We had a project that required the last sign in data from an Azure AD guest to allow us to perform life cycle events on the identity and any correlated accounts.
However, unlike Active Directory, Azure Active Directory doesn't store a last login time stamp in user attributes.
I have created an approach to obtain this and wanted to share it with the community. Basically, I created a rule that is triggered by a task to iterate all our user objects via the Microsoft Graph API, which obtains the UPN; then we iterate the audit logs in Azure to find the last successful sign-in for each UPN and store it in a Custom object, which is used later on when the aggregation runs to insert the last login time stamp.
In addition, the task prunes any UPN that doesn't exist in Azure from the Custom object (i.e. it's been deleted) and retains the last sign-in even when Azure AD drops it after 30 days.
We run this task on a daily schedule before the aggregations.
Attached are the Rule, Custom object and Customization Rule.
Install steps:
1. Import XML objects through debug in ZIP attached
2. Create schema attribute in your Azure AD application called: "lastSignInSuccess"
3. Add the Customization Rule to your Azure AD application through the UI.
4. Create a new Task and use the "Run Rule" option
5. Structure your task as pictured, and enter the name of your application in the rule config.
Any builds on improving this are welcome. Hope this helps someone else; please ensure you test this before moving to a production instance.
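The daily merge-and-prune logic described above, as an added illustration in Python (not the attached BeanShell rule or Custom object). The Graph calls are replaced by constructed in-memory data; treating status.errorCode == 0 as a successful sign-in assumes the shape of the Graph signIn resource.

```python
from datetime import datetime, timezone

# Constructed sample data (not real tenant data): the UPNs currently present in
# Azure AD, i.e. what the Graph /users call would return.
CURRENT_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed slice of sign-in audit records, i.e. what /auditLogs/signIns would
# return for the last 30 days. A non-zero errorCode is a failed attempt.
SIGN_IN_LOGS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-01T08:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-03T09:00:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com",   "createdDateTime": "2024-02-20T17:45:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com",  "createdDateTime": "2024-03-02T10:00:00Z", "status": {"errorCode": 0}},
]

# Constructed: what the Custom object held after yesterday's run. carol's last
# sign-in is older than the 30-day audit window, so it is absent from the logs;
# dave has since been deleted from Azure AD.
STORED = {
    "alice@example.com": "2024-02-10T12:00:00Z",
    "carol@example.com": "2024-01-05T07:30:00Z",
    "dave@example.com":  "2024-02-28T11:00:00Z",
}


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in Graph sign-in records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_successful_sign_in(logs):
    """Return {upn: timestamp} of the most recent successful sign-in per UPN."""
    latest = {}
    for rec in logs:
        if rec["status"]["errorCode"] != 0:   # only successful sign-ins count
            continue
        upn = rec["userPrincipalName"].lower()
        ts = rec["createdDateTime"]
        if upn not in latest or parse_ts(ts) > parse_ts(latest[upn]):
            latest[upn] = ts
    return latest


def refresh_last_sign_in(stored, current_users, logs):
    """One daily run: merge fresh audit data into the stored map, prune deleted users."""
    fresh = latest_successful_sign_in(logs)
    merged = {}
    for upn in {u.lower() for u in current_users}:   # UPNs gone from Azure AD are dropped
        candidates = [t for t in (stored.get(upn), fresh.get(upn)) if t]
        if candidates:   # keep the newest; a stored value outlives the 30-day window
            merged[upn] = max(candidates, key=parse_ts)
    return merged
```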
Now Microsoft exposes the lastSignInDateTime, so maybe this approach can be simplified, and maybe SailPoint can consider adding this information as a default in the connector. I have submitted an idea for this: https://ideas.sailpoint.com/ideas/IIQ-I-500
From 8.1 Patch 3 the Azure AD Connector can rely completely on the MS Graph API (see the 8.1.3 SailPoint Azure Active Directory Connector Guide).
To get the last logon date:
1. Add the following to the application attributes map from the debug:
   <entry key="useMSGraphAPI">
     <value>
       <Boolean>true</Boolean>
     </value>
   </entry>
   <entry key="msgraph-api-version" value="beta"/>
2. Add the signInActivity to the account schema attributes
3. Use a Customization rule to parse it
Hoping that MS can move this feature to a supported version of the MS Graph API; it will be an easy win to retrieve the last login date.
This can be enhanced where you create a link attribute and write an application rule logic to fetch the last sign in date.
I like this, but as you say, using a beta version of the API isn't an option for Production. The key benefit of storing in a Custom object here, though, is that you retain the last sign-in success for more than 30 days. This enables events to be processed on that data until the account is deleted from Azure AD.
Please share your thoughts on the enhancement. Do you have a code snippet or example?
Can anyone guide me on how to import the attached XML objects into SailPoint?