Find the accounts nobody is using but everyone is still paying for.

Every Entra ID tenant accumulates inactive accounts over time: former employees, expired guest accounts, dormant service principals, and users who simply stopped logging in. Each one holds permissions and often a paid license. Zombie Account Hunter surfaces them so you can clean up, recover spend, and reduce your identity attack surface.

Why it matters

Inactive accounts are both a security risk and a cost leak.

Dormant accounts are easy targets

An account that nobody is watching is an account nobody will notice when it gets compromised. Inactive accounts with retained permissions are a common entry point for attackers.

License waste adds up quietly

Microsoft 365 E3 or E5 licenses assigned to accounts that have not signed in for months represent direct cost waste. Across a tenant with hundreds of users, the recovery can be significant.

Guest sprawl creates hidden risk

External guest accounts from past collaborations, vendor engagements, or one-time shares accumulate and retain access to shared resources long after their purpose has ended.

Compliance requires identity hygiene

Security frameworks expect regular access reviews and cleanup of inactive identities. Zombie Account Hunter provides the data needed to satisfy these requirements without manual directory audits.

Built with

Microsoft Graph API, read-only, configurable thresholds.

Microsoft Graph, Entra ID, Identity hygiene, License recovery, Account cleanup, Open source

FAQ

Common questions about Zombie Account Hunter.

A zombie account is a user account, service principal, or guest identity that still exists in the directory but is no longer actively used. These accounts often retain permissions and licenses despite being dormant.
Yes. Zombie Account Hunter is open source and free to use under its license on GitHub.
The tool checks last sign-in activity, last password change, license assignment status, and other signals from the Microsoft Graph API to identify accounts that have been dormant beyond a configurable threshold.
The tool identifies which inactive accounts hold licenses that could be reclaimed. The actual license removal is a manual step to ensure human review before any changes are made.
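
The signals described above, combined into a single dormancy check. This is an added example, not Zombie Account Hunter's own code. It assumes the users were read from Microsoft Graph with signInActivity, lastPasswordChangeDateTime, assignedLicenses, userType and createdDateTime selected; the function name, the 90-day default, the fallback to creation time and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like Microsoft Graph user objects (not real tenant data).
SAMPLE_USERS = [
    {"userPrincipalName": "active@contoso.example", "userType": "Member",
     "createdDateTime": "2021-03-01T00:00:00Z", "assignedLicenses": [{"skuId": "sku-1"}],
     "lastPasswordChangeDateTime": "2024-04-02T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T00:00:00Z"}},
    {"userPrincipalName": "leaver@contoso.example", "userType": "Member",
     "createdDateTime": "2020-06-01T00:00:00Z", "assignedLicenses": [{"skuId": "sku-1"}],
     "lastPasswordChangeDateTime": "2023-08-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-10-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-11-01T00:00:00Z"}},
    {"userPrincipalName": "vendor_ext@contoso.example", "userType": "Guest",
     "createdDateTime": "2023-01-15T00:00:00Z", "assignedLicenses": [],
     "signInActivity": None},  # invited, never signed in
    {"userPrincipalName": "newhire@contoso.example", "userType": "Member",
     "createdDateTime": "2024-05-20T00:00:00Z", "assignedLicenses": [{"skuId": "sku-1"}],
     "signInActivity": None},  # created recently, not yet signed in
]

def _ts(value):
    """Parse a Graph ISO 8601 UTC timestamp; missing values stay None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def find_zombies(users, now, threshold_days=90):
    """Return one finding per account with no activity signal inside the threshold."""
    cutoff = now - timedelta(days=threshold_days)
    findings = []
    for u in users:
        activity = u.get("signInActivity") or {}  # null when the user never signed in
        sign_ins = [t for t in (_ts(activity.get("lastSignInDateTime")),
                                _ts(activity.get("lastNonInteractiveSignInDateTime"))) if t]
        pwd = _ts(u.get("lastPasswordChangeDateTime"))
        signals = sign_ins + ([pwd] if pwd else [])
        # Assumption: with no signal at all, use creation time so fresh accounts are spared.
        last_active = max(signals) if signals else _ts(u.get("createdDateTime"))
        if last_active and last_active >= cutoff:
            continue
        findings.append({
            "upn": u["userPrincipalName"],
            "idle_days": (now - last_active).days if last_active else None,
            "never_signed_in": not sign_ins,
            "is_guest": u.get("userType") == "Guest",
            "reclaimable_licenses": len(u.get("assignedLicenses") or []),
        })
    return findings

if __name__ == "__main__":
    for f in find_zombies(SAMPLE_USERS, now=datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f)
```

The output is a review list only, matching the page's point that license removal stays a manual step.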

Built by Orygn

Zombie Account Hunter is one of several identity security tools Orygn has published.

Orygn builds custom software, security tooling, and identity-focused systems. This tool is part of a broader set of open-source Entra ID utilities for tenant hygiene, cost recovery, and identity security.
