Let's explore Center for Internet Security Controls or CISControls, which have become an industry standard to help businesses and organizations of all sizes maintain a best practice standard of Cybersecurity controls.

Safeguard 5.3 requires the deletion or disabling of any dormant accounts after a period of 45 days of inactivity, where supported.

When you have a user leave the company, you should be disabling, resetting the credentials, or removing the account immediately and with some cloud services a user may be able to reset credentials with multiple verification methods that you may not have control over, so disabling or removing the account should be the preferred practice.

Here you are typically looking at accounts that were setup for a vendor or service account that has been decommissioned and the account was forgotten in the process. So 5.3 while is viable if you're not removing standard user accounts, it's intent is to ensure those other accounts are disabled or deleted timely.

Over the years I have seen "legacy" accounts maintained for access to files, a specific application, or e-mail.

When you decommission a user the files should be migrated to the user replacing them or their manager.

Users should not be logging in with other user accounts to access an application, if you have issues getting the application working for another user account then contacting the application vendor's support team is your best next step.

Finally, I love using e-mail compliance backup tools like Barracuda's E-mail Archiver. I know all of the email is retained and can give another user access to it there and the user account and mailbox can go away. Even if a new e-mail comes in and can't be delivered, archiver will still archive it.

There are products and processes that are readily available that eliminate any argument your users would have on why you can't "remove" access to another user account.

Here I use the service Liongard which monitors most of the services including EntraID and Active Directory for unused or those dormant accounts.

All you need to do here is have the policy that outlines how you identify and handle dormant accounts, be prepared with logs or an auditing tool that shows that you actually follow the policy if you ever need to prove it. The last thing you want is an active dormant account used to breach your network.