Fix Identity Sprawl + Optimize Microsoft Entra

9 min readJun 10, 2025

Strengthen your security posture in Microsoft Entra by following prioritized Secure Score recommendations. Enforce MFA, block legacy authentication, and apply risk-based Conditional Access policies to reduce exposure from stale accounts and weak authentication methods. Use built-in tools for user, group, and device administration to detect and clean up identity sprawl — like unused credentials, inactive accounts, and expired apps — before they become vulnerabilities.

Jeremy Chapman, Microsoft 365 Director, shares steps to clean up your directory, strengthen authentication, and improve overall identity security.

Prioritize top risks.

Take action across MFA, risk policies, and stale objects with Microsoft Entra recommendations. Start here.

Block over 99% of identity attacks.

See how to enforce MFA for admins and users in Microsoft Entra.

Detect and delete stale user accounts.

See how to fix account sprawl, and get started with Microsoft Entra.

QUICK LINKS:

00:00 — Microsoft Entra optimization

00:54 — New Recommendations tab

02:11 — Enforce multifactor authentication

03:21 — Block legacy authentication protocols

03:58 — Apply risk-based Conditional Access

04:44 — Identity sprawl

05:46 — Fix account sprawl

08:06 — Microsoft 365 group sprawl

09:36 — Devices

10:33 — Wrap up

Link References

Watch part one of our Microsoft Entra Beginner’s Tutorial series at https://aka.ms/EntraBeginnerMechanics

Check out https://aka.ms/MicrosoftEntraRecommendations

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast

Keep getting this insider knowledge, join us on social:

Follow us on Twitter: https://twitter.com/MSFTMechanics
Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics

Video Transcript:

-If you’re managing identities using Microsoft Entra, which includes any Microsoft Cloud service, today, I’ll show you how you can fix identity sprawl, where you probably have stale accounts, groups, and devices in your directory, and improve your identity posture with stronger authentication and more. Now, these are identity management challenges that left unaddressed will introduce security vulnerabilities, but there are ways to get them under control.

-So, using recommendations tailored specifically to your company to help you better secure and optimize your running environment, along with techniques to locate identity sprawl with users, groups, and devices, then delete stale objects in your directory. This is part two in our Microsoft Entra Beginner’s Tutorial series, and I’ll link you here to part one if you missed that at aka.ms/EntraBeginnerMechanics. Now, I’ll start in the Microsoft Entra admin center under Identity and the main Overview page. The new Recommendations tab gives you a super set of security and best practice-based recommendations that go beyond what’s available from Secure Score to increase your identity posture.

-In fact, if you look at the recommendations here, anything in the Secure Score column marked N/A are items based on best practices. And the list that you’re seeing here is based on what applies to this specific Microsoft Entra tenant, so your list, it might look a little different. For each recommendation, you can also see the licensing requirements to implement that recommendation. As I scroll down, you’ll see that the top recommendations with high priorities require multifactor authentication, or MFA, for administrative roles at 10 Secure Score points.

-Then ensure all users can complete multifactor authentication at 9 Secure Score points. And for any of these recommendations, like this one here for administrators, you can just click in to get more details and even find the accounts that are not meeting that requirement, even if you’ve scoped an all users policy and have that in place. And by the way, even Break Glass admin accounts should use MFA with FIDO2 or certificate-based authentication as a second factor. Requiring multifactor authentication is the most important control that you can enforce as an identity admin. It can block over 99% of identity-based attacks and can also solve for many of the other common issues that I mentioned before, like stale accounts, because those are most often breached because they use basic passwords. Multifactor authentication policies are set using Conditional Access policies, where it’s recommended that you assign the policy to all users and also target all resources, formerly all cloud apps.

-You can also access controls for grant and then specify specific access requirements. And if you ever wondered the difference between Require MFA and require authentication strength, well, Require MFA is more of a catch-all that works with two or more authentication methods at any strength level. Whereas require authentication strength lets you narrow down which combinations of authentication methods are allowed. For example, choosing phishing-resistant authentication as an authentication strength means that SMS text messages and passwords would not be allowed as factors, because both of those could be phished by a third party.

-The next highest recommendations are related to this as well. Under high priority and at 8 Secure Score points, there is a recommendation to block legacy authentication protocols like IMAP, SMTP, and POP3. Now these are related to MFA, because all of these protocols, which are used by legacy apps, do not support MFA and Conditional Access controls. Now, here’s why this is important. If an attacker can access a legacy app using those protocols with basic password authentication, they may still be able to access protected resources, then move laterally once they’ve gained access. Then, rounding out the list of high priority recommendations are the enforcement of risk-based Conditional Access policies.

