0 votes

Hello,

The report named Inactive users allowed to log in shows the Active Directory sign-in (Last-Logon-Timestamp) and Azure AD sign-in (Last Logon) but only for Active Directory Synchronised Users (Directory Type = On-premises AD).

Any user with Directory Type of Azure AD does not have a Last Logon timestamp shown. Therefore every Azure AD user appears in the inactive user report.

Is there a way to get the Last Logon information to appear in the report, and can this value appear in the user management view?

We are currently managing Azure AD sign-in using an extension attribute which is updated by an Azure Logic App. But we'd love to have this natively in Adaxes.

by (40 points)
0

Hello Gavin,

Do we understand correctly that you upgraded to Adaxes 2023 with restoring your Adaxes configuration from a backup? If that is correct, you need to restore the report to its initial state: image.png

0

We haven't restored the config. Adaxes 2023 has been installed on a new server and we are testing in parallel.

The issue appeared to be missing permissions for the app registration. We'd set the registration up for use with the existing Adaxes version but didn't use it.

I corrected the permissions and now I can see sign-in dates in the Last-Logon-Timestamp column for Azure AD users which is great. The Last Logon column is empty for Azure AD users.

It does raise another issue, however. For Active Directory synchronised users we see two values. Last-Logon-Timestamp, which is the value from AD. Last Logon, which I was hoping would be the Azure AD last sign-in date.

For one user it shows 13/07/2020. In the Azure portal the actual last sign-in was 13/12/2022. I've checked a few others and the date in Last Logon doesn't show the same value as the portal.

Should Last Logon be the Azure AD last sign-in date or does this represent another value?

1 Answer

0 votes
by (294k points)

Hello Gavin,

Sorry for the confusion, but you are not quite right. Azure AD accounts do not have the Last Logon property in Adaxes at all. The corresponding information is taken from Azure AD and is reflected by Adaxes as the value of the Last Logon Timestamp property.

At the same time, for on-premises AD users there is a huge peculiarity regarding this point. First of all, the Last Logon property is not replicated. It means that the property value can be different on different domain controllers (DCs). As a result, when you make a request, the property value depends on the DC you are querying. In this case, it is the DC Adaxes is connected to. Meanwhile, the Last Logon Timestamp property is replicated in AD and provides more relevant information.
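
The per-DC behaviour described in the answer above can be checked directly. The following is an added example, not part of the original answer and not Adaxes code: it reads the non-replicated `lastLogon` attribute from every domain controller and reports the newest value next to the replicated `lastLogonTimestamp`. It assumes the ActiveDirectory PowerShell module (RSAT); the function names and the account name `jdoe` are placeholders.

```powershell
Import-Module ActiveDirectory

# AD stores both attributes as Windows FILETIME integers; 0 or empty means "never".
function ConvertFrom-FileTime {
    param([Nullable[long]] $Value)
    if (-not $Value -or $Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-TrueLastLogon {
    param([Parameter(Mandatory)] [string] $Identity)

    # lastLogon is not replicated, so every DC has to be asked for its own copy.
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC means the result may understate the real last logon.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            DC                 = $dc.HostName
            LastLogon          = ConvertFrom-FileTime $u.lastLogon
            LastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp
        }
    }

    # The newest lastLogon seen on any DC is the account's actual last logon.
    $latest = $perDc | Where-Object LastLogon |
        Sort-Object LastLogon -Descending | Select-Object -First 1
    # lastLogonTimestamp is replicated; take the newest copy in case replication lags.
    $replicated = $perDc | Where-Object LastLogonTimestamp |
        Sort-Object LastLogonTimestamp -Descending | Select-Object -First 1

    [pscustomobject]@{
        User                = $Identity
        TrueLastLogon       = $latest.LastLogon
        SeenOnDC            = $latest.DC
        ReplicatedTimestamp = $replicated.LastLogonTimestamp
        PerDC               = $perDc
    }
}

# Example call with a placeholder account name:
Get-TrueLastLogon -Identity 'jdoe' | Format-List User, TrueLastLogon, SeenOnDC, ReplicatedTimestamp
```

With default domain settings `lastLogonTimestamp` is only refreshed when the stored value is roughly 9 to 14 days old, so it can trail the newest `lastLogon`; it is suited to inactivity thresholds of weeks or months rather than to exact sign-in times.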

0

I was able to figure this out and implement it in Adaxes. You'll want to make sure you have these permissions in your enterprise application for Adaxes in Azure. They have to be Application, not Delegated.

adaxes.PNG

Once this is done the last logon timestamp attribute appeared for the Azure users in Adaxes.

Hope this helps!
