PCI DSS 8.2.6 says you must disable or delete any user who has not logged in for 90 days.
Here is what I have found so far:
Login Action
- Runs only after a user signs in.
- Doesn’t touch accounts that stay silent for 90 days or more.

Auth0 community suggestion
- Build an external job that polls Auth0 and blocks stale accounts.
- Adds another moving part that will grow with every new user.

My questions for you
- How do you handle this cleanly in Auth0 today?
- Did you find a built‑in feature I missed?
- Any tips on keeping the process light as the user base expands?
Thank you for bringing that to our attention! I will inform our engineering team about that. Would you also be able to open a new thread in the Product Feedback category, explaining your use case and describing the desired flow? Please make sure to upvote it so that it gets as many votes as possible and attracts as many community members as possible. You can read our FAQ regarding submitting a feature request here: How to Submit Product Feedback or Feature Requests
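A sketch of the selection and blocking steps of the external job mentioned in the question, as an added example that is not code from either poster or from Auth0. It assumes user records have already been fetched from the Management API (`GET /api/v2/users` or a user export job); the function names, sample records and tenant domain are hypothetical.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta

MAX_IDLE = timedelta(days=90)  # threshold quoted in the post for PCI DSS 8.2.6

def parse_ts(value):
    """Parse an Auth0 ISO-8601 timestamp such as 2025-01-15T10:22:31.123Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_users(users, now):
    """Return user_ids idle for 90 days or more and not yet blocked.

    Accounts that never signed in carry no last_login, so their age is
    measured from created_at; otherwise they would never expire.
    """
    stale = []
    for u in users:
        if u.get("blocked"):
            continue  # already disabled, nothing to do
        last_seen = parse_ts(u.get("last_login") or u["created_at"])
        if now - last_seen >= MAX_IDLE:
            stale.append(u["user_id"])
    return stale

def block_request(domain, token, user_id):
    """Build (not send) the PATCH /api/v2/users/{id} call that sets blocked."""
    # user_ids contain "|" and must be URL-encoded in the path.
    url = f"https://{domain}/api/v2/users/{urllib.parse.quote(user_id, safe='')}"
    return urllib.request.Request(
        url,
        data=json.dumps({"blocked": True}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

# Constructed sample records, shaped like Management API user objects.
SAMPLE_USERS = [
    {"user_id": "auth0|active", "created_at": "2024-01-01T00:00:00.000Z",
     "last_login": "2025-05-20T08:00:00.000Z"},
    {"user_id": "auth0|idle", "created_at": "2024-01-01T00:00:00.000Z",
     "last_login": "2025-01-10T08:00:00.000Z"},
    {"user_id": "auth0|never", "created_at": "2024-11-01T00:00:00.000Z"},
    {"user_id": "auth0|blocked", "created_at": "2023-01-01T00:00:00.000Z",
     "last_login": "2023-02-01T00:00:00.000Z", "blocked": True},
]
```

The token passed to `block_request` needs the `update:users` scope, and sending the request is a single `urllib.request.urlopen(req)` call per returned user_id.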