0 votes

Hi,

I'm trying to add a column to a report to retrieve the last login data from AAD/Graph using the script posted here, but I'm running into the following error message: Cannot find an overload for "GetAzureAuthAccessToken" and the argument count: "1".

I'm using an application account for M365 tenant connection, it has the following Graph permissions and AAD roles:

  • Cloud application administrator
  • AuditLog.Read.All
  • User.Read
  • User.Read.All

Here's the script I'm using for the custom column:

# Get access token for Microsoft Graph API
$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com/")

# Get the last logon date
$userId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
$url = 'https://graph.microsoft.com/beta/users/' + $userId.ToString() + '?$select=signInActivity'
$response = Invoke-RestMethod -Method GET `
    -uri $url `
    -Headers @{Authorization="Bearer $token"}

$lastLogonDate = $response.value[0].signInActivity.lastSignInDateTime


# Assign a column value to $Context.Value 
$Context.Value = $lastLogonDate
by (240 points)
0

Hello Richard,

Please, specify the version of Adaxes you are currently using. For information on how to check it, have a look at the following help article: https://www.adaxes.com/help/CheckServiceVersion.

0

Hi,

Adaxes product version is 3.14.19312.0

0

Hello Richard,

Thank you for specifying. The script should work just fine in version 3.14.19312.0. Could you, please, specify whether you have multiple instances of Adaxes service sharing common configuration? If you do, please, make sure that all the services are of version 3.14.19312.0. For details on how to check Adaxes services sharing common configuration and their versions, see https://www.adaxes.com/help/MultiServerEnvironment.

0

We only have the one instance on a single server. A similar script works as a custom command, it just doesn't as a custom column script as a part of the last login default report.

1 Answer

0 votes
by (226k points)

Hello Richard,

Thank you for the provided details. The thing is that you are using a wrong method. In reports and report custom columns the script will be different as the method requires passing an object as a parameter. For details and examples, see https://adaxes.com/sdk/ReportCloudServicesScriptContextClass/#GetAzureAuthAccessToken(IADs)_details.

Also, it is not a good idea to establish the connection in a custom column because it will be done separately for each object being added to the report. It is recommended to get the data right in the script for report generation. It will allow you to establish the connection just once. For details, have a look at section Setting values for custom columns of the following SDK article: https://adaxes.com/sdk/GeneratingReports/#setting-values-for-custom-columns.

0

I've had a go but I'm running into an error loading the adm-O365ObjectId attribute for the script you've linked:

[Exception calling "Get" with "1" argument(s): "The 'adm-O365ObjectId' property cannot be found in the cache."] Unspecified error.

Here's the script I'm using:

# Search filter
$filterUsers = "(&(sAMAccountType=805306368)(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7241860145202))))"
$Context.DirectorySearcher.AppendFilter($filterUsers)

$AADlastlogoncolumnID = "{cb10b107-2f09-4016-8ffd-a6b0e1a9d6ca}"

# Add AAD ObjectID to the list of properties to fetch
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("adm-O365ObjectId")

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        #Bind to current search result
        $searchResult = $searchIterator.Current
        $user = $Context.BindToObjectBySearchResult($searchResult)

        # Get access token for Microsoft Graph API
        $token = $Context.CloudServices.GetAzureAuthAccessToken($user)

        # Get the last logon date
        $o365ObjectId = [Guid]$user.Get("adm-O365ObjectId")
        $url = 'https://graph.microsoft.com/beta/users/' + $o365ObjectId.ToString() + `
        '?$select=signInActivity'
        $response = Invoke-RestMethod -Method GET `
            -uri $url `
            -Headers @{Authorization="Bearer $token"}

        $AADlastlogonvalue = $response.value[0].signInActivity.lastSignInDateTime     


        # Add the user to the report
        $columnValues = @{ }
        $columnValues.Add($AADlastlogoncolumnID, $AADlastlogonvalue)
        $Context.Items.Add($searchResult, $columnValues, $NULL)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
0

Hello Richard,

The error occurs because the account you execute the script for does not have a Microsoft 365 account or is not associated with a Microsoft 365 tenant in Adaxes. For information on how to check the latter, have a look at the following help article: https://www.adaxes.com/help/LookupTenantForUser.

For your information, it is recommended to always put requests to property values into try-catch blocks. Finally, your script should look like the following:

try
{
    $o365ObjectId = [Guid]$user.Get("adm-O365ObjectId")
}
catch
{
    break
}
0

The user is synced to AAD and running Lookup Tenant For User does succeed.

Thanks for the advice on the property values in try-catch blocks, I've completed that change.

I now get the following error:

Cannot index into a null array. Stack trace: at <ScriptBlock>, <No file>: line 37

Which is this line:

$AADlastlogonvalue = $response.value[0].signInActivity.lastSignInDateTime

Suggesting the query to MS Graph worked but returned no results; however, I can see in AAD sign-in logs a recent result.

0

Hello,

Most probably, the issue is related to the permissions of the account used to register your Microsoft 365 tenant in Adaxes. Unfortunately, we are currently very limited in resources and have no possibility to test the script and help you determine the root cause of the issue. Should you have issues doing it yourself, we encourage you to address the request to our consulting partners that provide professional services: https://www.adaxes.com/purchase_consultants.htm. Sorry for the inconvenience and thank you for your understanding.
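
Added example, not part of the original thread and not Adaxes code: a Microsoft Graph request for one user (`/users/{id}?$select=signInActivity`) returns the user object itself rather than a `value` array, so `$response.value[0]` raises "Cannot index into a null array" on that shape. The hypothetical helper `Get-LastSignIn` below reads `signInActivity` from either response shape and returns `$null` when it is missing; the JSON payloads are constructed samples.

```powershell
# Added example; payloads are constructed samples, not captured from a tenant.

# Shape of GET /users/{id}?$select=signInActivity : the user object itself.
$singleUser = @'
{ "id": "00000000-0000-0000-0000-000000000001",
  "signInActivity": { "lastSignInDateTime": "2021-03-01T09:15:00Z" } }
'@ | ConvertFrom-Json

# Shape of a collection query (GET /users?$select=signInActivity): a "value" array.
$collection = @'
{ "value": [ { "id": "00000000-0000-0000-0000-000000000001",
               "signInActivity": { "lastSignInDateTime": "2021-03-01T09:15:00Z" } } ] }
'@ | ConvertFrom-Json

# A user object that carries no signInActivity property at all.
$noActivity = '{ "id": "00000000-0000-0000-0000-000000000002" }' | ConvertFrom-Json

function Get-LastSignIn {
    # Hypothetical helper: returns lastSignInDateTime, or $null when it is absent.
    param([Parameter(Mandatory)] [psobject] $Response)

    $user = $Response
    if ($Response.PSObject.Properties['value']) {
        # Collection response: use the first element, if there is one.
        $user = @($Response.value) | Select-Object -First 1
    }
    if ($null -eq $user) { return $null }

    $activity = $user.PSObject.Properties['signInActivity']
    if ($null -eq $activity -or $null -eq $activity.Value) { return $null }
    return $activity.Value.lastSignInDateTime
}

# The expression from the thread, applied to the single-user shape.
try {
    $singleUser.value[0].signInActivity.lastSignInDateTime
} catch {
    "value[0] on a single-user response: $($_.Exception.Message)"
}

foreach ($r in $singleUser, $collection, $noActivity) {
    $last = Get-LastSignIn -Response $r
    if ($null -eq $last) { 'no sign-in data returned' } else { "last sign-in: $last" }
}
```

In a report script, the object returned by `Invoke-RestMethod` can be passed to the helper directly, and a `$null` result written to the column as an empty value.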
