We had a project that required the last sign in data from an Azure AD guest to allow us to perform life cycle events on the identity and any correlated accounts.
However, unlike Active Directory, Azure Active Directory doesn't store a last login time stamp in user attributes.
I have created an approach to obtain this and wanted to share it with the community. Basically, I created a rule that is triggered by a task. It iterates all our user objects via the Microsoft Graph API to obtain each UPN; we then iterate the audit logs in Azure to find the last successful sign-in for each UPN and store it in a Custom object, which is used later when the aggregation runs to insert the last login time stamp.
In addition, the task prunes any UPN that doesn't exist in Azure from the Custom object (i.e. it's been deleted) and retains the last sign-in even when Azure AD drops it after 30 days.
We run this task on a daily schedule before the aggregations.
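The logic described above, as an added example that is not the attached Rule or any SailPoint code: a plain Python model of one scheduled run that pages through Graph users, keeps only sign-ins with `status/errorCode` equal to 0, merges the newest stamp per UPN into the persisted store (the Custom object), prunes UPNs no longer returned by Azure, and retains the stored stamp for any UPN with no sign-in left in the log window. The `run_once`, `refresh_store` and `fake_fetch` names are hypothetical, and the sample Graph pages and previous store are constructed so the block runs offline.

```python
# Added example, not code from the original post or its attached Rule.
# It models the post's approach in plain Python: list users from Graph,
# find each UPN's latest successful sign-in, merge with the persisted
# Custom object store, prune deleted UPNs, and retain old stamps.
# Helper names are hypothetical; the sample payloads are constructed.
from datetime import datetime

GRAPH = "https://graph.microsoft.com/v1.0"
USERS_URL = f"{GRAPH}/users?$select=userPrincipalName"
# Graph signIns expose status/errorCode; 0 means the sign-in succeeded.
SIGNINS_URL = f"{GRAPH}/auditLogs/signIns?$filter=status/errorCode eq 0"


def paginate(fetch_json, url):
    """Yield every item across Graph pages by following @odata.nextLink.
    fetch_json(url) -> dict is the caller's authenticated HTTP GET."""
    while url:
        page = fetch_json(url)
        for item in page.get("value", []):
            yield item
        url = page.get("@odata.nextLink")


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def format_graph_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def latest_success_by_upn(sign_ins):
    """Map lower-cased UPN -> datetime of its most recent successful sign-in."""
    latest = {}
    for rec in sign_ins:
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # failed sign-ins must never advance the stamp
        upn = rec["userPrincipalName"].lower()
        ts = parse_graph_time(rec["createdDateTime"])
        if upn not in latest or ts > latest[upn]:
            latest[upn] = ts
    return latest


def refresh_store(store, current_upns, latest):
    """store: {upn: iso string} persisted between runs (the Custom object).

    Returns the new store: UPNs missing from current_upns are pruned,
    a newer successful sign-in replaces the stored stamp, and a UPN with
    no sign-in in the log window keeps its previous stamp, which is what
    survives the 30-day sign-in log retention."""
    new_store = {}
    for upn in (u.lower() for u in current_upns):
        candidates = []
        if upn in store:
            candidates.append(parse_graph_time(store[upn]))
        if upn in latest:
            candidates.append(latest[upn])
        if candidates:
            new_store[upn] = format_graph_time(max(candidates))
    return new_store


def run_once(fetch_json, store):
    """One scheduled run: pull users and sign-ins, then refresh the store."""
    upns = [u["userPrincipalName"] for u in paginate(fetch_json, USERS_URL)]
    latest = latest_success_by_upn(paginate(fetch_json, SIGNINS_URL))
    return refresh_store(store, upns, latest)


# ---- constructed sample data standing in for Graph responses ----
ALICE = "alice_contoso.com#ext#@tenant.onmicrosoft.com"
BOB = "bob_fabrikam.com#ext#@tenant.onmicrosoft.com"
CAROL = "carol@tenant.onmicrosoft.com"
PAGE2 = USERS_URL + "&$skiptoken=page2"

SAMPLE_PAGES = {
    USERS_URL: {"value": [{"userPrincipalName": ALICE},
                          {"userPrincipalName": BOB}],
                "@odata.nextLink": PAGE2},
    PAGE2: {"value": [{"userPrincipalName": CAROL}]},
    # The fake server ignores $filter, so a failed record is included on
    # purpose to show the local errorCode check is still applied.
    SIGNINS_URL: {"value": [
        {"userPrincipalName": ALICE, "createdDateTime": "2024-03-01T08:15:00Z",
         "status": {"errorCode": 0}},
        {"userPrincipalName": ALICE, "createdDateTime": "2024-03-05T09:00:00Z",
         "status": {"errorCode": 0}},
        {"userPrincipalName": CAROL, "createdDateTime": "2024-03-02T10:00:00Z",
         "status": {"errorCode": 50126}},
    ]},
}

# Previous run's store: bob has no sign-in left in the log window, dave was deleted.
PREVIOUS_STORE = {
    ALICE: "2024-02-01T07:00:00Z",
    BOB: "2024-01-20T12:00:00Z",
    "dave@tenant.onmicrosoft.com": "2024-01-01T00:00:00Z",
}


def fake_fetch(url):
    return SAMPLE_PAGES[url]


def example_run():
    return run_once(fake_fetch, PREVIOUS_STORE)


if __name__ == "__main__":
    for upn, stamp in sorted(example_run().items()):
        print(f"{upn}\t{stamp}")
```

Running it keeps alice (advanced to her newest successful sign-in), keeps bob at his previously stored stamp, drops dave because Azure no longer returns that UPN, and leaves carol out because she has no successful sign-in and no prior entry. Keying everything on the lower-cased UPN avoids the duplicate entries a case-sensitive comparison would otherwise create between the two sources.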
Attached are the Rule, Custom object and Customization Rule.
Install steps:
1. Import the XML objects from the attached ZIP through the Debug page.
2. Create schema attribute in your Azure AD application called: "lastSignInSuccess"
3. Add the Customization Rule to your Azure AD application through the UI.
4. Create a new Task and use the "Run Rule" option
5. Structure your task as pictured, enter the name of your application in the rule config.
Any builds on improving this are welcome. Hope this helps someone else; please ensure you test this before moving to a production instance.