One Simple Trick to Stop Contractor Account Leaks

Here’s a scenario that plays out in small businesses every week: You hire a contractor for a three-month project. They get access to your cloud apps—Teams, SharePoint, email, financial software. The project ends. They leave. Weeks or months pass. Nobody revokes their access. Their account sits dormant, but fully active, with all the same permissions they had on day one.

Then one day, a hacker buys that contractor’s credentials on the dark web for $15. They log in using an account that looks completely legitimate—no red flags, no alerts—and spend weeks stealing your customer data, financial records, and trade secrets. By the time you discover the breach, the damage is catastrophic.

This is not paranoia. This is happening right now. According to a 2025 SecurityScorecard report, 35.5% of all breaches in 2024 originated from third-party or contractor compromises, up 6.5 percentage points from the previous year. In retail and hospitality, the rate is even higher: 52.4% of breaches involve third parties. The average cost of recovering from a third-party breach is $4.8 million.

The scariest part? Most small businesses have no automated way to revoke contractor access. They rely on memory. Someone is supposed to remember to disable the account when a contractor leaves. But studies show that 25% of former contractors still have access to company systems months or even years later.

The good news: This problem is largely solvable in about an hour using Microsoft Entra Conditional Access. Once configured, membership in one security group decides what a contractor can reach and under which conditions (MFA, a fresh sign-in every day, nothing outside the approved apps). Offboarding becomes one membership change plus disabling the account, and both steps can be scripted against a contract end date so that nobody has to remember them.

The Hidden Cost of Dormant Contractor Accounts

Every inactive but still enabled account in your tenant is a door that still opens. Attackers like dormant accounts because nobody is watching them: the legitimate owner will not notice a password reset, a new MFA registration, or a sign-in from an unfamiliar country, and there is no history of normal activity for anomaly detection to compare against.

The scale of the problem is staggering. On average, 1 in 8 employee accounts at any organization are dormant. For contractor accounts specifically, the risk is higher because contractors do not typically go through formal offboarding. A company hired a contractor three years ago, the project is long forgotten, the account is never disabled; it just sits there, fully enabled, waiting.

Research from Material Security found that 88% of organizations have “ghost users”—stale but enabled accounts that still retain access to sensitive data. For every human user in an organization, there are roughly 40 service accounts, many of them undocumented and forgotten.

Here is why this matters financially: According to a 2025 Beyond Identity study, 50% of former employees’ accounts remain active for longer than one day after they leave. Thirty-two percent of organizations take more than seven days to fully deprovision a single former employee. That gap is where breaches happen.

Real-world example: A data hosting company that served 45+ federal agencies had two contractor employees with elevated privileges. Minutes after termination, they deleted 96 databases, including a Homeland Security production database. They stole IRS and EEOC records and corrupted critical investigative files. The company had no automated process to revoke access immediately upon termination, so what should have been a clean offboarding became a catastrophic data loss incident.

Another example, from 2013: The Target breach that exposed 40 million payment cards and 70 million customer records started with a single compromised vendor credential. Attackers phished Fazio Mechanical Services, a heating and air-conditioning contractor that had access to Target's vendor portal for billing and project management, and used its login to get onto Target's network. Within a few weeks they had pushed card-scraping malware to point-of-sale systems across Target's US stores, and card data was exfiltrated for roughly three weeks before the breach was detected in December 2013.

That breach would have been far harder, and far smaller, if Target had required MFA for vendor sign-ins and applied the principle of least privilege: a vendor portal for invoices has no business reaching the payment network. Note that an expiration date on Fazio's access would not have helped here; the credentials were inside their intended service period when they were stolen. Expiry handles forgotten accounts, MFA and least privilege handle active ones, and you need both.

How Dormant Accounts Become Breaches

When contractors leave, forgotten accounts create multiple attack vectors:

Weak credentials: Dormant accounts are often the ones that never finished MFA registration or were quietly excluded from the MFA rollout because "nobody uses them." If MFA is required but was never registered, an attacker who has the password can register their own authenticator at first sign-in. Either way, a password alone is enough.

Lateral movement: Contractor accounts often retain the same permissions they had while active. An attacker using a dormant contractor account can use those existing permissions to move deeper into your network, access databases, and escalate privileges.

No baseline: A dormant account has no normal activity to compare against, so there is no "unusual" pattern for behavioral analytics to flag, and nobody is reading its sign-in log. The sign-ins are recorded, though: a successful sign-in by an account that has been silent for months is one of the highest-signal alerts you can build, if you look for it.

Compliance exposure: Frameworks such as GDPR, HIPAA, and SOX expect access to sensitive data to be limited to people who currently need it and to be reviewed periodically. Enabled accounts belonging to people who no longer work for you are exactly what an auditor looks for, and they surface as findings, fines, or both.

The numbers behind this are sobering: only about 2% of assigned permissions are actively used, while roughly half of all permissions are classified as high-risk, meaning they could be used to read or destroy data. A dormant contractor account is exactly that kind of unused but dangerous permission sitting in your system.
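The audit a practitioner wants at this point is a list of enabled accounts that nobody has used in months. The following Microsoft Graph PowerShell script is an added example, not code from the original article or from Microsoft; it assumes the contractor control group is named External-Contractors (the name used in the setup steps later on), that the tenant has an Entra ID P1 or P2 license (the signInActivity property requires one), and that the signed-in admin can consent to User.Read.All, AuditLog.Read.All and GroupMember.Read.All.

```powershell
# Added example (not from the original article): report enabled accounts with no sign-in,
# interactive or non-interactive, in the last N days, and flag those in the contractor group.
# Assumptions: group name External-Contractors; tenant licensed for Entra ID P1/P2 (signInActivity).
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','GroupMember.Read.All'

function Get-DormantAccount {
    param(
        [int]$DaysInactive = 90,
        [string]$ContractorGroup = 'External-Contractors'   # assumed group name
    )

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$DaysInactive)

    # Membership of the contractor group, so the report can single those accounts out.
    $contractorIds = @{}
    $group = Get-MgGroup -Filter "displayName eq '$ContractorGroup'"
    if ($group) {
        Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $contractorIds[$_.Id] = $true }
    }

    # signInActivity is only returned when it is requested explicitly.
    $users = Get-MgUser -All -Property 'id,displayName,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity'

    foreach ($u in $users) {
        if (-not $u.AccountEnabled) { continue }      # already disabled: not a live door

        # Most recent of the two timestamps; both are null for accounts that were never used.
        $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

        # Never-used accounts count as dormant once they are older than the cutoff.
        $dormant = if ($last) { $last -lt $cutoff } else { $u.CreatedDateTime -lt $cutoff }
        if (-not $dormant) { continue }

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            UserType          = $u.UserType                     # Member or Guest
            IsContractor      = $contractorIds.ContainsKey($u.Id)
            LastSignInUtc     = $last                           # null = never signed in
            CreatedUtc        = $u.CreatedDateTime
        }
    }
}

# Contractors first, then everyone else; the CSV is the input to your access review.
$report = Get-DormantAccount -DaysInactive 90 | Sort-Object IsContractor -Descending
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\dormant-accounts.csv -NoTypeInformation
```

Run it before you build any policy: the rows with IsContractor set to false are the forgotten accounts the policy will never see, and they need to be disabled by hand. Service accounts and shared mailboxes will also appear; triage them rather than disabling blindly.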

What Is Microsoft Entra Conditional Access?

Conditional Access is Microsoft’s zero-trust policy engine built into Microsoft 365 and Entra ID (formerly Azure AD). It is a set of automated rules that determine who can access what resources under what conditions.

For contractor management, Conditional Access works like this: you scope policies to a Contractors security group so that members can reach Teams, SharePoint, and Exchange, but only with multi-factor authentication and a fresh sign-in at least once a day, and are blocked from every other application that signs in through Entra ID. Adding a contractor to the group puts them under those rules at their next sign-in. Removing them takes the rules away again; it does not by itself revoke access, so offboarding also means disabling the account and revoking its sessions, which Exchange Online, SharePoint Online, and Teams enforce within minutes and other applications within about an hour, when the current access token expires.

The power is in having one control point instead of a checklist per person: the group says who is a contractor, the policies say what that means, and offboarding is a membership change plus a disabled account rather than a hunt through every application.

Setting Up Contractor Access Control in 60 Minutes

The beauty of Conditional Access is that it requires minimal technical expertise to set up. Here is a step-by-step breakdown:

Step 1: Create a Security Group for Contractors (5 minutes)

Go to your Microsoft Entra admin center and create a new security group called “External-Contractors” or “Temporary-Vendors.” This becomes your control point. Add each new contractor to this group when they start work; when they leave, remove them from the group and disable the account in the same sitting. Where you can, invite contractors as guest (B2B) accounts rather than creating member accounts for them: guests are visibly external in every report, and later policies can target them as a class (“All guest and external users”).

Why this works: Instead of managing rules for individual contractors, you manage one rule that applies to an entire group. When someone joins the group, the rule applies. When they leave, the rule no longer applies. Simple and scalable.

Step 2: Create a Conditional Access Policy for Contractors (15 minutes)

In the Entra admin center, go to Conditional Access and create a new policy. Name it “Contractor Access Control.”

Under Assignments, select:

  • Users and groups: Choose the “External-Contractors” security group you just created, and exclude your emergency-access (break-glass) account.
  • Target resources (called Cloud apps in older portals): Select only the applications contractors need. For most small businesses that is the “Office 365” app group, which covers Teams, SharePoint, Exchange, and the Office apps.
  • Conditions: No special conditions needed for a basic setup.

A single policy cannot both allow these apps and block the rest, so create a second policy for the same group: Target resources “All resources”, exclude “Office 365”, Grant “Block access”. Now a contractor who tries to open your finance or HR application, or the Entra and Azure admin portals, is refused at sign-in. Two caveats: Conditional Access only governs applications that sign in through Entra ID, so software with its own local logins is untouched by it; and if you later require compliant devices, you must exclude Microsoft Intune and Microsoft Intune Enrollment from the block policy or contractors cannot enroll.

If your contractors are guest (B2B) accounts, you can go one step further and make the group the real gate: a third policy with “All guest and external users” as the included users, “All resources” as the target, Grant “Block access”, and External-Contractors as the excluded group. A guest who is not in the group is then blocked everywhere at their next token refresh, so removal from the group genuinely ends access rather than merely lifting the contractor rules.

Step 3: Enforce Multi-Factor Authentication (10 minutes)

Under Grant controls, select “Require multi-factor authentication.” This means every time a contractor logs in, they must provide a second form of authentication—a code from an authenticator app, a text message, or a security key. This dramatically reduces the risk of a stolen password being enough to compromise the account.

Step 4: Set a Sign-In Frequency (15 minutes)

Under Session controls, enable “Sign-in frequency” and set a short value, for example 1 day. (The default sign-in frequency in Entra ID is a rolling window of 90 days, so setting 90 days changes nothing.) This forces an interactive sign-in, including MFA, once a day on each of the contractor's devices, which limits how long a stolen token or an unattended laptop remains useful.

What sign-in frequency does not do is expire access when a contract ends. Conditional Access is evaluated when Entra ID issues or refreshes a token, not against a calendar. When you remove a contractor from the group, the contractor policies simply stop applying at the next token refresh; access tokens already issued (roughly an hour's lifetime) keep working until they expire, and the account itself can still sign in unless something else blocks it.

The hard cutoff is disabling the account and revoking its sessions. Disabling is a critical event that Exchange Online, SharePoint Online, and Teams act on within minutes through continuous access evaluation; revoking sessions invalidates the refresh tokens, so every other application loses the session when its current access token expires. Do both on the day the contractor leaves, and treat the group removal as the cleanup rather than the lock.

Step 5: Add Optional Advanced Controls (15 minutes)

For additional security, you can add:

  • Device compliance: Require contractors to use devices that meet your security standards (firewall enabled, antivirus active, latest patches). This requires Intune enrollment, which most external devices will not have, so plan for it before enabling it.
  • Authentication strength: Require phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) instead of SMS or voice, which real-time phishing kits defeat routinely. Use the “Require authentication strength” grant control rather than plain “Require MFA” to enforce this.
  • Trusted locations: If contractors only work from known networks, add those networks as named locations and restrict their sign-ins to those locations.

None of these are required for a basic setup, but they add defense layers.

Step 6: Test Before You Go Live (Optional, but Recommended)

Microsoft Entra lets you create a policy in “report-only” mode, where it is evaluated and logged on every sign-in but not enforced. Run both contractor policies that way for a week, then check the sign-in log (each sign-in has a Conditional Access tab showing which policies matched and what they would have done) and the What If tool to confirm contractors get exactly the apps you intended and nothing else. Only then switch the policies to On. Two rules that apply to every policy you write: exclude at least one emergency-access account from any policy that blocks or requires MFA, and never enable a block policy you have not first watched in report-only mode, because a mistake here locks people out.
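Steps 1 through 6 can be done in the portal, but a script makes the configuration reviewable and repeatable. The Microsoft Graph PowerShell script below is an added example, not code from the original article or from Microsoft. It creates the group and both policies in report-only mode, excluding a break-glass account. Assumptions not in the article: the emergency-access account is named breakglass@contoso.onmicrosoft.com; the “Office 365” app group (identifier Office365 in Graph) is the set of apps contractors need; and the signed-in admin holds the Conditional Access Administrator or Global Administrator role and can consent to the listed scopes.

```powershell
# Added example (not from the original article): create the contractor control group and the two
# Conditional Access policies from Steps 1-6 via Microsoft Graph PowerShell, in report-only mode.
# Assumptions: break-glass account breakglass@contoso.onmicrosoft.com exists; "Office365" is the
# app group contractors need; the caller is a Conditional Access Administrator.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','Policy.ReadWrite.ConditionalAccess','User.Read.All'

# Step 1: the security group that acts as the control point (idempotent).
$group = Get-MgGroup -Filter "displayName eq 'External-Contractors'"
if (-not $group) {
    $group = New-MgGroup -DisplayName 'External-Contractors' -MailEnabled:$false `
        -MailNickname 'External-Contractors' -SecurityEnabled `
        -Description 'Active contractors; membership drives the contractor Conditional Access policies'
}

# Never scope a block or MFA policy without excluding an emergency-access account.
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com'   # assumed account name

$users = @{
    includeGroups = @($group.Id)
    excludeUsers  = @($breakGlass.Id)
}

# Policy A (Steps 2-4): the allowed apps, only with MFA and a 1-day sign-in frequency.
$allowPolicy = @{
    displayName = 'Contractors - allow Office 365 with MFA'
    state       = 'enabledForReportingButNotEnforced'    # report-only first (Step 6); 'enabled' later
    conditions  = @{
        users          = $users
        applications   = @{ includeApplications = @('Office365') }   # Teams, SharePoint, Exchange, Office
        clientAppTypes = @('all')
    }
    # For phishing-resistant MFA (Step 5) replace builtInControls with
    # authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' } (built-in strength).
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; value = 1; type = 'days'; frequencyInterval = 'timeBased' }
    }
}

# Policy B (Step 2): everything else registered in Entra ID is blocked for the same group.
# If you later require compliant devices, add the Intune and Intune Enrollment app IDs to
# excludeApplications, or contractors cannot enroll.
$blockPolicy = @{
    displayName = 'Contractors - block all other resources'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = $users
        applications   = @{ includeApplications = @('All'); excludeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Create each policy unless one with that name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $allowPolicy, $blockPolicy) {
    if ($existing | Where-Object DisplayName -eq $p.displayName) {
        Write-Host "Policy '$($p.displayName)' already exists, skipping"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

After a week in report-only mode, flip each policy's state to enabled with Update-MgIdentityConditionalAccessPolicy, and keep this script in version control so the next admin can see exactly what the policies are supposed to say.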

Total setup time: 60 minutes for a functional, secure contractor access system.

Why Conditional Access Beats Manual Deprovisioning

Traditional contractor offboarding is a mess. HR notifies IT. IT tickets the request. Someone eventually disables the account—if they remember. Studies show this process takes an average of one hour just to deprovision a single person, and many accounts stay active for days or weeks after someone leaves.

Conditional Access removes the guesswork about what a contractor can reach; a three-step offboarding routine removes the guesswork about when it ends. The moment a contractor leaves:

  • Remove them from the security group, so the contractor policies no longer apply at the next token refresh.
  • Disable the account (block sign-in), so no new tokens can be issued. Exchange Online, SharePoint Online, and Teams drop the account's sessions within minutes of this.
  • Revoke the account's sessions, so its refresh tokens are invalidated and every other application loses the session when the current access token expires, roughly an hour later.
  • Check the sign-in log the next day: a disabled account should show only failures.

All three actions are scriptable, and none of them depend on someone remembering a month later.

This is not a nice-to-have. It is critical risk management. The federal agency incident happened because privileged access outlived the termination by even a few minutes. The Target breach happened because a vendor's password, with no MFA behind it, was enough to reach Target's internal network. Same-day revocation addresses the first; MFA and least privilege address the second. A calendar expiry alone would have stopped neither, because in both cases the credentials were still inside their intended lifetime when they were abused.

Calculating the ROI of Conditional Access

Cost of implementation:

  • Microsoft Entra ID P1 licenses: $6 per user per month
  • For 10 contractors: $60/month or $720/year
  • For 25 contractors: $150/month or $1,800/year
  • One-time setup: 1-2 hours of IT time ($200-$400 value)

Cost of a single breach:

  • Average third-party breach: $4.8 million
  • Legal liability, notification costs, regulatory fines: $500,000 to $5,000,000+
  • Reputational damage and lost customers: Incalculable

ROI: If Conditional Access prevents even one breach over five years, it pays for itself 1,000 times over.

For a small business, this is not a complex decision. The cost of implementation is negligible compared to the risk of a forgotten contractor account becoming a breach vector.

When to Use Conditional Access

Use Conditional Access if you:

  • Hire any contractors, vendors, or temporary staff.
  • Use Microsoft 365 or Azure cloud services.
  • Have customer data, financial records, or proprietary information contractors might access.
  • Want to reduce your breach risk and improve compliance.

You specifically need this if:

  • You have more than 3-5 contractors at any time.
  • Contractors change frequently (high churn).
  • Your contractors access sensitive data or critical systems.
  • You are in a regulated industry (healthcare, finance, education).

If you fit any of these categories, set up Conditional Access this week. The risk of not doing it far outweighs the minimal cost and effort.

Licensing and Requirements

To use Conditional Access, you need:

  • Microsoft Entra ID P1 licenses: $6 per user per month
  • Microsoft 365 Business Premium or E3: These licenses include Entra ID P1
  • Global Administrator or Conditional Access Administrator role: You need this access to set up policies

If you already have Microsoft 365 for your business, you likely already have the licensing. Check with your Microsoft administrator to confirm. Guest (B2B) users are not licensed per seat: Conditional Access for guests is covered by Microsoft Entra External ID monthly-active-user billing, and the first 50,000 monthly active users are free, so inviting contractors as guests usually costs nothing extra.

For advanced features like risk-based access policies, you would need Entra ID P2 ($9/user/month), but the basic contractor access control described here works perfectly with P1.

FAQ: Conditional Access for Contractor Management

Can I Set Different Access Levels for Different Contractors?

Yes. Create multiple security groups (“Development Contractors,” “Finance Contractors,” and so on) and give each group its own pair of Conditional Access policies with different app lists. This way, a developer only reaches development tools, and a bookkeeper only reaches accounting software. Remember that Conditional Access decides whether a sign-in to an application is allowed; what the contractor can do once inside (which SharePoint sites, which mailboxes, which records) is still governed by permissions in that application, so scope those to the same group as well.

What Happens if a Contractor Needs Extended Access?

Conditional Access has no notion of a contract end date, so record the date somewhere you can query (a ticket, or an attribute on the user object) and move it when the contract is extended. When the new date arrives, remove them from the security group and disable the account. If they come back later, re-enable the account and add them to the group again; the policies themselves never need to change.

Can Contractors Still Work if They Are in a Blocked Location?

Not from that location, if the policy blocks it outright. Two softer designs keep them working: add the contractor's VPN egress address as a trusted named location, so their sign-ins arrive from an address you allow; or, instead of blocking, write the policy as “require MFA (or a compliant device) from outside trusted locations,” which raises the bar when they are somewhere unexpected without stopping the work.

What If a Contractor Loses Their MFA Device?

They contact your IT support, and support verifies their identity before touching anything. Helpdesk MFA resets are a favorite social-engineering target, so use something stronger than security questions: a video call, or confirmation through the vendor's known contact. Then issue a Temporary Access Pass or use “Require re-register multifactor authentication” on the account, and have the contractor enroll a new authenticator. Same process as any user, with the same discipline.

Do I Need Active Directory On-Premises?

No. Conditional Access works with cloud-only identities in Entra ID. If you have hybrid (on-premises AD synced to Entra ID), it still works the same way.

Can Conditional Access Expire Access At a Specific Date and Time?

No. Sign-in frequency only controls how often a user must re-authenticate; it is not a cutoff date. Removing the contractor from the security group on the leaving date is the basic approach, and it is a manual step unless you script it. If you license Microsoft Entra ID Governance, access packages can grant group membership with an expiration date, and Privileged Identity Management for Groups (Entra ID P2) can make membership time-bound; both remove the user from the group automatically when the date passes. Either way, disable the account as well, since group removal alone leaves it able to sign in.
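Both the offboarding checklist earlier on this page (remove from group, disable, revoke sessions) and the hard-cutoff question just above come down to the same few Graph calls, run either by hand on the day someone leaves or daily against a recorded end date. The script below is an added example, not code from the original article or from Microsoft. It assumes the control group is named External-Contractors, that each contractor's end date is stored as yyyy-MM-dd in the user's extensionAttribute1 (which Graph lets you set on cloud-only users), that the example user jane.contractor@contoso.onmicrosoft.com exists, and that the signed-in admin holds the User Administrator role and can consent to User.ReadWrite.All and Group.ReadWrite.All.

```powershell
# Added example (not from the original article): same-day offboarding for one contractor, and a
# daily sweep that applies it automatically once the recorded contract end date has passed.
# Assumptions: group External-Contractors; end date in extensionAttribute1 as yyyy-MM-dd;
# caller is a User Administrator. Schedule Invoke-ContractorExpirySweep daily (Task Scheduler
# or an Azure Automation runbook).
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All'

function Disable-Contractor {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$ContractorGroup = 'External-Contractors'   # assumed group name
    )

    $user  = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,accountEnabled'
    $group = Get-MgGroup -Filter "displayName eq '$ContractorGroup'"

    # 1. Leave the control group: the contractor policies stop applying at the next token refresh.
    $wasMember = [bool](Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id)
    if ($wasMember) {
        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
    }

    # 2. Block sign-in. This, not the group change, stops new tokens being issued; Exchange Online,
    #    SharePoint Online and Teams react to it within minutes (continuous access evaluation).
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 3. Invalidate refresh tokens so every other app loses the session when its access token expires.
    $null = Revoke-MgUserSignInSession -UserId $user.Id

    # 4. Read the state back instead of trusting that the calls succeeded silently.
    $after = Get-MgUser -UserId $user.Id -Property 'accountEnabled'
    [pscustomobject]@{
        User             = $user.UserPrincipalName
        RemovedFromGroup = $wasMember
        SignInBlocked    = -not $after.AccountEnabled
        RevokedAtUtc     = (Get-Date).ToUniversalTime()
    }
}

function Invoke-ContractorExpirySweep {
    param(
        [string]$ContractorGroup = 'External-Contractors',
        [datetime]$Today = (Get-Date).Date
    )

    $group = Get-MgGroup -Filter "displayName eq '$ContractorGroup'"
    foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
        $u   = Get-MgUser -UserId $member.Id -Property 'id,userPrincipalName,onPremisesExtensionAttributes'
        $raw = $u.OnPremisesExtensionAttributes.ExtensionAttribute1   # assumed: contract end, yyyy-MM-dd

        if (-not $raw) {
            # A contractor with no end date is the forgotten-account case this page is about.
            Write-Warning "$($u.UserPrincipalName): no end date recorded, review manually"
            continue
        }
        $end = [datetime]::ParseExact($raw, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        if ($end -lt $Today) {                 # access lasts through the end date itself
            Write-Host "Contract for $($u.UserPrincipalName) ended $raw; offboarding"
            Disable-Contractor -UserPrincipalName $u.UserPrincipalName -ContractorGroup $ContractorGroup
        }
    }
}

# One-off, the day someone leaves (assumed example account):
Disable-Contractor -UserPrincipalName 'jane.contractor@contoso.onmicrosoft.com'

# Daily, from the scheduler:
Invoke-ContractorExpirySweep
```

The sweep deliberately warns rather than disables when no end date is recorded: an automated lockout of someone whose paperwork was never filled in is a support incident, while a warning is a to-do item. Pair it with the dormant-account report so that both failure modes, forgotten dates and forgotten accounts, show up in the same weekly review.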

Forgotten contractor accounts are one of the easiest breaches to prevent. Conditional Access plus a scripted offboarding routine takes what is normally a manual, error-prone process and turns it into one group, one date, and a handful of repeatable commands. For small businesses, this is table-stakes security.

If you want help setting up Conditional Access for your contractor management, or if you want to audit your current contractor accounts to find forgotten access, contact Z-JAK Technologies today. Our Managed IT Services can design and deploy Conditional Access policies tailored to your business, and our Cybersecurity Consulting Services can help you audit your current contractor access and fix gaps before they become breaches.

Same-day revocation would have stopped the federal agency incident; MFA and least privilege would have stopped the Target breach from spreading past a vendor portal. Your business does not have to learn those lessons the hard way. Set up Conditional Access this week.