Adaxes

What is the best way of establishing the last logon when a user account has both a AD and AzureAD user account?

0 votes

I am unsure how to deal with this because of how Adaxes treats one identity account as two different objects, an AD and AzureAD user account, and both has different last logon values.

What is a good way to combine the data?

by (160 points)
0

Hello Daniel,

The behavior has nothing to do with Adaxes. It comes from Microsoft. First of all, Entra (former Azure AD) accounts do not have the Last Logon property at all. Both the on-premises accounts and Entra accounts have the Last Logon Timestamp property. However, it is not replicated and the behavior is by design. Pay attention that there is also Exchange Online login and that it a totally different story. For us to suggest a solution, please, describe the desired workflow in all the possible details with live examples.

by (289k points)
0

I have the same question, I assume that Daniel's requirement is similar to mine.

I want to be able to select users that have an older than xx AD lastlogon time stamp AND also have an older than yy Azure last logon time stamp / last authenticated / last activity time stamp so that users that have not been authenticated by the AD domain but are active in Azure are not false positives for inactivity who mistakenly get their AD account disabled and lose access to resources unnecessarily.

by (20 points)
0

Hello,

Sorry for the confusion, but we are not sure what exactly you mean by select users here. Do you need a report containing only the users that have both dates older than a specific period? Also, please, specify whether you have your Entra domain (not Microsoft 365 tenant) registered in Adaxes (will be displayed under the Managed domains node).

by (289k points)
0

I have a scheduled task that moves, strips group memberships from and disables users when their last login timestamp is more than 5 weeks ago.

I don't want users that are actively using their account in Azure to be caught by this task. I want to add an exception for those user accounts that have recent authentications in Azure.

The current scheduled task catches users that do not have a recent domain last login timestamp. In those cases those users have generally been authenticated by Entra and are actively present in Azure / M365 logs as being active.

Am I over thinking this?

I have a task which mainly does what I need. An unwanted impact is inconveniencing users that are able to connect into our infrastructure and do their work without logging into AD. Until they unexpectedly get switched off.

by (20 points)

1 Answer

0 votes
by (289k points)

Hello,

If you register your Entra domain in Adaxes, you can use the following script from our repository in the scheduled task condition: https://www.adaxes.com/script-repository/check-entra-account-last-logon-s692.htm.

Related questions

0 votes
1 answer
What is the best way to handle delayed changes to a user account?

I belive we may have opened a ticket for this question in the past but I can't find the answer. We have a need to delay changing user attributes until their ... title, and department until the scheduled date. Any help would be much much appreciated. Thanks!

asked Jan 13, 2022 by trwhalen (70 points)
0 votes
1 answer
What is the most current way of checking if a user has MFA enabled in Azure?

We used to use a script to check if an AD user's MFA was set in Azure (Hybrid AD/AAD set up). I do not think it is relevant any longer. Is there another script that handles this or some other functionality in order to check a user's Azure MFA status?

asked Aug 23 by msheppard (470 points)
0 votes
1 answer
Is there a way to get the name of the user who approved a request and supply that to a step inside of a custom command?

Is there a way to get the name of the user who approved a request and supply that to a step inside of a custom command? For example, HR submits a status change for an employee. ... and pass it as a param in a custom command that is called in one of the steps?

asked May 12, 2021 by davfount90 (20 points)
0 votes
1 answer
Is there a way to send notification to remind users of AD for changing password when it is about to expire?

We are evaluating the product and would like to let users of AD to change password in self service page. We would like to set a 90 days change password policy, ... self service page? Is it achievable (with customization and batch program)? Thanks in advance.

asked Apr 27, 2020 by eric (20 points)
0 votes
1 answer
Is there a report that will show users recently moved (in the last 7 days) to one of four different OUs in AD?

We have four OUs in Active Directory (Pending Deletion, Disabled with Mail Delegates, Disabled with HR Extensions and Disabled_Temp_Leave) that users are moved to prior to their eventual ... past 7 days have been moved to one of 4 of these OUs. Thanks!

asked Jun 3, 2021 by RayBilyk (240 points)
3,548 questions
3,239 answers
8,232 comments
547,814 users