disable or delete any user who has not logged in for xx days

paul.mugford · July 1, 2025, 4:03pm

Feature: Add the dynamic ability to disable account after xx days of inactivity.

Description: PCI DSS 8.2.6 says you must disable or delete any user who has not logged in for 90 days

Use-case: We have created a complex post login action but

Runs only after a user signs in.
Doesn’t touch accounts that stay silent for 90 days or more
Does not really comply with PCI DSS 8.2.6 as it is not dynamically checking accounts.

The Auth0 community suggestion is :-

Build an external job that polls Auth0 and blocks stale accounts.
Adds another moving part an external dependancy that will grow with every new user.

Topic		Replies	Views
Deactivation/Block Users after 90 Days of Inactivity - How do you meet PCI DSS 8.2.6 in Auth0? Get Help user-profile , user-management	2	35	June 30, 2025
Deactivate (or block) users after X number of days Get Help	4	5522	February 27, 2020
Deleted users are able to reactivated their accounts by logging in (social users) Get Help login-experience , new-universal-login-experience	5	1224	October 16, 2023
Deactivation or Block Users after X Number of Days of Inactivity Knowledge Articles inactivity , blocked-user	1	498	April 26, 2024
Destroy session after user delete Get Help delete-user , sessions	5	6491	March 12, 2021