Reevaluate "potential stale accounts in a privileged role" alert
This alert is meant to identify "Accounts in a privileged role that have not changed their password in the past 90 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers."
Password age is not a good way to identify stale accounts. Secure Score has a control that encourages setting passwords to never expire, based on research that also led NIST to update its position on password expiration policies and led the Microsoft security baseline for Windows 10 to recommend not expiring passwords (see below).
A stale account is one that has not been logged into recently.
A stale account that is at risk is one that has a compromised credential and does not have MFA enabled, or one that has a compromised credential and a compromised MFA token.
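To show how the two criteria diverge on realistic data, here is an added example (not part of the original post and not Microsoft's alert logic) that scores a constructed set of privileged accounts two ways: by password age, as the alert does today, and by last sign-in, as the post proposes. The account names, dates and the `mfa_registered` flag are assumptions; MFA registration is used here as the observable stand-in for the "does not have MFA enabled" condition, since credential compromise itself is not something a directory attribute reveals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time and sample accounts (hypothetical, not from any real tenant).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class PrivilegedAccount:
    upn: str
    password_last_set: datetime
    last_sign_in: Optional[datetime]  # None = no sign-in on record
    mfa_registered: bool


SAMPLE = [
    # Active service account: password untouched for over a year, but used daily.
    PrivilegedAccount("svc-backup@example.test", NOW - timedelta(days=400),
                      NOW - timedelta(days=1), True),
    # Former admin: password rotated last month, but no sign-in for seven months and no MFA.
    PrivilegedAccount("old-admin@example.test", NOW - timedelta(days=30),
                      NOW - timedelta(days=210), False),
    # Healthy admin: recent password change, recent sign-in, MFA registered.
    PrivilegedAccount("admin@example.test", NOW - timedelta(days=20),
                      NOW - timedelta(days=2), True),
    # Never-used account with an old password and no MFA: both criteria agree.
    PrivilegedAccount("break-glass2@example.test", NOW - timedelta(days=300),
                      None, False),
]


def days_since(ts: Optional[datetime], now: datetime) -> Optional[int]:
    """Whole days between ts and now; None when there is no timestamp."""
    return None if ts is None else (now - ts).days


def flagged_by_password_age(accounts, now=NOW, max_days=90):
    """The alert's current criterion: password not changed within max_days."""
    return {a.upn for a in accounts
            if days_since(a.password_last_set, now) > max_days}


def stale_by_sign_in(accounts, now=NOW, max_days=90):
    """The post's definition of stale: no sign-in within max_days (or ever)."""
    stale = set()
    for a in accounts:
        d = days_since(a.last_sign_in, now)
        if d is None or d > max_days:
            stale.add(a.upn)
    return stale


def stale_without_mfa(accounts, now=NOW, max_days=90):
    """Stale accounts that also lack MFA: the subset a compromised credential would expose."""
    stale = stale_by_sign_in(accounts, now, max_days)
    return {a.upn for a in accounts if a.upn in stale and not a.mfa_registered}


def compare(accounts, now=NOW, max_days=90):
    """Partition accounts by which criterion flags them, to show where the two disagree."""
    by_pw = flagged_by_password_age(accounts, now, max_days)
    by_si = stale_by_sign_in(accounts, now, max_days)
    return {
        "password_age_only": by_pw - by_si,  # active accounts the alert would mislabel as stale
        "sign_in_only": by_si - by_pw,       # genuinely unused accounts the alert misses
        "both": by_pw & by_si,
    }


if __name__ == "__main__":
    for bucket, upns in compare(SAMPLE).items():
        print(f"{bucket}: {sorted(upns)}")
    print("stale and no MFA:", sorted(stale_without_mfa(SAMPLE)))
```

On this sample the password-age rule flags the busy service account and misses the admin who rotated a password and then stopped signing in; the sign-in rule does the opposite, and intersecting it with MFA state yields the accounts actually worth an alert.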
securescore.office.com has a control worth 10 points named "Do not
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
Microsoft draft security baseline for Windows 10 guidance
"Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there's no need to expire it."