0 votes

Hello,

The report named Inactive users allowed to log in shows the Active Directory sign-in (Last-Logon-Timestamp) and Azure AD sign-in (Last Logon) but only for Active Directory Synchronised Users (Directory Type = On-premises AD).

Any user with Directory Type of Azure AD does not have a Last Logon timestamp shown. Therefore every Azure AD user appears in the inactive user report.

Is there a way to get the Last Logon information to appear in the report - and can this value appear in the user management view.

We are currently managing Azure AD sign-in using an extension attribute which is updated by an Azure logic App. But we'd love to have this natively in Adaxes.

by (40 points)
0

Hello Gavin,

Do we understand correctly that you upgraded to Adaxes 2023 with restoring your Adaxes configuration from a backup? If that is correct, you need to restore the report to its initial state: image.png

0

We haven't restored the config. Adaxes 2023 has been installed on a new server and we are testing in parrallel.

The issue appeared to be missing permissions for the APP registration. We'd setup the registration up for use with the existing Adaxes version but didn't use it.

I corrected the permissions and now I can see sign-in dates in the Last-Logon-Timestamp column for Azure AD users which is great. The Last Logon column is empty for Azure AD users.

It does raise another issue however. For Active Diretory synchronised users we see two values. Last-Logon-Timestamp which is the value from AD. Last Logon which I was hoping would be the Azure AD last sign-in date.

For one user it shows 13/07/2020 In the Azure portal the actual last sign-in was 13/12/2022 I've checked a few others and the date in Last Logon doesn't show the same value as the portal.

Should Last Logon be the Azure AD last sign-in date or does this represent another value?

1 Answer

0 votes
by (267k points)

Hello Gavin,

Sorry for the confusion, but you are not quite right. Azure AD accounts do not have the Last Logon property in Adaxes at all. The corresponding information is taken from Azure AD and is reflected by Adaxes as the value of the Last Logon Timestamp property.

At the same time for on-premises AD user there is huge peculiarity regarding this point. First of all, the Last Logon property is not replicated. It means that the property value can be different on different domain controllers (DCs). As a result when you make a request, the property value depends on the DC you are querying. In this case, it is the DC Adaxes is connected to. Meanwhile, the Last Logon Timestamp property is replicated in AD and provides more relevant information.

Related questions

+1 vote
0 answers

Currently, users from Azure AD domains cannot log in to Adaxes Web interface and cannot use password self-service to reset their forgotten passwords. Cause Feature is not yet implemented. Will be implemented in one of the future releases.

asked Nov 16, 2022 by Adaxes (550 points)
0 votes
1 answer

Guys, I have implemeted SSO with Azure AD with my test instance. I am using 2019.2. Works fine - MFA triggers etc. But when I log out from Adaxes websites, it ... to attract some nasty looks from Infosec guys - specially when it is a user management tool.

asked Aug 3, 2020 by Brajesh (460 points)
0 votes
1 answer

Hi When reading the REST API documentation it does not mention working directly against Azure AD and Exchange Online. Will this be added? Thanks /Peter Sonander

asked Jan 26, 2023 by Sonander (40 points)
0 votes
1 answer

We manage employee user accounts in our on-premise Active Directory and synchronize them to Azure Active Directory using Azure AD Connect. We'd like to be able to generate ... if this is possible so we can easily identify user accounts that are truly inactive.

asked May 9, 2023 by RickWaukCo (320 points)
0 votes
1 answer

Hello, Is there a built in method for checking user accounts that have expired in Azure?

asked Jul 31, 2023 by Homelander90 (330 points)
3,293 questions
2,991 answers
7,664 comments
544,159 users