Azure Sign-in Logs

With Active Roles and Azure integration set up, is it possible to pull Azure sign-in logs? We sync our users to Azure and then use pass-through authentication (PTA) to allow users to sign into 365 or any app with Azure in front of it. What we are finding out, though, is that a sign-in to Azure, even though it's being authenticated against one of our domain DCs using PTA, does not count as a sign-in to local AD. The local AD user's account lastLogonTimestamp attribute is not updated.

So we have some users that are signing into Azure apps but never into local AD. We recently did a major cleanup of AD, where we now use automation to disable and move users who haven't logged in in over 6 months to a non-syncing (to Azure) OU. Some users are calling in saying they can't sign into some apps now because their account was deemed inactive and moved by this new rule.

If Active Roles can look at Azure sign-in logs, this would solve our problem. Thanks.

  • AR doesn't do anything natively around this that I can think of.

    Off the top of my head, this might work:

    Create a script that you have AR run as an Automation workflow that would interrogate the Azure sign-in logs for your users (for example, once per week) and then have the script write the last sign-in time to a virtual attribute on each user. Your deprovisioning process could look at that attribute and, along with lastLogonTimestamp, use it to determine whether the account is "stale" or not.

  • Great, thanks for the recommendation, we'll have to look into that, much appreciated.
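The workflow script suggested in the reply above, sketched as an added example. It is not code from the thread or from One Identity, and it makes several labelled assumptions: the Microsoft Graph PowerShell SDK and the Active Roles Management Shell are installed, the identity running it holds User.Read.All and AuditLog.Read.All (reading signInActivity also needs an Entra ID P1/P2 licence in the tenant), a DateTime virtual attribute named edsvaAzureLastSignIn (a hypothetical name) already exists on user objects, and users are synced by Azure AD Connect so each cloud user carries the on-premises SID in onPremisesSecurityIdentifier. The per-user signInActivity property is used rather than the raw sign-in log, because the log is only retained for a limited window while signInActivity keeps the latest interactive and non-interactive timestamps.

```powershell
# Added example (not from the thread or One Identity). Assumptions are marked ASSUMED.
# Intended to be dropped into an Active Roles Automation workflow script activity
# and scheduled, e.g. weekly.
Import-Module Microsoft.Graph.Users            # ASSUMED: Graph SDK installed
Import-Module ActiveRolesManagementShell       # ASSUMED: AR Management Shell installed

$VirtualAttr    = 'edsvaAzureLastSignIn'       # ASSUMED: hypothetical DateTime virtual attribute
$StaleAfterDays = 180                          # matches the poster's "over 6 months" rule

# Return $true when neither on-prem AD nor Entra ID shows a logon inside the window.
# Either value may be $null (never logged on there). Caveat: lastLogonTimestamp is
# replicated lazily (up to ~14 days behind), so treat it as a lower bound, not exact.
function Test-StaleAccount {
    param($LastLogonTimestamp, $AzureLastSignIn, [int]$Days = $StaleAfterDays)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $seen = @($LastLogonTimestamp, $AzureLastSignIn) |
            Where-Object { $_ } |
            ForEach-Object { ([datetime]$_).ToUniversalTime() }
    return -not ($seen | Where-Object { $_ -ge $cutoff })
}

Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome
Connect-QADService -Proxy | Out-Null   # go through the AR service so policies/workflows still apply

# Pull every user with the sign-in summary; filter client-side to synced accounts
# (avoids combining $filter with signInActivity, which Graph restricts).
$cloudUsers = Get-MgUser -All -Property 'id,userPrincipalName,onPremisesSyncEnabled,onPremisesSecurityIdentifier,signInActivity'

foreach ($u in $cloudUsers) {
    if (-not $u.OnPremisesSyncEnabled -or -not $u.OnPremisesSecurityIdentifier) { continue }
    $act = $u.SignInActivity
    if (-not $act) { continue }                 # never signed in to Entra ID

    # PTA-backed sign-ins from apps show up as interactive OR non-interactive; take the newer.
    $last = @($act.LastSignInDateTime, $act.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $last) { continue }

    # Match the cloud object to the on-prem account by SID (unambiguous after sync).
    $adUser = Get-QADUser -Identity $u.OnPremisesSecurityIdentifier `
                          -IncludedProperties $VirtualAttr -ErrorAction SilentlyContinue
    if (-not $adUser) { Write-Warning "No AD match for $($u.UserPrincipalName)"; continue }

    $current = $adUser.$VirtualAttr
    if ($current -and ([datetime]$current).ToUniversalTime() -ge $last.ToUniversalTime()) { continue }

    Set-QADUser -Identity $adUser.DN -ObjectAttributes @{ $VirtualAttr = $last.ToUniversalTime() } | Out-Null
    Write-Verbose "Updated $($adUser.SamAccountName): $VirtualAttr = $last"
}

# Example of the deprovisioning-side check using both sources:
# Get-QADUser -Enabled -IncludedProperties lastLogonTimestamp,$VirtualAttr |
#     Where-Object { Test-StaleAccount $_.lastLogonTimestamp $_.$VirtualAttr } |
#     Select-Object SamAccountName, lastLogonTimestamp, $VirtualAttr
```

The deprovisioning rule then treats an account as active if either lastLogonTimestamp or the virtual attribute falls inside the window, which is what prevents the cloud-only sign-in users from being swept into the non-syncing OU. Because the script goes through the Active Roles proxy, the attribute write is subject to the same policies and change history as any other AR edit.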
