Defender for Identity - Dormant Account Details
MDI Dormant Accounts
Query
let sid_list = dynamic(['S-1-5-21-2026063863-2462317154-4127401698-00001', 'S-1-5-21-3621612571-1889916199-1199630630-00002', 'S-1-5-21-4055507806-322200393-1713978839-0002']);
IdentityInfo
| where TimeGenerated > ago(21d)
| where OnPremSid in~ (sid_list)
| summarize arg_max(TimeGenerated,*) by OnPremSid
| project AccountDisplayName, AccountName,AccountDomain, OnPremSid, OnPremObjectId, CompanyName, Department, Country, AccountUpn, DistinguishedName, IsAccountEnabled, ManagerAbout this query
Explanation
This KQL query is designed to gather information about dormant accounts and track certain activities related to them within Microsoft Defender for Identity. Here's a simplified breakdown of what each part of the query does:
-
Retrieve Dormant Account Details:
- The query starts by defining a list of specific Security Identifiers (SIDs) for accounts of interest.
- It then searches the
IdentityInfotable for any records related to these SIDs that have been generated in the last 21 days. - The query summarizes the latest information for each SID and selects various account details such as display name, account name, domain, and other attributes.
-
Track Account Disablement Activities:
- This part of the query looks into the
IdentityDirectoryEventstable for events where accounts have been disabled. - It extends the data to include the SID of the target account and the name of the person who initiated the action.
- The query filters the results to only include events related to the specified SIDs.
- This part of the query looks into the
-
Monitor Group Membership Changes:
- The final section checks for changes in group membership, specifically looking for instances where an account has been removed from a group.
- It extends the data to include details about the membership change, the target account SID, the initiator of the change, and the group name.
- Again, it filters the results to focus on the specified SIDs.
Overall, this query helps in monitoring dormant accounts by providing details about them, tracking when they are disabled, and observing any changes in their group memberships.
Details

Alex Verboon
Released: August 22, 2025
Tables
IdentityInfoIdentityDirectoryEvents
Keywords
DormantAccountsIdentityInformationAccountDisablementActivitiesGroupMembershipChanges
Operators
letdynamicwherein~agosummarizearg_maxbyprojectextendtostring==in