0 votes

Hello there,

We have recently moved (almost) every computer from on-prem to cloud only and have set up some scheduled tasks to disable users based off of Last Logon and Last Logon Timestamp attributes inside Adaxes. If users are only signing into cloud apps, though, Adaxes doesn't register that sign-in.

I have added our Azure AD as a managed domain in Adaxes hoping that it would give us access to that last login data that Azure has, but I'm not seeing any Last Logon attributes at all for users under the Azure AD managed domain in Adaxes Console. Is this achievable in a different way? And if not, are there any plans to leverage that data?

by (20 points)

1 Answer

0 votes
by (277k points)

Hello Jacob,

The thing is that logon information is stored separately for Entra accounts and for on-premises AD accounts. To check when a user last logged on to Entra, you can use the following script from our repository: https://www.adaxes.com/script-repository/check-entra-account-last-logon-s692.htm.

0

I was able to figure this out and implement it in Adaxes. You'll want to make sure you have these permissions in your enterprise application for Adaxes in Azure. They have to be Application, not Delegated.

[Image: adaxes.PNG]

Once this is done the last logon timestamp attribute appeared for the Azure users in Adaxes. We created a scheduled task that would scope to the Azure domain users OU, look for the on-prem synced attribute to be true (that way this won't inadvertently target cloud-only users), check if the account is enabled, check if the last-logon-timestamp attribute is before %datetime, -1M% (you can adjust the length of time to your preference), and, this one is optional, but I added in a When Created attribute is before %datetime, -1M% just so it wouldn't target new hires.

For the action I just had it run a PowerShell script and did the following:

Disable-ADAccount -Identity %onPremisesObjectGuid% -Confirm:$false

Hope this helps!
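
The scheduled task conditions described in the comment above, written out as a dry-run filter that disables nothing. This is an added example, not code from the original post or from Adaxes. The function name Get-StaleSyncedUser, the sample records and the separate "Review" outcome for accounts with no recorded sign-in are assumptions; the property names follow the Microsoft Graph user resource.

```powershell
# Added example: selection logic only, no account is modified.
# Get-StaleSyncedUser is a hypothetical name; all sample records are constructed.
function Get-StaleSyncedUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$User,
        [int]$InactiveMonths = 1,
        [datetime]$Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddMonths(-$InactiveMonths) }
    process {
        # Only accounts synced from on-prem AD, so cloud-only users are never selected.
        if ($User.onPremisesSyncEnabled -ne $true) { return }
        # Already-disabled accounts need no action.
        if (-not $User.accountEnabled) { return }
        # Skip accounts created inside the window (new hires).
        if ([datetime]$User.createdDateTime -ge $cutoff) { return }

        $last = $User.signInActivity.lastSignInDateTime
        if ($null -eq $last) {
            # Assumption: no recorded sign-in is routed to manual review,
            # because a missing value does not prove the account is unused.
            $action = 'Review'
        }
        elseif ([datetime]$last -lt $cutoff) { $action = 'Disable' }
        else { return }

        [pscustomobject]@{
            UserPrincipalName = $User.userPrincipalName
            LastSignIn        = $last
            Action            = $action
        }
    }
}

# Constructed sample data with a fixed reference date so the result is repeatable.
$now = [datetime]'2024-06-01'
$mk  = { param($upn, $synced, $enabled, $created, $last)
    [pscustomobject]@{ userPrincipalName = $upn; onPremisesSyncEnabled = $synced
        accountEnabled = $enabled; createdDateTime = [datetime]$created
        signInActivity = [pscustomobject]@{ lastSignInDateTime = $last } } }
$sample = @(
    (& $mk 'stale@example.com'     $true  $true  '2022-01-10' ([datetime]'2024-03-02')),
    (& $mk 'active@example.com'    $true  $true  '2022-01-10' ([datetime]'2024-05-28')),
    (& $mk 'cloudonly@example.com' $null  $true  '2022-01-10' ([datetime]'2023-11-01')),
    (& $mk 'newhire@example.com'   $true  $true  '2024-05-20' $null),
    (& $mk 'neverused@example.com' $true  $true  '2023-02-01' $null)
)
$sample | Get-StaleSyncedUser -Now $now | Format-Table -AutoSize
```

With the constructed data only stale@example.com is marked Disable and neverused@example.com is marked Review; the active, cloud-only and new-hire accounts are skipped.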
