Azure Active Directory - Add most recent successful sign in to identity aggregation

Symptoms

We had a project that required the last sign in data from an Azure AD guest to allow us to perform life cycle events on the identity and any correlated accounts.

However, unlike Active Directory, Azure Active Directory doesn't store a last login time stamp in user attributes.

Solution

I have created an approach to obtain this and wanted to share it with the community. Basically, I created a rule that is triggered by a task to iterate all our user objects via the Microsoft Graph API, which obtains the UPN; then we iterate the audit logs in Azure to find the last successful sign-in for each UPN and store it in a Custom object, which is used later on, when the aggregation runs, to insert the last login time stamp.

In addition, the task prunes any UPN that doesn't exist in Azure from the Custom object (i.e. it's been deleted) and retains the last sign-in even when Azure AD drops it after 30 days.

We run this task on a daily schedule before the aggregations.

Attached are the Rule, Custom object and Customization Rule.

Install steps:

1. Import XML objects through debug in ZIP attached

2. Create schema attribute in your Azure AD application called: "lastSignInSuccess"

3. Add the Customization Rule to your Azure AD application through the UI.

4. Create a new Task and use the "Run Rule" option

5. Structure your task as pictured, enter the name of your application in the rule config.

(Image: Capture3.jpg, the task structure referred to in step 5)


Any builds on improving this are welcome; hope this helps someone else. Please ensure you test this before moving to a production instance.
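As an added illustration of the daily task described above (this is example code, not the rule attached to the post), the following Python models the merge-and-prune step: take today's UPN list from Graph, take the newest successful sign-in per UPN from the sign-in log, keep the newer of that and the value already stored in the Custom object, and drop UPNs that Graph no longer returns. Every input is constructed sample data; the record fields mirror the Graph signIn resource (userPrincipalName, createdDateTime, status.errorCode), nothing is fetched from Azure, and the "Custom object" is a plain dict.

```python
# Added example (not the rule attached to the post): the merge/prune step that
# keeps a "last successful sign-in per UPN" store current.  All inputs below are
# constructed sample data; nothing is fetched from Microsoft Graph.
from datetime import datetime, timezone

# Constructed: the UPNs that the Graph /users call returned today.
CURRENT_USERS = [
    "alice@contoso.example",
    "bob@contoso.example",
    "carol@contoso.example",
]

# Constructed sign-in records using the field names of the Graph signIn
# resource (userPrincipalName, createdDateTime, status.errorCode); an
# errorCode of 0 is a successful sign-in, anything else is a failure.
SIGN_IN_LOG = [
    {"userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2023-07-10T08:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "Alice@contoso.example",          # later, but failed
     "createdDateTime": "2023-07-12T09:00:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example",            # 7-digit fraction
     "createdDateTime": "2023-07-11T17:45:00.1234567Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example",            # older success
     "createdDateTime": "2023-07-09T06:30:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example",           # no longer in /users
     "createdDateTime": "2023-07-11T10:00:00Z", "status": {"errorCode": 0}},
]

# Constructed: what yesterday's run left in the Custom object.
PREVIOUS_STATE = {
    "alice@contoso.example": "2023-06-01T12:00:00Z",  # superseded by the new log
    "carol@contoso.example": "2023-05-20T07:10:00Z",  # older than the log window
    "dave@contoso.example": "2023-07-01T10:00:00Z",   # user deleted -> prune
}

STORED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_graph_time(value):
    """Parse a Graph UTC timestamp; fractional seconds (Graph may send up to 7
    digits) are truncated to the 6 that datetime.fromisoformat accepts."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def latest_success_per_upn(sign_ins):
    """Newest successful sign-in per UPN (case-insensitive) in the log window."""
    latest = {}
    for entry in sign_ins:
        if entry.get("status", {}).get("errorCode") != 0:
            continue                      # failed sign-ins never count
        upn = entry["userPrincipalName"].lower()
        when = parse_graph_time(entry["createdDateTime"])
        if upn not in latest or when > latest[upn]:
            latest[upn] = when
    return latest


def refresh_state(previous, current_users, sign_ins):
    """Return (new_state, pruned_upns).  A UPN that still exists keeps the newer
    of its stored value and anything seen in the log, so a value outlives the
    log's retention; a UPN no longer returned by /users is dropped."""
    prev = {k.lower(): v for k, v in previous.items()}
    live = {u.lower() for u in current_users}
    fresh = latest_success_per_upn(sign_ins)
    new_state = {}
    for upn in live:
        candidates = []
        if upn in prev:
            candidates.append(parse_graph_time(prev[upn]))
        if upn in fresh:
            candidates.append(fresh[upn])
        if candidates:                    # never-signed-in users stay absent
            new_state[upn] = max(candidates).strftime(STORED_FORMAT)
    pruned = sorted(u for u in prev if u not in live)
    return new_state, pruned


if __name__ == "__main__":
    state, pruned = refresh_state(PREVIOUS_STATE, CURRENT_USERS, SIGN_IN_LOG)
    for upn, stamp in sorted(state.items()):
        print(f"{upn}: {stamp}")
    print("pruned:", pruned)
```

Run as-is it reports alice and bob with the newest success from the log, carol with the value carried over from the previous run, and dave pruned. UPNs are compared case-insensitively because Graph does not guarantee consistent casing between the user list and the sign-in log, and a failed sign-in (non-zero errorCode) is ignored even when it is more recent than the last success.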

Comments

Now Microsoft exposes the lastSignInDateTime:

https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-3-get-us...

so maybe this approach can be simplified, and maybe SailPoint can consider adding this information as a default in the connector. I have submitted an idea for this: https://ideas.sailpoint.com/ideas/IIQ-I-500

IMPORTANT NOTE: the below method is using a beta version of the MS Graph API, so it is not recommended for a Production environment.

From 8.1 Patch 3 the Azure AD Connector can rely completely on the MS Graph API (see the 8.1.3 SailPoint Azure Active Directory Connector Guide).

To get the last logon date:

1. Add the following to the application attributes map from the debug

    <entry key="useMSGraphAPI">
        <value>
            <Boolean>true</Boolean>
        </value>
    </entry>
    <entry key="msgraph-api-version" value="beta"/>

2. Add the signInActivity attribute to the account schema attributes

3. Use a Customization rule to parse it

Hoping MS can move this feature to a supported version of the MS Graph API; it will be an easy win to retrieve the last login date.
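The third step above, the Customization rule that parses signInActivity into a schema attribute, is illustrated here in Python as an added example (it is not SailPoint's connector code nor the commenter's rule). The account is a plain dict standing in for the aggregated account's attribute map, and the target attribute name lastSignInSuccess is the one from the original post. Only lastSignInDateTime is taken from the thread; the optional lastNonInteractiveSignInDateTime key, and the fallback for a connector handing the complex attribute over as JSON text, are assumptions. The sample accounts are constructed.

```python
# Added example (not SailPoint's or the commenter's rule): the parsing step a
# Customization rule performs once signInActivity is in the account schema.
import json
from datetime import datetime, timezone

# lastSignInDateTime is named in the thread; the non-interactive key is an
# assumption about the signInActivity shape and is simply ignored if absent.
SIGN_IN_KEYS = ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")
STORED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample accounts as the beta Graph API might return them.
ACCOUNTS = [
    {"userPrincipalName": "alice@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2023-07-10T08:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-07-12T03:00:00Z"}},
    {"userPrincipalName": "bob@contoso.example",          # attribute present, value null
     "signInActivity": {"lastSignInDateTime": None}},
    {"userPrincipalName": "carol@contoso.example",        # complex attribute as JSON text
     "signInActivity": '{"lastSignInDateTime": "2023-07-01T22:40:00.5Z"}'},
    {"userPrincipalName": "dave@contoso.example"},        # never signed in: key omitted
]


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, tolerating 1-7 fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def derive_last_sign_in(account):
    """Set lastSignInSuccess on the account from signInActivity and return it.

    Returns None and sets nothing when the user has never signed in, which
    Graph reports either by omitting signInActivity or by leaving its date
    values null; a stale value is therefore never fabricated for such users.
    """
    activity = account.get("signInActivity")
    if isinstance(activity, str):          # assumed: connector passed JSON text
        try:
            activity = json.loads(activity)
        except ValueError:
            return None
    if not isinstance(activity, dict):
        return None
    stamps = [parse_graph_time(activity[key])
              for key in SIGN_IN_KEYS if activity.get(key)]
    if not stamps:
        return None
    account["lastSignInSuccess"] = max(stamps).strftime(STORED_FORMAT)
    return account["lastSignInSuccess"]


if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["userPrincipalName"], "->", derive_last_sign_in(acct))
```

The rule deliberately leaves lastSignInSuccess unset rather than writing an empty string when no date is available, so downstream lifecycle logic can distinguish "never signed in" from "signed in, date unknown" and does not treat a brand-new guest as dormant.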

This can be enhanced by creating a link attribute and writing application rule logic to fetch the last sign-in date.

@carlodevittoria

I like this, but as you say, using a beta version of the API isn't an option for Production. The key benefit of storing it in a Custom object, though, is that you retain the last sign-in success for more than 30 days. This enables events to be processed on that data until the account is deleted from Azure AD.

@priyanka_jain

Please share your thoughts on the enhancement. Do you have a code snippet or example?

Can anyone guide me on how to import the attached XML objects into SailPoint?

Version history: revision 7 of 7, last updated Jul 17, 2023 10:57 PM.