**Remove a Stale User Account**

**Scenario**
A former employee account, laura.cho@company.com, remains active in the directory despite the user having departed three months ago. To maintain identity hygiene and reduce the attack surface, the account must be safely deprovisioned. This process includes disabling the account, removing licenses, and permanently deleting the identity—ensuring compliance with audit and access review policies.

**Step-by-Step Action Flow (Simulated)**
Go to Microsoft Entra Admin Center → Identity → Users
Search: laura.cho@company.com → Confirm account status: Enabled
Click on the user → Account → Set Block sign-in to Yes
Navigate to Licenses → Remove all assigned licenses
Click Delete user → Confirm deletion
**Result:** User laura.cho@company.com is now blocked and removed from the directory. License entitlements are freed, and the identity is retained in soft-deleted state for the retention period.
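The same flow scripted against Microsoft Graph, as an added example that is not part of the original write-up. It assumes the Microsoft.Graph PowerShell module is installed, the signed-in account holds the User Administrator role (or equivalent Graph permissions), and it uses the write-up's sample UPN as a constructed value. Deletion is opt-in via `-Delete` so the script can be run once as a read-mostly rehearsal; the block/revoke/license steps still execute.

```powershell
# Added example: deprovision a stale user with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module present; caller has User Administrator
# rights (User.ReadWrite.All, Directory.ReadWrite.All, Policy.Read.All consent).
# $Upn is the write-up's sample value, not a real account.
param(
    [string]$Upn = 'laura.cho@company.com',
    [switch]$Delete   # deletion only when explicitly requested
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All','Policy.Read.All' -NoWelcome

# 1. Locate the account and record its pre-change state for the ticket / audit trail
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses
"Found $($user.UserPrincipalName): AccountEnabled=$($user.AccountEnabled), Licenses=$($user.AssignedLicenses.Count)"

# 2. Block sign-in (portal: Block sign-in = Yes) and revoke refresh tokens so
#    sessions already issued stop working instead of living out their lifetime
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Remove every assigned license; nothing is added back
$skus = @($user.AssignedLicenses | ForEach-Object { $_.SkuId })
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
}

# 4. Layer 3 / Layer 5 check before deletion: anything still pointing at this
#    identity? Directory role assignments and Conditional Access policies that
#    name the user by object id are the two most common leftovers.
$roles  = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'")
$caRefs = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains $user.Id -or
    $_.Conditions.Users.ExcludeUsers -contains $user.Id
})
"Directory role assignments: $($roles.Count); CA policies referencing user: $($caRefs.Count)"
$caRefs | ForEach-Object { "  CA policy still references user: $($_.DisplayName)" }

# 5. Delete. Entra soft-deletes the object, so it can be restored from
#    directory/deletedItems during the retention period if this was a mistake.
if ($Delete) {
    Remove-MgUser -UserId $user.Id
    $gone = Get-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
    "Soft-deleted at $($gone.DeletedDateTime); recover with: Restore-MgDirectoryDeletedItem -DirectoryObjectId $($user.Id)"
}
```

Running the script without `-Delete` leaves the account blocked, token-revoked and unlicensed, and prints the role and Conditional Access references that the Layer 3 check asks you to confirm are empty; rerun with `-Delete` once the list is clean.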

**Entra Control Stack Mapping**

**Layer 1 – Authority Definition**
✅ Touched
This action must be performed by a user with sufficient privileges (e.g., User Administrator or Global Administrator). Deletion and blocking actions are recorded in audit logs.

**Layer 2 – Scope Boundaries**
✅ Engaged
The user is removed from all scopes, including groups, AUs, and roles. License and access scoping boundaries are dissolved as part of account deprovisioning.

**Layer 3 – Test Identity Validation**
✅ Confirmed
After deletion, an attempt to sign in as laura.cho@company.com fails. Confirm that no downstream apps or Conditional Access policies still reference this identity.

**Layer 4 – External Entry Controls**
❌ Not Applicable
This is an internal user; no B2B guest identity or external collaboration is involved.

**Layer 5 – Privilege Channels**
✅ Defused
Any privileged roles, group memberships, or entitlements associated with this user are revoked as part of license removal and deletion. Privilege channels are explicitly closed.

**Layer 6 – Device Trust Enforcement**
❌ Not Affected
This project does not involve device compliance or registration; however, stale devices previously registered to the user could be audited separately.

**Layer 7 – Continuous Verification**
✅ Security Posture Enhanced
Removal of stale identities improves posture. Ensure regular dormant account reviews are scheduled via access reviews or automation tools.
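An automated dormant-account sweep of the kind this layer calls for, as an added example that is not part of the original write-up. It assumes the Microsoft.Graph PowerShell module, `User.Read.All` and `AuditLog.Read.All` consent, and a tenant licensed for sign-in activity reporting (the `signInActivity` property needs Entra ID P1/P2). The 90-day threshold is an assumed review window; the scenario's "three months" is the reason for that default.

```powershell
# Added example: list member accounts with no sign-in for N days as candidates
# for a stale-account review. Assumptions: Microsoft.Graph module; caller has
# User.Read.All + AuditLog.Read.All; tenant exposes signInActivity (P1/P2).
param([int]$DaysInactive = 90)

Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome
$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$DaysInactive)

# Members only: guests are governed by the B2B / access-review path instead
$users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id,UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity

$stale = foreach ($u in $users) {
    $last = $u.SignInActivity.LastSignInDateTime
    # An account that has never signed in is judged by its creation date,
    # otherwise it would silently drop out of the report
    $ref = if ($last) { $last } else { $u.CreatedDateTime }
    if ($ref -and $ref -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            AccountEnabled    = $u.AccountEnabled
            LastSignIn        = $last
            DaysSinceActivity = [int]($now - $ref).TotalDays
        }
    }
}

# Enabled rows are the ones that still carry risk; disabled rows are already
# past step 1 of the deprovisioning flow and only need licenses/deletion reviewed
$stale | Sort-Object AccountEnabled -Descending, DaysSinceActivity -Descending | Format-Table -AutoSize
```

Scheduling this as a monthly job (or feeding its output into an access review) is the "regular dormant account reviews" the layer asks for; each enabled row becomes an input to the deprovisioning steps above.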

**Observations and Follow-Up**
laura.cho@company.com is now blocked and deleted; no access remains.
All licenses have been revoked, avoiding billing overhead.
This action reduces risk from orphaned or dormant accounts.
Recommend monthly stale user audits across AUs and groups.
Soft-deleted state allows recovery if deletion was in error (within retention period).

**Entra Control Stack: Micro-Project Series**

This series simulates small but common identity tasks in Microsoft Entra ID, each mapped directly to the Entra Control Stack, a seven-layer operational governance model. The projects are intentionally narrow in scope to build muscle memory in tenant navigation, access governance, and control layer mapping.

Each facsimile project follows the principle of real-world simulation—steps are written as if executed live in the Azure portal, and each task is evaluated across the seven layers of the Entra Control Stack. Unaffected layers are explicitly noted to reinforce boundary understanding.

**Selected Micro-Projects (Progress Tracker)**

• ✅ Project 1 – Add a New Guest User
Action: Invite an external B2B user to the tenant
Why: Exercises external collaboration policy, guest access review, and audit confirmation

• ✅ Project 2 – Change a Global Administrator to a Privileged Role Administrator
Action: Replace Global Admin role with delegated Privileged Role Admin
Why: Promotes least-privilege governance and delegation of sensitive permissions

• ✅ Project 3 – Assign User Administrator Role at AU Scope
Action: Assign User Administrator role scoped to a specific Administrative Unit
Why: Demonstrates role scoping and delegated control enforcement

• ✅ Project 4 – Remove a Stale User Account
Action: Disable and delete a user account no longer in use
Why: Models deprovisioning, identity hygiene, and audit compliance

• ⬜ Project 5 – Create a Group and Assign Role
Action: Create a security group and assign a directory role to it
Why: Reinforces group-based RBAC and scalable access control strategies