0 votes

Trying to evaluate the time in days a user has been in a group based on a custom date field

```powershell
# Get object creation date
$object = $Context.GetDirectoryObject()
$whenCreated = $object.Get("adm-CustomAttributeDate14")
$DaysText = "Days"

$timeSpan = New-TimeSpan -Start $whenCreated -End "%datetime%"
$Context.Value = $timeSpan.Days
```

This wasn't working for me, but I realized it was because the group the report is built on is a cloud-only group. Therefore, the script above accurately reports that the field is null because I am assuming it is evaluating the Azure user object and not the AD user object.

Given this, is there an easy way for me to calculate this value on the AD equivalent user of the Azure user that is in the Azure group?

Thanks

ago by (720 points)
edited ago by
0

Hello,

The Get method can never return Null. It either returns a value of the specified attribute or errors out if the attribute is empty. Also, it does not matter whether an account belongs to Microsoft Entra or on-premises AD. Adaxes custom attributes work the same for all.

For us to suggest a solution, please, describe the desired behavior in all the possible details with live examples. It looks like you are trying to add the script to a report. Please, provide all the settings you have for it.

0

This report reports on the members of the Azure AD group. It does not calculate the days correctly and there are other errors.

If I switch the report to an on prem AD Group, the report functions as expected.

Here is the script for the column:

```powershell
# Get object creation date
$object = $Context.GetDirectoryObject()
$whenCreated = $object.Get("adm-CustomAttributeDate14")
$DaysText = "Days"

# Calculate the timespan
$timeSpan = New-TimeSpan -Start $whenCreated -End "%datetime%"

# Round up to the next whole day and ensure a minimum value of 1
$roundedDays = [math]::Ceiling($timeSpan.TotalDays) -as [int]

# Ensure minimum output is 1
if ($roundedDays -lt 1) {
    $roundedDays = 1
}

# Store the result in the report column
$Context.Value = $roundedDays
```

1 Answer

0 votes
ago by (296k points)

Hello,

Thank you for the provided details. The thing is that your script does not take into account that a user can have CustomAttributeDate14 empty. You face all the errors because both users in your report have the property empty. You can use the below approach. It will set the column value to zero for those who have CustomAttributeDate14 empty.

```powershell
# Get the date stored in the custom attribute
$object = $Context.GetDirectoryObject()

try
{
    $whenCreated = $object.Get("adm-CustomAttributeDate14")
}
catch
{
    # Get throws when the attribute is empty
    $whenCreated = $null
}

if ($null -eq $whenCreated)
{
    # No date stored on this object
    $Context.Value = 0
}
else
{
    # Calculate the timespan
    $timeSpan = New-TimeSpan -Start $whenCreated -End "%datetime%"

    # Round up to the next whole day
    $roundedDays = [math]::Ceiling($timeSpan.TotalDays) -as [int]

    # Ensure minimum output is 1
    if ($roundedDays -lt 1)
    {
        $roundedDays = 1
    }

    # Store the result in the report column
    $Context.Value = $roundedDays
}
```
0

That is correct that I hadn't accounted for the empty attribute. I've applied your script and it does now handle this scenario gracefully.

That being said, the attribute is not empty in the on-prem AD user object. It is populated, which is why the report calculates properly when it is run against the on-prem AD group.

The issue, as I am understanding more, seems to be that the Azure user object does not have a value assigned to it. Since the report is being run against the Azure AD group, which holds the Azure user objects, it sees the empty custom fields.

This brings us to the root of the issue. I have a business rule which adds the %datetime% in the custom attribute (which you guys did just help me with a couple of days ago), but it places it in the on prem user object and not both the on prem and azure object.

Here is the script that does this (and adds to another group, which is the on-prem AD group, as I was trying to implement a workaround).

```powershell
$dateProperty = "adm-CustomAttributeDate14" # TODO: modify me
$targetGroupDN = "CN=MFA-Bypass-Report,OU=Reports,OU=Groups,DC=corp,DC=res,DC=us" # TODO: modify me

# Bind to new member
$member = $Context.BindToObject("Adaxes://%member%")

# Update new member
$member.Put($dateProperty, "%datetime%")
$member.SetInfo()

$group = $Context.BindToObjectByDN($targetGroupDN)

if (-not $group.IsMember("Adaxes://%member%"))
{
    $group.Add("Adaxes://%member%")
}
```

So in this case, is this expected behavior and we need to adjust the script to assign the value on both objects or should this happen automatically but it isn't? Or some other methodology - like Adaxes should know to look in the Active Directory user even though the user in the cloud group is the cloud user object etc....

0

Hello,

Yes, the behavior is expected. To achieve the desired behavior, you need to set the custom attribute for both the on-premises account and the Microsoft Entra one. We updated the script accordingly. You can find it below.

```powershell
$dateProperty = "adm-CustomAttributeDate14" # TODO: modify me
$targetGroupDN = "CN=MFA-Bypass-Report,OU=Reports,OU=Groups,DC=corp,DC=res,DC=us" # TODO: modify me

# Bind to new member
$member = $Context.BindToObject("Adaxes://%member%")

# Update new member
$member.Put($dateProperty, "%datetime%")
$member.SetInfo()

# Bind to the group
$group = $Context.BindToObjectByDN($targetGroupDN)

# Add new member to another group
if (-not $group.IsMember("Adaxes://%member%"))
{
    $group.Add("Adaxes://%member%")
}

# Bind to the Entra account of new member
try
{
    $entraId = $member.Get("adm-AzureId")
}
catch
{
    $Context.LogMessage("User %fullname% has no Microsoft Entra identifier", "Information")
    return
}

try
{
    $entraAccount = $Context.BindToObject("Adaxes://<GUID=$entraId>")
}
catch
{
    $Context.LogMessage("User %fullname% has no Microsoft Entra account", "Information")
    return
}

# Update the Entra account of new member
$entraAccount.Put($dateProperty, "%datetime%")
$entraAccount.SetInfo()
```
0

This works perfectly. Thanks for working through it with us.
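
The root cause worked out in this thread (the date was written only to the on-premises object, while the report on the cloud group reads the Entra object) can be reproduced outside Adaxes. The following is an added example, not code from the thread or from Adaxes: the accounts are constructed hashtables, `Get-DaysInGroup` and `Set-JoinStamp` are hypothetical helper names, and only the property names `adm-CustomAttributeDate14` and `adm-AzureId` come from the scripts above.

```powershell
# Added example: constructed data, no Adaxes API calls.
$dateProperty = 'adm-CustomAttributeDate14'
$reportTime   = [datetime]'2024-06-10T12:00:00'   # fixed report time so runs are repeatable

# Constructed accounts: an on-prem user linked to its Entra account through adm-AzureId.
$entraAlice  = @{ Name = 'alice (Entra)'; Guid = '11111111-1111-1111-1111-111111111111' }
$adAlice     = @{ Name = 'alice (AD)'; 'adm-AzureId' = $entraAlice.Guid }
$entraByGuid = @{}
$entraByGuid[$entraAlice.Guid] = $entraAlice

function Get-DaysInGroup {
    # Same rules as the report column: 0 when the date is empty,
    # otherwise days rounded up to a whole number with a minimum of 1.
    param([hashtable]$Account, [datetime]$Now)
    $stamp = $Account[$dateProperty]
    if ($null -eq $stamp) { return 0 }
    $days = [int][math]::Ceiling(($Now - [datetime]$stamp).TotalDays)
    if ($days -lt 1) { $days = 1 }
    return $days
}

function Set-JoinStamp {
    # Writes the date to the on-prem account and, with -IncludeEntra,
    # to the Entra account it is linked to (skipped when there is no link).
    param([hashtable]$Member, [datetime]$When, [switch]$IncludeEntra)
    $Member[$dateProperty] = $When
    if (-not $IncludeEntra) { return }
    $entraId = $Member['adm-AzureId']
    if ($null -eq $entraId -or -not $entraByGuid.ContainsKey($entraId)) { return }
    $entraByGuid[$entraId][$dateProperty] = $When
}

$joined = [datetime]'2024-06-07T09:00:00'   # constructed join time

# Original business rule: only the on-prem object gets the date.
Set-JoinStamp -Member $adAlice -When $joined
$cloudBefore = Get-DaysInGroup -Account $entraAlice -Now $reportTime
$onPrem      = Get-DaysInGroup -Account $adAlice    -Now $reportTime

# Updated business rule: both objects get the date.
Set-JoinStamp -Member $adAlice -When $joined -IncludeEntra
$cloudAfter  = Get-DaysInGroup -Account $entraAlice -Now $reportTime

[pscustomobject]@{
    CloudReportBeforeFix = $cloudBefore
    OnPremReport         = $onPrem
    CloudReportAfterFix  = $cloudAfter
}
```

Because a populated date never yields less than 1, a 0 in the report column means the object that the report reads has no date at all, which for a group such as `MFA-Bypass-Report` is worth reviewing rather than reading as "joined today".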
