Inactive users allowed to log in - No Sign-in information for Azure AD user

Question

Hello,

The report named Inactive users allowed to log in shows the Active Directory sign-in (Last-Logon-Timestamp) and Azure AD sign-in (Last Logon) but only for Active Directory Synchronised Users (Directory Type = On-premises AD).

Any user with Directory Type of Azure AD does not have a Last Logon timestamp shown. Therefore every Azure AD user appears in the inactive user report.

Is there a way to get the Last Logon information to appear in the report - and can this value appear in the user management view.

We are currently managing Azure AD sign-in using an extension attribute which is updated by an Azure logic App. But we'd love to have this natively in Adaxes.

Comments

Hello Gavin,

Do we understand correctly that you upgraded to Adaxes 2023 with restoring your Adaxes configuration from a backup? If that is correct, you need to restore the report to its initial state:

---

We haven't restored the config. Adaxes 2023 has been installed on a new server and we are testing in parrallel.

The issue appeared to be missing permissions for the APP registration. We'd setup the registration up for use with the existing Adaxes version but didn't use it.

I corrected the permissions and now I can see sign-in dates in the Last-Logon-Timestamp column for Azure AD users which is great. The Last Logon column is empty for Azure AD users.

It does raise another issue however. For Active Diretory synchronised users we see two values. Last-Logon-Timestamp which is the value from AD. Last Logon which I was hoping would be the Azure AD last sign-in date.

For one user it shows 13/07/2020 In the Azure portal the actual last sign-in was 13/12/2022 I've checked a few others and the date in Last Logon doesn't show the same value as the portal.

Should Last Logon be the Azure AD last sign-in date or does this represent another value?

Answer 1

Hello Gavin,

Sorry for the confusion, but you are not quite right. Azure AD accounts do not have the Last Logon property in Adaxes at all. The corresponding information is taken from Azure AD and is reflected by Adaxes as the value of the Last Logon Timestamp property.

At the same time for on-premises AD user there is huge peculiarity regarding this point. First of all, the Last Logon property is not replicated. It means that the property value can be different on different domain controllers (DCs). As a result when you make a request, the property value depends on the DC you are querying. In this case, it is the DC Adaxes is connected to. Meanwhile, the Last Logon Timestamp property is replicated in AD and provides more relevant information.

Comments

I was able to figure this out and implement it in Adaxes. You'll want to make sure you have these permissions in your enterprise application for Adaxes in Azure. They have to be Application, not Delegated.

Once this is done the last logon timestamp attribute appeared for the Azure users in Adaxes.

Hope this helps!