementing an expiration policy can automate the removal of inactive groups. This policy allows administrators to set a specific period of inactivity after which groups are automatically deleted unless renewed by the owner.

In on-premises AD, identifying unused groups may require analyzing security logs and group membership reports. Once identified, these groups can be disabled or deleted using PowerShell scripts or administrative tools.

This cleanup aligns with the Zero Trust principles by enforcing "Verify explicitly" through regular validation of group memberships and "Use least privilege access" by ensuring users have only the necessary permissions. Neglecting to remove unused groups can lead to security vulnerabilities, such as unauthorized access and privilege escalation.

Reference