0 votes

Hi,

I'm trying to add a column to a report to retrieve the last login data from AAD/Graph using the script posted here, but I'm running into the following error message: Cannot find an overload for "GetAzureAuthAccessToken" and the argument count: "1".

I'm using an application account for the M365 tenant connection; it has the following Graph permissions and AAD roles:

  • Cloud application administrator
  • AuditLog.Read.All
  • User.Read
  • User.Read.All

Here's the script I'm using for the custom column:

# Get access token for Microsoft Graph API
$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com/")

# Get the last logon date
$userId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
$url = 'https://graph.microsoft.com/beta/users/' + $userId.ToString() + '?$select=signInActivity'
$response = Invoke-RestMethod -Method GET `
    -uri $url `
    -Headers @{Authorization="Bearer $token"}

$lastLogonDate = $response.value[0].signInActivity.lastSignInDateTime


# Assign a column value to $Context.Value 
$Context.Value = $lastLogonDate
by (260 points)
0

Hello Richard,

Please, specify the version of Adaxes you are currently using. For information on how to check it, have a look at the following help article: https://www.adaxes.com/help/CheckServiceVersion.

0

Hi,

Adaxes product version is 3.14.19312.0

0

Hello Richard,

Thank you for specifying. The script should work just fine in version 3.14.19312.0. Could you please specify whether you have multiple instances of Adaxes service sharing common configuration? If you do, please make sure that all the services are of version 3.14.19312.0. For details on how to check Adaxes services sharing common configuration and their versions, see https://www.adaxes.com/help/MultiServerEnvironment.

0

We only have the one instance on a single server. A similar script works as a custom command; it just doesn't work as a custom column script as part of the last login default report.

1 Answer

0 votes
by (282k points)

Hello Richard,

Thank you for the provided details. The thing is that you are using the wrong method. In reports and report custom columns, the script will be different, as the method requires passing an object as a parameter. For details and examples, see https://adaxes.com/sdk/ReportCloudServicesScriptContextClass/#GetAzureAuthAccessToken(IADs)_details.

Also, it is not a good idea to establish the connection in a custom column because it will be done separately for each object being added to the report. It is recommended to get the data right in the script for report generation. It will allow you to establish the connection just once. For details, have a look at section Setting values for custom columns of the following SDK article: https://adaxes.com/sdk/GeneratingReports/#setting-values-for-custom-columns.

0

I've had a go but am running into an error loading the adm-O365ObjectId attribute for the script you've linked:

[Exception calling "Get" with "1" argument(s): "The 'adm-O365ObjectId' property cannot be found in the cache."] Unspecified error.

Here's the script I'm using:

# Search filter
$filterUsers = "(&(sAMAccountType=805306368)(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7241860145202))))"
$Context.DirectorySearcher.AppendFilter($filterUsers)

$AADlastlogoncolumnID = "{cb10b107-2f09-4016-8ffd-a6b0e1a9d6ca}"

# Add AAD ObjectID to the list of properties to fetch
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("adm-O365ObjectId")

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        #Bind to current search result
        $searchResult = $searchIterator.Current
        $user = $Context.BindToObjectBySearchResult($searchResult)

        # Get access token for Microsoft Graph API
        $token = $Context.CloudServices.GetAzureAuthAccessToken($user)

        # Get the last logon date
        $o365ObjectId = [Guid]$user.Get("adm-O365ObjectId")
        $url = 'https://graph.microsoft.com/beta/users/' + $o365ObjectId.ToString() + `
        '?$select=signInActivity'
        $response = Invoke-RestMethod -Method GET `
            -uri $url `
            -Headers @{Authorization="Bearer $token"}

        $AADlastlogonvalue = $response.value[0].signInActivity.lastSignInDateTime     


        # Add the user to the report
        $columnValues = @{ }
        $columnValues.Add($AADlastlogoncolumnID, $AADlastlogonvalue)
        $Context.Items.Add($searchResult, $columnValues, $NULL)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
0

Hello Richard,

The error occurs because the account you execute the script for does not have a Microsoft 365 account or is not associated with a Microsoft 365 tenant in Adaxes. For information on how to check the latter, have a look at the following help article: https://www.adaxes.com/help/LookupTenantForUser.

For your information, it is recommended to always put requests to property values into try-catch blocks. Finally, your script should look like the following:

try
{
    $o365ObjectId = [Guid]$user.Get("adm-O365ObjectId")
}
catch
{
    break
}
0

The user is synced to AAD, and running Lookup Tenant For User does succeed.

Thanks for the advice on the property values in try-catch blocks, I've completed that change.

I now get the following error: Cannot index into a null array. Stack trace: at <ScriptBlock>, <No file>: line 37. Which is this line: $AADlastlogonvalue = $response.value[0].signInActivity.lastSignInDateTime

Suggesting the query to MS Graph worked but returned no results; however, I can see a recent result in the AAD sign-in logs.

0

Hello,

Most probably, the issue is related to the permissions of the account used to register your Microsoft 365 tenant in Adaxes. Unfortunately, we are currently very limited in resources and have no possibility to test the script and help you determine the root cause of the issue. Should you have issues doing it yourself, we encourage you to address the request to our consulting partners that provide professional services: https://www.adaxes.com/purchase_consultants.htm. Sorry for the inconvenience and thank you for your understanding.
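
Added example (not part of the thread, and not Adaxes or Microsoft code): Microsoft Graph returns the user object itself for a single-user request such as GET /users/{id}?$select=signInActivity, and wraps results in a `value` array only for collection requests, so indexing `.value[0]` on a single-user response raises "Cannot index into a null array". The hypothetical helper `Get-LastSignInDateTime` below reads `lastSignInDateTime` from either response shape and returns `$null` when the field is absent; the JSON samples and GUIDs are constructed.

```powershell
# Added example: hypothetical helper, constructed sample data (no tenant or token needed).
function Get-LastSignInDateTime {
    param([Parameter(Mandatory)][AllowNull()] $Response)

    if ($null -eq $Response) { return $null }

    # Collection requests (GET /users?...) wrap results in a 'value' array;
    # a single-user request (GET /users/{id}) returns the user object directly.
    $valueProp = $Response.PSObject.Properties['value']
    if ($valueProp) {
        $items = @($valueProp.Value)
        if ($items.Count -eq 0) { return $null }   # query matched no users
        $user = $items[0]
    }
    else {
        $user = $Response
    }
    if ($null -eq $user) { return $null }

    # signInActivity is omitted when no sign-in is recorded or when the
    # caller is not allowed to read it, so test before dereferencing.
    $activityProp = $user.PSObject.Properties['signInActivity']
    if (-not $activityProp -or $null -eq $activityProp.Value) { return $null }

    $lastProp = $activityProp.Value.PSObject.Properties['lastSignInDateTime']
    if (-not $lastProp) { return $null }
    return $lastProp.Value
}

# Constructed sample responses covering the three shapes a report script can meet.
$single = '{"id":"00000000-0000-0000-0000-000000000001",' +
          '"signInActivity":{"lastSignInDateTime":"2023-01-15T09:30:00Z"}}' | ConvertFrom-Json
$collection = '{"value":[{"id":"00000000-0000-0000-0000-000000000002",' +
              '"signInActivity":{"lastSignInDateTime":"2023-01-10T08:00:00Z"}}]}' | ConvertFrom-Json
$noActivity = '{"id":"00000000-0000-0000-0000-000000000003"}' | ConvertFrom-Json

foreach ($sample in @($single, $collection, $noActivity)) {
    $last = Get-LastSignInDateTime -Response $sample
    if ($null -eq $last) { 'no sign-in data returned' } else { "last sign-in: $last" }
}
```

In a report loop, a `$null` result can be written to the column as an empty value so that one user without sign-in data does not abort the whole report.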