-Now, these risk types might indicate that a user account has been compromised or that the user is either intentionally or unintentionally doing something that they shouldn’t be doing. And all of these recommendations are easy to implement with corresponding Conditional Access policies, where you’ll target each as a condition and pair that with a risk-based control to either block access outright or grant access with additional requirements that need to be met. Next, you’ll find a few recommendations to renew expiring application credentials. And finally, a few remove recommendations, like remove unused credentials from applications and also Remove unused applications themselves.

-This leads us to identity sprawl, including unused or stale accounts, non-human accounts, and inactive registered devices. Enforcing MFA and disabling legacy authentication can mitigate much of the risk, though some of the accounts might still fall outside of MFA policies. Often, these users move on or their accounts are seasonal. They leave your company and their accounts then become stale. So, what’s the risk? The problem is that most people reuse their passwords or will just modify them slightly with known patterns like adding numbers or symbols at the end of it. And if the account in Microsoft Entra is password-only and another account of theirs is compromised by an attacker to steal their password, all the attacker needs to do then is look up the user’s profile on LinkedIn, for example, to see where they’ve last worked, guess their email address, sign into their previous employer domain using the stolen password with variations to access their stale user account, and they’re in.

-Fortunately, there are ways to fix account sprawl. I’ll show you how you can do this in the admin center, but you can also automate this using PowerShell with the Microsoft Graph Module. From all users, you can see that I have 2007 users right now. Now, remember that number because we’ll come back to it.

-Next, using the manage view control, I’ve added a column to my view with last interactive sign-in time so I can see how long it’s been since each account has signed in. From there, I can create a filter using that property with an operator here of less than or equal to, and I’ll go ahead and choose a time, I’ll go back about eight months ago, and then I’ll apply the filter. That narrowed my list down to 27 accounts, so now I’ll hit download users to export a CSV file with their details, which is an Excel file that starts out looking like this. Now, to save time, you’ll see that I’ve removed user principal names that I don’t want to delete. In my case, that was the meeting room accounts only. And for this to work, I needed to delete all other columns and to add a version number using this format here with the colon. In the second field, I use this exact string. User, space, name, space, userPrincipalName in square brackets. Then under that, I have my chosen UPNs listed that I want to delete.

-Now, moving back to the admin center, once I have that final list of items that I want to delete, I’ll use Bulk operations and select Bulk delete. And then for the sale accounts, all I need to do is upload my CSV file that we just saw. There it is. Now I need to type yes here, and then confirm and submit. And that takes a moment to run. And you’ll see that it succeeded. Now, when I refresh the list, you’ll see that only my meeting rooms are still here. The blank lines are actually deleted. Because they matched my filter, they’re still there. And if I remove the filter, you’ll see that my user count is now 1985 or 22 fewer than before. And just in case you accidentally delete a user that you didn’t want to delete, from the deleted users, you can actually recover those accounts for up to 30 days.

-So, next, let’s move on to Microsoft 365 group sprawl. These groups are typically created by users so they can quickly sprawl and pose a similar risk, especially when users with basic password auth might have persistent access to the resources from that group, or if those groups have standing access for external user accounts. Here, to help control sprawl, you can set up group lifetime policies for a number of days. By default, there are options for 180, 365, and custom. I’ll choose 180. In this case, the group owners are sent an email notification at 30 days, 15 days, and one day prior to group expiration, where they can choose to renew the impacted groups or just let them go. Now, if left unrenewed, those groups will be deleted along with associated content in Outlook, SharePoint, Teams and Power BI. In this field, you’ll add an email address for groups with no owners.

-And finally, you’ll choose which Microsoft 365 groups to enable for these automatic expiration controls, either all groups or using the selected option, you’ll then be able to choose exactly each of the groups that you want to have added to this policy, or you can choose none, which will effectively disable the policy. So, in my case, I’ll keep all and then I’ll hit save. Like user accounts, groups have 30 days of grace prior to permanent deletion, and you or the group owner can restore them.

-We’ve covered two main areas of identity sprawl, and the third common category we’ll cover today is devices. For this, before you just start deleting devices, you’ll need to prevent your users or yourself even from getting locked out. This is because Microsoft Entra-joined physical Windows devices are often the ones that you own and manage. Their associated BitLocker keys used to encrypt and unencrypt the local drives are stored in Microsoft Entra and accessible through their device properties, which acts as an insurance policy in case, for whatever reason, you get locked out. Likewise, local administrator passwords can be maintained here, too. So, for Windows devices, unless you’re sure, don’t delete them. Otherwise, deleting Windows devices or other registered device platforms follows roughly the same process that I showed for users and groups with one important exception. Deletion in this case is permanent. There’s not a recycle bin or 30 days grace to undelete those devices.

-Implementing the tips that I’ve shown today will help improve your identity posture, and help contain identity sprawl. Now, the latter helps keep your users, groups, and devices more manageable and reduces risk associated with stale objects in your directory. To learn more, check out aka.ms/microsoftEntraRecommendations. And be sure to subscribe to Microsoft Mechanics for latest updates and thanks so much for watching.