Script repository

Check Entra account last logon

February 06, 2024 Views: 766
Microsoft 365 (Office 365) User Accounts

The script checks whether the last logon date of the related Entra user account equals the current date. To execute the script, use the If PowerShell script returns true condition in a business rule, custom command or scheduled task configured for the User object type.

In the script, the $daysToAdd variable specifies the number of days to deduct from the current date for comparison with the Last Logon Timestamp of the Entra ID account.

Edit Remove
PowerShell
$daysToAdd = -14 # TODO: modify me

$Context.ConditionIsMet = $False

# Bind to Entra account
try
{
    $guid = $Context.TargetObject.Get("adm-AzureId")
}
catch
{
    return
}

$entraAccount = $Context.BindToObject("Adaxes://<GUID=$guid>")

# Get Entra last logon date
try
{
    # Output Last Logon date/time
    $lastLogonTimeStamp = $entraAccount.Get("lastLogonTimestamp")
    $lastLogonTime = [DateTime]::FromFileTime([Int64]::Parse($lastLogonTimestamp))        
}
catch
{
    return
}

# Compare dates
$compareDate = ([System.DateTime]::UtcNow).AddDays($daysToAdd)
$Context.ConditionIsMet = $lastLogonTime.Date -eq $compareDate.Date
Comments 6
avatar
Jacob Chugg May 22, 2024
I was referred to this script for my post in Q&A.

I'm trying to leverage a scheduled task that checks if a user has logged in in the last 30 days and if they haven't it disables them and moves to a specific OU.

Currently the scheduled task works but is only leveraging the AD login values and not AAD.

I've made a custom command with the script above that says if script returns true then disable account and move user to specified OU etc. When testing on a user that does not have recent sign in data from AAD it's performing no operations aka not returning a true statement from the script. The only code we modified to fit our needs was the last line going from -eq to -lt.

Anything i'm misunderstanding?
Reply
avatar
Support May 22, 2024
Hello Jacob,

Do you see the Entra account in Adaxes? What value does it have in the lastLogonTimestamp property?
Reply
avatar
Jacob Chugg May 22, 2024
Yes I can see the Entra account in AD but there is no lastLogonTimestamp attribute for users under that domain
Reply
avatar
Support May 23, 2024
Hello Jacob,

It means that the account never logged in to Microsoft Entra. For such users the condition is never met.
Reply
avatar
Jacob Chugg May 23, 2024
The LastLogonTimestamp attribute does not exist for any user under the Azure AD domain registered to our administration console. It's not that it is blank, it is just not an attribute
Reply
avatar
Support May 23, 2024
Hello Jacob,

How exactly are you checking? For troubleshooting purposes, please, send us screenshots of the steps at support@adaxes.com. Any additional information will be much appreciated.
Reply
Leave a comment
Related Scripts

Got questions?

Support Questions & Answers